trojan look2me, and more [RESOLVED]


#1
mirella

    New Member

  • Member
  • 9 posts
Hi there!

I was searching for something and I got infected; I think it was SpySheriff, but I'm not sure.
My desktop was locked, it looked like this: http://komodorac.bir...Mp3/desktop.JPG, and my start page of IE like this: http://komodorac.bir...Mp3/warning.JPG. Then I searched for a description of SpySheriff, and I had some symptoms, but not all.
So I tried to resolve the problem by myself, by using CleanUp, Ewido, and the HijackThis tool. Frankly, I wasn't 100% sure what I was doing; I think that I didn't delete anything that I shouldn't have.

And my comp is working fine now, but my Microsoft AntiSpyware had to block something. So I guess it isn't clean.

This is my log:

Logfile of HijackThis v1.99.1
Scan saved at 21:52:21, on 13.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Winamp\winampa.exe
C:\windows\adtech2005.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Vatreni Zid\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ACAD2000\acad.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Mirelaa\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Vatreni Zid\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [klop] C:\WINDOWS\D.tmp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Check Local Printer.lnk = C:\Program Files\KXP6X00\Chkpnt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1050\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\m4ju0e19eh.dll (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\fpj4031qe.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\pcklphlo.dll (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlyZWxh\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


As there are no answers, I refreshed my HijackThis log. It seems that I have this Look2Me trojan. I tried to remove it but I couldn't. Ewido finds it every time I log on to Windows. And there are pop-ups in my Mozilla and IE. When I open a web page, it's there for a few seconds, then it changes by itself into a new page (weather, search, commercials etc.).
:)

(p.s.: I formatted my C drive a few days ago, and this situation is driving me crazy. I know exactly how I got infected... So naive... :) )


Thanks!

Edited by mirella, 13 November 2005 - 03:04 PM.



#2
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, mirella.

Please DELETE your current HJT program from its present location.

Download and run the following HijackThis autoinstall program from here. Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident.

Run HijackThis.

Click SCAN and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')

POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste').

Also, you have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." ...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

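The find log that l2mfix option #1 produces (the next post carries one) is a .reg-format export of the Winlogon\Notify subkeys, with some DllName values written as hex(2), i.e. REG_EXPAND_SZ stored as UTF-16LE bytes split across continuation lines. As an added example that is not part of this thread or of L2MFix, the Python script below parses such an export and flags Notify entries that deviate from the stock Windows XP SP2 set: a subkey name outside the baseline, or a DllName that is an absolute path, since the stock entries name a bare DLL that Winlogon resolves from system32. The baseline set of subkey names and the sample export are constructed here for the example (the sample mirrors entries in the log below, including the CSCSettings entry pointing at mv6ml9j11.dll); the baseline should be adjusted for other Windows versions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumption: stock Winlogon\Notify subkeys that ship with Windows XP SP2
# (the set of entries present in the find log on this page).
BASELINE_NOTIFY_KEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed sample modelled on an L2MFix find-log .reg export: two stock
# entries (one with a hex(2) DllName) and one entry with a full-path DLL.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv6ml9j11.dll"
"Logon"="WinLogon"
'''


def _unescape_reg_string(raw: str) -> str:
    # .reg files escape double quotes and backslashes with a backslash.
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def _decode_hex2(raw: str) -> str:
    # hex(2) is REG_EXPAND_SZ: comma-separated UTF-16LE bytes, NUL-terminated.
    data = bytes(int(b, 16) for b in raw.split(",") if b.strip())
    return data.decode("utf-16-le").rstrip("\x00")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: value}}.

    Strings, hex(2) strings and dwords are decoded; other types are ignored.
    """
    # Join physical lines that end in a backslash (hex continuation lines).
    logical: List[str] = []
    for line in text.splitlines():
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.rstrip())

    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if current is None or not match:
            continue
        name, data = match.group(1), match.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape_reg_string(data[1:-1])
        elif data.startswith("hex(2):"):
            keys[current][name] = _decode_hex2(data[len("hex(2):"):])
        elif data.startswith("dword:"):
            keys[current][name] = str(int(data[len("dword:"):], 16))
    return keys


def triage_winlogon_notify(text: str) -> List[Tuple[str, str, str]]:
    """Return (subkey, dll, reason) for Notify entries outside the baseline."""
    findings: List[Tuple[str, str, str]] = []
    for path, values in parse_reg_export(text).items():
        head, _, sub = path.rpartition("\\")
        if not head.lower().endswith("winlogon\\notify"):
            continue  # not a Notify subkey (e.g. the parent key itself)
        # Value name casing varies ("DllName" vs "DLLName"), so compare lowercase.
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        reasons = []
        if sub.lower() not in BASELINE_NOTIFY_KEYS:
            reasons.append("subkey not in XP baseline")
        if "\\" in dll or ":" in dll:
            reasons.append("DllName is an absolute path")
        if reasons:
            findings.append((sub, dll, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for sub, dll, why in triage_winlogon_notify(SAMPLE_REG):
        print(f"{sub}: {dll} ({why})")
```

Run against a real find log, the script reports the same entries a helper would pick out by eye (here CSCSettings with its random-named DLL) while leaving the stock entries alone; the HijackThis O20 lines in the logs above show the same DLLs in condensed form.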

#3
mirella

    New Member

  • Topic Starter
  • Member
  • 9 posts
Here it is...


Logfile of HijackThis v1.99.1
Scan saved at 1:00:23, on 16.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Winamp\winampa.exe
C:\windows\adtech2005.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Vatreni Zid\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Vatreni Zid\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [klop] C:\WINDOWS\D.tmp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Check Local Printer.lnk = C:\Program Files\KXP6X00\Chkpnt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1050\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\mv6ml9j11.dll
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\m4ju0e19eh.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\pcklphlo.dll (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlyZWxh\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.ex


L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv6ml9j11.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\m4ju0e19eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8B9B27D1-4342-0D82-ECA7-57AEC9E50297}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B089FE88-FB52-11d3-BDF1-0050DA34150D}"="NOD32 Context Menu Shell Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{00020000-0000-1011-8004-0000C06B5161}"="WIBU-SYSTEMS Shell Extension"
"{2989D934-03B1-4537-AA2A-AC19603B0043}"=""
"{5C926F11-3EAA-4704-9EAF-C68BEEB67269}"=""
"{C01AF41B-7ADF-4A08-BB77-0AAF919C068D}"=""
"{BDB8FD69-5190-4F97-933E-8DBFE69553EC}"=""
"{D7DF0407-F394-42A4-82BB-3B8397C191DC}"=""
"{2A37456A-EC44-49F0-B3B7-807CA73D4E0B}"=""
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}"="AutoCAD Digital Signatures Icon Overlay Handler"
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}"="Autodesk Drawing Preview"
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}"="Autodesk DWF Preview"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2989D934-03B1-4537-AA2A-AC19603B0043}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2989D934-03B1-4537-AA2A-AC19603B0043}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2989D934-03B1-4537-AA2A-AC19603B0043}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2989D934-03B1-4537-AA2A-AC19603B0043}\InprocServer32]
@="C:\\WINDOWS\\system32\\MBT2FW95.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5C926F11-3EAA-4704-9EAF-C68BEEB67269}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5C926F11-3EAA-4704-9EAF-C68BEEB67269}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5C926F11-3EAA-4704-9EAF-C68BEEB67269}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5C926F11-3EAA-4704-9EAF-C68BEEB67269}\InprocServer32]
@="C:\\WINDOWS\\system32\\cmyptsvc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C01AF41B-7ADF-4A08-BB77-0AAF919C068D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C01AF41B-7ADF-4A08-BB77-0AAF919C068D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C01AF41B-7ADF-4A08-BB77-0AAF919C068D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C01AF41B-7ADF-4A08-BB77-0AAF919C068D}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BDB8FD69-5190-4F97-933E-8DBFE69553EC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDB8FD69-5190-4F97-933E-8DBFE69553EC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDB8FD69-5190-4F97-933E-8DBFE69553EC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDB8FD69-5190-4F97-933E-8DBFE69553EC}\InprocServer32]
@="C:\\WINDOWS\\system32\\nmapi16.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D7DF0407-F394-42A4-82BB-3B8397C191DC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DF0407-F394-42A4-82BB-3B8397C191DC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DF0407-F394-42A4-82BB-3B8397C191DC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DF0407-F394-42A4-82BB-3B8397C191DC}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2A37456A-EC44-49F0-B3B7-807CA73D4E0B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2A37456A-EC44-49F0-B3B7-807CA73D4E0B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2A37456A-EC44-49F0-B3B7-807CA73D4E0B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2A37456A-EC44-49F0-B3B7-807CA73D4E0B}\InprocServer32]
@="C:\\WINDOWS\\system32\\wsntrust.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll Sat Nov 12 2005 1:19:18a A.... 687,592 671.48 K
browseui.dll Sat Sep 3 2005 12:52:04a A.... 1,019,904 996.00 K
cdfview.dll Sat Sep 3 2005 12:52:04a A.... 151,040 147.50 K
cdosys.dll Sat Sep 10 2005 2:53:42a A.... 2,067,968 1.97 M
danim.dll Sat Sep 3 2005 12:52:04a A.... 1,053,696 1.00 M
dcvxde~1.dll Sun Nov 13 2005 8:19:22p ..S.R 237,279 231.71 K
dxtrans.dll Sat Sep 3 2005 12:52:04a A.... 205,312 200.50 K
extmgr.dll Sat Sep 3 2005 12:52:04a A.... 55,808 54.50 K
fpj403~1.dll Sun Nov 13 2005 8:23:22p ..... 237,279 231.71 K
gdi32.dll Thu Oct 6 2005 4:09:36a A.... 280,064 273.50 K
iepeers.dll Sat Sep 3 2005 12:52:04a A.... 251,392 245.50 K
imon.dll Fri Nov 11 2005 3:22:30p A.... 180,224 176.00 K
inseng.dll Sat Sep 3 2005 12:52:04a A.... 96,256 94.00 K
k044la~1.dll Sat Nov 12 2005 7:01:06p ..S.R 235,683 230.16 K
linkinfo.dll Thu Sep 1 2005 2:41:54a A.... 19,968 19.50 K
mshtml.dll Tue Oct 4 2005 5:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Sat Sep 3 2005 12:52:06a A.... 448,512 438.00 K
msrating.dll Sat Sep 3 2005 12:52:06a A.... 146,432 143.00 K
mstime.dll Sat Sep 3 2005 12:52:06a A.... 530,432 518.00 K
mv6ml9~1.dll Sun Nov 13 2005 11:16:30p ..S.R 237,279 231.71 K
netman.dll Mon Aug 22 2005 7:29:46p A.... 197,632 193.00 K
nms32.dll Fri Nov 11 2005 3:22:30p A.... 114,688 112.00 K
pngfilt.dll Sat Sep 3 2005 12:52:06a A.... 39,424 38.50 K
quartz.dll Tue Aug 30 2005 4:54:26a A.... 1,287,168 1.23 M
shdocvw.dll Sat Sep 3 2005 12:52:06a A.... 1,483,776 1.41 M
shell32.dll Fri Sep 23 2005 4:05:30a A.... 8,450,560 8.06 M
shlwapi.dll Sat Sep 3 2005 12:52:06a A.... 473,600 462.50 K
sirenacm.dll Wed Oct 12 2005 5:11:06p A.... 118,784 116.00 K
umpnpmgr.dll Tue Aug 23 2005 4:35:42a A.... 123,392 120.50 K
urlmon.dll Sat Sep 3 2005 12:52:06a A.... 608,768 594.50 K
vsdata.dll Mon Aug 29 2005 7:08:34p A.... 83,712 81.75 K
vsinit.dll Mon Aug 29 2005 7:08:46p A.... 141,056 137.75 K
vsmonapi.dll Mon Aug 29 2005 7:08:54p A.... 104,192 101.75 K
vspubapi.dll Mon Aug 29 2005 7:08:58p A.... 227,072 221.75 K
vsregexp.dll Mon Aug 29 2005 7:09:02p A.... 71,424 69.75 K
vsutil.dll Mon Aug 29 2005 7:09:14p A.... 382,720 373.75 K
vsxml.dll Mon Aug 29 2005 7:09:22p A.... 100,096 97.75 K
w16.dll Sat Nov 12 2005 1:16:28a A.... 11,264 11.00 K
w95inf16.dll Fri Nov 11 2005 3:31:44p A.... 2,272 2.22 K
w95inf32.dll Fri Nov 11 2005 3:31:44p A.... 4,608 4.50 K
wininet.dll Sat Sep 3 2005 12:52:06a A.... 658,432 643.00 K
winsrv.dll Thu Sep 1 2005 2:41:54a A.... 291,840 285.00 K
zlbw.dll Sat Nov 12 2005 1:18:10a A.... 46,592 45.50 K
zlcomm.dll Mon Aug 29 2005 7:09:42p A.... 79,616 77.75 K
zlcommdb.dll Mon Aug 29 2005 7:09:46p A.... 71,424 69.75 K
__dele~1.dll Sun Nov 13 2005 8:49:30p A.... 237,279 231.71 K

46 items found: 46 files (3 H/S), 0 directories.
Total of file sizes: 26,568,679 bytes 25.34 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Mon Nov 14 2005 12:26:26a ..S.R 237,003 231.45 K
__dele~1.tmp Sun Nov 13 2005 8:50:30p A.... 237,279 231.71 K

2 items found: 2 files (1 H/S), 0 directories.
Total of file sizes: 474,282 bytes 463.16 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is CCA7-FCB2

Directory of C:\WINDOWS\System32

16.11.2005 00:38 <DIR> dllcache
14.11.2005 00:26 237.003 guard.tmp
13.11.2005 23:16 237.279 mv6ml9j11.dll
13.11.2005 20:19 237.279 dcvxdec_040c.dll
12.11.2005 19:01 235.683 k044lahq1d4e.dll
11.11.2005 10:49 <DIR> Microsoft
4 File(s) 947.244 bytes
2 Dir(s) 2.968.629.248 bytes free


#4 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello, mirella.

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Also, post back a fresh HijackThis log, please.
#5 mirella (New Member, Topic Starter, 9 posts)
Hi,

********
14:16: | Start of Session, 16. studeni 2005 |
14:16: Spy Sweeper started
14:16: Sweep initiated using definitions version 573
14:16: Starting Memory Sweep
14:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:24: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:24: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:29: Memory Sweep Complete, Elapsed Time: 00:12:48
14:29: Starting Registry Sweep
14:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:29: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:29: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:30: Found System Monitor: sc-keylog
14:30: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\explorer\ (6 subtraces) (ID = 140468)
14:30: Found Trojan Horse: spamrelayer_alpiok
14:30: HKCR\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (3 subtraces) (ID = 608255)
14:30: HKLM\software\classes\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (3 subtraces) (ID = 609144)
14:30: Found Trojan Horse: trojan-backdoor-zubox
14:30: HKCR\appid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (ID = 650832)
14:30: HKLM\software\classes\appid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (ID = 650872)
14:30: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || systray.excn2 (ID = 790580)
14:30: Found Adware: command
14:30: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
14:30: Found Adware: cws_secure32.html hijack
14:30: HKLM\software\microsoft\internet explorer\main\ || start page (ID = 946025)
14:30: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
14:30: Found Adware: findthewebsiteyouneed hijacker
14:30: HKU\S-1-5-21-515967899-854245398-1957994488-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
14:30: Found Trojan Horse: trojan-backdoor-us15info
14:30: HKU\S-1-5-21-515967899-854245398-1957994488-1003\software\microsoft\windows\currentversion\run\ || shell (ID = 650813)
14:30: Found Trojan Horse: trojan-backdoor-superbgirlz
14:30: HKU\S-1-5-21-515967899-854245398-1957994488-1003\software\classes\clsid\{4f141cba-1457-6cca-03a7-7aa21b61ea0f}\ (3 subtraces) (ID = 954563)
14:30: Registry Sweep Complete, Elapsed Time:00:01:01
14:30: Starting Cookie Sweep
14:30: Found Spy Cookie: yieldmanager cookie
14:30: mirelaa@ad.yieldmanager[1].txt (ID = 3751)
14:30: Found Spy Cookie: atlas dmt cookie
14:30: mirelaa@atdmt[1].txt (ID = 2253)
14:30: Found Spy Cookie: belnk cookie
14:30: mirelaa@belnk[1].txt (ID = 2292)
14:30: mirelaa@dist.belnk[2].txt (ID = 2293)
14:30: Cookie Sweep Complete, Elapsed Time: 00:00:01
14:30: Starting File Sweep
14:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:31: Warning: Failed to open file "c:\system volume information\_restore{24532266-bd1f-4529-87a4-b7fd9ef2cb0c}\rp13\a0001161.exe". Access is denied
14:31: a0001159.exe (ID = 183253)
14:31: toolbar.exe (ID = 183857)
14:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:32: Warning: Failed to open file "c:\system volume information\_restore{24532266-bd1f-4529-87a4-b7fd9ef2cb0c}\rp14\a0001207.dll". Access is denied
14:32: Warning: Failed to open file "c:\system volume information\_restore{24532266-bd1f-4529-87a4-b7fd9ef2cb0c}\rp14\a0001213.exe". Access is denied
14:32: Warning: Failed to open file "c:\system volume information\_restore{24532266-bd1f-4529-87a4-b7fd9ef2cb0c}\rp14\a0001206.dll". Access is denied
14:32: tool5.exe (ID = 183857)
14:32: Found Adware: look2me
14:32: a0001153.exe (ID = 168558)
14:33: Found Adware: spysheriff
14:33: secure32.html (ID = 184319)
14:33: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:33: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:33: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:33: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:33: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:33: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:33: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:33: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:34: mte3ndi6odoxng.exe (ID = 185985)
14:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:36: Found Trojan Horse: trojan-backdoor-securemulti
14:36: a0000980.exe (ID = 188677)
14:36: a0000981.exe (ID = 188677)
14:36: a0001162.dll (ID = 144945)
14:36: desktop.html (ID = 178574)
14:36: Warning: Failed to open file "c:\system volume information\_restore{24532266-bd1f-4529-87a4-b7fd9ef2cb0c}\rp13\a0001164.dll". Access is denied
14:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:37: Warning: Failed to open file "c:\system volume information\_restore{24532266-bd1f-4529-87a4-b7fd9ef2cb0c}\rp13\a0001156.exe". Access is denied
14:37: a0001154.exe (ID = 185985)
14:37: Found Adware: effective-i toolbar
14:37: a0000986.dll (ID = 59843)
14:38: Warning: Failed to open file "c:\system volume information\_restore{24532266-bd1f-4529-87a4-b7fd9ef2cb0c}\rp13\a0001004.exe". Access is denied
14:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:40: a0001026.dll (ID = 163672)
14:40: Found Adware: apropos
14:40: atmtd.dll._ (ID = 166754)
14:40: a0000983.exe (ID = 59853)
14:40: installer[1].exe (ID = 185986)
14:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:41: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:41: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:41: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:41: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:42: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:42: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:42: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:42: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:42: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:42: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:42: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:42: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:42: secure32.html (ID = 184319)
14:43: mte3ndi6odoxng[1].exe (ID = 185985)
14:43: a0001188.dll (ID = 144945)
14:43: atmtd.dll (ID = 166754)
14:43: a0001180.exe (ID = 144946)
14:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:43: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:43: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:43: cmdinst.exe (ID = 185986)
14:43: a0000982.exe (ID = 144946)
14:43: a0000985.dll (ID = 106574)
14:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:43: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:43: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:44: a0001005.dll (ID = 163672)
14:44: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:44: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:44: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:44: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:44: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:44: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:44: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:44: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:45: a0001158.dll (ID = 163672)
14:45: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:45: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:45: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:45: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:45: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:45: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:45: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:45: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:46: nq5vtqu1.vbs (ID = 185675)
14:46: a0000987.lnk (ID = 59838)
14:46: a0000989.lnk (ID = 59855)
14:47: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:47: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:47: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:47: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:47: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:47: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:47: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:47: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: Warning: Unhandled Archive Type
14:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:49: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:49: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:49: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:49: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:49: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:49: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:49: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:49: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:49: File Sweep Complete, Elapsed Time: 00:19:10
14:49: Full Sweep has completed. Elapsed time 00:33:17
14:49: Traces Found: 79
14:50: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:50: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:50: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:50: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:51: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:51: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:51: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:51: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:51: Removal process initiated
14:51: Quarantining All Traces: look2me
14:51: Quarantining All Traces: sc-keylog
14:51: Quarantining All Traces: spamrelayer_alpiok
14:51: Quarantining All Traces: spysheriff
14:51: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:51: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:51: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:51: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:51: Quarantining All Traces: trojan-backdoor-securemulti
14:51: Quarantining All Traces: trojan-backdoor-us15info
14:51: Quarantining All Traces: trojan-backdoor-zubox
14:51: Quarantining All Traces: apropos
14:51: Quarantining All Traces: trojan-backdoor-superbgirlz
14:51: Quarantining All Traces: command
14:52: Quarantining All Traces: cws_secure32.html hijack
14:52: Quarantining All Traces: effective-i toolbar
14:52: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:52: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:52: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:52: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:52: Quarantining All Traces: findthewebsiteyouneed hijacker
14:52: Quarantining All Traces: atlas dmt cookie
14:52: Quarantining All Traces: belnk cookie
14:52: Quarantining All Traces: yieldmanager cookie
14:52: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:52: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:52: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:52: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:53: Removal process completed. Elapsed time 00:01:52
14:53: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:53: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:53: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:53: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
********
14:13: | Start of Session, 16. studeni 2005 |
14:13: Spy Sweeper started
14:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:15: Your spyware definitions have been updated.
14:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
14:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
14:16: | End of Session, 16. studeni 2005 |


Logfile of HijackThis v1.99.1
Scan saved at 14:57:15, on 16.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Winamp\winampa.exe
C:\windows\adtech2005.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Vatreni Zid\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\Mirelaa\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Vatreni Zid\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [klop] C:\WINDOWS\D.tmp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Check Local Printer.lnk = C:\Program Files\KXP6X00\Chkpnt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1050\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\mv6ml9j11.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#6 OwNt (Malware Expert, Retired Staff, 7,457 posts)

Hello, mirella.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double click the second.bat file to continue with the fix.

Then open Hijackthis, scan, and place a checkmark by the following entries:

O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKCU\..\Run: [klop] C:\WINDOWS\D.tmp
This is a recommended removal as it is a major resource hog.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\mv6ml9j11.dll (file missing)


Close all open windows/browsers and click Fix Checked.

Then reboot into safe mode by tapping the F8 key as you turn on your computer. Select safe mode from the list that appears.

Once in safe mode, show hidden files and folders.

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Then delete the following files:

C:\windows\adtech2005.exe
C:\windows\timessquare.exe
C:\WINDOWS\D.tmp

Reboot into normal mode and post back a fresh Hijackthis log, and the log from L2MFix.
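The post above picks its "Fix Checked" entries by looking at where an autorun points: two programs dropped straight into C:\windows instead of an application folder, and a .tmp file registered under HKCU\..\Run. The following is an added example, not code from HijackThis, l2mfix or anyone in this thread, that applies those two heuristics to HijackThis O4 lines. The sample log is constructed from the entries quoted in the thread; the path extraction, the extension list and the "drop directory" list are this example's own assumptions.

```python
"""Triage of HijackThis O4 (autorun) lines.

Added example; not code from HijackThis, l2mfix or anyone in this thread.
It applies the reasoning used above to pick entries for "Fix Checked":
a program dropped straight into the Windows folder instead of an
application directory, and a non-program file (here a .tmp) registered
as an autorun. The path extraction and both heuristics are this
example's own assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in the format HijackThis 1.99.1 prints; the
# entries are the ones quoted in the thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [nod32kui] C:\\Program Files\\Eset\\nod32kui.exe /WAITSERVICE
O4 - HKLM\\..\\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\\..\\Run: [timessquare] C:\\windows\\timessquare.exe
O4 - HKLM\\..\\Run: [adtech2005] C:\\windows\\adtech2005.exe
O4 - HKLM\\..\\Run: [gcasServ] "C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe"
O4 - HKCU\\..\\Run: [klop] C:\\WINDOWS\\D.tmp
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Extensions Windows treats as directly runnable; anything else in a Run
# value is worth a look (assumption: the list is deliberately short).
PROGRAM_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif"}
# Directories where a legitimate installer almost never drops its
# program (assumption used as a heuristic, not a rule).
DROP_DIRS = {"c:\\windows", "c:\\winnt"}


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reason: str


def image_path(cmd: str) -> str:
    """Return the program path from a Run value's command line.

    Quoted paths are taken verbatim; unquoted ones stop at the first
    three-letter extension followed by whitespace or end of string, so
    'C:\\Program Files\\x\\y.exe /flag' yields the .exe and drops the flag.
    """
    m = re.match(r'"([^"]+)"|(.+?\.[A-Za-z]{3})(?=\s|$)', cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()


def triage(log_text: str) -> list[Finding]:
    """Return the O4 Run entries that match either heuristic, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue  # Global Startup lines and other sections are not handled here
        path = image_path(m["cmd"])
        p = PureWindowsPath(path)
        ext = p.suffix.lower()
        if ext not in PROGRAM_EXTS:
            findings.append(Finding(m["hive"], m["name"], path,
                                    f"autorun points at a '{ext or 'no'}' extension, not a program"))
        elif str(p.parent).lower() in DROP_DIRS:
            findings.append(Finding(m["hive"], m["name"], path,
                                    "program sits directly in the Windows folder"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive} [{f.name}] {f.path}: {f.reason}")
```

Run against the sample it reports exactly the three Run entries the post tells mirella to fix (timessquare, adtech2005 and klop) and leaves the antivirus, firewall and Messenger entries alone. The heuristics are intentionally narrow; a bare filename such as Mixer.exe is not flagged even though it is resolved through the search path.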
#7 mirella (New Member, Topic Starter, 9 posts)

Hellooo
The following problems occurred during the latest procedure you told me to do:

1. After I rebooted, the desktop icons didn't disappear (the L2mfix didn't run), so I did the second procedure, but after it was finished the desktop icons didn't appear, so I restarted my comp once again. The log file was saved in the L2mfix folder. (There's also this test5.txt document created.)

2. I couldn't find the file C:\WINDOWS\D.temp

Before deleting files:
(C:\windows\adtech2005.exe;
C:\windows\timessquare.exe;
C:\WINDOWS\D.tmp);
my ewido had to block the trojan look2me. Now it's silent.
And my NOD alerted me that there was a virus:

Time Module Object Name Virus Action User Info
16.11.2005 18:56:47 AMON file C:\System Volume Information\_restore{24532266-BD1F-4529-87A4-B7FD9EF2CB0C}\RP20\A0002986.exe Win32/PSW.Agent.BU trojan NT AUTHORITY\SYSTEM


It is silent now.

(I don't know what you are saying to me, I don't know what I'm doing, that's why I'm explaining what was happening.)

And here are my logs:

L2Mfix 1.04a

Running From:
C:\Documents and Settings\Mirelaa\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(IO) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- changing existing entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Setting Directory
C:\Documents and Settings\Mirelaa\Desktop\l2mfix

Running From:
C:\Documents and Settings\Mirelaa\Desktop\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 384 'smss.exe'
Error 0x6 : The handle is invalid.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 648 'winlogon.exe'
Error 0x6 : The handle is invalid.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1008 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\__delete_on_reboot__szesrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dcvxdec_040c.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnl8013ue.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpj4031qe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k044lahq1d4e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\__delete_on_reboot__guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\__delete_on_reboot__szesrv.dll
Successfully Deleted: C:\WINDOWS\system32\__delete_on_reboot__szesrv.dll
deleting: C:\WINDOWS\system32\dcvxdec_040c.dll
Successfully Deleted: C:\WINDOWS\system32\dcvxdec_040c.dll
deleting: C:\WINDOWS\system32\dnl8013ue.dll
Successfully Deleted: C:\WINDOWS\system32\dnl8013ue.dll
deleting: C:\WINDOWS\system32\fpj4031qe.dll
Successfully Deleted: C:\WINDOWS\system32\fpj4031qe.dll
deleting: C:\WINDOWS\system32\k044lahq1d4e.dll
Successfully Deleted: C:\WINDOWS\system32\k044lahq1d4e.dll
deleting: C:\WINDOWS\system32\__delete_on_reboot__guard.tmp
Successfully Deleted: C:\WINDOWS\system32\__delete_on_reboot__guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: dcvxdec_040c.dll (164 bytes security) (deflated 6%)
adding: dnl8013ue.dll (164 bytes security) (deflated 5%)
adding: fpj4031qe.dll (164 bytes security) (deflated 6%)
adding: k044lahq1d4e.dll (164 bytes security) (deflated 5%)
adding: __delete_on_reboot__szesrv.dll (164 bytes security) (deflated 6%)
adding: guard.tmp (164 bytes security) (deflated 6%)
adding: __delete_on_reboot__guard.tmp (164 bytes security) (deflated 6%)
adding: clear.reg (164 bytes security) (deflated 60%)
adding: echo.reg (164 bytes security) (deflated 11%)
zip warning: name not matched: *.ini

zip error: Nothing to do! (backup.zip)
adding: direct.txt (164 bytes security) (stored 0%)
adding: flag.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 78%)
adding: readme.txt (164 bytes security) (deflated 52%)
adding: report.txt (164 bytes security) (deflated 68%)
adding: test.txt (164 bytes security) (deflated 64%)
adding: test2.txt (164 bytes security) (deflated 42%)
adding: test3.txt (164 bytes security) (deflated 42%)
adding: test5.txt (164 bytes security) (deflated 42%)
adding: xfind.txt (164 bytes security) (deflated 57%)
adding: backregs/2365BB48-C114-4028-BD2B-7B838D24189F.reg (164 bytes security) (deflated 70%)
adding: backregs/2989D934-03B1-4537-AA2A-AC19603B0043.reg (164 bytes security) (deflated 70%)
adding: backregs/2A37456A-EC44-49F0-B3B7-807CA73D4E0B.reg (164 bytes security) (deflated 70%)
adding: backregs/5C926F11-3EAA-4704-9EAF-C68BEEB67269.reg (164 bytes security) (deflated 70%)
adding: backregs/BDB8FD69-5190-4F97-933E-8DBFE69553EC.reg (164 bytes security) (deflated 70%)
adding: backregs/C01AF41B-7ADF-4A08-BB77-0AAF919C068D.reg (164 bytes security) (deflated 70%)
adding: backregs/D7DF0407-F394-42A4-82BB-3B8397C191DC.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: __delete_on_reboot__szesrv.dll
deleting local copy: dcvxdec_040c.dll
deleting local copy: dnl8013ue.dll
deleting local copy: fpj4031qe.dll
deleting local copy: k044lahq1d4e.dll
deleting local copy: __delete_on_reboot__guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnl8013ue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\__delete_on_reboot__szesrv.dll
C:\WINDOWS\system32\dcvxdec_040c.dll
C:\WINDOWS\system32\dnl8013ue.dll
C:\WINDOWS\system32\fpj4031qe.dll
C:\WINDOWS\system32\k044lahq1d4e.dll
C:\WINDOWS\system32\__delete_on_reboot__guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{2989D934-03B1-4537-AA2A-AC19603B0043}"=-
"{5C926F11-3EAA-4704-9EAF-C68BEEB67269}"=-
"{C01AF41B-7ADF-4A08-BB77-0AAF919C068D}"=-
"{BDB8FD69-5190-4F97-933E-8DBFE69553EC}"=-
"{D7DF0407-F394-42A4-82BB-3B8397C191DC}"=-
"{2A37456A-EC44-49F0-B3B7-807CA73D4E0B}"=-
"{2365BB48-C114-4028-BD2B-7B838D24189F}"=-
[-HKEY_CLASSES_ROOT\CLSID\{2989D934-03B1-4537-AA2A-AC19603B0043}]
[-HKEY_CLASSES_ROOT\CLSID\{5C926F11-3EAA-4704-9EAF-C68BEEB67269}]
[-HKEY_CLASSES_ROOT\CLSID\{C01AF41B-7ADF-4A08-BB77-0AAF919C068D}]
[-HKEY_CLASSES_ROOT\CLSID\{BDB8FD69-5190-4F97-933E-8DBFE69553EC}]
[-HKEY_CLASSES_ROOT\CLSID\{D7DF0407-F394-42A4-82BB-3B8397C191DC}]
[-HKEY_CLASSES_ROOT\CLSID\{2A37456A-EC44-49F0-B3B7-807CA73D4E0B}]
[-HKEY_CLASSES_ROOT\CLSID\{2365BB48-C114-4028-BD2B-7B838D24189F}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************



Logfile of HijackThis v1.99.1
Scan saved at 20:30:58, on 16.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Vatreni Zid\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mirelaa\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Vatreni Zid\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Check Local Printer.lnk = C:\Program Files\KXP6X00\Chkpnt.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1050\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


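The L2MFix log above shows why this infection survived the earlier cleaning: under HKLM\...\Winlogon\Notify there was a subkey named "BITS" whose DllName pointed at C:\WINDOWS\system32\dnl8013ue.dll, one of the files the tool backed up and deleted. Every subkey there names a DLL that winlogon.exe loads at logon. The following is an added example, not l2mfix code and not from anyone in this thread, that parses a Notify export in .reg syntax, decodes the hex(2) (REG_EXPAND_SZ as UTF-16LE bytes, wrapped across lines) values the export uses for the built-in entries, and lists which DLL each subkey registers. The sample export is a constructed excerpt of the one posted above; the allow-list of Windows XP notify DLLs and the "suspicious" heuristic are this example's own assumptions.

```python
"""Decode a Winlogon Notify registry export and list the DLLs it registers.

Added example; not l2mfix code and not from anyone in this thread. The
parser handles the value encodings seen in the export above: quoted
strings (backslashes doubled), dword:, and hex(2) values wrapped across
lines with a trailing backslash. The allow-list and the heuristic in
suspicious_notify_entries() are assumptions made for this example.
"""
import re
from pathlib import PureWindowsPath

# Constructed excerpt of the export quoted in the thread, in real .reg
# syntax (string backslashes are doubled, long hex values wrap with '\').
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnl8013ue.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"DllName"="WRLogonNTF.dll"
"""

# Notify DLLs Windows XP itself registers, taken from the export above
# (assumption: anything else deserves a closer look).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll"}


def decode_value(raw: str):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("1", "2"):  # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text: str) -> dict:
    """Return {key path: {value name: value}} for every key in the export."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        if current is None or not line.startswith('"'):
            continue
        while line.endswith("\\") and i < len(lines):  # hex continuation lines
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, raw = line.partition("=")
        current[name.strip('"')] = decode_value(raw)
    return keys


def notify_dlls(keys: dict) -> dict:
    """Map each Notify subkey to the DLL winlogon.exe would load for it."""
    out = {}
    for key, values in keys.items():
        if "\\Winlogon\\Notify\\" not in key:
            continue
        sub = key.rsplit("\\", 1)[1]
        for vname, v in values.items():
            if vname.lower() == "dllname":  # value name casing varies in the export
                out[sub] = v
    return out


def looks_random(stem: str) -> bool:
    """Heuristic: a mix of letters and two or more digits, like 'dnl8013ue'."""
    return sum(c.isdigit() for c in stem) >= 2 and any(c.isalpha() for c in stem)


def suspicious_notify_entries(dll_map: dict) -> dict:
    """Entries outside the allow-list that carry a full path or a random-looking name."""
    bad = {}
    for sub, dll in dll_map.items():
        p = PureWindowsPath(dll)
        if p.name.lower() in KNOWN_NOTIFY_DLLS:
            continue
        if p.parent != PureWindowsPath(".") or looks_random(p.stem):
            bad[sub] = dll
    return bad


if __name__ == "__main__":
    dlls = notify_dlls(parse_reg(SAMPLE_EXPORT))
    for sub, dll in dlls.items():
        print(f"{sub:14} -> {dll}")
    print("suspicious:", suspicious_notify_entries(dlls))
```

On the sample this decodes the hex(2) value for crypt32chain back to crypt32.dll, keeps Spy Sweeper's WRLogonNTF.dll (a bare, non-random name) as merely unknown, and reports only the "BITS" subkey, which is the one L2MFix's deletion list also removed.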
#8 OwNt (Malware Expert, Retired Staff, 7,457 posts)

Hello, mirella.

Let's delete the current restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405


Then please run a scan at Kaspersky.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back a fresh Hijackthis log, and the log from Kaspersky.
#9 mirella (New Member, Topic Starter, 9 posts)

Hello,
I have restored my system. But I cannot enter the site: http://www.kaspersky.com/

Logfile of HijackThis v1.99.1
Scan saved at 18:36:21, on 17.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Vatreni Zid\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Vatreni Zid\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Check Local Printer.lnk = C:\Program Files\KXP6X00\Chkpnt.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1050\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#10
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, mirella.

Please try HouseCall.

Trend-Micro Housecall Scan
  • Please go HERE to run Housecall.
  • Note: you must use Internet Explorer, other browsers will not work.
  • Under "Scan your PC", please click Scan now. It's free!
  • Select your location and click the Go button.
  • Click the red magnifying glass button.
  • Select Complete Scan.
  • Please be patient while Housecall downloads.
  • Please allow the ActiveX Control and when prompted click install
  • Put a check next to My Computer
  • Leave the following checked:
    • Scan for Spyware
    • Check security vulnerabilities
  • Click the Next button.
  • It will download the latest scan engine and pattern files.
  • When the definitions have been downloaded, the scan will start.
  • After it's done scanning it will take you to the summary page.
  • Click the Next button.
  • Click the drop-down to choose delete or remove on each bad guy found, if you receive a prompt click OK.
  • Click the Next button to move onto the recovery (final) portion of the scan.
  • After everything has been removed, please click the show button on everything.
  • Highlight all of the text and press CTRL + C to copy the text.
  • Please post the contents into your next reply.
Also, how is your computer running?

Edited by OwNt, 18 November 2005 - 12:31 AM.

#11
mirella

    New Member

  • Topic Starter
  • Member
  • 9 posts

Virus Scan 0 virus cleaned, 0 virus deleted


Results:
We have detected 0 infected file(s) with 0 virus(es) on your computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken

Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken

Spyware Check 2 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 2 spyware(s) on your computer. Only 0 out of 0 spywares are displayed:
- 0 spyware(s) passed, 0 spyware(s) no action available
- 2 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
COOKIE_45 Cookie Removal successful
COOKIE_3201 Cookie Removal successful


It's working much much better.
:tazz:
I think all the problems are resolved.

Thank you very much.
Greetings from Mostar (Bosnia & Herzegovina, ex Yu, SouthEastern Europe).

#12
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, mirella.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
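Added illustration, not part of OwNt's post or of any tool mentioned in this thread: the six "Make your Internet Explorer more secure" changes above are stored by Internet Explorer as numeric values under the current user's Internet Settings\Zones\3 registry key (zone 3 is the Internet zone), so they can be checked from PowerShell instead of re-opening the Custom Level dialog. The value-name-to-setting mapping and the 0/1/3 (Enable/Prompt/Disable) encoding are assumptions about the standard IE zone layout; the script only reads the key and reports, it changes nothing.

```powershell
# Added example (not from the original thread): audit the Internet zone settings
# that the post above says to change by hand, without modifying any of them.
# Assumption: the numeric value names below are IE's standard zone policy
# identifiers and the data is 0 = Enable, 1 = Prompt, 3 = Disable.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended states, taken from the post, keyed by the zone policy value name.
$Recommended = @(
    @{ Name = '1001'; Setting = 'Download signed ActiveX controls';                          Want = 1 }
    @{ Name = '1004'; Setting = 'Download unsigned ActiveX controls';                        Want = 3 }
    @{ Name = '1201'; Setting = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    @{ Name = '1800'; Setting = 'Installation of desktop items';                             Want = 1 }
    @{ Name = '1804'; Setting = 'Launching programs and files in an IFRAME';                 Want = 1 }
    @{ Name = '1607'; Setting = 'Navigate sub-frames across different domains';              Want = 1 }
)

$StateName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneState {
    # Returns the DWORD stored for one zone policy, or $null if the value is absent
    # (an absent value means IE is using its built-in default for that zone).
    param([string]$Path, [string]$ValueName)
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-InternetZoneHardening {
    # Emits one object per recommended setting with the current and wanted state.
    param([string]$Path = $ZonePath)
    foreach ($rule in $Recommended) {
        $current = Get-ZoneState -Path $Path -ValueName $rule.Name
        $currentLabel = if ($null -eq $current) {
            'not set (default)'
        } elseif ($StateName.ContainsKey($current)) {
            $StateName[$current]
        } else {
            "unknown ($current)"
        }
        [pscustomobject]@{
            Setting     = $rule.Setting
            Value       = $rule.Name
            Current     = $currentLabel
            Recommended = $StateName[$rule.Want]
            Compliant   = ($current -eq $rule.Want)
        }
    }
}

# Print the report; exit non-zero when anything still needs attention so the
# check can be dropped into a logon script or scheduled task.
$results = Test-InternetZoneHardening
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it in a normal (non-elevated) PowerShell window as the user whose browser you are checking, since the values live under HKCU. Two caveats: a setting that has never been touched in the dialog may be absent from the key and is reported as "not set (default)" rather than as a named state, and values enforced by Group Policy live under the HKLM and Policies keys, which this check does not read.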


#13
OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.