Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Adware.VX2.100 help needed

Started by yitd01 , Feb 26 2005 09:20 AM

  • Please log in to reply

#1
yitd01
Posted 26 February 2005 - 09:20 AM

yitd01

    New Member

  • Member
  • Pip
  • 1 posts
Hello and thanks in advance,
I've been battling this for 3 days now. Windows comes up but after about 5 minutes explorer crashes and system blue screens when tying to reboot. I can reboot and stay on for about 5 minutes and start over.
I am running TrojanHunter and when the system boots up it finds Adware.VX2.100 when I select clean it states:

Cleaning module slcur32.dll in process rundll32.exe
Module slcur32.dll successfully unloaded from process rundll32.exe (1524)

Cleaning module slcur32.dll in process explorer.exe
Module slcur32.dll successfully unloaded from process explorer.exe (1884)

Unable to rename file C:\WINDOWS\system32\slcur32.dll (The process cannot access the file because it is being used by another process). Scheduling file to be renamed on reboot
Trojan cleaning finished.

I also run HJT and I get the following:

Logfile of HijackThis v1.99.1
Scan saved at 10:12:22 AM, on 2/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ViceVersa Pro\ViceVersa.exe
C:\Program Files\SureSync\SPISched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\My Download Files\spybot\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\wbarbuto\Application Data\Mozilla\Profiles\default\07rr40h2.slt\prefs.js)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ViceVersa Pro] C:\Program Files\ViceVersa Pro\ViceVersa.exe
O4 - HKLM\..\Run: [SureSync Scheduler] C:\Program Files\SureSync\SPISched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [second] C:\WINDOWS\system32\second.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?312
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\c000ladm1d0a.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

I've deleted
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
over and over again,

also run Spybot S&D finds:

--- Search result list ---
Common hijacker: Redirected host (Redirected host, nothing done)


Common hijacker: Redirected host (Redirected host, nothing done)


IGetNet: Redirected host (Redirected host, nothing done)



--- Spybot - Search & Destroy version: 1.3 .1TX (build: 20040801) ---

2004-05-12 blindman.exe (1.0.0.0)
2004-08-30 SpybotSD.exe (1.3.0.12)
2004-05-12 TeaTimer.exe (1.3.0.12)
2003-02-02 UNINS000.EXE (51.6.0.0)
2004-06-15 unins001.exe (51.15.0.0)
2004-05-12 Update.exe (1.3.0.0)
2004-10-04 advcheck.dll (1.0.1.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2004-05-12 SDHelper.dll (1.3.0.12)
2004-05-12 Tools.dll (2.0.0.0)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2004-11-29 Includes\Cookies.sbi
2005-02-16 Includes\Dialer.sbi
2005-02-16 Includes\Hijackers.sbi
2005-01-11 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2005-02-16 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2004-11-29 Includes\Revision.sbi
2005-02-09 Includes\Security.sbi
2005-02-16 Includes\Spybots.sbi
2005-02-16 Includes\Tracks.uti
2005-02-16 Includes\Trojans.sbi



--- System information ---
Windows XP (Build: 2600) Service Pack 1
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB886906)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Service Pack 3 (KB867461)
/ .NETFramework / 1.0: Microsoft .NET Framework Service Pack 1
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX: DirectX Update 819696
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB867282
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB889293
/ Outlook Express 6 / SP1: Windows XP Hotfix - KB887797
/ Windows Media Player: Windows Media Player Hotfix [See KB837272 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 320920
/ Windows Media Player: Windows Media Update 320920
/ Windows Media Player: Windows Media Update 819639
/ Windows Media Player: Windows Media Update 828026
/ Windows XP / SP0: Windows Media Player Hotfix [See KB837272 for more information]
/ Windows XP / SP1: Windows XP Service Pack 1
/ Windows XP / SP2: Windows XP Hotfix - KB282010
/ Windows XP / SP2: Windows XP Hotfix - KB810217
/ Windows XP / SP2: Advanced Networking Pack for Windows XP
/ Windows XP / SP2: Windows XP Hotfix - KB820291
/ Windows XP / SP2: Windows XP Hotfix - KB821253
/ Windows XP / SP2: Windows XP Hotfix - KB821557
/ Windows XP / SP2: Windows XP Hotfix - KB822603
/ Windows XP / SP2: Windows XP Hotfix - KB823182
/ Windows XP / SP2: Windows XP Hotfix - KB823559
/ Windows XP / SP2: Windows XP Hotfix - KB823980
/ Windows XP / SP2: Windows XP Hotfix - KB824105
/ Windows XP / SP2: Windows XP Hotfix - KB824141
/ Windows XP / SP2: Windows XP Hotfix - KB824146
/ Windows XP / SP2: Windows XP Hotfix - KB825119
/ Windows XP / SP2: Windows XP Hotfix - KB826942
/ Windows XP / SP2: Windows XP Hotfix - KB828028
/ Windows XP / SP2: Windows XP Hotfix - KB828035
/ Windows XP / SP2: Windows XP Hotfix - KB828741
/ Windows XP / SP2: Windows XP Hotfix - KB833407
/ Windows XP / SP2: Windows XP Hotfix - KB833987
/ Windows XP / SP2: Windows XP Hotfix - KB833998
/ Windows XP / SP2: Windows XP Hotfix - KB835732
/ Windows XP / SP2: Windows XP Hotfix - KB837001
/ Windows XP / SP2: Windows XP Hotfix - KB839645
/ Windows XP / SP2: Windows XP Hotfix - KB840315
/ Windows XP / SP2: Windows XP Hotfix - KB840374
/ Windows XP / SP2: Windows XP Hotfix - KB840987
/ Windows XP / SP2: Windows XP Hotfix - KB841356
/ Windows XP / SP2: Windows XP Hotfix - KB841533
/ Windows XP / SP2: Windows XP Hotfix - KB841873
/ Windows XP / SP2: Windows XP Hotfix - KB842773
/ Windows XP / SP2: Windows XP Hotfix - KB871250
/ Windows XP / SP2: Windows XP Hotfix - KB873376
/ Windows XP / SP2: Windows XP Hotfix - KB883357
/ Windows XP / SP2: Windows XP Hotfix - KB891711
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q322011
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q327979
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q328310
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329048 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329170
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329390 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329441
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329834 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q331953
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q810243 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810565
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810577
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810833
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811493
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811630
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q814033
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q814995
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q815021
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q815485
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817287
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817606
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q818043
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB891781


--- Startup entries list ---
Located: HK_LM:Run, AdaptecDirectCD
command: C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
file: C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
size: 684032
MD5: bfa83b551abd8084b4623887d0e3b53c

Located: HK_LM:Run, ATIPTA
command: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 344064
MD5: beeb5b0f62d87b84c143d9c5ad17d682

Located: HK_LM:Run, C-Media Mixer
command: Mixer.exe /startup
file: C:\WINDOWS\Mixer.exe
size: 1818624
MD5: f83709d0bacba84d297183825f089d98

Located: HK_LM:Run, CookiePatrol
command: C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe

Located: HK_LM:Run, gcasServ
command: "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
file: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
size: 469824
MD5: 70c5a9c9cf9e65a9073a2a43da822841

Located: HK_LM:Run, HPHmon04
command: C:\WINDOWS\System32\hphmon04.exe
file: C:\WINDOWS\System32\hphmon04.exe
size: 348160
MD5: 2f593e885b1539384afeb79bfa211a66

Located: HK_LM:Run, iTunesHelper
command: C:\Program Files\iTunes\iTunesHelper.exe
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 278528
MD5: 2e0e2be7bd6614ea4c86b9ece793e31e

Located: HK_LM:Run, MCAgentExe
command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
file: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
size: 245760
MD5: 8b5a97e5c16db873092cf3d27b8145a6

Located: HK_LM:Run, MCUpdateExe
command: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
file: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
size: 184320
MD5: 5c50f41e60a03146e029d5a408ebbc32

Located: HK_LM:Run, Microsoft Works Update Detection
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
size: 28738
MD5: 5ac34c17115d3818dc9c9f5b2d909858

Located: HK_LM:Run, MULTIMEDIA KEYBOARD
command: C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
file: C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
size: 425984
MD5: 65c32ec2858128a228b8eaa420b3af17

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, PaperPort PTD
command: C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
file: C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
size: 45108
MD5: 73a33af5825e915ce08907c278f35b83

Located: HK_LM:Run, PPMemCheck
command: C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 98304
MD5: 76a3a30b58405c2c6d833895253a51a9

Located: HK_LM:Run, RoxioEngineUtility
command: "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
file: C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe
size: 65536
MD5: 364784a6f653df81b76424a39dba237b

Located: HK_LM:Run, second
command: C:\WINDOWS\system32\second.bat

Located: HK_LM:Run, smapp
command: C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
file: C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
size: 98304
MD5: b9d6a45f5c452335347ebaf9a9c276d1

Located: HK_LM:Run, SMSERIAL
command: sm56hlpr.exe
file: C:\WINDOWS\sm56hlpr.exe
size: 548864
MD5: 19c207fab6ba2ccdf95e9f47b058d314

Located: HK_LM:Run, SureSync Scheduler
command: C:\Program Files\SureSync\SPISched.exe
file: C:\Program Files\SureSync\SPISched.exe
size: 532480
MD5: fa974d95da43b2926cff1a87d9fa4d8e

Located: HK_LM:Run, THGuard
command: "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
file: C:\Program Files\TrojanHunter 4.2\THGuard.exe
size: 1089024
MD5: edb3dca0b1f57ac8d915c8ad0830b27c

Located: HK_LM:Run, ViceVersa Pro
command: C:\Program Files\ViceVersa Pro\ViceVersa.exe
file: C:\Program Files\ViceVersa Pro\ViceVersa.exe
size: 2723840
MD5: 954aa985614e055fddc9aa1fc0159e9e

Located: HK_LM:Run, ViewMgr
command: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
file: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
size: 106557
MD5: 1cd4dda616a8c2e2ee028895271492e9

Located: HK_LM:Run, VirusScan Online
command: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
file: c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
size: 180224
MD5: fbf233e7b883cf00564409ba05812b21

Located: HK_LM:Run, VSOCheckTask
command: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
file: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
size: 139264
MD5: ef4cca29ccae836416dc023c58b946dc

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\System32\ctfmon.exe
file: C:\WINDOWS\System32\ctfmon.exe
size: 13312
MD5: 414de7cf9d3f19c3ea902f1bb38ec116

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1038336
MD5: 58f7e6434d285f4c98ad3621e0bd8c8d

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll

Located: WinLogon, Control Panel
command: C:\WINDOWS\system32\c000ladm1d0a.dll
file: C:\WINDOWS\system32\c000ladm1d0a.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e

Located: WinLogon, crypt32chain
command: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll

Located: WinLogon, ScCertProp
command: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll

Located: WinLogon, wlballoon
command: wlnotify.dll



--- Browser helper object list ---


--- ActiveX list ---
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
DPF name:
CLSID name: YInstStarter Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 7/11/2001 4:55:28 PM
Date (last access): 2/26/2005 10:14:52 AM
Date (last write): 7/11/2001 4:55:28 PM
Filesize: 81920
Attributes: archive
MD5: F18F29A87DD4F311ED377B54E850DBEF
CRC32: 9C5F5456
Version: 7.209.0.7

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 8/27/2003 4:10:30 AM
Date (last access): 2/26/2005 10:15:46 AM
Date (last write): 8/27/2003 4:10:30 AM
Filesize: 314368
Attributes: archive
MD5: 1E32EC4A8A17B19926B49EA5F6B79A76
CRC32: E98FC293
Version: 0.11.0.0

{41F17733-B041-4099-A042-B518BB6A408C} ()
DPF name:
CLSID name:

{4B48D5DF-9021-45F7-A240-60304302A215} (MalwareCleaner Class)
DPF name:
CLSID name: MalwareCleaner Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: WebCleaner.dll
Short name: WEBCLE~1.DLL
Date (created): 2/1/2005 10:19:24 PM
Date (last access): 2/26/2005 10:14:52 AM
Date (last write): 2/1/2005 10:19:24 PM
Filesize: 420704
Attributes: archive
MD5: 816C3067E154C27EA56C0902B90E3588
CRC32: 89002FF4
Version: 0.1.0.0

{597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class)
DPF name:
CLSID name: OPUCatalog Class
Path: C:\WINDOWS\System32\
Long name: opuc.dll
Short name:
Date (created): 4/10/2002 2:45:00 PM
Date (last access): 2/26/2005 7:13:22 AM
Date (last write): 4/10/2002 2:45:00 PM
Filesize: 180496
Attributes: archive
MD5: 5ADE6ADD514D6CA23DB325EFCEB372FB
CRC32: 71D1B58C
Version: 0.10.0.0

{8AD9C840-044E-11D1-B3E9-00805F499D93} ()
DPF name:
CLSID name:
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla

{A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object)
DPF name:
CLSID name: GDIChk Object
Path: C:\WINDOWS\Downloaded Program Files\
Long name: GDIChk.dll
Short name:
Date (created): 9/9/2004 2:17:40 PM
Date (last access): 2/26/2005 10:14:50 AM
Date (last write): 9/9/2004 2:17:40 PM
Filesize: 65272
Attributes: archive
MD5: 56AF5FF66A5F8F927411B59B66107C84
CRC32: 61E0CF2E
Version: 0.1.0.0

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash.ocx
Short name:
Date (created): 6/9/2004 2:59:26 PM
Date (last access): 2/26/2005 10:15:02 AM
Date (last write): 6/9/2004 2:59:26 PM
Filesize: 939224
Attributes: archive
MD5: FC3E17E12C2E31FAC34B416B3DAB829F
CRC32: D1CF3A57
Version: 0.7.0.0

{EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class)
DPF name:
CLSID name: QDiagHUpdateObj Class
Path: C:\WINDOWS\System32\
Long name: qdiagh.ocx
Short name:
Date (created): 7/30/2003 4:35:14 AM
Date (last access): 2/26/2005 7:13:24 AM
Date (last write): 7/30/2003 4:35:14 AM
Filesize: 696320
Attributes: archive
MD5: 524EC480162CE64A75F3197498874B19
CRC32: 2127A39D
Version: 0.1.0.0



--- Process list ---

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 112 (1884) C:\WINDOWS\sm56hlpr.exe
PID: 168 (1884) C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
PID: 180 (1884) C:\WINDOWS\System32\hphmon04.exe
PID: 192 (1884) C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
PID: 208 (1884) C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
PID: 224 (1884) C:\PROGRA~1\mcafee.com\agent\mcagent.exe
PID: 232 ( 208) c:\progra~1\mcafee.com\vso\mcvsescn.exe
PID: 244 (1884) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PID: 256 (1884) C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PID: 300 (1884) C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
PID: 308 (1884) C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
PID: 404 (1884) C:\Program Files\QuickTime\qttask.exe
PID: 412 (1884) C:\Program Files\iTunes\iTunesHelper.exe
PID: 456 (1884) C:\Program Files\TrojanHunter 4.2\THGuard.exe
PID: 512 (1884) C:\WINDOWS\System32\ctfmon.exe
PID: 524 (1884) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 560 ( 4) \SystemRoot\System32\smss.exe
PID: 624 ( 700) C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
PID: 632 ( 560) csrss.exe
PID: 656 ( 560) \??\C:\WINDOWS\system32\winlogon.exe
PID: 676 ( 700) alg.exe
PID: 700 ( 656) C:\WINDOWS\system32\services.exe
PID: 712 ( 656) C:\WINDOWS\system32\lsass.exe
PID: 828 ( 700) C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
PID: 864 ( 700) C:\WINDOWS\System32\Ati2evxx.exe
PID: 896 ( 700) C:\WINDOWS\system32\svchost.exe
PID: 984 ( 700) c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
PID: 1016 ( 700) C:\WINDOWS\System32\svchost.exe
PID: 1036 ( 700) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PID: 1196 ( 700) svchost.exe
PID: 1284 ( 700) svchost.exe
PID: 1472 ( 700) C:\WINDOWS\system32\spoolsv.exe
PID: 1524 ( 656) C:\WINDOWS\system32\rundll32.exe
PID: 1620 (3408) C:\WINDOWS\system32\NOTEPAD.EXE
PID: 1660 ( 700) locator.exe
PID: 1732 ( 700) C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PID: 1764 ( 700) C:\WINDOWS\System32\svchost.exe
PID: 1820 ( 700) wdfmgr.exe
PID: 1832 ( 656) C:\WINDOWS\system32\Ati2evxx.exe
PID: 1884 (1860) C:\WINDOWS\Explorer.EXE
PID: 1992 ( 300) C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
PID: 1996 (1884) C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
PID: 2004 (1884) C:\WINDOWS\Mixer.exe
PID: 2012 (1884) C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
PID: 2020 (1884) C:\Program Files\ViceVersa Pro\ViceVersa.exe
PID: 2036 (1884) C:\Program Files\SureSync\SPISched.exe
PID: 2052 ( 300) C:\Program Files\Netropa\Onscreen Display\OSD.exe
PID: 2072 ( 700) C:\WINDOWS\system32\svchost.exe
PID: 2132 ( 896) C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
PID: 2420 ( 700) C:\Program Files\iPod\bin\iPodService.exe
PID: 2508 ( 700) c:\PROGRA~1\mcafee.com\vso\mcshield.exe
PID: 2828 (2072) C:\WINDOWS\System32\wuauclt.exe
PID: 2892 (1884) C:\Program Files\Internet Explorer\iexplore.exe
PID: 3156 ( 656) C:\WINDOWS\System32\taskmgr.exe
PID: 3232 (3156) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 3692 (3408) C:\WINDOWS\system32\NOTEPAD.EXE
PID: 3956 (1884) C:\Program Files\Internet Explorer\iexplore.exe
Spybot - Search && Destroy process list report, 2/26/2005 10:16:56 AM


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 2/26/2005 10:16:56 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft...=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.microsoft...=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.rr.com/flash/index.cfm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://home.microsof...arch/search.asp
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsof...search.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft...=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.microsoft...=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.rr.com/flash/index.cfm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft...er=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://home.microsof...arch/search.asp
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchAssistant
http://ie.search.msn...st/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn...st/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn...st/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsof...search.asp?p=%s


--- Winsock Layered Service Provider list ---
Protocol 0: dolsp over [MSAFD Tcpip [RAW/IP]]
GUID: {4C1C5FEA-1C9E-46E5-BAA8-C705CE29C98D}
Filename: C:\WINDOWS\System32\dolsp.dll

Protocol 1: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 4: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2544B42A-44AB-457A-8F65-C98FE3DCC86D}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2544B42A-44AB-457A-8F65-C98FE3DCC86D}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{72C09BC3-1334-4FDD-B680-CF3CED86FFD8}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{72C09BC3-1334-4FDD-B680-CF3CED86FFD8}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1CD5D1EE-BDBC-49E7-82F0-72BC22948D24}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1CD5D1EE-BDBC-49E7-82F0-72BC22948D24}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5CF3500C-2687-468E-B673-881CB14833C3}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5CF3500C-2687-468E-B673-881CB14833C3}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{959943EC-F49D-4783-A716-16158809BE56}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{959943EC-F49D-4783-A716-16158809BE56}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{79B452CB-B7AF-4C23-A08B-0D30FB6564DC}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{79B452CB-B7AF-4C23-A08B-0D30FB6564DC}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AD22261A-22D1-471B-85D8-CD4A1C23FC7C}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AD22261A-22D1-471B-85D8-CD4A1C23FC7C}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EA4275DC-C389-4173-B034-EC032F768592}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EA4275DC-C389-4173-B034-EC032F768592}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D1F106B7-0BFE-4DD4-A46D-C9E0BD53209E}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D1F106B7-0BFE-4DD4-A46D-C9E0BD53209E}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E0BB2238-01BC-4F1F-9F53-34630D3B3932}] SEQPACKET 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E0BB2238-01BC-4F1F-9F53-34630D3B3932}] DATAGRAM 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 26: MSAFD NetBIOS [\Device\NetBT_Tcpip_{88002972-7BF2-4EC4-908C-650FBB8C076F}] SEQPACKET 10
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 27: MSAFD NetBIOS [\Device\NetBT_Tcpip_{88002972-7BF2-4EC4-908C-650FBB8C076F}] DATAGRAM 10
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 28: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EC170D68-DE2C-4289-A0EC-0234E1CEA001}] SEQPACKET 11
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 29: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EC170D68-DE2C-4289-A0EC-0234E1CEA001}] DATAGRAM 11
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 30: dolsp
GUID: {CD395805-A77B-401F-B1AC-A3A409EF16BB}
Filename: C:\WINDOWS\System32\dolsp.dll

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Thanks
  • 0

Advertisements

#2
SierraBear
Posted 27 February 2005 - 06:59 PM

SierraBear

    Member

  • Member
  • PipPip
  • 12 posts

Follow these steps carefully then run Highjackthis and post the new log only.

Step One: Scan for Spyware/Adware
Download
http://www.download....ubj=dl&tag=top5
Configure Adware this way...

1. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
2. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
3. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
4. Once the definitions have been updated:
5. Reconfigure Ad-Aware for Full Scan as per the following instructions:
* Launch the program, and click on the Gear at the top of the start screen.
* Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
o "Automatically save logfile"
o Automatically quarantine objects prior to removal"
o Safe Mode (always request confirmation)
o Prompt to update outdated confirmation) - Change to 7 days.
* Click the "Scanning" button (On the left side).
* Under Drives & Folders, select "Scan within Archives"
* Click "Click here to select Drives + folders" and select your installed hard drives.
* Under Memory & Registry, select all options.
* Click the "Advanced" button (On the left hand side).
* Under "Shell Integration", select "Move deleted files to Recycle Bin".
* Under "Log-file detail", select all options.
* Click on the "Defaults" button on the left.
* Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
* Click the "Tweak" button (Again, on the left hand side).
* Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
o "Unload recognized processes during scanning."
o "Obtain command line of scanned processes"
o "Scan registry for all users instead of current user only"
* Under "Cleaning Engine", select the following:
o "Automatically try to unregister objects prior to deletion."
o "During removal, unload explorer and IE if necessary"
o "Let Windows remove files in use at next reboot."
o "Delete quarrantined objects after restoring"
* Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
* Click on "Proceed" to save these Preferences.
* Click on the "Scan Now" button on the left.
* Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
6. Close all programs except ad-aware.
7. Click on "Next" in the bottom right corner to start the scan.
8. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
9. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

Install and run CW Shreddeer
http://www.majorgeek...wnload4086.html

Step Two: Viruses
Even if you do have antivirus software it can be compromised and corrupted by many forms of malware, so an online scan is a good idea.

Run the free online virus scan (tick the "Auto Clean" checkbox).
http://housecall.tre.../start_corp.asp

Step Three: Windows Updates
An unprotected, unpatched Windows XP installation will get infected within minutes of connecting to the Internet. Because of this, we'll require you to do install critical updates before providing assistance in our forums. If not, we're both just wasting our time.

SP2 NOTE: Windows XP Service Pack 2 (SP2) has terrific security features, and we highly recommend everyone install it, however it should not be installed until your system is free from malware. Installing SP2 with malware present can cause many compatibility problems, or even prevent your computer from restarting. If your system has a malware infection, or if you're unsure, use the SP1a download link above.

Step Four: Reboot - Test
The tools above will completely clear malware from the majority of systems. Test your system to see how it's working.

SierraBear
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP