desktop.exe and friends



#31
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Hey LE. I am out of town and just checking my messages. I will try to get back with you tonight. You're doing a great job. :tazz:
  • 0



#32
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. :tazz:

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
  • 0

#33
leftyelvis

    Member

  • Topic Starter
  • Member
  • 27 posts
Hey Coach, here you go.

L2Mfix 1.03

Running From:
C:\Documents and Settings\Lefty\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Lefty\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Lefty\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1088 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Desktop.ini sucessfully removed


Zipping up files for submission:
adding: echo.reg (deflated 8%)
adding: clear.reg (deflated 2%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 63%)
adding: lo2.txt (deflated 72%)
adding: test2.txt (stored 0%)
adding: test3.txt (stored 0%)
adding: test5.txt (stored 0%)
adding: test.txt (stored 0%)
adding: backregs/shell.reg (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 12:31:04 AM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Lefty\Application Data\Mozilla\Profiles\default\qk2es76k.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.dorneypar...sses/CFJava.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://noteshub.rose...a.us/iNotes.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefend...bitdefender.cab
O16 - DPF: {92C6F560-8F6D-11D9-9669-0800200C9A66} - http://fad-1112.nyc1...iewer_cia15.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...463/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com...irus/PitPav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08AE78C9-2E0D-4822-9237-C662654EBA3B}: NameServer = 151.197.0.38 151.197.0.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{08AE78C9-2E0D-4822-9237-C662654EBA3B}: NameServer = 151.197.0.38 151.197.0.39
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0
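The HijackThis log above is the artifact the helper keeps asking for, and reading one by eye is error-prone once it runs to a hundred lines. The following is an added example (not HijackThis code and not the poster's) that parses lines in the same R0/O4/O16/O17/O23 layout into records and attaches defender-side review hints; the sample lines, regular expressions and the flagging heuristics are the author's own constructions.

```python
"""Parse HijackThis-style log lines (the R0/O4/O16/O17/O23 layout posted
in this thread) into records and attach defender-side review hints.

Added example for this thread; it is not HijackThis code and not the
poster's. The sample lines, regexes and flagging heuristics are constructed.
"""
import re
from collections import Counter

# Constructed sample in the same layout as the logs posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Control) - http://example.invalid/ctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 192.0.2.1 192.0.2.2
O23 - Service: Example Monitor (ExMon) - Unknown owner - C:\Program Files\Example\exmon.exe (file missing)
O23 - Service: Example Service (ExSvc) - Example Corp - C:\Program Files\Example\exsvc.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<location>.*?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
O16_RE = re.compile(r"^DPF: (?P<label>.*) - (?P<url>\S+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")
O23_RE = re.compile(
    r"^Service: (?P<display>[^()]*?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.*?) - (?P<path>.*)$"
)


def parse_line(line):
    """Return a record dict for one log line, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    rec = {"section": section, "body": body}
    if section in ("R0", "R1", "R2", "R3") and " = " in body:
        key, value = body.split(" = ", 1)
        rec.update(key=key, value=value)
    elif section == "O4":
        m4 = O4_RE.match(body)
        if m4:
            rec.update(m4.groupdict())
    elif section == "O16":
        m16 = O16_RE.match(body)
        if m16:
            rec.update(m16.groupdict())
            clsid = CLSID_RE.search(m16.group("label"))
            rec["clsid"] = clsid.group(0) if clsid else None
    elif section == "O17":
        m17 = O17_RE.search(body)
        if m17:
            rec["servers"] = m17.group("servers").split()
    elif section == "O23":
        m23 = O23_RE.match(body)
        if m23:
            rec.update(m23.groupdict())
            rec["file_missing"] = rec["path"].endswith("(file missing)")
            if rec["file_missing"]:
                rec["path"] = rec["path"][: -len("(file missing)")].rstrip()
    return rec


def review_flags(rec):
    """Triage hints for one record: things a reviewer checks, not verdicts."""
    flags = []
    if rec["section"] == "O23" and rec.get("file_missing"):
        flags.append("service points at a missing binary")
    if rec["section"] == "O16":
        flags.append("downloaded ActiveX control; confirm the source is expected")
    if rec["section"] == "O17":
        flags.append("custom DNS servers; confirm they belong to the ISP")
    if rec["section"] == "R1" and "ProxyOverride" in rec.get("key", ""):
        flags.append("proxy override set; check which local proxy it serves")
    return flags


def summarize(log_text):
    """Parse a whole log: records, per-section counts and flagged entries."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    counts = Counter(r["section"] for r in records)
    flagged = [(r["section"], r["body"], f) for r in records for f in review_flags(r)]
    return {"records": records, "counts": dict(counts), "flagged": flagged}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["counts"])
    for section, body, reason in result["flagged"]:
        print(f"{section}: {reason}\n    {body}")
```

The flags are deliberately conservative: an O16 entry or a custom NameServer is not evidence of infection by itself, but each is something a reviewer should be able to attribute to a known install or ISP before moving on.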

#34
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
OK. Now, how is it running?
  • 0

#35
leftyelvis

    Member

  • Topic Starter
  • Member
  • 27 posts
The computer is still running OK, but the Panda scan is still a mess. The only popup I get is a Netflix one every now and then.

Here is the panda scan

thanks again,

Lefty

Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Lefty\Application Data\ssk?wrd.dll
Adware:Adware/SearchRelevancy No disinfected Windows Registry
Spyware:Spyware/Search3 No disinfected C:\WINDOWS\DOWNLO~1\search3.dll
Adware:Adware/SearchTheWeb No disinfected Windows Registry
Adware:Adware/QoolShown No disinfected C:\WINDOWS\system32\tyhetyt.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.bin
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.008
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\system32\dosync.dll
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\system32\docore.dll
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\system32\dolsp.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInst.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\ceres.inf
Adware:Adware/ISearch No disinfected C:\WINDOWS\delprot.ini
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MARKETING11.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MEDIAWHIZ5.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MEDIAWHIZ3.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\BM2.dll
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_MARKETING11.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_MEDIAWHIZ5.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_MEDIAWHIZ3.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_MEDIAWHIZ3.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_MARKETING11.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_MEDIAWHIZ5.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\installer_MEDIAWHIZ5.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\installer_MEDIAWHIZ5.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/FunWeb No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\backups\backup-20050326-214356-863.inf
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\backups\backup-20050328-131700-267.dll
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\UnInstaller.exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[ll32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[dlskcopy.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[dsskadp.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[sjimgvw.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[nwlanui.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[imrtprio.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[cgyptdlg.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[rdgwizc.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[sgnike.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[l04q0ah5ed4.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[insutil.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[nhevtmsg.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[kldycc.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[MZSCP.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[dcprop.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[aulddial.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[amptif.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[mdl_qic.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[uytheme.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[vswwdm32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[jt6007jme.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[mrjava.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[wyadss.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[l4p20e7oeh.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[ajsmsext.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[lvnq0955e.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[mirui.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[tipmib.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[kxdhu.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[iymontr.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[syhannel.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[kfdbu.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[fp8403lqe.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[aza6lgjs16o6.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[gp80l3lm1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[k2080cduef080.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[ir40l5hm1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[gprql3951.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[owbctrac.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[dnwsockx.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[enn4l15q1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[DISPYDLL.DLL]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[i060lajm1doa.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[gpnsl3571.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[h4n00e5meh.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[f4l00e3meh.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[enn2l15o1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[h0l2la3o1d.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[m682lglo16qc.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[hr4605hse.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[cZpicom.dll]
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Lefty\Application Data\Sskuknwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Lefty\Application Data\Sskcwrd.dll
  • 0
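Most of the Panda entries above point at members of l2mfix\backup.zip (the part of each path in square brackets is a file inside the archive), so the report looks far worse than the live file count. The following is an added example (not Panda's code and not the poster's) that parses lines in the posted "Incident Status Location" layout and separates registry hits, live files and archive members; the sample lines are constructed, and "No disinfected" is the only status value taken from the page.

```python
"""Parse Panda ActiveScan-style report lines ("Incident Status Location")
and separate live detections from entries that sit inside an archive.

Added example for this thread, not Panda's or the poster's code. The sample
lines are constructed; the status vocabulary is "No disinfected" (seen on the
page) plus a generic single-word fallback.
"""
import re
from collections import Counter

# Constructed sample mirroring the posted layout.
SAMPLE_REPORT = r"""
Incident Status Location

Adware:Adware/ExampleA No disinfected Windows Registry
Adware:Adware/ExampleA No disinfected C:\WINDOWS\system32\example.dll
Spyware:Spyware/ExampleB No disinfected C:\Documents and Settings\User\Application Data\exb.dll
Adware:Adware/ExampleC No disinfected C:\Documents and Settings\User\Desktop\tool\backup.zip[one.dll]
Adware:Adware/ExampleC No disinfected C:\Documents and Settings\User\Desktop\tool\backup.zip[two.dll]
"""

ROW_RE = re.compile(
    r"^(?P<category>[A-Za-z]+):(?P<name>\S+) (?P<status>No disinfected|\S+) (?P<location>.+)$"
)
# "archive.zip[member]" is how the report names a file inside an archive.
ARCHIVE_RE = re.compile(r"^(?P<archive>.+?\.(?:zip|cab))\[(?P<member>[^\]]+)\]$", re.IGNORECASE)


def classify(location):
    """Tell registry hits, archive members and live files apart."""
    if location == "Windows Registry":
        return {"kind": "registry"}
    m = ARCHIVE_RE.match(location)
    if m:
        return {"kind": "archive", "archive": m.group("archive"), "member": m.group("member")}
    return {"kind": "file"}


def parse_report(text):
    """Return one record per detection row; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec.update(classify(rec["location"]))
            records.append(rec)
    return records


def triage(records):
    """Bucket records by kind so the live-file count is visible at a glance."""
    buckets = {"registry": [], "file": [], "archive": []}
    for rec in records:
        buckets[rec["kind"]].append(rec)
    return buckets


def families(records, live_only=False):
    """Count detections per family, optionally ignoring archive members."""
    return Counter(r["name"] for r in records if not live_only or r["kind"] != "archive")


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    buckets = triage(recs)
    for kind, items in buckets.items():
        print(f"{kind}: {len(items)}")
    print("live families:", dict(families(recs, live_only=True)))
```

A file inside a zip does nothing until it is extracted, so the archive bucket is a "clean up or keep as evidence" decision rather than an active infection; the live-file and registry buckets are what still need attention.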

#36
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
OK. Just for grins. :tazz:

Download FindQoologic.zip and save it to your Desktop.
FindQoologic

Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder, preferably on your desktop.
Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens.
Post this in your next reply.
  • 0

#37
leftyelvis

    Member

  • Topic Starter
  • Member
  • 27 posts
That link didn't work; should I download it from any site?
  • 0

#38
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Try this:

http://forums.net-in...=post&id=134981
  • 0

#39
leftyelvis

    Member

  • Topic Starter
  • Member
  • 27 posts
When I run the program, I get a message from my Norton AntiVirus that a malicious script is being run. Should I ignore this message and let it run?
  • 0

#40
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Yes, please allow it.
  • 0



#41
leftyelvis

    Member

  • Topic Starter
  • Member
  • 27 posts
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINDOWS\JNHRJ.DLL
* urllogic C:\WINDOWS\HCEKHC.DLL
* qoologic C:\WINDOWS\JNHRJ.DLL
* qoologic C:\WINDOWS\HCEKHC.DLL

* ad-beh C:\WINDOWS\System32\TYHETYT.DLL
* ad-beh C:\WINDOWS\System32\ARPOA.DLL
  • 0

#42
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Is that the entire log? There should be some more info. :tazz:
  • 0

#43
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
* Download Killbox
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the following lines:


C:\WINDOWS\JNHRJ.DLL
C:\WINDOWS\HCEKHC.DLL
C:\WINDOWS\System32\TYHETYT.DLL
C:\WINDOWS\System32\ARPOA.DLL


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.

Paste the above into the "Full Path of File to Delete" field.
There's a little arrow (dropdown arrow) next to that field.
If you expand it, these lines must all be there together!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot. Click YES.
When it asks if you would like to reboot now, click YES.
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message, then just restart manually.

Your computer must reboot now.

When rebooted, post a new FindQoologic log with a new HijackThis log.
  • 0
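The "Delete on reboot" option above works through the PendingFileRenameOperations value the error message mentions: Windows keeps a REG_MULTI_SZ list of (source, destination) pairs under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the session manager applies them before anything else runs at the next boot, which is why a file that is locked or reloaded while the system is up can still be removed. The following is an added example (not Killbox's code and not from the thread) that interprets such a value and validates its shape; the sample value is constructed, and the live read is only attempted on Windows.

```python
r"""Interpret a PendingFileRenameOperations value, the mechanism behind
"delete on reboot".

Windows stores pending moves/deletes as a REG_MULTI_SZ list of
(source, destination) pairs under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. Paths are in NT form
("\??\C:\..."), an empty destination means delete, and a destination that
starts with '!' means replace an existing file.

Added example, not Killbox's code and not from the thread. The sample value
is constructed; the registry read only runs on Windows.
"""
import sys

NT_PREFIX = "\\??\\"

# Constructed sample of what winreg would return for the value:
# one delete-on-reboot and one replace-on-reboot move.
SAMPLE_VALUE = [
    "\\??\\C:\\WINDOWS\\example1.dll", "",
    "\\??\\C:\\Temp\\new.dll", "!\\??\\C:\\WINDOWS\\system32\\old.dll",
]


def _strip_nt(path):
    """Drop the \\??\\ prefix so paths read as ordinary Win32 paths."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def validate(value):
    """Return a list of shape problems; an empty list means well-formed."""
    problems = []
    if len(value) % 2 != 0:
        problems.append("odd number of strings: last source has no destination")
    for i in range(0, len(value) - 1, 2):
        if not value[i]:
            problems.append(f"entry {i // 2}: empty source path")
    return problems


def interpret_pending_ops(value):
    """Turn the flat string list into explicit delete/move operations."""
    ops = []
    for i in range(0, len(value) - 1, 2):
        source, dest = value[i], value[i + 1]
        if dest == "":
            ops.append({"op": "delete", "source": _strip_nt(source)})
        else:
            replace = dest.startswith("!")
            ops.append({
                "op": "move",
                "source": _strip_nt(source),
                "target": _strip_nt(dest[1:] if replace else dest),
                "replace": replace,
            })
    return ops


def read_pending_ops_windows():
    """Read and interpret the live value; returns [] off Windows or if unset."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _type = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    except FileNotFoundError:
        return []
    finally:
        winreg.CloseKey(key)
    return interpret_pending_ops(list(value))


if __name__ == "__main__":
    for problem in validate(SAMPLE_VALUE):
        print("problem:", problem)
    for op in interpret_pending_ops(SAMPLE_VALUE):
        print(op)
    for op in read_pending_ops_windows():
        print("live:", op)
```

Reading the value before rebooting is a cheap check that the paths you pasted into Killbox are actually queued, and that nothing else (an installer, or the "External Process" the error message refers to) has rewritten the list in the meantime.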

#44
leftyelvis

    Member

  • Topic Starter
  • Member
  • 27 posts
Hey Coach,

Here are the logs.

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


* ad-beh C:\WINDOWS\System32\BARXBAB.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
Adobe Gamma Loader.lnk.disabled

User Startup:
C:\Documents and Settings\Lefty\Start Menu\Programs\Startup
.
..
desktop.ini
HotSync Manager.lnk
Norton System Doctor.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fytsfy
<NO NAME> REG_SZ {0e066d04-eb11-4c59-a01b-c6fb1672aaff}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fytsfyfs
<NO NAME> REG_SZ {57dfcb7a-4501-4d92-b4c0-358ce5578ce7}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
<NO NAME> REG_SZ {E8ADA3E1-CE9B-44A0-A165-997304EF4E18}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 20:38
Operating System: Windows XP


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]


Logfile of HijackThis v1.99.1
Scan saved at 8:33:51 PM, on 4/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Lefty\Application Data\Mozilla\Profiles\default\qk2es76k.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.dorneypar...sses/CFJava.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://noteshub.rose...a.us/iNotes.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefend...bitdefender.cab
O16 - DPF: {92C6F560-8F6D-11D9-9669-0800200C9A66} - http://fad-1112.nyc1...iewer_cia15.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...463/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com...irus/PitPav.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks,

Lefty
  • 0
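The two listings above (the reg.exe dump of ContextMenuHandlers and the HijackThis O16 entries) are the parts of the post that a helper reads most carefully: every CLSID under ContextMenuHandlers is a DLL Explorer loads on each right-click, and an O16 entry with a bare CLSID and no description is an ActiveX control the system could not name. The script below is an added example, not part of this post and not code from L2Mfix or HijackThis. It parses both formats from constructed sample text in the same shape as the listings (the URLs and the shortened dump are made up for the example, not copied from the truncated lines above) and reports entries for review: handler names that are not on a hand-made allow-list, and O16 controls without a description. The allow-list is an assumption for illustration; on a real machine build it from a known-clean install of the same OS rather than trusting this one, and resolve each flagged CLSID to its InprocServer32 DLL before deciding anything.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
HANDLER_KEY = "HKEY_CLASSES_ROOT\\*\\shellex\\ContextMenuHandlers\\"
O16_PREFIX = "O16 - DPF: "

# Assumed allow-list for this example only: handler names one expects on a clean XP box
# with the tools seen in the log. Build your own baseline from a known-clean image.
KNOWN_HANDLERS = {
    "Offline Files", "Open With", "Open With EncryptionMenu", "Start Menu Pin",
    "WinZip", "Symantec.Norton.Antivirus.IEContextMenu", "TDS-3",
}

# Constructed reg.exe 3.0 output, abridged to four handlers in the same shape as the post.
REG_DUMP = r"""
! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fytsfy
<NO NAME> REG_SZ {0e066d04-eb11-4c59-a01b-c6fb1672aaff}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
"""

# Constructed HijackThis O16 lines; hosts are placeholders, not the real download sites.
HJT_LINES = """\
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall.example.invalid/xscan60.cab
O16 - DPF: {92C6F560-8F6D-11D9-9669-0800200C9A66} - http://fad-1112.example.invalid/viewer_cia15.cab
O16 - DPF: Yahoo! Poker - http://download.games.example.invalid/pt1_x.cab
"""


@dataclass
class Handler:
    name: str    # subkey name, or the default value when the subkey itself is a CLSID
    clsid: str   # COM class Explorer loads for the context menu


@dataclass
class Dpf:
    clsid: Optional[str]
    description: Optional[str]
    url: str


def parse_context_menu_handlers(reg_dump: str) -> list[Handler]:
    """Pair each ContextMenuHandlers subkey line with its '<NO NAME> REG_SZ' value line."""
    handlers: list[Handler] = []
    current = None
    for raw in reg_dump.splitlines():
        line = raw.strip()
        if line.startswith(HANDLER_KEY):
            current = line[len(HANDLER_KEY):]
        elif line.startswith("<NO NAME>") and current is not None:
            value = line.split("REG_SZ", 1)[1].strip()
            if GUID_RE.match(current):       # subkey is the CLSID, value is the label
                handlers.append(Handler(value, current))
            else:                            # subkey is the label, value is the CLSID
                handlers.append(Handler(current, value))
            current = None
    return handlers


def parse_o16(hjt_log: str) -> list[Dpf]:
    """Split 'O16 - DPF: [{CLSID}] [(Name)] - URL' into its parts; description may be absent."""
    entries: list[Dpf] = []
    for raw in hjt_log.splitlines():
        if not raw.startswith(O16_PREFIX):
            continue
        head, _, url = raw[len(O16_PREFIX):].rpartition(" - ")
        clsid, desc = None, head.strip()
        if desc.startswith("{"):
            clsid, _, desc = desc.partition(" ")
        desc = desc.strip().strip("()").strip() or None
        entries.append(Dpf(clsid, desc, url.strip()))
    return entries


def triage(reg_dump: str, hjt_log: str) -> list[str]:
    """Return review items: unknown context-menu handlers and O16 controls with no name."""
    findings = []
    for h in parse_context_menu_handlers(reg_dump):
        if h.name not in KNOWN_HANDLERS:
            findings.append(f"review ContextMenuHandler '{h.name}' -> {h.clsid}")
    for d in parse_o16(hjt_log):
        if d.description is None:
            findings.append(f"review O16 {d.clsid} with no description -> {d.url}")
    return findings


if __name__ == "__main__":
    for item in triage(REG_DUMP, HJT_LINES):
        print(item)
```

Run against a full reg.exe dump and HijackThis log saved to disk by reading the files into the two functions; the output is a list of items to look at, not a verdict, which is why the helper above still checks each CLSID by hand before putting it in a fix.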

#45
coachwife6 (SuperStar)
  • Retired Staff
  • 11,413 posts
* Run HijackThis. Click on "Config...", "Misc Tools", "Open process manager". Select the following files and click on "Kill process". Answer Yes to the "Are you sure..." question.
o desktop.exe
o edmond.exe
o ffisearch.exe

* Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg on your Desktop.

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_CLASSES_ROOT\CLSID\{950238fb-c706-4791-8674-4d429f85897e}]

[-HKEY_CLASSES_ROOT\mfiltis]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop search]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffis]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\legacy_delprot]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\delprot]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000000

[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDevMgrUpdate"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoUpdateCheck"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]
"DisableWindowsUpdateAccess"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000


Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
Restart your computer.

* Launch Notepad, and copy/paste the box below into a new text file. Save it as Unreg.bat on your Desktop.


regsvr32 /u C:\Windows\isrvs\msfiltis.dll
regsvr32 /u C:\Windows\isrvs\msdbhk.dll
regsvr32 /u C:\Windows\isrvs\sysupd.dll

Locate Unreg.bat on your Desktop and double-click on it.

* Delete the following files/folders (if present) in C:\Windows or C:\Windows\System32
o delprot.ini
o delprot.log
o desktop.exe
o isrvs (delete the entire folder)



* Delete the following file: C:\Windows\System32\Drivers\Delprot.sys

* Delete the following files/folder (if present) in C:\Documents and Settings\<your user name>\Desktop
o anal exploits.url
o big [bleep] school for 2.95.url
o evidence eraser.lnk
o popup blocker stops popups.lnk
o spyware avenger.lnk
o virus hunter security.lnk
o your platinum visa.lnk


Run Hijack This and put a check mark next to this one.

O16 - DPF: {92C6F560-8F6D-11D9-9669-0800200C9A66} - http://fad-1112.nyc1...iewer_cia15.cab

Reboot.


* Post a new log from HijackThis.
:tazz:
  • 0
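A .reg fix like the one in the post above is applied blind: regedit merges it top to bottom and reports only "merged successfully". Before double-clicking one, it is worth listing what it will actually do. The script below is an added example, not part of coachwife6's post: a dry-run parser for REGEDIT4 / "Windows Registry Editor Version 5.00" files that turns each line into a delete-key or set-value action, decodes dword data, refuses a file with no header (regedit would too), and flags a value line that sits directly under a [-key] delete header, because such a value has no key to attach to and is a mistake in the file. The sample fragment inside is constructed for the example in the same shape as a cleanup fix; it is not the full fix above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')

# Constructed REGEDIT4 fragment for the example: two deletes, a few dword sets, and one
# value placed under a delete header on purpose so the linter has something to flag.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffis]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDevMgrUpdate"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000
"""


@dataclass
class Action:
    kind: str                      # "delete_key", "set_value" or "orphan_value"
    key: str
    name: Optional[str] = None     # value name; "@" for the key's default value
    data: object = None


def decode_data(raw: str) -> object:
    """Decode the right-hand side of a value line into a Python value."""
    raw = raw.strip()
    if raw == "-":                               # "name"=- deletes the value
        return None
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw                                   # hex:, hex(2): ... left as written


def plan(reg_text: str) -> list[Action]:
    """Walk the file in regedit order and list the actions it would perform."""
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Version 5.00 header; regedit will refuse the file")
    actions: list[Action] = []
    key, deleting = None, False
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            deleting = body.startswith("-")
            key = body[1:] if deleting else body
            if deleting:
                actions.append(Action("delete_key", key))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparseable line: {raw!r}")
        name = "@" if m["default"] else m["name"]
        kind = "orphan_value" if deleting else "set_value"
        actions.append(Action(kind, key, name, decode_data(m["data"])))
    return actions


def orphans(reg_text: str) -> list[Action]:
    """Values written under a [-key] header: they will not be applied, fix the file first."""
    return [a for a in plan(reg_text) if a.kind == "orphan_value"]


if __name__ == "__main__":
    for a in plan(SAMPLE_REG):
        print(f"{a.kind:13} {a.key}" + (f"  {a.name} = {a.data!r}" if a.name else ""))
```

Read a fix file with open(path, encoding="utf-16") for Version 5.00 files (regedit writes those as UTF-16) and plain text for REGEDIT4 ones, then review the delete_key lines first: those are the irreversible part, and a delete of a whole Policies key takes every policy under it with it, not only the ones the malware set.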