Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Can't get rid of pop ups [RESOLVED]

Started by mcronin , Nov 23 2005 12:38 PM

  • This topic is locked This topic is locked

#1
mcronin
Posted 23 November 2005 - 12:38 PM

mcronin

    New Member

  • Member
  • Pip
  • 6 posts
Hey there,

Since I connected to the net about 2 weeks ago I've been having problems. MOst of these have been resolved but I continue to get pop-ups. I have explorer and mozilla and when I'm running explorer a new window just pops up quite regularly. As well as this, a mozilla window pops up even when i'm not using mozilla. I've followed the guidelines in "Read this before posting a HJT log" (except instead of Ewido I have Norton AntiVirus) but the problem continues. Could someone please have a look at my HJT logfile below and offer some suggestions. Thank you very much.

One other question: I want to do a credit card transaction over the net and I'm apprehensive while I still have these malware problems. Is this a genuine worry or am I being overly cautious? Can I go ahead and do the transaction without fear of someone getting my number? Again, thanks very much.

Logfile of HijackThis v1.99.1
Scan saved at 15:28:05, on 23/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\TWljaGFlbCBDcm9uaW4\command.exe
C:\WINNT\msdt.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\shost.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe
C:\Program Files\uapl\amoa.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rte.ie/
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.iol.ie"); (C:\Program Files\Netscape\Users\free\prefs.js)
O1 - Hosts: 82.146.41.81 lloydstsb.co.uk
O1 - Hosts: 82.146.41.81 www.lloydstsb.co.uk
O1 - Hosts: 82.146.41.81 www.lloydstsb.com
O1 - Hosts: 82.146.41.81 personal.barclays.co.uk
O1 - Hosts: 82.146.41.81 barclays.co.uk
O1 - Hosts: 82.146.41.81 www.barclays.co.uk
O1 - Hosts: 82.146.41.81 nwolb.com
O1 - Hosts: 82.146.41.81 hsbc.co.uk
O1 - Hosts: 82.146.41.81 www.hsbc.co.uk
O1 - Hosts: 82.146.41.81 abbey.com
O1 - Hosts: 82.146.41.81 www.abbey.com
O1 - Hosts: 82.146.41.81 www.abbey.co.uk
O1 - Hosts: 82.146.41.81 abbey.co.uk
O1 - Hosts: 82.146.41.81 cahoot.com
O1 - Hosts: 82.146.41.81 www.cahoot.com
O1 - Hosts: 82.146.41.81 www.cahoot.co.uk
O1 - Hosts: 82.146.41.81 cahoot.co.uk
O1 - Hosts: 82.146.41.81 www.co-operativebank.co.uk
O1 - Hosts: 82.146.41.81 co-operativebank.co.uk
O1 - Hosts: 82.146.41.81 www.co-operativebank.com
O1 - Hosts: 82.146.41.81 co-operativebank.com
O1 - Hosts: 82.146.41.81 welcome2.co-operativebankonline.co.uk
O1 - Hosts: 82.146.41.81 welcome6.co-operativebankonline.co.uk
O1 - Hosts: 82.146.41.81 welcome8.co-operativebankonline.co.uk
O1 - Hosts: 82.146.41.81 welcome10.co-operativebankonline.co.uk
O1 - Hosts: 82.146.41.81 www.smile.co.uk
O1 - Hosts: 82.146.41.81 smile.co.uk
O1 - Hosts: 82.146.41.81 www.cajamar.es
O1 - Hosts: 82.146.41.81 cajamar.es
O1 - Hosts: 82.146.41.81 www.cajamar.com
O1 - Hosts: 82.146.41.81 www.unicaja.es
O1 - Hosts: 82.146.41.81 unicaja.es
O1 - Hosts: 82.146.41.81 www.unicaja.com
O1 - Hosts: 82.146.41.81 unicaja.com
O1 - Hosts: 82.146.41.81 www.caixagalicia.es
O1 - Hosts: 82.146.41.81 caixagalicia.es
O1 - Hosts: 82.146.41.81 www.caixagalicia.com
O1 - Hosts: 82.146.41.81 caixagalicia.com
O1 - Hosts: 82.146.41.81 activa.caixagalicia.es
O1 - Hosts: 82.146.41.81 www.caixapenedes.es
O1 - Hosts: 82.146.41.81 caixapenedes.es
O1 - Hosts: 82.146.41.81 www.caixapenedes.com
O1 - Hosts: 82.146.41.81 caixapenedes.com
O1 - Hosts: 82.146.41.81 www.caixasabadell.es
O1 - Hosts: 82.146.41.81 caixasabadell.es
O1 - Hosts: 82.146.41.81 www.caixasabadell.net
O1 - Hosts: 82.146.41.81 caixasabadell.net
O1 - Hosts: 82.146.41.81 www.cajamadrid.es
O1 - Hosts: 82.146.41.81 cajamadrid.es
O1 - Hosts: 82.146.41.81 www.cajamadrid.com
O1 - Hosts: 82.146.41.81 cajamadrid.com
O1 - Hosts: 82.146.41.81 www.ccm.es
O1 - Hosts: 82.146.41.81 ccm.es
O1 - Hosts: 17.145.117.11 d-ru-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-2f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-2h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-2f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-2h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-us-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-us-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 downloads1.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads2.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads3.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads4.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads5.kaspersky.ru
O1 - Hosts: 17.145.117.11 kaspersky.ru
O1 - Hosts: 17.145.117.11 www.kaspersky-labs.com
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Windows System Security] hbhzri.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\System32\csrs.exe
O4 - HKLM\..\Run: [ntdll.dll] c:\program files\zango\zango.exe
O4 - HKLM\..\Run: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKLM\..\Run: [VEL_] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKLM\..\RunServices: [m4n70s Personal Firewall] m4n70s.exe
O4 - HKLM\..\RunServices: [Windows System Security] hbhzri.exe
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKCU\..\Run: [Windows System Security] hbhzri.exe
O4 - HKCU\..\Run: [Wioc] "C:\Program Files\uapl\amoa.exe" -vt mt
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tcl: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\nptcl32.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132247282904
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rcabinstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80DA7953-EF5F-4FF0-9404-99CBC96AC244}: NameServer = 200.74.160.103 200.74.160.104
O20 - Winlogon Notify: IPConfTSP - C:\WINNT\system32\j60s0gd7e60.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TWljaGFlbCBDcm9uaW4\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft Distributed Transaction (MSDT) - Unknown owner - C:\WINNT\msdt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements

#2
Crustyoldbloke
Posted 23 November 2005 - 03:15 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello mcronin and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated. Let’s see what we can do with the first sweep.

Now that I am assisting you, please revisit http://www.spywarewa...ic.php?p=104480 and cancel your request for help there. I would hate to think of someone working for over an hour on this log only to find you had gone somewhere else. I would not advise using a credit or debit card on this PC until it is declared clean.

Firstly could you please disable Ad-watch from running during the fix, it may just hinder our attempts to change anything. To disable AdWatch:

Open Ad-Aware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
Ewido Security Suite
Hoster

Go to Start>Run and type Services.msc then hit OK
Scroll down and find these services:

Command Service (cmdService)
Service Hosts (ServiceHost)

When you find them, double-click on each. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter these items into that field (copy and paste):

cmdService
ServiceHost

Click OK.

It should pull up information about the service, when it asks if you want to reboot now click YES

Please run Hoster (just double click it to open). Choose the Restore Original Hosts button and press OK.

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards

Install Ewido Security Suite.
  • Install Ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
    • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Launch Ewido, there should be an icon on your desktop, double-click it.
  • The programme will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK.
Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop and include it in your reply.
Now close Ewido security suite.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - Default URLSearchHook is missing
O1 - Hosts: 82.146.41.81 lloydstsb.co.uk
O1 - Hosts: 82.146.41.81 www.lloydstsb.co.uk
O1 - Hosts: 82.146.41.81 www.lloydstsb.com
O1 - Hosts: 82.146.41.81 personal.barclays.co.uk
O1 - Hosts: 82.146.41.81 barclays.co.uk
O1 - Hosts: 82.146.41.81 www.barclays.co.uk
O1 - Hosts: 82.146.41.81 nwolb.com
O1 - Hosts: 82.146.41.81 hsbc.co.uk
O1 - Hosts: 82.146.41.81 www.hsbc.co.uk
O1 - Hosts: 82.146.41.81 abbey.com
O1 - Hosts: 82.146.41.81 www.abbey.com
O1 - Hosts: 82.146.41.81 www.abbey.co.uk
O1 - Hosts: 82.146.41.81 abbey.co.uk
O1 - Hosts: 82.146.41.81 cahoot.com
O1 - Hosts: 82.146.41.81 www.cahoot.com
O1 - Hosts: 82.146.41.81 www.cahoot.co.uk
O1 - Hosts: 82.146.41.81 cahoot.co.uk
O1 - Hosts: 82.146.41.81 www.co-operativebank.co.uk
O1 - Hosts: 82.146.41.81 co-operativebank.co.uk
O1 - Hosts: 82.146.41.81 www.co-operativebank.com
O1 - Hosts: 82.146.41.81 co-operativebank.com
O1 - Hosts: 82.146.41.81 welcome2.co-operativebankonline.co.uk
O1 - Hosts: 82.146.41.81 welcome6.co-operativebankonline.co.uk
O1 - Hosts: 82.146.41.81 welcome8.co-operativebankonline.co.uk
O1 - Hosts: 82.146.41.81 welcome10.co-operativebankonline.co.uk
O1 - Hosts: 82.146.41.81 www.smile.co.uk
O1 - Hosts: 82.146.41.81 smile.co.uk
O1 - Hosts: 82.146.41.81 www.cajamar.es
O1 - Hosts: 82.146.41.81 cajamar.es
O1 - Hosts: 82.146.41.81 www.cajamar.com
O1 - Hosts: 82.146.41.81 www.unicaja.es
O1 - Hosts: 82.146.41.81 unicaja.es
O1 - Hosts: 82.146.41.81 www.unicaja.com
O1 - Hosts: 82.146.41.81 unicaja.com
O1 - Hosts: 82.146.41.81 www.caixagalicia.es
O1 - Hosts: 82.146.41.81 caixagalicia.es
O1 - Hosts: 82.146.41.81 www.caixagalicia.com
O1 - Hosts: 82.146.41.81 caixagalicia.com
O1 - Hosts: 82.146.41.81 activa.caixagalicia.es
O1 - Hosts: 82.146.41.81 www.caixapenedes.es
O1 - Hosts: 82.146.41.81 caixapenedes.es
O1 - Hosts: 82.146.41.81 www.caixapenedes.com
O1 - Hosts: 82.146.41.81 caixapenedes.com
O1 - Hosts: 82.146.41.81 www.caixasabadell.es
O1 - Hosts: 82.146.41.81 caixasabadell.es
O1 - Hosts: 82.146.41.81 www.caixasabadell.net
O1 - Hosts: 82.146.41.81 caixasabadell.net
O1 - Hosts: 82.146.41.81 www.cajamadrid.es
O1 - Hosts: 82.146.41.81 cajamadrid.es
O1 - Hosts: 82.146.41.81 www.cajamadrid.com
O1 - Hosts: 82.146.41.81 cajamadrid.com
O1 - Hosts: 82.146.41.81 www.ccm.es
O1 - Hosts: 82.146.41.81 ccm.es
O1 - Hosts: 17.145.117.11 d-ru-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-2f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-ru-2h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-2f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-2h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-eu-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-us-1f.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 d-us-1h.kaspersky-labs.com
O1 - Hosts: 17.145.117.11 downloads1.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads2.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads3.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads4.kaspersky.ru
O1 - Hosts: 17.145.117.11 downloads5.kaspersky.ru
O1 - Hosts: 17.145.117.11 kaspersky.ru
O1 - Hosts: 17.145.117.11 www.kaspersky-labs.com
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\System32\csrs.exe
O4 - HKLM\..\Run: [ntdll.dll] c:\program files\zango\zango.exe
O4 - HKLM\..\Run: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKLM\..\Run: [VEL_] C:\windows\mrjj.exe
O4 - HKLM\..\RunServices: [m4n70s Personal Firewall] m4n70s.exe
O4 - HKLM\..\RunServices: [Windows System Security] hbhzri.exe
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKCU\..\Run: [Windows System Security] hbhzri.exe
O4 - HKCU\..\Run: [Wioc] "C:\Program Files\uapl\amoa.exe" -vt mt
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rcabinstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80DA7953-EF5F-4FF0-9404-99CBC96AC244}: NameServer = 200.74.160.103 200.74.160.104
O20 - Winlogon Notify: IPConfTSP - C:\WINNT\system32\j60s0gd7e60.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TWljaGFlbCBDcm9uaW4\command.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\WINNT\TWljaGFlbCBDcm9uaW4\
C:\Program Files\RXToolBar\
c:\program files\zango\

Please delete these files (if present) using Windows Explorer:

msgame32.exe – use search to find these files
m4n70s.exe
hbhzri.exe
mouse.exe

Close Windows Explorer and Reboot normally

Please install Killbox by Option^Explicit.
  • Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
  • In the Killbox programme, select the Delete on Reboot option.
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINNT\shost.exe
C:\WINNT\System32\csrs.exe
C:\Program Files\uapl\amoa.exe
C:\WINNT\web\related.htm
C:\WINNT\system32\j60s0gd7e60.dll
C:\windows\mrjj.exe
  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Post back a fresh HijackThis log (from normal mode) and I will take another look. (2 logs)
  • 0

#3
mcronin
Posted 24 November 2005 - 04:09 PM

mcronin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hey Crustyoldbloke,

Sorry for not replying earlier. I was only able to complete the guidelines you gave me today. Thank you so much for the advice. Unfortunately I still have the pop up problem whereby explorer opens a new window periodically and mozilla just starts up of its own accord. I was able to follow your advice completely apart from these bits:

1) AT the very beginning after running Services.msc, you said to click the Stop button for Command Service and Service Hosts. However the stop button was disabled. By the way, I'm not sure if this makes a difference but I'm running Windows 2000 Professional on this computer.

