desktop.exe and friends
#31
Posted 24 April 2005 - 07:30 AM
#32
Posted 24 April 2005 - 09:25 PM
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
#33
Posted 24 April 2005 - 10:34 PM
L2Mfix 1.03
Running From:
C:\Documents and Settings\Lefty\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Lefty\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\Lefty\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1088 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: echo.reg (deflated 8%)
adding: clear.reg (deflated 2%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 63%)
adding: lo2.txt (deflated 72%)
adding: test2.txt (stored 0%)
adding: test3.txt (stored 0%)
adding: test5.txt (stored 0%)
adding: test.txt (stored 0%)
adding: backregs/shell.reg (deflated 74%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
The following are the files found:
****************************************************************************
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 12:31:04 AM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Lefty\Application Data\Mozilla\Profiles\default\qk2es76k.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.dorneypar...sses/CFJava.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://noteshub.rose...a.us/iNotes.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefend...bitdefender.cab
O16 - DPF: {92C6F560-8F6D-11D9-9669-0800200C9A66} - http://fad-1112.nyc1...iewer_cia15.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...463/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com...irus/PitPav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08AE78C9-2E0D-4822-9237-C662654EBA3B}: NameServer = 151.197.0.38 151.197.0.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{08AE78C9-2E0D-4822-9237-C662654EBA3B}: NameServer = 151.197.0.38 151.197.0.39
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
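The l2mfix log above works on HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: it temporarily denies Administrators the right to create subkeys there, reboots, and then exports the key. On Windows XP/2003 any DLL registered under a subkey of that key is a Winlogon notification package that winlogon.exe loads at logon, which is why that key is worth locking while cleaning and worth auditing afterwards. The following PowerShell check is an added example, not part of the thread and not l2mfix's or RegDACL's code; the function name Get-WinlogonNotifyDll is my own. It lists every registered notification DLL, resolves bare file names against System32 the way the loader does, and reports whether the file exists and whether it carries a valid Authenticode signature. (Vista and later no longer load packages from this key, so on those systems an entry here is a leftover rather than an active persistence point.)

```powershell
# Added example (not from the thread): audit Winlogon notification package registrations.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyDll {
    Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
        if ([string]::IsNullOrEmpty($dll)) { return }   # subkey with no DllName is inert

        # A bare name (e.g. "crypt32.dll") is resolved from %SystemRoot%\System32 by the loader.
        $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll }
                else { Join-Path $env:SystemRoot "System32\$dll" }
        $path = [Environment]::ExpandEnvironmentVariables($path)

        $exists = Test-Path -LiteralPath $path
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }

        [pscustomobject]@{
            Subkey    = $_.PSChildName
            DllName   = $dll
            Path      = $path
            Exists    = $exists
            Signature = $sig        # Valid / NotSigned / HashMismatch / FileMissing ...
        }
    }
}

# Anything that is not 'Valid' deserves a second look; the random names adware uses
# (see the l2mfix backup.zip listing in the Panda scan) will normally show NotSigned.
Get-WinlogonNotifyDll | Sort-Object Signature | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; reading the key does not need elevation, but Get-AuthenticodeSignature needs read access to every DLL it checks. A Valid signature from a vendor you recognise is the expected state for the few legitimate packages (crypt32, sclgntfy, ScCertProp and similar on XP); NotSigned or FileMissing on a subkey with a meaningless name is the pattern l2mfix was written to remove.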
#34
Posted 25 April 2005 - 02:24 AM
#35
Posted 25 April 2005 - 06:43 PM
Here is the Panda scan.
thanks again,
Lefty
Incident Status Location
Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Lefty\Application Data\ssk?wrd.dll
Adware:Adware/SearchRelevancy No disinfected Windows Registry
Spyware:Spyware/Search3 No disinfected C:\WINDOWS\DOWNLO~1\search3.dll
Adware:Adware/SearchTheWeb No disinfected Windows Registry
Adware:Adware/QoolShown No disinfected C:\WINDOWS\system32\tyhetyt.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.bin
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.008
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\system32\dosync.dll
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\system32\docore.dll
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\system32\dolsp.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInst.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\ceres.inf
Adware:Adware/ISearch No disinfected C:\WINDOWS\delprot.ini
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MARKETING11.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MEDIAWHIZ5.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MEDIAWHIZ3.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\BM2.dll
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_MARKETING11.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_MEDIAWHIZ5.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_MEDIAWHIZ3.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_MEDIAWHIZ3.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_MARKETING11.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_MEDIAWHIZ5.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\installer_MEDIAWHIZ5.exe
Adware:Adware/Funcade No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\installer_MEDIAWHIZ5.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/FunWeb No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\backups\backup-20050326-214356-863.inf
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\backups\backup-20050328-131700-267.dll
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\UnInstaller.exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[ll32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[dlskcopy.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[dsskadp.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[sjimgvw.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[nwlanui.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[imrtprio.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[cgyptdlg.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[rdgwizc.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[sgnike.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[l04q0ah5ed4.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[insutil.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[nhevtmsg.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[kldycc.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[MZSCP.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[dcprop.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[aulddial.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[amptif.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[mdl_qic.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[uytheme.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[vswwdm32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[jt6007jme.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[mrjava.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[wyadss.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[l4p20e7oeh.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[ajsmsext.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[lvnq0955e.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[mirui.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[tipmib.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[kxdhu.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[iymontr.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[syhannel.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[kfdbu.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[fp8403lqe.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[aza6lgjs16o6.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[gp80l3lm1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[k2080cduef080.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[ir40l5hm1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[gprql3951.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[owbctrac.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[dnwsockx.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[enn4l15q1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[DISPYDLL.DLL]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[i060lajm1doa.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[gpnsl3571.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[h4n00e5meh.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[f4l00e3meh.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[enn2l15o1.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[h0l2la3o1d.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[m682lglo16qc.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[hr4605hse.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\l2mfix\backup.zip[cZpicom.dll]
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Lefty\Application Data\Sskuknwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Lefty\Application Data\Sskcwrd.dll
#36
Posted 25 April 2005 - 08:46 PM
Download FindQoologic.zip and save it to your Desktop.
FindQoologic
Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder, preferably on your desktop.
Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens.
Post this in your next reply.
#37
Posted 25 April 2005 - 09:24 PM
#38
Posted 25 April 2005 - 09:27 PM
#39
Posted 25 April 2005 - 09:54 PM
#40
Posted 26 April 2005 - 03:55 AM
#41
Posted 26 April 2005 - 11:37 PM
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* urllogic C:\WINDOWS\JNHRJ.DLL
* urllogic C:\WINDOWS\HCEKHC.DLL
* qoologic C:\WINDOWS\JNHRJ.DLL
* qoologic C:\WINDOWS\HCEKHC.DLL
* ad-beh C:\WINDOWS\System32\TYHETYT.DLL
* ad-beh C:\WINDOWS\System32\ARPOA.DLL
#42
Posted 27 April 2005 - 02:59 AM
#43
Posted 27 April 2005 - 03:08 AM
Click killbox.exe.
Select the option "Delete on reboot".
Now copy the next bold:
C:\WINDOWS\JNHRJ.DLL
C:\WINDOWS\HCEKHC.DLL
C:\WINDOWS\System32\TYHETYT.DLL
C:\WINDOWS\System32\ARPOA.DLL
Open 'File' in the Killbox menu at the top and choose Paste from clipboard.
Paste the above into the "Full Path of File to Delete" field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together!
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot. Click YES.
When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your computer must reboot now.
When rebooted, post a new findqoologiclog with a new hijackthislog.
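Killbox's "Delete on reboot" option queues the files in the PendingFileRenameOperations value (REG_MULTI_SZ) under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; the session manager processes that list early in the next boot, before the DLLs can be loaded again, and a pair whose second string is empty means "delete". That is also the value the "PendingFileRenameOperations Registry Data has been Removed by External Process!" message refers to. The script below is an added example, not part of the thread and not Killbox's code (the function name Get-PendingFileOperation is my own): it decodes the queue so you can confirm, before rebooting, that exactly the four files from this post are scheduled and nothing else was added.

```powershell
# Added example (not from the thread): decode the delete-on-reboot queue Killbox writes.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-PendingFileOperation {
    $ops = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return }   # value is absent once processed, or if something cleared it

    # Entries come in pairs: source, destination. Empty destination = delete at boot.
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $src = $ops[$i] -replace '^\\\?\?\\', ''                       # strip NT "\??\" prefix
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] } else { '' }
        [pscustomobject]@{
            Action       = if ($dst -eq '') { 'Delete' } else { 'Rename' }
            Source       = $src
            Target       = ($dst -replace '^!?\\\?\?\\', '')          # "!" = replace existing
            SourceExists = Test-Path -LiteralPath $src
        }
    }
}

# The files the helper asked to be removed in this post; used only to cross-check the queue.
$expected = @(
    'C:\WINDOWS\JNHRJ.DLL',
    'C:\WINDOWS\HCEKHC.DLL',
    'C:\WINDOWS\System32\TYHETYT.DLL',
    'C:\WINDOWS\System32\ARPOA.DLL'
)

$queued = @(Get-PendingFileOperation)
$queued | Format-Table -AutoSize

foreach ($f in $expected) {
    $hit = $queued | Where-Object { $_.Action -eq 'Delete' -and $_.Source -eq $f }
    if ($hit) { "queued  : $f" } else { "MISSING : $f" }
}
# Any Delete row whose Source is not in $expected was queued by something else and
# should be understood before you reboot.
```

If the value is missing right after Killbox reported success, that matches the "Removed by External Process" situation the post describes: another program cleared the list, so the deletions will not happen and the files have to be scheduled again (or removed from Safe Mode). Reading the value needs no elevation; clearing or editing it does, and is best left to the tool that queued it.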
#44
Posted 28 April 2005 - 06:42 PM
Here are the logs.
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* ad-beh C:\WINDOWS\System32\BARXBAB.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
Adobe Gamma Loader.lnk.disabled
User Startup:
C:\Documents and Settings\Lefty\Start Menu\Programs\Startup
.
..
desktop.ini
HotSync Manager.lnk
Norton System Doctor.lnk
»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fytsfy
<NO NAME> REG_SZ {0e066d04-eb11-4c59-a01b-c6fb1672aaff}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fytsfyfs
<NO NAME> REG_SZ {57dfcb7a-4501-4d92-b4c0-358ce5578ce7}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
<NO NAME> REG_SZ {E8ADA3E1-CE9B-44A0-A165-997304EF4E18}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"Find activesetup", version1, launched at: 20:38
Operating System: Windows XP
HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
Logfile of HijackThis v1.99.1
Scan saved at 8:33:51 PM, on 4/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Lefty\My Documents\spywear adwear tools\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Lefty\Application Data\Mozilla\Profiles\default\qk2es76k.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.dorneypar...sses/CFJava.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://noteshub.rose...a.us/iNotes.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefend...bitdefender.cab
O16 - DPF: {92C6F560-8F6D-11D9-9669-0800200C9A66} - http://fad-1112.nyc1...iewer_cia15.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...463/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com...irus/PitPav.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks,
Lefty
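As an added example, not part of either poster's text and not code from HijackThis itself: a small Python triage script that parses log lines of the kind shown in the log above (O4 autoruns, O16 ActiveX downloads, O23 services) and pulls out the entries a helper on this board tends to look at first. The sample lines are constructed for the demo (the all-zero CLSID and the example.invalid URLs are placeholders), and the three heuristics it applies are my assumptions, not HijackThis rules.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the shape of a HijackThis log (not the log posted in this
# thread). The zero CLSID and example.invalid URLs are placeholders.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [desktop search] C:\\WINDOWS\\desktop.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://example.invalid/viewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://example.invalid/AvSniff.cab
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\\PROGRA~1\\NORTON~1\\SPEEDD~1\\nopdb.exe
"""

# Line shapes of the three sections this script looks at.
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<ident>.+?) - (?P<url>\S+)$")
SVC_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))?"
    r" - (?P<vendor>.+?) - (?P<path>.+)$"
)
# First executable in a Run command line, quoted or not, arguments stripped.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|scr|bat|cmd|com))"?(?:\s|$)', re.IGNORECASE)
# A DPF identifier: a CLSID optionally followed by its registered description.
CLSID_RE = re.compile(r"^(?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<desc>[^)]*)\))?$")

# Heuristic (my assumption, not a HijackThis rule): an autorun binary dropped
# straight into the Windows directory root, rather than System32 or Program
# Files, deserves a look.
WINDIR_ROOTS = {"c:\\windows", "c:\\winnt"}


@dataclass
class Finding:
    section: str   # HijackThis section prefix, e.g. "O23"
    line: str      # the raw log line
    reason: str    # why a reviewer should look at it


def triage(log_text: str) -> list[Finding]:
    """Return the log lines a reviewer should examine first, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            if exe and ntpath.dirname(exe["exe"]).lower() in WINDIR_ROOTS:
                findings.append(Finding("O4", line,
                    "autorun launches a binary sitting directly in the Windows directory"))
            continue
        m = DPF_RE.match(line)
        if m:
            c = CLSID_RE.match(m["ident"])
            if c and not c["desc"]:
                findings.append(Finding("O16", line,
                    "ActiveX download registered without a description; check the CLSID"))
            continue
        m = SVC_RE.match(line)
        if m and m["path"].endswith("(file missing)"):
            findings.append(Finding("O23", line,
                "service registration points at a binary that is no longer on disk"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; everything it does not flag still needs a human eye, the point is only to put the orphaned service, the unnamed download and the odd autorun at the top of the list.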
#45
Posted 29 April 2005 - 08:09 PM
o desktop.exe
o edmond.exe
o ffisearch.exe
* Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg on your Desktop.
REGEDIT4
[-HKEY_CLASSES_ROOT\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]
[-HKEY_CLASSES_ROOT\CLSID\{950238fb-c706-4791-8674-4d429f85897e}]
[-HKEY_CLASSES_ROOT\mfiltis]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop search]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffis]
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\legacy_delprot]
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\delprot]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000000
[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDevMgrUpdate"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoUpdateCheck"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]
"DisableWindowsUpdateAccess"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
Restart your computer.
* Launch Notepad, and copy/paste the box below into a new text file. Save it as Unreg.bat and save it on your Desktop.
regsvr32 /u C:\Windows\isrvs\msfiltis.dll
regsvr32 /u C:\Windows\isrvs\msdbhk.dll
regsvr32 /u C:\Windows\isrvs\sysupd.dll
Locate Unreg.bat on your Desktop and double-click on it.
* Delete the following files/folders (if present) in C:\Windows or C:\Windows\System32
o delprot.ini
o delprot.log
o desktop.exe
o isrvs (delete the entire folder)
* Delete the following file: C:\Windows\System32\Drivers\Delprot.sys
* Delete the following files/folder (if present) in C:\Documents and Settings\<your user name>\Desktop
o anal exploits.url
o big [bleep] school for 2.95.url
o evidence eraser.lnk
o popup blocker stops popups.lnk
o spyware avenger.lnk
o virus hunter security.lnk
o your platinum visa.lnk
Run Hijack This and put a check mark next to this one.
O16 - DPF: {92C6F560-8F6D-11D9-9669-0800200C9A66} - http://fad-1112.nyc1...iewer_cia15.cab
Reboot.
* Post a new log from HijackThis.
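Added example, not from the post above: before double-clicking a .reg file that someone sent you, it is worth previewing what merging it will do. This Python script parses the REGEDIT4 layout used in the fix (key-deletion sections written as `[-KEY]`, value lines such as `"NoWindowsUpdate"=dword:00000000`), lists the keys it deletes and the values it writes, and warns about two things: a value placed under a deletion section, which regedit will not write because the key is gone, and any of the update-blocking policy values named in the fix being set to something other than zero. The sample .reg is constructed for the demo (its last value is deliberately wrong); the policy value names are the ones from the fix above.

```python
import re
from dataclasses import dataclass, field

# Constructed .reg in the REGEDIT4 layout used by the fix above. The last value
# is deliberately wrong (a nonzero NoAutoUpdate) so the preview has something
# to warn about; the NoDevMgrUpdate line sits under a deletion section on purpose.
SAMPLE_REG = """\
REGEDIT4

[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\desktop search]

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoWindowsUpdate"=dword:00000000

[-HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDevMgrUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU]
"NoAutoUpdate"=dword:00000001
"""

HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}
SECTION_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9A-Fa-f]{8})$")

# Policy values the fix above resets to zero; nonzero means updates stay blocked.
UPDATE_BLOCKING = {"nowindowsupdate", "disablewindowsupdateaccess",
                   "noautoupdate", "noupdatecheck", "nodevmgrupdate"}


@dataclass
class RegPlan:
    deleted_keys: list[str] = field(default_factory=list)
    set_values: list[tuple[str, str, str]] = field(default_factory=list)  # (key, name, data)
    warnings: list[str] = field(default_factory=list)


def parse_reg(text: str) -> RegPlan:
    """Dry-run a .reg file: what it deletes, what it writes, what looks wrong."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / Registry Editor header")
    plan = RegPlan()
    key, deleting = None, False
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            key, deleting = m["key"], bool(m["delete"])
            if deleting:
                plan.deleted_keys.append(key)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            plan.warnings.append(f"unparsed line: {line}")
            continue
        name, data = m["name"], m["data"]
        if deleting:
            # regedit removes the whole key here; values listed under it are not written
            plan.warnings.append(f"{name} is listed under deleted key {key} and will not be written")
            continue
        plan.set_values.append((key, name, data))
        d = DWORD_RE.match(data)
        if d and name.lower() in UPDATE_BLOCKING and int(d["hex"], 16) != 0:
            plan.warnings.append(f"{key}\\{name} = {data} would leave Windows Update blocked")
    return plan


if __name__ == "__main__":
    plan = parse_reg(SAMPLE_REG)
    print("Keys deleted:")
    for k in plan.deleted_keys:
        print("  ", k)
    print("Values written:")
    for k, n, v in plan.set_values:
        print(f"   {k}\\{n} = {v}")
    print("Warnings:")
    for w in plan.warnings:
        print("  ", w)
```

To preview a real file, call `parse_reg(open("fixme.reg").read())` and read the warnings before merging; a fix like the one above should produce none except, as happens with the NoDevMgrUpdate line in it, a note that a value under a deletion section has no effect.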