Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

FireFox Pop-ups out of nowhere and a virus issue [RESOLVED]

Started by Chris Y , Dec 03 2005 10:13 PM

This topic is locked

#1
Chris Y

Posted 03 December 2005 - 10:13 PM

Member

Member
34 posts

Hello there! :woot:

I've got a very annoying problem with something I suspect is an adware of some kind. It keeps opening my Firefox browser and directs me to a lot of commercial sites. I also have a problem with my Symantec Anti-Virus tool, which is notifying me about a file that doesn't exist! It claims to remove it from the system but after 4-5 secs it warns me again about it! Now that is annoying.

The file and it's location is: C:\WINDOWS\System32\rdriv.sys

Please help me get rid of these!

I have tried using:
SpyBot - Search And Destroy
Spyware Doctor
The Spyware Detective
Ad-aware 6.0
Microsoft Anti-Spyware BETA
Symantec Anti-Virus

And I'm pretty sure that no Spyware killer is going to help in either of these problems. I need to do something manually.

Here's the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 05:02:23, on 2005-12-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Norton Personal Firewall\ISSVC.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Spyware Doctor\sdhelp.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program\Analog Devices\SoundMAX\Smax4.exe
C:\Program\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\SYMANT~1\VPTray.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\smsvc.exe
C:\WINDOWS\System32\msmsgss.exe
C:\Program\iPod\bin\iPodService.exe
D:\Spel\JK II\GameData\jk2Ded.exe
C:\Program\Shareaza\Shareaza.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program\Microsoft AntiSpyware\gcasServ.exe
C:\Program\Winamp\Winamp.exe
C:\Program\Symantec AntiVirus\VPC32.EXE
C:\Documents and Settings\-xlnt-\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Microsoft DLL Verifier] smsvc.exe
O4 - HKLM\..\Run: [msmsgr] msmsgss.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] Sygate.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] smsvc.exe
O4 - HKLM\..\RunServices: [msmsgr] msmsgss.exe
O4 - HKCU\..\Run: [synean] C:\WINDOWS\System32\synean.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17....es/MsnPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\mv8ql9l51.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program\Norton Personal Firewall\ISSVC.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

A lot of stuff... I have no idea what half of these things even is! :tazz:

I'd be thankful if you could help me.

Chris Y

Edited by Chris Y, 04 December 2005 - 12:27 AM.

#2
Excal

Posted 04 December 2005 - 12:49 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi Chris Y and welcome to GeeksToGo! My name is Excal and I will be helping you.

Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip

Unzip it to your desktop.

* Ewido Security Suite

Install ewido security suite
Launch ewido, there should be a big E icon on your desktop, double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed
After the updates are installed exit Ewido.

* CleanUp!

Install it.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

1.) Please go into the rdrivrem folder and double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double-click the Ewido Security Suite icon to run the program.

Click on scanner
Click Complete System Scan
Let the program scan the machine

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report
Save the report to your desktop
Exit Ewido

3.) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
**If it asks if you want to reboot or log off press NO.

4.) After Cleanup! is finished, run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft DLL Verifier] smsvc.exe
O4 - HKLM\..\Run: [msmsgr] msmsgss.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] Sygate.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] smsvc.exe
O4 - HKLM\..\RunServices: [msmsgr] msmsgss.exe
O4 - HKCU\..\Run: [synean] C:\WINDOWS\System32\synean.exe
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\mv8ql9l51.dll

Close HiJackThis.

5.) Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\System32\Sygate.exe
C:\WINDOWS\System32\smsvc.exe
C:\WINDOWS\System32\msmsgss.exe
C:\WINDOWS\System32\synean.exe
C:\WINDOWS\system32\mv8ql9l51.dll

empty recycling bin please.

Reboot your computer into normal mode.

5.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

7.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall

Save the results from ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

#3
Chris Y

Posted 05 December 2005 - 10:07 AM

Member

Topic Starter
Member
34 posts

Thank you for helping me! Rdriv.sys seems to have been fixed thanks to you!

But Firefox still goes popping up with random commercial sites...

I've followed your instructions (with two exceptions, as I was stupid and forgot to save the report from Ewido... :woot:

and Active Scan won't let me scan for some reason. I press the "My Computer" and the "Local Disc" options but nothing happens. Trendo Micro HouseCall detected 2 viruses.

Results:
We have detected 2 infected file(s) with 2 virus(es) on your computer. Only 0 out of 0 infected files are displayed.
Detected File Associated Virus Name
C:\WINDOWS\system32\myhost.exe WORM_AGOBOT.AYE
C:\WINDOWS\MSmedia.exe WORM_AGOBOT.AYE

It removed them both succesfully too...

I also couldn't not delete all the files you requested, since they were most likely already cleaned by ewido :tazz:

But in my HijackThis logfile I still see Synean. But it is nowhere to be found!

I'm sorry I messed up on the Ewido report... :woot:

Is there still any ways left to remove Firefox pop-ups?

HijackThis Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 17:04:24, on 2005-12-05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Norton Personal Firewall\ISSVC.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec AntiVirus\DefWatch.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Spyware Doctor\sdhelp.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program\Analog Devices\SoundMAX\Smax4.exe
C:\Program\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\SYMANT~1\VPTray.exe
C:\Program\Microsoft AntiSpyware\gcasServ.exe
C:\Program\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\-xlnt-\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [synean] C:\WINDOWS\System32\synean.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program\Delade filer\Adobe\Updater\AdobeUpdater.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17....es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\f2l00c3mef.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program\Norton Personal Firewall\ISSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

[EDIT: Forgot to add the rdriv logg. Im sorry!
~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

That's all it says... :woot:

]

Edited by Chris Y, 05 December 2005 - 12:08 PM.

#4
Excal

Posted 05 December 2005 - 12:38 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Download L2mfix from one of these two locations:

One
Two
Save the file to your desktop and double click l2mfix.exe.
Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Note; if you recieve any error messages for CMD or Autoexec.bat>> select option 5 from the l2mfix and once at the site, click on the link that apply to your operating system!
Double-click the file it downloads and extract the files to its predetermined System32 folder!

Then post a HijackThis log (not attach) together with the log of the L2Mfix

#5
Chris Y

Posted 05 December 2005 - 12:43 PM

Member

Topic Starter
Member
34 posts

L2MFIX find log 120305
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f2l00c3mef.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{75E72BBF-894D-9575-853E-6200501F919E}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Egenskapsf”rteckning f”r multimediefiler"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Hantering av ICM-skanner"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-s„kerhetssida"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Egenskapssida f”r OLE-dokumentfiler"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell-till„gg f”r delning"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelstill„gg f”r bildsk„rmskort"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelstill„gg f”r bildsk„rm"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelstill„gg f”r bildsk„rmspanorering"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-s„kerhetssida"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitetssida"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Diskkopiering - till„gg"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell-till„gg f”r Microsoft Windows Network-objekt"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Hantering av ICM-bildsk„rm"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Hantering av ICM-skrivare"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell-till„gg f”r filkomprimering"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shell-till„gg f”r webbutskrift"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Snabbmeny f”r kryptering"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Portf”lj"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal-ikontill„gg"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Skrivars„kerhetssida"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell-till„gg f”r delning"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-till„gg"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Till„gg f”r kryptografisk signering"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="N„tverksanslutningar"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="N„tverksanslutningar"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Skannrar och kameror"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Skannrar och kameror"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Skannrar och kameror"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Skannrar och kameror"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Skannrar och kameror"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell-till„gg f”r Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft-datal„nk"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Schemalagda aktiviteter"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Aktivitetsf„ltet och Start-menyn"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="S”k"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hj„lp och support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hj„lp och support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="K”r..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-post"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrationsverktyg"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adress"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Parsning f”r adressf„lt"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Globala mappinst„llningar"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft-tj„nst f”r tidigare adresser (URL)"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Tidigare"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Tillf„lliga Internet-filer"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Tillf„lliga Internet-filer"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="V„lkomstsk„rm f”r Internet Explorer 4.0 Suite"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Mappen ActiveX Cache"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Mappen Subscriptions"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Programhanteraren"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Uppr„knare f”r installerade program"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extraherare f”r GDI+-filminiatyrer"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Information om miniatyrer (DOC-filer)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Extraherare f”r HTML-miniatyrer"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Webbpubliceringsguiden"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Guiden Best„ll foton via Internet"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objekt f”r webbpubliceringsguiden"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Guiden Skaffa Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Anv„ndarkonton"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanalfil"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Kanalgenv„g"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offlinefiler"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Efter &personer..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{715659E6-2F62-4DCF-8019-C4A8FE18EDA2}"=""
"{6224E4CD-B3DE-4127-BC40-2882ED60EEE8}"=""
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}"="Multiscan"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{09C5469F-C402-4572-878E-730980438CDE}"=""
"{D87F594B-5D24-4D14-BBC2-95DBA5CC0B69}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{715659E6-2F62-4DCF-8019-C4A8FE18EDA2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{715659E6-2F62-4DCF-8019-C4A8FE18EDA2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{715659E6-2F62-4DCF-8019-C4A8FE18EDA2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{715659E6-2F62-4DCF-8019-C4A8FE18EDA2}\InprocServer32]
@="C:\\WINDOWS\\system32\\kvddv.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6224E4CD-B3DE-4127-BC40-2882ED60EEE8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6224E4CD-B3DE-4127-BC40-2882ED60EEE8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6224E4CD-B3DE-4127-BC40-2882ED60EEE8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6224E4CD-B3DE-4127-BC40-2882ED60EEE8}\InprocServer32]
@="C:\\WINDOWS\\system32\\rRsmontr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{09C5469F-C402-4572-878E-730980438CDE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09C5469F-C402-4572-878E-730980438CDE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09C5469F-C402-4572-878E-730980438CDE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{09C5469F-C402-4572-878E-730980438CDE}\InprocServer32]
@="C:\\WINDOWS\\system32\\immp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D87F594B-5D24-4D14-BBC2-95DBA5CC0B69}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D87F594B-5D24-4D14-BBC2-95DBA5CC0B69}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D87F594B-5D24-4D14-BBC2-95DBA5CC0B69}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D87F594B-5D24-4D14-BBC2-95DBA5CC0B69}\InprocServer32]
@="C:\\WINDOWS\\system32\\nsdsapi.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
dkserial.dll Sat 2005-12-03 22.10.38 ..S.R 233 668 228,19 K
en82l1~1.dll Sat 2005-12-03 0.05.14 ..S.R 236 979 231,42 K
f2l00c~1.dll Mon 2005-12-05 15.14.32 ..S.R 236 379 230,84 K
gccoll~1.dll Tue 2005-11-15 12.12.08 A.... 126 680 123,71 K
gcunco~1.dll Tue 2005-11-15 12.12.06 A.... 95 448 93,21 K
hashlib.dll Tue 2005-11-15 12.12.08 A.... 117 976 115,21 K
immp.dll Mon 2005-12-05 15.05.56 ..S.R 235 041 229,53 K
j2p00c~1.dll Sat 2005-12-03 23.25.12 ..S.R 234 240 228,75 K
k0080a~1.dll Mon 2005-12-05 16.15.36 ..S.R 237 179 231,62 K
mjrclr40.dll Sat 2005-12-03 14.35.14 ..S.R 235 698 230,17 K
nv4_disp.dll Fri 2005-11-04 18.03.00 A.... 3 924 096 3,74 M
nvapi.dll Fri 2005-11-04 18.03.00 A.... 86 016 84,00 K
nvcod.dll Fri 2005-11-04 18.03.00 A.... 35 328 34,50 K
nvcodins.dll Fri 2005-11-04 18.03.00 A.... 35 328 34,50 K
nvcpl.dll Fri 2005-11-04 18.03.00 A.... 7 307 264 6,97 M
nvhwvid.dll Fri 2005-11-04 18.03.00 A.... 573 440 560,00 K
nview.dll Fri 2005-11-04 18.03.00 A.... 1 466 368 1,40 M
nvmccs.dll Fri 2005-11-04 18.03.00 A.... 229 376 224,00 K
nvmccsrs.dll Fri 2005-11-04 18.03.00 A.... 45 056 44,00 K
nvmctray.dll Fri 2005-11-04 18.03.00 A.... 86 016 84,00 K
nvnt4cpl.dll Fri 2005-11-04 18.03.00 A.... 286 720 280,00 K
nvoglnt.dll Fri 2005-11-04 18.03.00 A.... 5 394 432 5,14 M
nvshell.dll Fri 2005-11-04 18.03.00 A.... 466 944 456,00 K
nvwddi.dll Fri 2005-11-04 18.03.00 A.... 81 920 80,00 K
nvwdmcpl.dll Fri 2005-11-04 18.03.00 A.... 1 662 976 1,59 M
nvwimg.dll Fri 2005-11-04 18.03.00 A.... 1 019 904 996,00 K
nyvlogon.dll Sat 2005-12-03 18.05.12 ..S.R 237 101 231,54 K
rrsmontr.dll Mon 2005-12-05 16.15.36 ..S.R 236 379 230,84 K
sirenacm.dll Wed 2005-10-12 17.11.06 A.... 118 784 116,00 K
wpsdmoe.dll Sat 2005-12-03 18.01.14 ..S.R 236 007 230,47 K

30 items found: 30 files (10 H/S), 0 directories.
Total of file sizes: 25 518 743 bytes 24,34 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volymen i enhet C har ingen etikett.
Volymens serienummer „r 7072-1F81

Inneh†ll i katalogen C:\WINDOWS\System32

2005-12-05 16:15 236ÿ379 rRsmontr.dll
2005-12-05 16:15 237ÿ179 k0080adued080.dll
2005-12-05 15:14 236ÿ379 f2l00c3mef.dll
2005-12-05 15:05 235ÿ041 immp.dll
2005-12-03 23:25 234ÿ240 j2p00c7mef.dll
2005-12-03 22:10 233ÿ668 dkserial.dll
2005-12-03 18:05 237ÿ101 NYvLogon.dll
2005-12-03 18:01 236ÿ007 wpsdmoe.dll
2005-12-03 14:35 235ÿ698 mjrclr40.dll
2005-12-03 00:05 236ÿ979 en82l1lo1.dll
2005-12-02 23:56 <KAT> dllcache
2005-11-20 18:22 <KAT> Microsoft
10 fil(er) 2ÿ358ÿ671 byte
2 katalog(er) 18ÿ369ÿ916ÿ928 byte ledigt

#6
Chris Y

Posted 05 December 2005 - 12:43 PM

Member

Topic Starter
Member
34 posts

Logfile of HijackThis v1.99.1
Scan saved at 19:43:25, on 2005-12-05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Norton Personal Firewall\ISSVC.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec AntiVirus\DefWatch.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Spyware Doctor\sdhelp.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program\Analog Devices\SoundMAX\Smax4.exe
C:\Program\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\SYMANT~1\VPTray.exe
C:\Program\Microsoft AntiSpyware\gcasServ.exe
C:\Program\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Shareaza\Shareaza.exe
C:\Program\ewido\security suite\ewidoguard.exe
C:\Program\Winamp\Winamp.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\-xlnt-\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program\Delade filer\Adobe\Updater\AdobeUpdater.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17....es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\f2l00c3mef.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program\Norton Personal Firewall\ISSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

#7
Chris Y

Posted 05 December 2005 - 12:46 PM

Member

Topic Starter
Member
34 posts

The l2mfix finished in 1 second! I had no chance to see if there was any errors... But I guess it worked. :tazz:

[edit: Sorry for the triple post!]

Edited by Chris Y, 05 December 2005 - 01:20 PM.

#8
Excal

Posted 05 December 2005 - 03:09 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter
Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.
Copy the contents of log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

#9
Chris Y

Posted 05 December 2005 - 03:23 PM

Member

Topic Starter
Member
34 posts

I think it didn't work :tazz:

L2mfix Beta 120305
Creating Account.
Kommandot har utf”rts.

Adding Administrative privleges.
Systemfel 1376 har uppst†tt.

Den angivna lokala gruppen finns inte.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0

If you don't know swedish I translate what it says:
System-error 1376:
The chosen local group does not exist.

==========================================================
The HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 22:21:54, on 2005-12-05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Norton Personal Firewall\ISSVC.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec AntiVirus\DefWatch.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Spyware Doctor\sdhelp.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program\Symantec AntiVirus\Rtvscan.exe
C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program\Analog Devices\SoundMAX\Smax4.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\SYMANT~1\VPTray.exe
C:\Program\Microsoft AntiSpyware\gcasServ.exe
C:\Program\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\-xlnt-\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program\Delade filer\Adobe\Updater\AdobeUpdater.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17....es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\f2l00c3mef.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program\Norton Personal Firewall\ISSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

This is one of the worst adwares I ever got in my life.

#10
Excal

Posted 05 December 2005 - 04:21 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

Click the Free Trial link under to "SpySweeper" to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
- Sweep Memory
- Sweep Registry
- Sweep Cookies
- Sweep All User Accounts
- Enable Direct Disk Sweeping
- Sweep Contents of Compressed Files
- Sweep for Rootkits
- Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

#11
Chris Y

Posted 05 December 2005 - 05:22 PM

Member

Topic Starter
Member
34 posts

Here we go!
********
23:55: | Start of Session, den 5 december 2005 |
23:55: Spy Sweeper started
23:55: Sweep initiated using definitions version 578
23:55: Starting Memory Sweep
23:56: Found Adware: icannnews
23:56: Detected running threat: C:\WINDOWS\system32\sgimeng.dll (ID = 83)
23:56: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:56: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:56: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:56: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:56: Detected running threat: C:\WINDOWS\system32\f2l00c3mef.dll (ID = 83)
23:57: Memory Sweep Complete, Elapsed Time: 00:01:26
23:57: Starting Registry Sweep
23:57: Found Adware: dollarrevenue
23:57: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
23:57: Found Adware: elitemediagroup-mediamotor
23:57: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mm83.ocx (ID = 959929)
23:57: Found Trojan Horse: trojan downloader popuppers
23:57: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm83.ocx\ (2 subtraces) (ID = 960758)
23:57: Found Trojan Horse: trojan_backdoor_irc_spybot
23:57: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || sygate personal firewall (ID = 144991)
23:57: Found Adware: maxifiles
23:57: HKU\S-1-5-18\software\director\ || baseurl (ID = 980277)
23:57: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (ID = 1021025)
23:57: Registry Sweep Complete, Elapsed Time:00:00:14
23:57: Starting Cookie Sweep
23:57: Cookie Sweep Complete, Elapsed Time: 00:00:00
23:57: Starting File Sweep
23:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:57: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:57: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:57: a0008663.exe (ID = 133210)
23:57: a0008807.exe (ID = 194150)
23:57: Found Adware: targetsaver
23:57: a0008463.exe (ID = 193995)
23:57: Found Adware: look2me
23:57: a0008828.dll (ID = 159)
23:58: Found Adware: e2g
23:58: a0008808.exe (ID = 59402)
23:58: Found Trojan Horse: trojan downloader matcash
23:58: a0008425.exe (ID = 184140)
23:58: a0008446.exe (ID = 185254)
23:58: Found Adware: command
23:58: a0008666.dll (ID = 144945)
23:58: a0008655.exe (ID = 184143)
23:58: a0011441.exe (ID = 194150)
23:58: a0008430.exe (ID = 190798)
23:58: a0010094.dll (ID = 159)
23:58: a0008723.exe (ID = 184143)
23:58: a0008824.exe (ID = 195131)
23:58: a0008823.exe (ID = 195130)
23:58: a0008822.exe (ID = 195128)
23:59: a0008825.exe (ID = 195132)
23:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:59: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:59: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:59: Found Adware: internetoptimizer
23:59: a0008619.dll (ID = 64043)
23:59: a0008728.exe (ID = 190798)
23:59: a0008428.exe (ID = 185254)
23:59: a0008827.exe (ID = 125346)
23:59: a0011097.dll (ID = 159)
23:59: a0007376.exe (ID = 199080)
23:59: a0008814.dll (ID = 180542)
23:59: a0008448.exe (ID = 199080)
23:59: a0008734.dll (ID = 159)
00:00: a0008455.dll (ID = 198663)
00:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:00: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:00: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:00: a0008815.exe (ID = 188217)
00:00: a0007378.dll (ID = 163672)
00:00: a0008461.exe (ID = 185985)
00:00: a0008426.exe (ID = 190798)
00:00: a0008439.dll (ID = 159)
00:00: data.~ (ID = 188119)
00:00: Found Adware: apropos
00:00: a0011133.dll (ID = 166754)
00:00: a0008644.dll (ID = 159)
00:00: a0008450.exe (ID = 190798)
00:01: a0008640.exe (ID = 184143)
00:01: a0008735.dll (ID = 159)
00:01: a0008445.exe (ID = 184143)
00:01: a0008443.dll (ID = 159)
00:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:01: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:01: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:01: a0011485.dll (ID = 159)
00:02: a0008662.exe (ID = 125346)
00:02: a0010071.exe (ID = 199080)
00:02: a0011134.exe (ID = 193501)
00:02: a0007385.dll (ID = 163672)
00:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:02: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:02: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:03: a0010036.exe (ID = 184143)
00:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:04: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:04: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:04: a0008383.dll (ID = 159)
00:04: a0009946.dll (ID = 159)
00:04: a0010030.dll (ID = 159)
00:04: en82l1lo1.dll (ID = 159)
00:04: a0011590.dll (ID = 159)
00:04: a0008664.exe (ID = 144946)
00:04: a0008645.exe (ID = 190798)
00:04: a0008452.exe (ID = 198662)
00:04: j2p00c7mef.dll (ID = 159)
00:05: a0011130.exe (ID = 190798)
00:05: a0010079.dll (ID = 159)
00:05: a0011123.dll (ID = 198663)
00:05: a0011135.dll (ID = 195129)
00:05: nyvlogon.dll (ID = 159)
00:05: a0010048.exe (ID = 184143)
00:05: a0011128.exe (ID = 190798)
00:05: a0008460.exe (ID = 168558)
00:05: a0011101.dll (ID = 159)
00:05: a0011129.exe (ID = 185254)
00:05: a0010085.dll (ID = 159)
00:05: a0010037.exe (ID = 185254)
00:05: a0010057.dll (ID = 159)
00:05: a0011105.dll (ID = 159)
00:05: a0010061.dll (ID = 159)
00:05: a0010046.dll (ID = 159)
00:05: a0010102.dll (ID = 159)
00:05: a0008741.exe (ID = 184143)
00:05: a0008626.dll (ID = 159)
00:05: a0008449.exe (ID = 184140)
00:05: a0011131.exe (ID = 184143)
00:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:05: a0008661.exe (ID = 199080)
00:06: a0010063.exe (ID = 184143)
00:06: a0008656.exe (ID = 185254)
00:06: a0008431.exe (ID = 198662)
00:06: a0008650.dll (ID = 159)
00:06: a0008729.exe (ID = 190798)
00:06: a0008673.exe (ID = 184143)
00:06: a0011144.dll (ID = 159)
00:06: a0008427.exe (ID = 184143)
00:06: tsupdate2[2].ini (ID = 193498)
00:06: a0008654.dll (ID = 159)
00:06: a0010064.exe (ID = 185254)
00:06: a0008742.exe (ID = 185254)
00:06: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:06: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:06: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:06: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:06: a0008624.dll (ID = 59389)
00:07: a0010049.exe (ID = 185254)
00:07: a0011127.exe (ID = 184140)
00:07: a0011489.dll (ID = 159)
00:07: sgimeng.dll (ID = 159)
00:07: a0011585.dll (ID = 159)
00:07: a0008819.exe (ID = 184140)
00:07: a0008820.exe (ID = 190798)
00:07: a0008818.exe (ID = 198662)
00:07: a0011108.exe (ID = 199080)
00:07: a0011126.exe (ID = 198662)
00:07: a0008451.exe (ID = 190798)
00:08: a0008933.dll (ID = 159)
00:08: a0009934.dll (ID = 159)
00:08: a0008677.exe (ID = 190798)
00:08: a0008433.dll (ID = 198663)
00:08: a0008730.exe (ID = 198662)
00:08: a0010074.dll (ID = 159)
00:08: a0011475.dll (ID = 159)
00:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:08: a0008671.dll (ID = 159)
00:08: a0008675.exe (ID = 185254)
00:08: a0008938.dll (ID = 159)
00:08: a0008642.exe (ID = 185254)
00:08: a0010042.dll (ID = 159)
00:08: a0008727.exe (ID = 184140)
00:08: k0080adued080.dll (ID = 159)
00:08: a0008816.dll (ID = 198663)
00:08: a0011140.dll (ID = 159)
00:08: a0010034.dll (ID = 159)
00:08: a0008667.dll (ID = 159)
00:08: a0008821.exe (ID = 190798)
00:08: a0008724.exe (ID = 185254)
00:08: a0008719.dll (ID = 159)
00:08: wpsdmoe.dll (ID = 159)
00:08: a0011608.dll (ID = 159)
00:08: mjrclr40.dll (ID = 159)
00:08: a0009940.dll (ID = 159)
00:09: p44uleh91h4.dll (ID = 159)
00:09: immp.dll (ID = 159)
00:09: a0011586.dll (ID = 159)
00:09: dkserial.dll (ID = 159)
00:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:09: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:09: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:09: f2l00c3mef.dll (ID = 159)
00:09: a0008826.vbs (ID = 185675)
00:09: donotdelete[1].htm (ID = 198788)
00:09: drsmartload.dat (ID = 198788)
00:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:13: File Sweep Complete, Elapsed Time: 00:15:39
00:13: Full Sweep has completed. Elapsed time 00:17:27
00:13: Traces Found: 145
00:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:16: Removal process initiated
00:16: Quarantining All Traces: icannnews
00:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
00:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
00:16: icannnews is in use. It will be removed on reboot.
00:16: C:\WINDOWS\system32\sgimeng.dll is in use. It will be removed on reboot.
00:16: C:\WINDOWS\system32\f2l00c3mef.dll is in use. It will be removed on reboot.
00:16: Quarantining All Traces: look2me
00:17: look2me is in use. It will be removed on reboot.
00:17: sgimeng.dll is in use. It will be removed on reboot.
00:17: p44uleh91h4.dll is in use. It will be removed on reboot.
00:17: f2l00c3mef.dll is in use. It will be removed on reboot.
00:17: Quarantining All Traces: trojan downloader matcash
00:17: Quarantining All Traces: apropos
00:17: Quarantining All Traces: internetoptimizer
00:17: Quarantining All Traces: maxifiles
00:17: Quarantining All Traces: trojan downloader popuppers
00:17: Quarantining All Traces: trojan_backdoor_irc_spybot
00:17: Quarantining All Traces: command
00:17: Quarantining All Traces: dollarrevenue
00:17: Quarantining All Traces: e2g
00:17: Quarantining All Traces: elitemediagroup-mediamotor
00:17: Quarantining All Traces: targetsaver
00:18: Preparing to restart your computer. Please wait...
00:18: Removal process completed. Elapsed time 00:02:22
********
23:54: | Start of Session, den 5 december 2005 |
23:54: Spy Sweeper started
23:54: Sweep initiated using definitions version 578
23:54: Starting Memory Sweep
23:54: Sweep Canceled
23:54: Memory Sweep Complete, Elapsed Time: 00:00:06
23:54: Traces Found: 0
23:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:55: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:55: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:55: | End of Session, den 5 december 2005 |
********
23:53: | Start of Session, den 5 december 2005 |
23:53: Spy Sweeper started
23:54: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
23:54: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:54: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
23:54: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:54: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
23:54: Updating spyware definitions
23:54: Your spyware definitions have been updated.
23:54: | End of Session, den 5 december 2005 |

#12
Excal

Posted 05 December 2005 - 05:41 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

can you reboot and please post me a fresh HiJackthis log.

thanks,

:tazz:

Excal

#13
Chris Y

Posted 06 December 2005 - 12:18 AM

Member

Topic Starter
Member
34 posts

Just woke up :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 07:17:32, on 2005-12-06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Norton Personal Firewall\ISSVC.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec AntiVirus\DefWatch.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program\Spyware Doctor\sdhelp.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Analog Devices\SoundMAX\Smax4.exe
C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\Microsoft AntiSpyware\gcasServ.exe
C:\Program\Symantec AntiVirus\Rtvscan.exe
C:\Program\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Shareaza\Shareaza.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\-xlnt-\Skrivbord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program\Delade filer\Adobe\Updater\AdobeUpdater.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17....es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program\Norton Personal Firewall\ISSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

I haven't gotten any pop-up so far.

#14
Excal

Posted 06 December 2005 - 06:25 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Great job, it appears your computer is clean :tazz:

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

I recommend that you Defrag your computer before setting your Restore points:

Go to start>all programs>accessories>system tools>Disk Defragmentor Make sure it set to the proper drive (default should be your main driver) and click on defragment

Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware

If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir

The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, This site is a great source for tightening up security on It's settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Included in those updates is Windows XP Service Pack 2. Click Here
Since you're junkware free, the time to get it is NOW. Service Pack 2 is a MAJOR upgrade for XP. It adds numerous security and software patches, as well as new features and functionality. You will also be adding another layer of protection against future threats.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read So how did I get infected in the first place?

#15
Chris Y

Posted 06 December 2005 - 09:39 AM

Member

Topic Starter
Member
34 posts

Just got back from school. :woot:

Yeah not one single pop-up today! :tazz:

Thanks a lot Excal! You did a excellent job.

I'll be sure to follow your last advices as well. I've been thinking about SP2 pack for a time but a friend of mine says it will crash my PC since my XP isn't really legal... but it's just a myth, right?

Got one firewall up and running now, Norton Personal Firewall, and also Symantec Anti-Virus. It was a big mistake to go onto Internet before having a firewall activated... :woot:

I'll make sure not to repeat that.

Thanks again for all your help and instructions!

I'll be sure to head back here next time something struggles (which won't happen I hope :woot:

)

Chris Y