2) You advised me that when I ran Ewido for the first time in Safe Mode I would get a warning "Database could not be found"

and finally

3) For Killbox you said to copy the filenames below, return to Killbox and choose "Paste from Clipboard"

C:\WINNT\shost.exe
C:\WINNT\System32\csrs.exe
C:\Program Files\uapl\amoa.exe
C:\WINNT\web\related.htm
C:\WINNT\system32\j60s0gd7e60.dll
C:\windows\mrjj.exe

However it seemed to me that I was only able to paste the following 2 files (i.e. only these 2 showed up in the "Full Path of File to Delete" box. I tried typing in the other files and deleting but nothing happened.
C:\Program Files\uapl\amoa.exe
C:\WINNT\web\related.htm


I don't know if these points made a difference but I thought I'd mention them. As requested here is the Scan Report from Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 14:21:51, 24/11/2005
+ Report-Checksum: 8EBF7E67

+ Scan result:

HKLM\SOFTWARE\Classes\ADM.ADM -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM.ADM\CLSID -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM.ADM\CLSID\\ -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM.ADM\CurVer -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM.ADM.1 -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM.ADM.1\CLSID\\ -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\adm.EXE\\AppID -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE\\AppID -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{8B0FEF15-54DC-49F5-8377-8172DE975F75} -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{99A8E2B2-3405-4C0D-9110-131C14CAAF62} -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0} -> Spyware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}\TypeLib\\ -> Spyware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{44BE0690-5429-47F0-85BB-3FFD8020233E} -> Spyware.UCmore : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4D1C4E89-A32A-416b-BCDB-33B3EF3617D3} -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4D1C4E8B-A32A-416b-BCDB-33B3EF3617D3} -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{630D6140-04C5-4db0-B27A-020D766FF09B} -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9BBCF06C-DCD7-495D-80DF-CDD5399D0FF8} -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9BBCF06C-DCD7-495D-80DF-CDD5399D0FF8}\\AppID -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C15B7EA2-A360-43E8-A591-5FAEDC7C4E1D} -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C15B7EA2-A360-43E8-A591-5FAEDC7C4E1D}\\AppID -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C15B7EA2-A360-43E8-A591-5FAEDC7C4E1D}\TypeLib\\ -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F78B32D6-D6D8-4137-A18F-91EBE1A4AEDB}\TreatAs\\ -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E}\ProxyStubClsid32\\ -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{1B540D44-3F61-4394-AE30-25FDC3649405}\ProxyStubClsid32\\ -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{29E825AA-13BC-457C-806A-D72E4A25B3C5} -> Spyware.BrilliantDigital : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{29E825AA-13BC-457C-806A-D72E4A25B3C5}\TypeLib\\ -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662}\ProxyStubClsid32\\ -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4D1C4E8A-A32A-416B-BCDB-33B3EF3617D3} -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4D1C4E8C-A32A-416B-BCDB-33B3EF3617D3} -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{700DC0DD-F409-42E0-9DE5-21EE1A2BA9FD} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{700DC0DD-F409-42E0-9DE5-21EE1A2BA9FD}\ProxyStubClsid32\\ -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0}\ProxyStubClsid32\\ -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{CE9B37EC-D243-47A2-83DB-3A8350175193}\ProxyStubClsid32\\ -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438} -> Spyware.BrilliantDigital : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438}\TypeLib\\ -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{FB590D02-0A82-4F44-9FAD-517948DCF4F3}\TypeLib\\ -> Spyware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099}\ProxyStubClsid32\\ -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.SettingsPlugin -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.SettingsPlugin\CLSID -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.SettingsPlugin\CLSID\\ -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.SettingsPlugin\CurVer -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.SettingsPlugin.1 -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.SettingsPlugin.1\CLSID\\ -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.ToolbarPlugin -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.ToolbarPlugin\CLSID -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.ToolbarPlugin\CLSID\\ -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.ToolbarPlugin\CurVer -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.ToolbarPlugin.1 -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.ToolbarPlugin.1\CLSID\\ -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy\CLSID\\ -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy.1\CLSID\\ -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\RXToolBar.TBInfo -> Spyware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\RXToolBar.TBInfo\CLSID -> Spyware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\RXToolBar.TBInfo\CLSID\\ -> Spyware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\RXToolBar.TBInfo\CurVer -> Spyware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\RXToolBar.TBInfo.1 -> Spyware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\RXToolBar.TBInfo.1\CLSID\\ -> Spyware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\SigningModule.SigningModule -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\SigningModule.SigningModule\CLSID -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\SigningModule.SigningModule\CLSID\\ -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\SigningModule.SigningModule\CurVer -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\SigningModule.SigningModule.1 -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\SigningModule.SigningModule.1\CLSID\\ -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5830698F-7FC0-40CD-A453-9A0CAFDF3A64} -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{66B20295-DC57-42B6-ACDF-52D916E86464} -> Spyware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\ClickSpring -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Effective-i -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\\ComId -> Spyware.UCmore : Cleaned with backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D6711C8-7154-40BB-8380-3DEA45B69CBF} -> TrojanDownloader.WebP2P : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0} -> Spyware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{44BE0690-5429-47f0-85BB-3FFD8020233E} -> Spyware.UCmore : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Need2FindBar Uninstall -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/MediaTicketsInstaller.ocx\\.Owner -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/MediaTicketsInstaller.ocx\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/mfc42.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/msvcrt.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/olepro32.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltnetDM -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Need2FindBar Uninstall -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RXToolBar -> Spyware.RXToolbar : Cleaned with backup
HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Effective-i -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Effective-i\TheSearchAccelerator -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Effective-i\TheSearchAccelerator\IE5 -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1053 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1074 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4496 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4543 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_1053 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_1068 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_1074 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_1053 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_1068 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_1074 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1116 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1524 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1553 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1641 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Queue -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Status -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Maxthon\Plugin\toolbar\{44BE0690-5429-47f0-85BB-3FFD8020233E} -> Spyware.UCmore : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0} -> Spyware.RXToolbar : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{44BE0690-5429-47F0-85BB-3FFD8020233E} -> Spyware.UCmore : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-1202660629-813497703-1060284298-500\Software\RX Toolbar -> Spyware.RXToolbar : Cleaned with backup
[96] C:\WINNT\system32\sqcur32.dll -> Spyware.Look2Me : Error during cleaning
[480] C:\WINNT\system32\sqcur32.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adtech[1].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\B0WHYJVT\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\B0WHYJVT\AppWrap[2].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MWKNXHV3\AppWrap[1].exe -> Spyware.Zestyfind : Cleaned with backup
C:\mte3ndi6odoxng.exe -> TrojanDownloader.Small.buy : Cleaned with backup
C:\Program Files\Common Files\Sony Shared\Visualizer\ExlGen.dll -> Dialer.Generic : Cleaned with backup
C:\Program Files\Kazaa\TopSearch.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Need2Find -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin\N2FFXTBR.JAR -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin\N2NTSTBR.JAR -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin\N2PLUGIN.DLL -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin\NPND2FN.DLL -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\1.bin\PARTNER.DAT -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Cache -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Cache\00677C46 -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Cache\0067DB04 -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Cache\00699CB0 -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Cache\files.ini -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History\search -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings\prevcfg.htm -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\RXToolBar -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTadopt_hotbar_com_tpad_jsp_l=6043&sz=pop&rnd=4436NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTapollo_rte_ie_search_jsp_query=family+history%5DNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTa_tribalfusion_com_p_media_WWKMLINONQWNMSPRGLISGPOYJPQKBSIEJMHJMLEICVPXDNMLSKOQELROISFKHOEVJWSLLDVMRPNSJ_137796_pop_htmlNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTby20fd_bay20_hotmail_msn_com_cgi-bin_dasp_virusScanPopup_aspNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTby20fd_bay20_hotmail_msn_com_cgi-bin_HoTMaiL_curmbox=F000000001&a=fcc266a40c95cf5cabc4da2378fec8d7ad5e2ea2fc4ef084c5d57a4ed0ecad45NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTc_azjmp_com_az_ch_php_f=1803&i=1847&sub=&pop=&aux=&bypass=NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTc_azjmp_com_az_ch_php_f=1885&i=1918&sub=NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTc_azjmp_com_az_ch_php_f=925&i=1918&sub=popup&pop=0&r=1&geo=1NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTc_azjmp_com_az_ch_php_pop=0&f=1783&i=1918&sub=popupNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTc_qckjmp_com_az_ch_php_f=1903&i=1918NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTfamilygames_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTgroups_yahoo_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CThome_pacbell_net_nymets11_genuki_LIM_NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTlabmice_techtarget_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTlimerickdiocese_org -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTmolyworld_net_molyneux_wrongsp01_htmNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTmovies_yahoo_com_NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTnews_bbc_co_uk_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTnews_bbc_co_uk_sport_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTnews_yahoo_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTsantiago_craigslist_org_eng_NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTscripts_ireland_com_ancestor_fuses_rcparishmaps_index_cfm_fuseaction=showidrecords&CityCounty=Kerry&parish=Listowel&churchid=678NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTsearch_freefind_com_find_html_id=9173135&pageid=r&mode=ALL&query=molyneauxNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTservice_bfast_com_bfast_click_bfmid=5647408&siteid=39580444&bfpage=bfrd&bfurl=http___www_ancestry_com_rd_befree_affprodredirect_asp_key=Uhttp___www_rootsweb_com_~irlker_birth_htmlNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTservice_bfast_com_bfast_click_bfmid=5647408&siteid=39580444&bfpage=bfrd&bfurl=http___www_ancestry_com_rd_befree_affprodredirect_asp_key=Uhttp___www_rootsweb_com_~irlker_death_htmlNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTservice_bfast_com_bfast_click_bfmid=5647408&siteid=40838474&bfpage=uki_aftNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTspywarewarrior_com_viewtopic_php_p=105244#105244NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTsupport_microsoft_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTtechrepublic_com_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTupdate_microsoft_com_microsoftupdate_v6_default_aspxNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_altnet_com_as_frame-spyscan_htm_email=NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_ancestry_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_annoyances_org_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_apollo_ie_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_atozmarriages_com -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_bbc_co_uk_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_board_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_browseireland_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_census-online_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_censusfinder_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_cmcrp_net -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_computrabajo_cl_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_corkaid_ie_NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_cousinconnect_com -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_cybertechhelp_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_eslcafe_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_eslcafe_com_forums_job_login_phpNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_eslcafe_com_forums_job_viewtopic_php_t=31906NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_eslcafe_com_jobinfoNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_familydynamics_net_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_fhm_com_site_girls_covergirl_asp_GID=452&Page=2NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_football365_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_from-ireland_net -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_gaeltalk_net -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_google_cl_search_hl=es&q=daves+esl+cafe&meta=NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_google_cl_search_hl=es&q=general+knowledge+quiz+&meta=NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_google_cl_search_hl=es&q=trabaj+en+chile&meta=NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_google_ie_search_hl=en&q=birth+death+marriage+records+kerry+limerick&meta=NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_help_com -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_interment_net_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_interment_net_ireland_index_htm -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_ireland_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_ireland_com_ancestor_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_irishgenealogy_ie_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_irishroots_net_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_isc_org_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_koptalk_org_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_landing_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_limerickdioceseheritage_org -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_macromedia_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_microsoft_com_windows2000_downloads_servicepacks_default_aspNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_mypleasure_com -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_nationalarchives_ie_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_netidentity_com_FileNotFound_aspx_d=www_limerickroots_ireland_org&mp=404NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_nli_ie_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_oneworldnursery_cl_NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_oneworldnursery_cl_oneworld_engvolunteering_htmlNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_organizedregistry_com -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_play_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_rootsweb_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_rootsweb_com_~irlker_sitemap_html#surnamesNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_rootsweb_com_~irllim_LimerickCityBarony1659_htmNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_rootsweb_com_~irllim_SmCountyBarony1659_htmNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_rte_ie_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_search_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_softwaretipsandtricks_com_forum_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_spotresults_com_cgi-bin_search_cgi_keywords=how+do+system+backupNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_spotresults_com_cgi-bin_search_cgi_keywords=online+sports+gamblingNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_sysinternals_com_ntw2k_freeware_autoruns_shtmlNC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_syvum_com -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_syvum_com_squizzes_spanish_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_techsupportforum_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_tercera_cl_NC -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_triv_net_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_ul_ie_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_unison_ie_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_userena_cl_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_valoff_ie_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\CTwww_windowsxpforums_com_ -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\UALEXAby20fd_bay20_hotmail_msn_com -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\Cache\UALEXAwww_rte_ie -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\CacheCatolog.rx -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\additional.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\additional_active.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\background.jpg -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\blue_hr_horz.GIF -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\gray_hr_horz.GIF -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\thumbtack.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\thumbtack_active.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\graphics\thumbtack_click.gif -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\HTML -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\HTML\content.htm -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\HTML\main.htm -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\kanoodle.xsl -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\rxtoolbar.cfg -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\RXToolBar.dll -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\searchfeed.xsl -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\sfcont.bin -> Spyware.RXToolbar : Cleaned with backup
C:\Program Files\RXToolBar\sfcont.dll -> Spyware.RXToolbar : Cleaned with backup
C:\ucmoreiex.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\ucmoreiex.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINNT\Downloaded Program Files\WebP2PInstaller.dll -> TrojanDownloader.WebP2PInstaller : Cleaned with backup
C:\WINNT\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINNT\iconu.exe -> Spyware.Zestyfind : Cleaned with backup
C:\WINNT\shost.exe -> Backdoor.SdBot.aig : Cleaned with backup
C:\WINNT\system32\dfiman32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\eraseme_20351.exe -> Backdoor.SdBot.aig : Cleaned with backup
C:\WINNT\system32\kcdic.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\muhtmled.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\Temp\bw2.com -> Spyware.Zestyfind : Cleaned with backup
C:\WINNT\TWljaGFlbCBDcm9uaW4\asappsrv.dll -> Spyware.CommAd : Cleaned with backup
C:\WINNT\TWljaGFlbCBDcm9uaW4\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINNT\VEL_.exe/mrjj.exe -> Trojan.LowZones.am : Cleaned with backup


::Report End




And here is the latest HJT logfile


Logfile of HijackThis v1.99.1
Scan saved at 18:44:02, on 24/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\msdt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rte.ie/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.iol.ie"); (C:\Program Files\Netscape\Users\free\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tcl: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\nptcl32.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132247282904
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rcabinstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80DA7953-EF5F-4FF0-9404-99CBC96AC244}: NameServer = 200.74.160.103 200.74.160.104
O20 - Winlogon Notify: MCD - C:\WINNT\system32\l2n40c5qef.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft Distributed Transaction (MSDT) - Unknown owner - C:\WINNT\msdt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




Any suggestions? Thanks again for your time
  • 0

#4
Crustyoldbloke
Posted 25 November 2005 - 03:34 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0

#5
mcronin
Posted 25 November 2005 - 01:32 PM

mcronin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here is the contents of the l2mfix logfile:


L2MFIX find log 1.99
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\q2860clsefq60.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User

Agent\Post Platform]
"{81F21848-3DA7-23A2-830A-DF5F57F8FD80}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network

objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Merge Shell Folder"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Microsoft SearchBand"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}"="Registered ActiveX Controls"
"{D545EBD1-BD92-11CF-8772-00A0C9039735}"="Developer Studio Components"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{C56C4E21-706D-11d0-AFC5-444553540002}"="My Digital Camera"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{5D3589F1-82C6-4BD6-A853-08478EFCC6A9}"=""
"{E134AD6D-7910-44BF-9BB5-FF8D39766C0B}"=""
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E134AD6D-7910-44BF-9BB5-FF8D39766C0B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E134AD6D-7910-44BF-9BB5-FF8D39766C0B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E134AD6D-7910-44BF-9BB5-FF8D39766C0B}\Implemented

Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E134AD6D-7910-44BF-9BB5-FF8D39766C0B}\InprocServer32]
@="C:\\WINNT\\system32\\UKER32.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
atmtd.dll Mon 16 Jan 2006 12:11:50 A.... 687,592 671.48 K
cdral.dll Wed 26 Oct 2005 19:07:22 A.... 45,056 44.00 K
cdrtc.dll Wed 26 Oct 2005 19:07:22 A.... 45,056 44.00 K
dn4001~1.dll Thu 24 Nov 2005 22:27:06 ..S.R 237,141 231.58 K
q2860c~1.dll Thu 24 Nov 2005 15:13:02 ..S.R 236,689 231.14 K
uker32.dll Fri 25 Nov 2005 15:33:32 ..S.R 236,689 231.14 K

6 items found: 6 files (3 H/S), 0 directories.
Total of file sizes: 1,488,223 bytes 1.42 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 84E8-1983

Directory of C:\WINNT\System32

25/11/2005 15:33 236,689 UKER32.DLL
24/11/2005 22:27 237,141 dn4001hme.dll
24/11/2005 15:13 236,689 q2860clsefq60.dll
23/11/2005 02:13 <DIR> dllcache
3 File(s) 710,519 bytes
1 Dir(s) 3,376,480,256 bytes free
  • 0

#6
Crustyoldbloke
Posted 25 November 2005 - 03:02 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
The VX2 infection on your PC is confirmed.

Close any programmes you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Extra note... after reboot and logging in, normally a screen will pop up and perform the rest of the fix and notepad opens automatically afterwards.
If that doesn't happen, you'll have to do it manually, so open your L2M-folder which is present on your desktop and doubleclick second.bat.
Let it run and notepad (log.txt) will open then. Copy and paste the contents of it in your next reply with a new hijackthislog.
  • 0

#7
mcronin
Posted 25 November 2005 - 07:46 PM

mcronin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here is the logfile that opened on reboot from l2mfix

Starting Beta Fix 112305
Creating Account.
The command completed successfully.


Adding Administrative privleges.
The command completed successfully.


Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Setting Directory
C:\Documents and Settings\Administrator\Desktop\l2mfix
C:\Documents and Settings\Administrator\Desktop\l2mfix

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 180 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 204 'winlogon.exe'
Killing PID 204 'winlogon.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1132 'explorer.exe'
Killing PID 1132 'explorer.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 936 'rundll32.exe'

Scanning First Pass. Please Wait!

Checking for L2MFix account(0=no 1=yes):
0
First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\dn4001hme.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\f6j20g1oe6.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\HSL.DLL
1 file(s) copied.
deleting: C:\WINNT\system32\dn4001hme.dll
Successfully Deleted: C:\WINNT\system32\dn4001hme.dll
deleting: C:\WINNT\system32\f6j20g1oe6.dll
Successfully Deleted: C:\WINNT\system32\f6j20g1oe6.dll
deleting: C:\WINNT\system32\HSL.DLL
Successfully Deleted: C:\WINNT\system32\HSL.DLL


Zipping up files for submission:
adding: dn4001hme.dll (152 bytes security) (deflated 5%)
adding: f6j20g1oe6.dll (152 bytes security) (deflated 4%)
adding: HSL.DLL (152 bytes security) (deflated 5%)
zip warning: name not matched: *.tmp

zip error: Nothing to do! (backup.zip)
adding: clear.reg (152 bytes security) (deflated 36%)
adding: echo.reg (152 bytes security) (deflated 12%)
zip warning: name not matched: *.ini

zip error: Nothing to do! (backup.zip)
adding: direct.txt (152 bytes security) (stored 0%)
adding: flag.txt (152 bytes security) (stored 0%)
adding: lo2.txt (152 bytes security) (deflated 70%)
adding: readme.txt (152 bytes security) (deflated 52%)
adding: report.txt (152 bytes security) (deflated 62%)
adding: test.txt (152 bytes security) (deflated 46%)
adding: test2.txt (152 bytes security) (deflated 17%)
adding: test3.txt (152 bytes security) (deflated 17%)
adding: test5.txt (152 bytes security) (deflated 17%)
adding: xfind.txt (152 bytes security) (deflated 38%)
adding: backregs/E134AD6D-7910-44BF-9BB5-FF8D39766C0B.reg (152 bytes security) (deflated 70%)
adding: backregs/notibac.reg (152 bytes security) (deflated 73%)
adding: backregs/shell.reg (152 bytes security) (deflated 75%)

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: dn4001hme.dll
deleting local copy: f6j20g1oe6.dll
deleting local copy: HSL.DLL

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\dn4001hme.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINNT\system32\dn4001hme.dll
C:\WINNT\system32\f6j20g1oe6.dll
C:\WINNT\system32\HSL.DLL

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5D3589F1-82C6-4BD6-A853-08478EFCC6A9}"=-
"{E134AD6D-7910-44BF-9BB5-FF8D39766C0B}"=-
[-HKEY_CLASSES_ROOT\CLSID\{5D3589F1-82C6-4BD6-A853-08478EFCC6A9}]
[-HKEY_CLASSES_ROOT\CLSID\{E134AD6D-7910-44BF-9BB5-FF8D39766C0B}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************





And here is the latest hijackthis logfile:


Logfile of HijackThis v1.99.1
Scan saved at 22:46:32, on 25/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\msdt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rte.ie/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.iol.ie"); (C:\Program Files\Netscape\Users\free\prefs.js)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tcl: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\nptcl32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132247282904
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rcabinstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80DA7953-EF5F-4FF0-9404-99CBC96AC244}: NameServer = 200.74.160.103 200.74.160.104
O20 - Winlogon Notify: Setup - C:\WINNT\system32\dn4001hme.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft Distributed Transaction (MSDT) - Unknown owner - C:\WINNT\msdt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#8
Crustyoldbloke
Posted 26 November 2005 - 08:08 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

That was quite an unusual log from L2me, but your HJT log shows the VX2 infection has gone. However, there is a proxy server being used. Do you recognise this address? Gustavo Welkner Oelckers Av del Condor 796 Huechuraba 858-0704 Santiago - Chile.

It looks like a hijacker but I must be sure it is nothing to do with your ISP or work or supplier. I'll await your reply on that part. Meantime, there is just some adjusting to do.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rcabinstall.cab
O20 - Winlogon Notify: Setup - C:\WINNT\system32\dn4001hme.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.

Post back a fresh HijackThis log, from normal mode, and I will take another look.
  • 0

#9
mcronin
Posted 26 November 2005 - 01:39 PM

mcronin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hey again,

This address "Av del Condor 796 Huechuraba 858-0704 Santiago - Chile." is the address of my service provider here in Chile. The internet provider is called Manquehue Net. The name "Gustavo ..." I don't recognise but i guess he's the guy responsible for setting up my connection. Also I don't have a proxy server running on my computer as i checked it up on my internet options.


Here is the latest HJT logfile

Logfile of HijackThis v1.99.1
Scan saved at 16:34:41, on 26/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\msdt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rte.ie/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.iol.ie"); (C:\Program Files\Netscape\Users\free\prefs.js)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tcl: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\nptcl32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132247282904
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80DA7953-EF5F-4FF0-9404-99CBC96AC244}: NameServer = 200.74.160.103 200.74.160.104
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft Distributed Transaction (MSDT) - Unknown owner - C:\WINNT\msdt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#10
Crustyoldbloke
Posted 26 November 2005 - 02:29 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Congratulations! your new log is clean. :tazz: Just a little bit more to do to prevent further infection.

I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programmes for “on demand” scanning, having two or more antivirus systems is not recommended as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated. :)

If you were in Ireland, where I thought you were, Chile would definitely be a proxy server, but I can see the time difference is a bit out for that :)

Happy safe surfing!
  • 0

#11
mcronin
Posted 30 November 2005 - 03:24 PM

mcronin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hey again,

Sorry for not replying earlier. I just want to say thank you so much for all the time and effort you put into helping me. It's great to have a functioning computer again! You're a legend.
Thanks again.

All the best,
Mike
  • 0

#12
Crustyoldbloke
Posted 30 November 2005 - 06:09 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
You are very welcome.

I will leave this thread open for a few days in case of misfortune.
  • 0

#13
Crustyoldbloke
Posted 11 December 2005 - 12:00 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP