Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Manifest files? [resolved]

Started by chuckygeorge , Dec 27 2004 02:02 PM

  • Please log in to reply

#1
chuckygeorge
Posted 27 December 2004 - 02:02 PM

chuckygeorge

    IT Professional

  • Member
  • PipPip
  • 13 posts
After doing some cleaning up of and runnning a few utilities suggested in here, I have come across something I am unfamiliar with, manifest files.

I know there is some more cleaning to be done, not sure where to start.

Below is a copy of logs from findit.bat and hijackthis:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\cabbott.SEPHORAUS\My

Documents\SoftLib\Anti-spyware\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2CCF-502D

Directory of C:\WINDOWS\System32

12/27/2004 11:50 AM 223,232 l06olaj31do.dll
12/27/2004 10:40 AM 223,232 nxtlogon.dll
12/27/2004 10:02 AM 223,232 j86m0ij1e8o.dll
12/12/2004 08:42 AM <DIR> dllcache
11/30/2004 05:56 PM <DIR> Microsoft
3 File(s) 669,696 bytes
2 Dir(s) 7,121,711,104 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 2CCF-502D

Directory of C:\WINDOWS\System32

12/12/2004 08:42 AM <DIR> dllcache
11/30/2004 09:09 AM 488 logonui.exe.manifest
11/30/2004 09:09 AM 488 WindowsLogon.manifest
11/30/2004 09:09 AM 749 nwc.cpl.manifest
11/30/2004 09:09 AM 749 sapi.cpl.manifest
11/30/2004 09:09 AM 749 ncpa.cpl.manifest
11/30/2004 09:09 AM 749 wuaucpl.cpl.manifest
11/30/2004 09:09 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 7,121,711,104 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 2CCF-502D

Directory of C:\WINDOWS\System32

12/27/2004 01:16 PM 224,126 guard.tmp
1 File(s) 224,126 bytes
0 Dir(s) 7,121,711,104 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 2CCF-502D

Directory of C:\WINDOWS\System32

12/27/2004 01:16 PM 224,126 guard.tmp
08/23/2001 07:00 AM 2,577 CONFIG.TMP
2 File(s) 226,703 bytes
0 Dir(s) 7,121,707,008 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User

Agent\Post Platform]
"{E5452334-F9EA-4199-9C89-0B89D8F45364}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K
j86m0i~1.dll Mon Dec 27 2004 10:02:40a ..S.R 223,232 218.00 K
l06ola~1.dll Mon Dec 27 2004 11:50:14a ..S.R 223,232 218.00 K
logonu~1.man Tue Nov 30 2004 9:09:54a A..HR 488 0.48 K
ncpacp~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K
nwccpl~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K
nxtlogon.dll Mon Dec 27 2004 10:40:56a ..S.R 223,232 218.00 K
sapicp~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K
window~1.man Tue Nov 30 2004 9:09:54a A..HR 488 0.48 K
wuaucp~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K

10 items found: 10 files, 0 directories.
Total of file sizes: 674,417 bytes 658.61 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PCTVOICE"="pctspk.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Logitech Utility"="Logi_MwX.Exe"
"AdaptecDirectCD"="C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\cwbsvstr.exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\"

LOGIN"
"Client Access Express Welcome"="\"C:\\Program Files\\IBM\\Client Access\\cwbwlwiz.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Hijack this logs:



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\cabbott.SEPHORAUS\My

Documents\SoftLib\Anti-spyware\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2CCF-502D

Directory of C:\WINDOWS\System32

12/27/2004 11:50 AM 223,232 l06olaj31do.dll
12/27/2004 10:40 AM 223,232 nxtlogon.dll
12/27/2004 10:02 AM 223,232 j86m0ij1e8o.dll
12/12/2004 08:42 AM <DIR> dllcache
11/30/2004 05:56 PM <DIR> Microsoft
3 File(s) 669,696 bytes
2 Dir(s) 7,121,711,104 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 2CCF-502D

Directory of C:\WINDOWS\System32

12/12/2004 08:42 AM <DIR> dllcache
11/30/2004 09:09 AM 488 logonui.exe.manifest
11/30/2004 09:09 AM 488 WindowsLogon.manifest
11/30/2004 09:09 AM 749 nwc.cpl.manifest
11/30/2004 09:09 AM 749 sapi.cpl.manifest
11/30/2004 09:09 AM 749 ncpa.cpl.manifest
11/30/2004 09:09 AM 749 wuaucpl.cpl.manifest
11/30/2004 09:09 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 7,121,711,104 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 2CCF-502D

Directory of C:\WINDOWS\System32

12/27/2004 01:16 PM 224,126 guard.tmp
1 File(s) 224,126 bytes
0 Dir(s) 7,121,711,104 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 2CCF-502D

Directory of C:\WINDOWS\System32

12/27/2004 01:16 PM 224,126 guard.tmp
08/23/2001 07:00 AM 2,577 CONFIG.TMP
2 File(s) 226,703 bytes
0 Dir(s) 7,121,707,008 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User

Agent\Post Platform]
"{E5452334-F9EA-4199-9C89-0B89D8F45364}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K
j86m0i~1.dll Mon Dec 27 2004 10:02:40a ..S.R 223,232 218.00 K
l06ola~1.dll Mon Dec 27 2004 11:50:14a ..S.R 223,232 218.00 K
logonu~1.man Tue Nov 30 2004 9:09:54a A..HR 488 0.48 K
ncpacp~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K
nwccpl~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K
nxtlogon.dll Mon Dec 27 2004 10:40:56a ..S.R 223,232 218.00 K
sapicp~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K
window~1.man Tue Nov 30 2004 9:09:54a A..HR 488 0.48 K
wuaucp~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K

10 items found: 10 files, 0 directories.
Total of file sizes: 674,417 bytes 658.61 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PCTVOICE"="pctspk.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Logitech Utility"="Logi_MwX.Exe"
"AdaptecDirectCD"="C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\cwbsvstr.exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\"

LOGIN"
"Client Access Express Welcome"="\"C:\\Program Files\\IBM\\Client Access\\cwbwlwiz.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Any help or feedback would be appreciated!
~Casey
  • 0

Advertisements

#2
-=jonnyrotten=-
Posted 27 December 2004 - 02:08 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Please scan with Hijack This and post that log too :tazz:

-=jonnyrotten=- ;)
  • 0

#3
chuckygeorge
Posted 27 December 2004 - 02:22 PM

chuckygeorge

    IT Professional

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

Please scan with Hijack This and post that log too :tazz:

-=jonnyrotten=- ;)

View Post



Here you go:

Logfile of HijackThis v1.98.2
Scan saved at 2:53:35 PM, on 12/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\UTLite33.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\cabbott.SEPHORAUS\My Documents\SoftLib\Anti-spyware\hijackthis\updatehijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.00.0000.1180\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.00.0000.1180\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Myst IV - Revelation\support\register\na\RegistrationReminder.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0000.1180\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...llInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101838169618
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...12/QDow_AS2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sephoraus.com
O17 - HKLM\Software\..\Telephony: DomainName = sephoraus.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sephoraus.com
  • 0

#4
-=jonnyrotten=-
Posted 27 December 2004 - 02:29 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\XXXXX.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\l06olaj31do.dll
    • C:\WINDOWS\System32\nxtlogon.dll
    • C:\WINDOWS\System32\j86m0ij1e8o.dll
    • C:\WINDOWS\System32\guard.tmp
    • C:\WINDOWS\System32\
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • You may get this message>>>"Pending File Rename Operations Registry Data has been Removed by External Process!" This is okay, you will just have to manually restart your pc.
Copy and paste the quoted text below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\XXXXX]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


Reboot.
[*]Double-click on find.bat and post the new output.txt.

-=jonnyrotten=- :tazz:
  • 0

#5
chuckygeorge
Posted 27 December 2004 - 04:07 PM

chuckygeorge

    IT Professional

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Alrighty, this is what I come up with. Still seeing the manifest files.. any idea what is generating these? Does look like we scrubbed out those odd dll files though....:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\cabbott.SEPHORAUS\My Documents\SoftLib\Anti-spyware\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2CCF-502D

Directory of C:\WINDOWS\System32

12/12/2004 08:42 AM <DIR> dllcache
11/30/2004 05:56 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 7,117,135,872 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 2CCF-502D

Directory of C:\WINDOWS\System32

12/12/2004 08:42 AM <DIR> dllcache
11/30/2004 09:09 AM 488 logonui.exe.manifest
11/30/2004 09:09 AM 488 WindowsLogon.manifest
11/30/2004 09:09 AM 749 nwc.cpl.manifest
11/30/2004 09:09 AM 749 sapi.cpl.manifest
11/30/2004 09:09 AM 749 ncpa.cpl.manifest
11/30/2004 09:09 AM 749 wuaucpl.cpl.manifest
11/30/2004 09:09 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 7,117,135,872 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 2CCF-502D

Directory of C:\WINDOWS\System32

12/27/2004 04:32 PM 56 Guard.tmp
1 File(s) 56 bytes
0 Dir(s) 7,117,135,872 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 2CCF-502D

Directory of C:\WINDOWS\System32

12/27/2004 04:32 PM 56 Guard.tmp
08/23/2001 07:00 AM 2,577 CONFIG.TMP
2 File(s) 2,633 bytes
0 Dir(s) 7,117,131,776 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E5452334-F9EA-4199-9C89-0B89D8F45364}"=""
"SV1"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K
logonu~1.man Tue Nov 30 2004 9:09:54a A..HR 488 0.48 K
ncpacp~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K
nwccpl~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K
sapicp~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K
window~1.man Tue Nov 30 2004 9:09:54a A..HR 488 0.48 K
wuaucp~1.man Tue Nov 30 2004 9:09:40a A..HR 749 0.73 K

7 items found: 7 files, 0 directories.
Total of file sizes: 4,721 bytes 4.61 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PCTVOICE"="pctspk.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Logitech Utility"="Logi_MwX.Exe"
"AdaptecDirectCD"="C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\cwbsvstr.exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
"Client Access Express Welcome"="\"C:\\Program Files\\IBM\\Client Access\\cwbwlwiz.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




~Casey
  • 0

#6
-=jonnyrotten=-
Posted 27 December 2004 - 04:47 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
  • Download VX2Finder.
  • Double-click on VX2Finder.exe.
  • Click "Restore Policy".
  • In the File menu click "Exit".
  • Double-click on KillBox.exe.
  • In the File menu click "Delete all Dummy files".
  • In the Tools menu click "Delete Temp Files".
  • Choose "Standard File Kill" if not already selected.
  • Paste these files one by one into the top "Full Path of File to Delete" box.
    • C:\RECYCLER\desktop.ini
    • C:\WINDOWS\System32\drivers\etc\HOSTS
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Confirm Delete prompt.
  • It should give you a successful "File was deleted" prompt for each one.
Reboot and post new Hijack This log. We're getting close now ;)

-=jonnyrotten=- :tazz:
  • 0

#7
chuckygeorge
Posted 27 December 2004 - 06:13 PM

chuckygeorge

    IT Professional

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Looking sweet!

Logfile of HijackThis v1.98.0
Scan saved at 7:10:57 PM, on 12/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Programa Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\cabbott.SEPHORAUS\My Documents\SoftLib\Anti-spyware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.00.0000.1180\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.00.0000.1180\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Myst IV - Revelation\support\register\na\RegistrationReminder.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0000.1180\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...llInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101838169618
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...12/QDow_AS2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sephoraus.com
O17 - HKLM\Software\..\Telephony: DomainName = sephoraus.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sephoraus.com
  • 0

#8
-=jonnyrotten=-
Posted 27 December 2004 - 11:58 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Nice! You look pretty clean, just a couple removals.

You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...12/QDow_AS2.cab

Reboot normally and post new log. Is sephoraus.com your domain?

-=jonnyrotten=- :tazz:
  • 0

#9
chuckygeorge
Posted 28 December 2004 - 06:19 AM

chuckygeorge

    IT Professional

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Yes, sephoraus.com is my domain.

I'm pretty impressed, not sure the last time I was this clean. I sure do see a difference in how quickly my browser is launching.

There is still a line in the log referencing Quicktime, looks to be the update installer? If we take this out, will I have to update QT myself, or is it going to render it inoperatable?

Logfile of HijackThis v1.98.0
Scan saved at 7:14:40 AM, on 12/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\UTLite33.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.00.0000.1180\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.00.0000.1180\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Myst IV - Revelation\support\register\na\RegistrationReminder.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0000.1180\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...llInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101838169618
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sephoraus.com
O17 - HKLM\Software\..\Telephony: DomainName = sephoraus.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sephoraus.com
  • 0

#10
Metallica
Posted 28 December 2004 - 07:12 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
About Manifest files. I hope this is not too technical:
http://java.sun.com/...s/manifest.html
http://msdn.microsof...stallations.asp

Regards,

Pieter
  • 0

Advertisements

#11
chuckygeorge
Posted 28 December 2004 - 07:37 AM

chuckygeorge

    IT Professional

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Thanks Pieter... good information. I guess the question is then, how did I come up with those if I am not doing any kind of dev work?

BTW... are you in Germany? What part?
  • 0

#12
Metallica
Posted 28 December 2004 - 08:59 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts

Thanks Pieter... good information.  I guess the question is then, how did I come up with those if I am not doing any kind of dev work?

BTW... are you in Germany?  What part?

View Post


The Netherlands, not Germany. :tazz:

To be honest, I have no idea where they come from, but it is not unusual to have them. Since we use FindIt to track the VX2 files I have seen a lot of them.
Maybe somebody else knows.

Regards,

Pieter

Edited by Metallica, 28 December 2004 - 08:59 AM.

  • 0

#13
-=jonnyrotten=-
Posted 28 December 2004 - 12:35 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Yes you can take it out, but you will have to update it manually. Also you can remove these for a small performance boost.

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe<<<<automatic java updater
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Myst IV - Revelation\support\register\na\RegistrationReminder.exe<<<<<exactly as it says "registration reminder for Myst"

Also if it were me I would uninstall yahoo and msn toolbars from add/remove programs in control panel and just use the google toolbar.

-=jonnyrotten=- :tazz:
  • 0

#14
chuckygeorge
Posted 28 December 2004 - 04:18 PM

chuckygeorge

    IT Professional

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

Yes you can take it out, but you will have to update it manually.  Also you can remove these for a small performance boost.

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe<<<<automatic java updater
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Myst IV - Revelation\support\register\na\RegistrationReminder.exe<<<<<exactly as it says "registration reminder for Myst" 

Also if it were me I would uninstall yahoo and msn toolbars from add/remove programs in control panel and just use the google toolbar.

-=jonnyrotten=- :tazz:

View Post



Yeah... I was considering the move on the toolbars. I like to check them out for funtionality, and as expected, Google it fine, I get enough info on MSN and Yahoo from the IM clients.

Java, I need that updating on it's own. Myst, [bleep], I paid for the game, might as well as register it :-) QT... .that stuff is just [bleep] irritating, but necessary when surfing ;-) Update, I can do manually.

Everything else seems to be good.

Thanks for all of your help... very insightful. You collection of folks seem pretty knowledgable. Even for one that is a sys admin, you can never know everything. This whole new battery of ad/spy ware crap is polluting not only my laptop, but my domain as well! I am looking into an enterprise solution in Pest Patrol, do you all have in thoughts/opinions/experience on this product, or would you make a different suggestion?

~Casey
  • 0

#15
-=jonnyrotten=-
Posted 28 December 2004 - 04:22 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Well I have heard that if you have all the pc's set up the same or groups of pc's that are set up the same you can use a disk imaging program like Norton Ghost to just reimage the pc everytime it is infected. Just set up one just how you want the others to be and make an image. Do this for all the groups or your one group. Or you could use AdAware, Spybot Search and Destroy, Spyware Blaster, AdSpy, and Firefox all together to keep your pc's clean. Of course this has to be mixed with "Safe Browsing Habits".

-=jonnyrotten=- :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP