
spyware'd *cries* hijackthis log [RESOLVED]


  • This topic is locked

#1 dr_pyser (Member, 16 posts)

Hi all. I got spyware'd (again). I've run Microsoft AntiSpyware beta and Spybot S&D, and I'm still infected. Here's my HijackThis log; any help at all would be eternally appreciated. :)

Logfile of HijackThis v1.99.1
Scan saved at 11:56:29 AM, on 2/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\LTMSG.exe
D:\Program Files\ClamWin\bin\ClamTray.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\windows\system32\mdms.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\tool2.exe
C:\stub_113_4_0_4_0.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\rundll32.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\DOCUME~1\Pyser\LOCALS~1\Temp\Rar$EX00.281\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ClamWin] "D:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SysMemory manager] d:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [bxproxy] D:\WINDOWS\bxproxy.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [bxproxy] D:\WINDOWS\bxproxy.exe
O4 - HKCU\..\Run: [pro] D:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [miuw] C:\stub_113_4_0_4_0.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132291094218
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C515D26-EEEF-49B3-A08B-7FF5CBDC3111}: NameServer = 203.134.64.66 203.134.65.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C515D26-EEEF-49B3-A08B-7FF5CBDC3111}: NameServer = 203.134.64.66 203.134.65.66
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: BITS - D:\WINDOWS\system32\cyprops.dll
O20 - Winlogon Notify: Hints - D:\WINDOWS\system32\f0l0la3m1d.dll
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - D:\WINDOWS\system32\pkjdejlc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
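A log like the one above is read by eye on the forum, but the same first pass can be scripted. The Python below is an added example written for this thread; it is not HijackThis code and is not from the original post. It parses the R0, F2, O4, O20 and O21 line formats that appear in the log and flags the patterns a removal helper looks at first: a start or local page that points at a local file, an extra executable chained onto Shell=, Run entries launched from a drive root or the Windows directory itself, Winlogon Notify packages outside the stock Windows XP set, and any Shell Service Object Delay Load entry. The allowlist of stock notification DLLs (the same set that shows up as bare file names in the L2MFix dump later in the thread) and the launch-directory rule are assumptions of this example, not rules stated in the thread; the sample log is a constructed subset of the one posted above.

```python
"""Rule-based triage of a HijackThis 1.99 log.

Added example for this thread; it is not HijackThis code and not from the
original post. It reads the R0, F2, O4, O20 and O21 line formats shown in
the log above and flags: a start/local page that is a local file, an extra
executable chained onto Shell=, Run entries launched from a drive root or
the Windows directory itself, Winlogon Notify packages outside the stock
Windows XP set, and any SSODL entry. The allowlist and the location rule
are assumptions of this example, not rules stated in the thread.
"""
import ntpath
import re

# Stock Windows XP notification packages (assumption: the XP SP2 default set).
DEFAULT_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                       "sclgntfy.dll", "wlnotify.dll"}

R_RE = re.compile(r"^(R[0-3]) - (.+?) = (.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(.+?)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def _first_path(value: str) -> str:
    """Executable or DLL path from a value such as '"C:\\x y\\a.exe" --flag'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def _odd_launch_dir(path: str) -> bool:
    """True for a drive root (C:\\x.exe) or the Windows directory itself."""
    parent = ntpath.dirname(path).lower()
    return bool(re.fullmatch(r"[a-z]:\\?", parent)
                or re.fullmatch(r"[a-z]:\\windows\\?", parent))


def triage(log_text: str) -> list:
    """One finding dict (section, path, reason) per suspicious line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R_RE.match(line):
            if re.match(r"^(?:file://)?[a-z]:\\", m.group(3), re.I):
                findings.append({"section": m.group(1), "path": m.group(3),
                                 "reason": "browser start/local page is a local file"})
        elif m := F2_RE.match(line):
            shell = m.group(1).strip()
            if shell.lower() != "explorer.exe":
                rest = shell[len("explorer.exe"):] if shell.lower().startswith("explorer.exe") else shell
                findings.append({"section": "F2", "path": _first_path(rest),
                                 "reason": "extra executable chained onto Shell="})
        elif m := O4_RE.match(line):
            target = _first_path(m.group(3))
            if _odd_launch_dir(target):
                findings.append({"section": "O4", "path": target,
                                 "reason": f"Run entry [{m.group(2)}] launches from {ntpath.dirname(target)}"})
        elif m := O20_RE.match(line):
            dll = m.group(2).replace("(file missing)", "").strip()
            if ntpath.basename(dll).lower() not in DEFAULT_NOTIFY_DLLS:
                findings.append({"section": "O20", "path": dll,
                                 "reason": f"Notify package '{m.group(1)}' is not a stock XP notification DLL"})
        elif m := O21_RE.match(line):
            findings.append({"section": "O21", "path": m.group(3),
                             "reason": f"SSODL {m.group(2)} loads a DLL into Explorer at logon"})
    return findings


# Constructed sample: a subset of the log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [ClamWin] "D:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SysMemory manager] d:\windows\system32\mdms.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [pro] D:\WINDOWS\tool2.exe
O20 - Winlogon Notify: BITS - D:\WINDOWS\system32\cyprops.dll
O20 - Winlogon Notify: Hints - D:\WINDOWS\system32\f0l0la3m1d.dll
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - D:\WINDOWS\system32\pkjdejlc.dll
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['reason']}: {f['path']}")
```

The location rule deliberately does not flag mdms.exe, which sits in system32 and needs the file itself (or the Notify and SSODL DLLs it keeps company with) to judge; a triage script narrows the list, it does not replace the helper reading it. The O21 rule fires on every SSODL entry because HijackThis only lists ones it does not recognise, so each is worth a look.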


#2 Armodeluxe (Retired Staff, 2,744 posts)

Hi dr pyser,

1) You are running HijackThis from a temporary file, but HijackThis should be in a permanent folder to save its backups in case we need to undo any changes. Please delete the one you currently have.
  • Download HijackThis again by clicking here, but don't hit "Open"; hit "Save as". Then navigate to your desktop, and hit "Save". After downloading, minimize all windows until you're on your desktop.
  • Now double-click on the zip file containing the HijackThis.exe file. Select HijackThis.exe and hit the combination "Ctrl + C".
  • Minimize the zip folder, and go to My Computer. Double-click on C:\.
  • In the menu bar you'll find "File". Click it, then choose "New", and then "Folder".
  • Call this folder HijackThis. Double-click to open this new folder.
  • Now use the combination "Ctrl + V" to paste HijackThis.exe into this folder. Now double-click on the HijackThis.exe in the folder you've just created and please post a new log.
2) You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe, C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose Close to terminate the application.", then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

#3 dr_pyser (Topic Starter, Member, 16 posts)

Hi there Armodeluxe. Thank you very very much for your help. I'm taking a long time to reply to your posts because it's pretty nasty removing this infection; I basically have to do everything via my laptop, because the desktop is crashing all the time. Anyway, here are my HijackThis and L2MFix logs:

Logfile of HijackThis v1.99.1
Scan saved at 7:57:53 PM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\LTMSG.exe
D:\Program Files\ClamWin\bin\ClamTray.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\windows\system32\mdms.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\tool2.exe
C:\winstall.exe
D:\PROGRA~1\COMMON~1\wuim\wuimm.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\PROGRA~1\COMMON~1\wuim\wuima.exe
D:\WINDOWS\explorer.exe
D:\Program Files\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ClamWin] "D:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SysMemory manager] d:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [bxproxy] D:\WINDOWS\bxproxy.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [bxproxy] D:\WINDOWS\bxproxy.exe
O4 - HKCU\..\Run: [pro] D:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wuim] D:\PROGRA~1\COMMON~1\wuim\wuimm.exe
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132291094218
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - D:\WINDOWS\system32\q8nu0i59e8.dll
O20 - Winlogon Notify: msctl32.dll - D:\WINDOWS\system32\msctl32.dll
O20 - Winlogon Notify: Setup - D:\WINDOWS\system32\cyprops.dll (file missing)
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - D:\WINDOWS\system32\pkjdejlc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

and the l2mfix log:

L2MFIX find log 120305

These are the registry keys present

**********************************************************************************

Winlogon/notify:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\q8nu0i59e8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll]
"DllName"="D:\\WINDOWS\\system32\\msctl32.dll"
"Startup"="Startup"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\cyprops.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************

useragent:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{90E3E535-BAC1-7178-08C9-6FAAA5D07B08}"=""

**********************************************************************************

Shell Extension key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
@=""
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}"="PhotoToys"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"
"{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}"="FTP Explorer Shell Extension"
"{7638D521-E136-45C6-9756-1226AAD6D972}"=""
"{5E2121EE-0300-11D4-8D3B-444553540000}"="st"
"{E298F8ED-5422-4DCB-A68B-A464AFF074B5}"=""

**********************************************************************************

HKEY ROOT CLASSIDS:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7638D521-E136-45C6-9756-1226AAD6D972}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7638D521-E136-45C6-9756-1226AAD6D972}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7638D521-E136-45C6-9756-1226AAD6D972}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7638D521-E136-45C6-9756-1226AAD6D972}\InprocServer32]
@="D:\\WINDOWS\\system32\\wwcsvc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E298F8ED-5422-4DCB-A68B-A464AFF074B5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E298F8ED-5422-4DCB-A68B-A464AFF074B5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E298F8ED-5422-4DCB-A68B-A464AFF074B5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E298F8ED-5422-4DCB-A68B-A464AFF074B5}\InprocServer32]
@="D:\\WINDOWS\\system32\\mfvcp60.dll"
"ThreadingModel"="Apartment"

**********************************************************************************

Files Found are not all bad files:



D:\WINDOWS\SYSTEM32\

afcups.dll Fri 2 Dec 2005 12:20:34 ..S.R 234,272 228.78 K

bassmod.dll Fri 18 Nov 2005 17:28:04 A.... 15,360 15.00 K

cdosys.dll Sat 10 Sep 2005 12:53:42 A.... 2,067,968 1.97 M

cgpesnpn.dll Fri 2 Dec 2005 12:00:36 ..S.R 234,272 228.78 K

csrds.dll Wed 7 Dec 2005 21:08:58 ..S.R 236,234 230.70 K

ctadmin.dll Sat 3 Dec 2005 11:05:56 ..S.R 234,272 228.78 K

davxde~1.dll Fri 2 Dec 2005 11:03:36 ..S.R 234,272 228.78 K

dfshim.dll Fri 23 Sep 2005 7:28:38 A.... 83,456 81.50 K

dmvxde~1.dll Fri 2 Dec 2005 11:54:32 ..S.R 234,272 228.78 K

dnquery.dll Tue 6 Dec 2005 20:59:18 ..S.R 235,276 229.76 K

dycpsapi.dll Fri 2 Dec 2005 12:14:32 ..S.R 234,272 228.78 K

dz32gt.dll Sun 4 Dec 2005 12:05:44 ..S.R 234,933 229.43 K

dzserver.dll Wed 7 Dec 2005 20:49:32 ..S.R 235,276 229.76 K

e2202c~1.dll Fri 2 Dec 2005 11:06:40 ..S.R 0 0.00 K

en68l1~1.dll Wed 7 Dec 2005 21:08:58 ..S.R 234,178 228.69 K

f0l0la~1.dll Fri 2 Dec 2005 11:46:36 ..S.R 235,749 230.22 K

fpr203~1.dll Sat 3 Dec 2005 10:46:08 ..S.R 235,756 230.23 K

fvlemgmt.dll Sat 3 Dec 2005 10:53:38 ..S.R 234,272 228.78 K

gdi32.dll Thu 6 Oct 2005 14:09:36 A.... 280,064 273.50 K

gpj6l3~1.dll Sun 4 Dec 2005 11:15:30 ..S.R 235,885 230.36 K

gpj8l3~1.dll Tue 6 Dec 2005 20:59:18 ..S.R 237,089 231.53 K

hrj205~1.dll Sat 3 Dec 2005 10:36:14 ..S.R 234,487 228.99 K

icfosoft.dll Fri 2 Dec 2005 12:15:36 ..S.R 234,272 228.78 K

igxsap.dll Fri 2 Dec 2005 12:22:34 ..S.R 234,272 228.78 K

iiitpki.dll Fri 2 Dec 2005 11:55:32 ..S.R 234,272 228.78 K

ikxrtmgr.dll Fri 2 Dec 2005 11:04:38 ..S.R 234,272 228.78 K

ioked.dll Sat 3 Dec 2005 10:47:22 ..S.R 234,272 228.78 K

iossvcs.dll Fri 2 Dec 2005 12:08:34 ..S.R 234,272 228.78 K

ipssdo.dll Wed 7 Dec 2005 20:43:30 ..S.R 235,276 229.76 K

joaw400.dll Fri 2 Dec 2005 10:58:24 ..S.R 234,272 228.78 K

l46ole~1.dll Wed 7 Dec 2005 20:43:30 ..S.R 236,640 231.09 K

llbmpe~1.dll Fri 2 Dec 2005 12:09:34 ..S.R 234,272 228.78 K

maise.dll Sun 4 Dec 2005 11:41:24 ..S.R 234,272 228.78 K

mal_mtf.dll Fri 2 Dec 2005 11:56:34 ..S.R 234,272 228.78 K

mc43dmod.dll Tue 6 Dec 2005 20:54:30 ..S.R 235,276 229.76 K

mdsign32.dll Sat 3 Dec 2005 11:02:10 ..S.R 234,272 228.78 K

mfvcp60.dll Thu 8 Dec 2005 19:43:40 ..S.R 236,234 230.70 K

mhvcp50.dll Fri 2 Dec 2005 12:10:34 ..S.R 234,272 228.78 K

mqhtmler.dll Fri 2 Dec 2005 12:03:34 ..S.R 234,272 228.78 K

msc42enu.dll Fri 2 Dec 2005 12:23:30 ..S.R 234,272 228.78 K

mscoree.dll Fri 23 Sep 2005 7:28:52 A.... 270,848 264.50 K

mscorier.dll Fri 23 Sep 2005 7:28:52 A.... 150,016 146.50 K

mscories.dll Fri 23 Sep 2005 7:28:52 A.... 74,240 72.50 K

msctl32.dll Wed 7 Dec 2005 21:19:52 A.... 41,472 40.50 K

mshtml.dll Tue 4 Oct 2005 17:26:00 A.... 3,015,168 2.88 M

mv6ul9~1.dll Wed 7 Dec 2005 20:49:32 ..S.R 237,245 231.68 K

my3216.dll Fri 2 Dec 2005 12:16:36 ..S.R 234,272 228.78 K

myv1_0.dll Sun 4 Dec 2005 11:15:30 ..S.R 234,272 228.78 K

mywmdm.dll Fri 2 Dec 2005 12:17:30 ..S.R 234,272 228.78 K

n2p40c~1.dll Wed 7 Dec 2005 22:16:54 ..S.R 236,234 230.70 K

npmarta.dll Sat 3 Dec 2005 10:36:14 ..S.R 234,272 228.78 K

nv4_disp.dll Fri 4 Nov 2005 18:03:00 A.... 3,924,096 3.74 M

nvapi.dll Fri 4 Nov 2005 18:03:00 A.... 86,016 84.00 K

nvcod.dll Fri 4 Nov 2005 18:03:00 A.... 35,328 34.50 K

nvcodins.dll Fri 4 Nov 2005 18:03:00 A.... 35,328 34.50 K

nvcpl.dll Fri 4 Nov 2005 18:03:00 A.... 7,307,264 6.97 M

nvhwvid.dll Fri 4 Nov 2005 18:03:00 A.... 573,440 560.00 K

nview.dll Fri 4 Nov 2005 18:03:00 A.... 1,466,368 1.40 M

nvmccs.dll Fri 4 Nov 2005 18:03:00 A.... 229,376 224.00 K

nvmccsrs.dll Fri 4 Nov 2005 18:03:00 A.... 45,056 44.00 K

nvmctray.dll Fri 4 Nov 2005 18:03:00 A.... 86,016 84.00 K

nvnt4cpl.dll Fri 4 Nov 2005 18:03:00 A.... 286,720 280.00 K

nvoglnt.dll Fri 4 Nov 2005 18:03:00 A.... 5,394,432 5.14 M

nvshell.dll Fri 4 Nov 2005 18:03:00 A.... 466,944 456.00 K

nvwddi.dll Fri 4 Nov 2005 18:03:00 A.... 81,920 80.00 K

nvwdmcpl.dll Fri 4 Nov 2005 18:03:00 A.... 1,662,976 1.59 M

nvwimg.dll Fri 4 Nov 2005 18:03:00 A.... 1,019,904 996.00 K

nwhtml.dll Fri 2 Dec 2005 11:57:34 ..S.R 234,272 228.78 K

nwtui0.dll Fri 2 Dec 2005 12:24:34 ..S.R 234,272 228.78 K

o4840e~1.dll Tue 6 Dec 2005 20:54:30 ..S.R 235,760 230.23 K

oneacc.dll Fri 2 Dec 2005 12:04:34 ..S.R 234,272 228.78 K

p2r4lc~1.dll Sun 4 Dec 2005 10:57:40 ..S.R 235,764 230.24 K

pbotot~1.dll Fri 2 Dec 2005 11:00:40 ..S.R 234,272 228.78 K

pkjdejlc.dll Fri 2 Dec 2005 10:40:52 A.... 40,960 40.00 K

pqp.dll Fri 2 Dec 2005 11:51:18 ..S.R 234,272 228.78 K

q286lc~1.dll Sat 3 Dec 2005 10:53:40 ..S.R 234,272 228.78 K

q8nu0i~1.dll Wed 7 Dec 2005 20:56:14 ..S.R 236,234 230.70 K

qbsf.dll Fri 2 Dec 2005 12:11:32 ..S.R 234,272 228.78 K

ricns4.dll Fri 2 Dec 2005 12:25:32 ..S.R 234,272 228.78 K

rpcxss.dll Fri 2 Dec 2005 10:34:48 A.... 24,576 24.00 K

rssppp.dll Fri 2 Dec 2005 12:18:32 ..S.R 234,272 228.78 K

rsutils.dll Fri 2 Dec 2005 11:58:34 ..S.R 234,272 228.78 K

rtlcpapi.dll Fri 16 Sep 2005 14:14:36 A.... 157,184 153.50 K

shell32.dll Fri 23 Sep 2005 14:05:30 A.... 8,450,560 8.06 M

sirenacm.dll Wed 12 Oct 2005 17:11:06 A.... 118,784 116.00 K

soell32.dll Fri 2 Dec 2005 12:13:34 ..S.R 234,272 228.78 K

sroolss.dll Fri 2 Dec 2005 12:05:34 ..S.R 234,272 228.78 K

tubyuv.dll Sun 4 Dec 2005 10:57:42 ..S.R 234,272 228.78 K

tupmonui.dll Fri 2 Dec 2005 11:01:38 ..S.R 234,272 228.78 K

ucrv80a.dll Fri 2 Dec 2005 12:26:32 ..S.R 234,272 228.78 K

umnp.dll Fri 2 Dec 2005 12:19:32 ..S.R 234,272 228.78 K

uuib.dll Fri 2 Dec 2005 12:12:36 ..S.R 234,272 228.78 K

uvimdmat.dll Fri 2 Dec 2005 11:52:36 ..S.R 234,272 228.78 K

vfmdbg.dll Fri 2 Dec 2005 11:08:18 ..S.R 234,272 228.78 K

vmipxspx.dll Fri 2 Dec 2005 11:59:32 ..S.R 234,272 228.78 K

winacpi.dll Thu 8 Dec 2005 19:43:52 A.... 55,861 54.55 K

wwcsvc.dll Sat 3 Dec 2005 11:37:54 ..S.R 235,049 229.54 K

xgob2res.dll Fri 2 Dec 2005 11:02:38 ..S.R 234,272 228.78 K

xknroll.dll Fri 2 Dec 2005 11:53:28 ..S.R 234,272 228.78 K

zlbw.dll Fri 2 Dec 2005 10:41:18 A.... 46,592 45.50 K



100 items found: 100 files (68 H/S), 0 directories.

Total of file sizes: 53,319,652 bytes 50.85 M

Locate .tmp files:



No matches found.

**********************************************************************************

Directory Listing of system files:

Volume in drive D is Hyperion

Volume Serial Number is 7C5D-F271



Directory of D:\WINDOWS\System32



08/12/2005 07:43 PM 236,234 mfvcp60.dll

07/12/2005 10:16 PM 236,234 n2p40c7qef.dll

07/12/2005 09:08 PM 236,234 cSrds.dll

07/12/2005 09:08 PM 234,178 en68l1ju1.dll

07/12/2005 08:56 PM 236,234 q8nu0i59e8.dll

07/12/2005 08:49 PM 235,276 dzserver.dll

07/12/2005 08:49 PM 237,245 mv6ul9j91.dll

07/12/2005 08:43 PM 235,276 iPssdo.dll

07/12/2005 08:43 PM 236,640 l46olej31ho.dll

06/12/2005 08:59 PM 235,276 dnquery.dll

06/12/2005 08:59 PM 237,089 gpj8l31u1.dll

06/12/2005 08:54 PM 235,276 mc43dmod.dll

06/12/2005 08:54 PM 235,760 o4840elqehqe0.dll

04/12/2005 12:05 PM 234,933 dz32gt.dll

04/12/2005 11:41 AM 234,272 maise.dll

04/12/2005 11:15 AM 234,272 myv1_0.dll

04/12/2005 11:15 AM 235,885 gpj6l31s1.dll

04/12/2005 10:57 AM 234,272 tubyuv.dll

04/12/2005 10:57 AM 235,764 p2r4lc9q1f.dll

03/12/2005 11:37 AM 235,049 wwcsvc.dll

03/12/2005 11:05 AM 234,272 ctadmin.dll

03/12/2005 11:02 AM 234,272 mdsign32.dll

03/12/2005 10:53 AM 234,272 q286lcls1fq6.dll

03/12/2005 10:53 AM 234,272 fvlemgmt.dll

03/12/2005 10:47 AM 234,272 IOKED.DLL

03/12/2005 10:46 AM 235,756 fpr2039oe.dll

03/12/2005 10:36 AM 234,272 npmarta.dll

03/12/2005 10:36 AM 234,487 hrj2051oe.dll

02/12/2005 12:26 PM 234,272 ucrv80a.dll

02/12/2005 12:25 PM 234,272 ricns4.dll

02/12/2005 12:24 PM 234,272 nwtui0.dll

02/12/2005 12:23 PM 234,272 MSC42ENU.DLL

02/12/2005 12:22 PM 234,272 igxsap.dll

02/12/2005 12:20 PM 234,272 afcups.dll

02/12/2005 12:19 PM 234,272 umnp.dll

02/12/2005 12:18 PM 234,272 rSsppp.dll

02/12/2005 12:17 PM 234,272 MYWMDM.dll

02/12/2005 12:16 PM 234,272 my3216.dll

02/12/2005 12:15 PM 234,272 icfosoft.dll

02/12/2005 12:14 PM 234,272 dycpsapi.dll

02/12/2005 12:13 PM 234,272 soell32.dll

02/12/2005 12:12 PM 234,272 uuib.dll

02/12/2005 12:11 PM 234,272 qBsf.dll

02/12/2005 12:10 PM 234,272 mhvcp50.dll

02/12/2005 12:09 PM 234,272 llbmpeg2_ff.dll

02/12/2005 12:08 PM 234,272 iOssvcs.dll

02/12/2005 12:05 PM 234,272 sroolss.dll

02/12/2005 12:04 PM 234,272 oneacc.dll

02/12/2005 12:03 PM 234,272 mqhtmler.dll

02/12/2005 12:00 PM 234,272 cGpesnpn.dll

02/12/2005 11:59 AM 234,272 vmipxspx.dll

02/12/2005 11:58 AM 234,272 rsutils.dll

02/12/2005 11:57 AM 234,272 nwhtml.dll

02/12/2005 11:56 AM 234,272 mal_mtf.dll

02/12/2005 11:55 AM 234,272 iiitpki.dll

02/12/2005 11:54 AM 234,272 dmvxdec_0407.dll

02/12/2005 11:53 AM 234,272 xknroll.dll

02/12/2005 11:52 AM 234,272 uvimdmat.dll

02/12/2005 11:51 AM 234,272 pQp.dll

02/12/2005 11:46 AM 235,749 f0l0la3m1d.dll

02/12/2005 11:08 AM 234,272 vfmdbg.dll

02/12/2005 11:06 AM 0 e2202cfmgf2a2.dll

02/12/2005 11:04 AM 234,272 ikxrtmgr.dll

02/12/2005 11:03 AM 234,272 davxdec_0411.dll

02/12/2005 11:02 AM 234,272 xgob2res.dll

02/12/2005 11:01 AM 234,272 tupmonui.dll

02/12/2005 11:00 AM 234,272 pbototoys.dll

02/12/2005 10:58 AM 234,272 joaw400.dll

02/12/2005 09:38 AM <DIR> dllcache

18/11/2005 02:55 PM <DIR> Microsoft

68 File(s) 15,725,359 bytes

2 Dir(s) 32,837,529,600 bytes free


Thanks so much again!!!

#4 Armodeluxe (Retired Staff, 2,744 posts)
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do NOT run it in Safe Mode!
If, after the reboot, the log does not open, double-click it in the l2mfix folder.

#5 dr_pyser (Topic Starter, Member, 16 posts)
Hi Armodeluxe,

I don't think the fixes worked; here are my new logs:

L2mfix Beta 120305

Creating Account.

The command completed successfully.



Adding Administrative privleges.

The command completed successfully.



Checking for L2MFix account(0=no 1=yes):

1

Granting SeDebugPrivilege to L2MFIX ... successful

D:\WINDOWS\System32\80116C8E-510B-4155-9A4C-9639A1E20C66.reg

Checking for L2MFix account(0=no 1=yes):

0



Logfile of HijackThis v1.99.1
Scan saved at 11:43:30 AM, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\LTMSG.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\windows\system32\mdms.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\tool2.exe
C:\winstall.exe
D:\PROGRA~1\COMMON~1\wuim\wuimm.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\PROGRA~1\COMMON~1\wuim\wuima.exe
D:\WINDOWS\system32\wuauclt.exe
D:\PROGRA~1\COMMON~1\wuim\wuiml.exe
D:\WINDOWS\explorer.exe
D:\Program Files\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ClamWin] "D:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SysMemory manager] d:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [bxproxy] D:\WINDOWS\bxproxy.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [bxproxy] D:\WINDOWS\bxproxy.exe
O4 - HKCU\..\Run: [pro] D:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [wuim] D:\PROGRA~1\COMMON~1\wuim\wuimm.exe
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132291094218
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msctl32.dll - D:\WINDOWS\system32\msctl32.dll
O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\n2p40c7qef.dll
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - D:\WINDOWS\system32\pkjdejlc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

#6 Armodeluxe (Retired Staff, 2,744 posts)
No, it didn't work. Let's try SpySweeper; it also gets this infection.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Please post that log along with a new Option 1 log from l2mfix. They may not fit together in one post; if so, make separate posts.

#7 dr_pyser (Topic Starter, Member, 16 posts)
Hey Armodeluxe. I ran SpySweeper twice, but I don't think it caught the spyware. Here's the log:

********

3:38 PM: | Start of Session, Sunday, 11 December 2005 |

3:38 PM: Spy Sweeper started

3:38 PM: Sweep initiated using definitions version 582

3:38 PM: Found Trojan Horse: spamrelayer_alpiok

3:38 PM: HKCR\clsid\{7368d5fc-6f5c-4f5b-b964-e67214f67852}\inprocserver32\ (2 subtraces) (ID = 1042148)

3:38 PM: pkjdejlc.dll (ID = 1042148)

3:38 PM: Starting Memory Sweep

3:40 PM: Found Adware: trojan-backdoor-bxproxy

3:40 PM: Detected running threat: D:\WINDOWS\bxproxy.exe (ID = 204198)

3:40 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || bxproxy (ID = 0)

3:40 PM: HKU\S-1-5-21-515967899-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run || bxproxy (ID = 0)

3:40 PM: HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run || bxproxy (ID = 0)

3:40 PM: HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run || bxproxy (ID = 0)

3:40 PM: HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run || bxproxy (ID = 0)

3:42 PM: Found Adware: targetsaver

3:42 PM: Detected running threat: D:\Program Files\Common Files\wuim\wuimm.exe (ID = 195131)

3:42 PM: HKU\S-1-5-21-515967899-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run || wuim (ID = 0)

3:44 PM: Detected running threat: D:\WINDOWS\system32\RpcxSs.dll (ID = 204192)

3:46 PM: Memory Sweep Complete, Elapsed Time: 00:07:43

3:46 PM: Starting Registry Sweep

4:19 PM: HKCR\clsid\{7368d5fc-6f5c-4f5b-b964-e67214f67852}\ (3 subtraces) (ID = 913291)

4:19 PM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || systray.exys (ID = 913416)

4:19 PM: HKLM\software\classes\clsid\{7368d5fc-6f5c-4f5b-b964-e67214f67852}\ (3 subtraces) (ID = 913513)

4:19 PM: Found Adware: cws_secure32.html hijack

4:19 PM: HKLM\software\microsoft\internet explorer\main\ || local page (ID = 946024)

4:19 PM: HKLM\software\microsoft\internet explorer\main\ || start page (ID = 946025)

4:19 PM: Found Trojan Horse: trojan-downloader-hochladen

4:19 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\msctl32.dll\ (4 subtraces) (ID = 1021403)

4:19 PM: HKLM\system\currentcontrolset\services\i386p\ (11 subtraces) (ID = 1021419)

4:20 PM: HKLM\software\microsoft\windows\currentversion\run\ || bxproxy (ID = 1038464)

4:20 PM: HKLM\system\currentcontrolset\services\rpcxss\ (15 subtraces) (ID = 1038466)

4:24 PM: Found Adware: spysheriff

4:24 PM: HKU\S-1-5-21-515967899-1957994488-839522115-1003\software\microsoft\windows\currentversion\run\ || windows installer (ID = 142127)

4:24 PM: Found Trojan Horse: trojan-backdoor-securemulti

4:24 PM: HKU\S-1-5-21-515967899-1957994488-839522115-1003\software\microsoft\windows\currentversion\run\ || windows installer (ID = 484139)

4:25 PM: HKU\S-1-5-21-515967899-1957994488-839522115-1003\software\microsoft\windows\currentversion\run\ || bxproxy (ID = 1038463)

4:30 PM: HKU\S-1-5-20\software\microsoft\windows\currentversion\run\ || bxproxy (ID = 1038463)

4:34 PM: HKU\S-1-5-19\software\microsoft\windows\currentversion\run\ || bxproxy (ID = 1038463)

4:39 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || bxproxy (ID = 1038463)

4:39 PM: Registry Sweep Complete, Elapsed Time:00:53:26

4:39 PM: Starting Cookie Sweep

4:39 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01

4:39 PM: Starting File Sweep

5:03 PM: secure32.html (ID = 184319)

5:05 PM: Found Adware: look2me

5:05 PM: a0015434.exe (ID = 168558)

5:14 PM: Found Adware: command

5:14 PM: a0015435.exe (ID = 185985)

5:19 PM: a0026496.exe (ID = 193995)

5:32 PM: The Spy Communication shield has blocked access to:

5:32 PM: The Spy Communication shield has blocked access to:

5:50 PM: tsupdate2[1].ini (ID = 193498)

5:50 PM: a0027490.exe (ID = 204198)

5:56 PM: a0027570.exe (ID = 65739)

5:56 PM: tsuninst.exe (ID = 193501)

5:56 PM: a0027569.dll (ID = 163672)

5:57 PM: hrj2051oe.dll (ID = 159)

5:58 PM: a0026486.dll (ID = 159)

5:58 PM: a0027568.dll (ID = 163672)

5:59 PM: a0027567.dll (ID = 163672)

5:59 PM: wwcsvc.dll (ID = 159)

6:00 PM: a0027566.dll (ID = 163672)

6:01 PM: a0027565.dll (ID = 163672)

6:03 PM: csrds.dll (ID = 159)

6:03 PM: secure32.html (ID = 184319)

6:05 PM: tsinstall_4_0_4_0_b4.exe (ID = 193496)

6:07 PM: a0027564.dll (ID = 163672)

6:07 PM: mv6ul9j91.dll (ID = 159)

6:08 PM: a0016442.exe (ID = 204198)

6:08 PM: a0026492.exe (ID = 204198)

6:09 PM: a0027563.dll (ID = 163672)

6:09 PM: a0027562.exe (ID = 65721)

6:10 PM: a0027561.dll (ID = 163672)

6:16 PM: Found Trojan Horse: trojan-backdoor-zubox

6:16 PM: a0027572.exe (ID = 149593)

6:17 PM: a0027560.dll (ID = 163672)

6:19 PM: a0027559.dll (ID = 163672)

6:20 PM: a0027558.dll (ID = 163672)

6:21 PM: ll.exe (ID = 200422)

6:22 PM: gpj8l31u1.dll (ID = 159)

6:22 PM: a0027557.dll (ID = 163672)

6:22 PM: a0027516.dll (ID = 159)

6:23 PM: a0027556.dll (ID = 163672)

6:23 PM: a0027555.dll (ID = 163672)

6:23 PM: p2r4lc9q1f.dll (ID = 159)

6:23 PM: a0020464.exe (ID = 204198)

6:23 PM: dzserver.dll (ID = 159)

6:23 PM: a0027554.dll (ID = 163672)

6:23 PM: bot.exe (ID = 204198)

6:25 PM: q8rq0i95e8.dll (ID = 159)

6:27 PM: a0027553.dll (ID = 163672)

6:27 PM: a0027552.dll (ID = 163672)

6:27 PM: a0027551.dll (ID = 163672)

6:27 PM: a0022480.dll (ID = 159)

6:28 PM: a0027550.dll (ID = 163672)

6:28 PM: a0027549.dll (ID = 163672)

6:28 PM: a0027548.dll (ID = 163672)

6:28 PM: a0015437.exe (ID = 204198)

6:28 PM: a0027547.dll (ID = 163672)

6:29 PM: a0027546.dll (ID = 163672)

6:29 PM: dz32gt.dll (ID = 159)

6:29 PM: gprol3931.dll (ID = 159)

6:29 PM: a0027497.exe (ID = 204198)

6:29 PM: a0027545.dll (ID = 163672)

6:29 PM: a0021471.exe (ID = 204198)

6:30 PM: en68l1ju1.dll (ID = 159)

6:30 PM: a0027513.exe (ID = 204198)

6:31 PM: a0027544.dll (ID = 163672)

6:31 PM: a0016449.exe (ID = 204198)

6:31 PM: a0027543.dll (ID = 163672)

6:31 PM: a0027542.dll (ID = 163672)

6:31 PM: a0022477.exe (ID = 204198)

6:31 PM: kzdusl.dll (ID = 159)

6:31 PM: a0027541.dll (ID = 163672)

6:31 PM: a0027540.dll (ID = 163672)

6:31 PM: axl.dll (ID = 159)

6:31 PM: a0027539.dll (ID = 163672)

6:31 PM: a0027538.dll (ID = 163672)

6:31 PM: a0027537.dll (ID = 163672)

6:33 PM: a0027536.dll (ID = 163672)

6:33 PM: smriptpw.dll (ID = 159)

6:33 PM: l46olej31ho.dll (ID = 159)

6:33 PM: a0027492.dll (ID = 159)

6:33 PM: a0027535.dll (ID = 163672)

6:33 PM: a0026494.dll (ID = 159)

6:33 PM: a0016433.exe (ID = 204198)

6:33 PM: a0027534.dll (ID = 163672)

6:33 PM: a0027533.dll (ID = 163672)

6:33 PM: a0020466.dll (ID = 159)

6:33 PM: a0027532.dll (ID = 163672)

6:33 PM: a0017453.exe (ID = 204198)

6:33 PM: a0027531.dll (ID = 163672)

6:33 PM: a0027530.dll (ID = 163672)

6:33 PM: a0027529.dll (ID = 163672)

6:34 PM: ipssdo.dll (ID = 159)

6:34 PM: wuiml.exe (ID = 195130)

6:34 PM: fpr2039oe.dll (ID = 159)

6:34 PM: a0027528.dll (ID = 163672)

6:34 PM: dnquery.dll (ID = 159)

6:34 PM: a0027527.dll (ID = 163672)

6:34 PM: a0027526.dll (ID = 163672)

6:34 PM: a0022487.exe (ID = 204198)

6:34 PM: a0020472.exe (ID = 204198)

6:35 PM: a0027525.dll (ID = 163672)

6:35 PM: a0027524.dll (ID = 163672)

6:35 PM: a0023486.exe (ID = 204198)

6:35 PM: a0027523.dll (ID = 163672)

6:36 PM: f4l00e3meh.dll (ID = 159)

6:36 PM: guard.tmp (ID = 159)

6:36 PM: a0027521.exe (ID = 204198)

6:36 PM: wuimp.exe (ID = 195132)

6:36 PM: a0027508.exe (ID = 204198)

6:36 PM: gpj6l31s1.dll (ID = 159)

6:36 PM: Found Adware: dollarrevenue

6:36 PM: toolbar.exe (ID = 194384)

6:36 PM: a0027580.exe (ID = 204198)

6:36 PM: o4840elqehqe0.dll (ID = 159)

6:36 PM: bnmsrv.exe (ID = 204198)

6:37 PM: mc43dmod.dll (ID = 159)

6:39 PM: rpcxss.dll (ID = 204192)

6:39 PM: Found Trojan Horse: trojan-backdoor-us15info

6:39 PM: ibm00002.dll (ID = 204672)

6:39 PM: a0027571.exe (ID = 149593)

6:39 PM: bxproxy.exe (ID = 204198)

6:39 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || bxproxy (ID = 0)

6:39 PM: HKU\S-1-5-21-515967899-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run || bxproxy (ID = 0)

6:39 PM: HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run || bxproxy (ID = 0)

6:39 PM: HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run || bxproxy (ID = 0)

6:39 PM: HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run || bxproxy (ID = 0)

6:39 PM: wuimm.exe (ID = 195131)

6:39 PM: HKU\S-1-5-21-515967899-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run || wuim (ID = 0)

6:39 PM: wuima.exe (ID = 195128)

6:39 PM: wuimc.dll (ID = 195129)

6:41 PM: a0027522.dll (ID = 163672)

6:41 PM: a0027573.dll (ID = 159)

6:41 PM: mfvcp60.dll (ID = 159)

6:42 PM: kl.exe (ID = 204412)

6:42 PM: msarch.exe (ID = 203739)

6:46 PM: Found System Monitor: potentially rootkit-masked files

6:46 PM: worddocument (ID = 0)

6:46 PM: 1table (ID = 0)

6:46 PM: data (ID = 0)

6:46 PM: contents (ID = 0)

6:46 PM: contents (ID = 0)

6:46 PM: contents (ID = 0)

6:46 PM: contents (ID = 0)

6:46 PM: contents (ID = 0)

6:46 PM: contents (ID = 0)

6:46 PM: contents (ID = 0)

6:46 PM: workbook (ID = 0)

6:46 PM: _3_objinfo (ID = 0)

6:46 PM: _3_objinfo (ID = 0)

6:46 PM: contentsv30 (ID = 0)

6:46 PM: _5_summaryinformation (ID = 0)

6:46 PM: _1_compobj (ID = 0)

6:46 PM: _1_compobj (ID = 0)

6:46 PM: _1_ole (ID = 0)

6:46 PM: _3_objinfo (ID = 0)

6:46 PM: contentsv30 (ID = 0)

6:46 PM: _1_compobj (ID = 0)

6:46 PM: _1_ole (ID = 0)

6:46 PM: _3_objinfo (ID = 0)

6:46 PM: contentsv30 (ID = 0)

6:46 PM: _1_compobj (ID = 0)

6:46 PM: _1_ole (ID = 0)

6:46 PM: _3_objinfo (ID = 0)

6:46 PM: contentsv30 (ID = 0)

6:46 PM: _1_compobj (ID = 0)

6:46 PM: _1_ole (ID = 0)

6:46 PM: _3_objinfo (ID = 0)

6:46 PM: contentsv30 (ID = 0)

6:46 PM: _1_compobj (ID = 0)

6:46 PM: _1_ole (ID = 0)

6:46 PM: _1_compobj (ID = 0)

6:46 PM: _1_ole (ID = 0)

6:46 PM: contentsv30 (ID = 0)

6:46 PM: _1_compobj (ID = 0)

6:46 PM: _1_ole (ID = 0)

6:49 PM: File Sweep Complete, Elapsed Time: 02:09:40

6:49 PM: Full Sweep has completed. Elapsed time 03:10:56

6:49 PM: Traces Found: 231

6:53 PM: Removal process initiated

6:54 PM: Quarantining All Traces: look2me

6:56 PM: Quarantining All Traces: potentially rootkit-masked files

7:00 PM: potentially rootkit-masked files is in use. It will be removed on reboot.

7:00 PM: worddocument is in use. It will be removed on reboot.

7:00 PM: 1table is in use. It will be removed on reboot.

7:00 PM: data is in use. It will be removed on reboot.

7:00 PM: contents is in use. It will be removed on reboot.

7:00 PM: contents is in use. It will be removed on reboot.

7:00 PM: contents is in use. It will be removed on reboot.

7:00 PM: contents is in use. It will be removed on reboot.

7:00 PM: contents is in use. It will be removed on reboot.

7:00 PM: contents is in use. It will be removed on reboot.

7:00 PM: contents is in use. It will be removed on reboot.

7:00 PM: workbook is in use. It will be removed on reboot.

7:00 PM: _3_objinfo is in use. It will be removed on reboot.

7:00 PM: _3_objinfo is in use. It will be removed on reboot.

7:00 PM: contentsv30 is in use. It will be removed on reboot.

7:00 PM: _5_summaryinformation is in use. It will be removed on reboot.

7:00 PM: _1_compobj is in use. It will be removed on reboot.

7:00 PM: _1_compobj is in use. It will be removed on reboot.

7:00 PM: _1_ole is in use. It will be removed on reboot.

7:00 PM: _3_objinfo is in use. It will be removed on reboot.

7:00 PM: contentsv30 is in use. It will be removed on reboot.

7:00 PM: _1_compobj is in use. It will be removed on reboot.

7:00 PM: _1_ole is in use. It will be removed on reboot.

7:00 PM: _3_objinfo is in use. It will be removed on reboot.

7:00 PM: contentsv30 is in use. It will be removed on reboot.

7:00 PM: _1_compobj is in use. It will be removed on reboot.

7:00 PM: _1_ole is in use. It will be removed on reboot.

7:00 PM: _3_objinfo is in use. It will be removed on reboot.

7:00 PM: contentsv30 is in use. It will be removed on reboot.

7:00 PM: _1_compobj is in use. It will be removed on reboot.

7:00 PM: _1_ole is in use. It will be removed on reboot.

7:00 PM: _3_objinfo is in use. It will be removed on reboot.

7:00 PM: contentsv30 is in use. It will be removed on reboot.

7:00 PM: _1_compobj is in use. It will be removed on reboot.

7:00 PM: _1_ole is in use. It will be removed on reboot.

7:00 PM: _1_compobj is in use. It will be removed on reboot.

7:00 PM: _1_ole is in use. It will be removed on reboot.

7:00 PM: contentsv30 is in use. It will be removed on reboot.

7:00 PM: _1_compobj is in use. It will be removed on reboot.

7:00 PM: _1_ole is in use. It will be removed on reboot.

7:00 PM: Quarantining All Traces: spamrelayer_alpiok

7:00 PM: spamrelayer_alpiok is in use. It will be removed on reboot.

7:00 PM: pkjdejlc.dll is in use. It will be removed on reboot.

7:00 PM: Quarantining All Traces: spysheriff

7:00 PM: Quarantining All Traces: trojan-backdoor-securemulti

7:00 PM: Quarantining All Traces: trojan-backdoor-us15info

7:00 PM: Quarantining All Traces: trojan-backdoor-zubox

7:00 PM: Quarantining All Traces: trojan-downloader-hochladen

7:00 PM: Quarantining All Traces: command

7:00 PM: Quarantining All Traces: cws_secure32.html hijack

7:00 PM: Quarantining All Traces: dollarrevenue

7:00 PM: Quarantining All Traces: targetsaver

7:01 PM: targetsaver is in use. It will be removed on reboot.

7:01 PM: wuimm.exe is in use. It will be removed on reboot.

7:01 PM: Quarantining All Traces: trojan-backdoor-bxproxy

7:01 PM: trojan-backdoor-bxproxy is in use. It will be removed on reboot.

7:01 PM: rpcxss.dll is in use. It will be removed on reboot.

7:01 PM: bxproxy.exe is in use. It will be removed on reboot.

7:01 PM: D:\WINDOWS\bxproxy.exe is in use. It will be removed on reboot.

7:01 PM: D:\WINDOWS\system32\RpcxSs.dll is in use. It will be removed on reboot.

7:08 PM: Preparing to restart your computer. Please wait...

7:08 PM: Removal process completed. Elapsed time 00:15:06

7:10 PM: Processing Startup Alerts

7:10 PM: Allowed Startup entry: Windows installer

********

11:56 AM: | Start of Session, Sunday, 11 December 2005 |

11:56 AM: Spy Sweeper started

11:56 AM: Sweep initiated using definitions version 556

11:56 AM: Found Adware: look2me

11:56 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ms-dos emulation\ || dllname (ID = 129984)

11:56 AM: l4r0le9m1h.dll (ID = 129984)

11:56 AM: Starting Memory Sweep

11:58 AM: Found Adware: icannnews

11:58 AM: Detected running threat: D:\WINDOWS\system32\l4r0le9m1h.dll (ID = 83)

12:02 PM: Found Trojan Horse: trojan-backdoor-zubox

12:02 PM: Detected running threat: D:\WINDOWS\system32\mdms.exe (ID = 149593)

12:02 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || SysMemory manager (ID = 0)

12:02 PM: Detected running threat: D:\WINDOWS\system32\mgcomput.dll (ID = 83)

12:03 PM: Memory Sweep Complete, Elapsed Time: 00:06:47

12:03 PM: Starting Registry Sweep

12:28 PM: Found Adware: targetsaver

12:28 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsa\ (2 subtraces) (ID = 143607)

12:31 PM: HKCR\acpi.acpi.1\ (3 subtraces) (ID = 484081)

12:31 PM: HKCR\acpi.acpi.1\clsid\ (1 subtraces) (ID = 484083)

12:31 PM: HKCR\acpi.ext\ (5 subtraces) (ID = 484085)

12:31 PM: HKCR\*\shellex\contextmenuhandlers\sysacpildap\ (1 subtraces) (ID = 484093)

12:31 PM: HKCR\typelib\{5e2121e1-0300-11d4-8d3b-444553540000}\ (9 subtraces) (ID = 484124)

12:31 PM: HKLM\software\classes\acpi.acpi.1\ (3 subtraces) (ID = 484140)

12:31 PM: HKLM\software\classes\acpi.ext\ (5 subtraces) (ID = 484144)

12:31 PM: HKLM\software\classes\*\shellex\contextmenuhandlers\sysacpildap\ (1 subtraces) (ID = 484152)

12:31 PM: HKLM\software\classes\typelib\{5e2121e1-0300-11d4-8d3b-444553540000}\ (9 subtraces) (ID = 484210)

12:31 PM: HKLM\software\microsoft\windows\currentversion\run\ || sysmemory manager (ID = 511012)

12:33 PM: Found Trojan Horse: trojan-backdoor-us15info

12:33 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\ || shell (ID = 762897)

12:37 PM: Found Adware: spysheriff

12:37 PM: HKU\S-1-5-21-515967899-1957994488-839522115-1003\software\microsoft\windows\currentversion\run\ || windows installer (ID = 142127)

12:38 PM: HKU\S-1-5-21-515967899-1957994488-839522115-1003\software\mzs\mdms\ (4 subtraces) (ID = 480808)

12:38 PM: HKU\S-1-5-21-515967899-1957994488-839522115-1003\software\microsoft\windows\currentversion\run\ || shell (ID = 650813)

12:38 PM: HKU\S-1-5-21-515967899-1957994488-839522115-1003\software\mzs\mdms\mzu\ || pt (ID = 656825)

12:50 PM: Registry Sweep Complete, Elapsed Time:00:46:45

12:50 PM: Starting Cookie Sweep

12:50 PM: Found Spy Cookie: yieldmanager cookie

12:50 PM: [email protected][2].txt (ID = 3751)

12:50 PM: Found Spy Cookie: hbmediapro cookie

12:50 PM: [email protected][2].txt (ID = 2768)

12:50 PM: Found Spy Cookie: atlas dmt cookie

12:50 PM: pyser@atdmt[2].txt (ID = 2253)

12:50 PM: Found Spy Cookie: serving-sys cookie

12:50 PM: pyser@serving-sys[2].txt (ID = 3343)

12:50 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02

12:50 PM: Starting File Sweep

1:55 PM: appwrap[1].exe (ID = 65739)

1:59 PM: icont.exe (ID = 65739)

1:59 PM: pqp.dll (ID = 163672)

2:00 PM: nwhtml.dll (ID = 163672)

2:00 PM: mhvcp50.dll (ID = 163672)

2:01 PM: pbototoys.dll (ID = 163672)

2:01 PM: mal_mtf.dll (ID = 163672)

2:03 PM: appwrap[1].exe (ID = 65721)

2:03 PM: bw2.com (ID = 65721)

2:03 PM: appwrap[1].exe (ID = 65722)

2:05 PM: nwtui0.dll (ID = 163672)

2:05 PM: llbmpeg2_ff.dll (ID = 163672)

2:05 PM: iconu.exe (ID = 65721)

2:06 PM: uvimdmat.dll (ID = 163672)

2:09 PM: hammer.exe (ID = 149593)

2:09 PM: tupmonui.dll (ID = 163672)

2:10 PM: mywmdm.dll (ID = 163672)

2:10 PM: mdsign32.dll (ID = 163672)

2:12 PM: a0022472.dll (ID = 163672)

2:12 PM: xknroll.dll (ID = 163672)

2:12 PM: qbsf.dll (ID = 163672)

2:12 PM: davxdec_0411.dll (ID = 163672)

2:13 PM: npmarta.dll (ID = 163672)

2:14 PM: rsutils.dll (ID = 163672)

2:14 PM: dmvxdec_0407.dll (ID = 163672)

2:14 PM: xgob2res.dll (ID = 163672)

2:15 PM: rssppp.dll (ID = 163672)

2:15 PM: umnp.dll (ID = 163672)

2:15 PM: cgpesnpn.dll (ID = 163672)

2:15 PM: fvlemgmt.dll (ID = 163672)

2:15 PM: uuib.dll (ID = 163672)

2:16 PM: tubyuv.dll (ID = 163672)

2:16 PM: mqhtmler.dll (ID = 163672)

2:17 PM: iiitpki.dll (ID = 163672)

2:17 PM: icfosoft.dll (ID = 163672)

2:17 PM: vmipxspx.dll (ID = 163672)

2:17 PM: ioked.dll (ID = 163672)

2:17 PM: oneacc.dll (ID = 163672)

2:17 PM: ucrv80a.dll (ID = 163672)

2:17 PM: my3216.dll (ID = 163672)

2:18 PM: igxsap.dll (ID = 163672)

2:18 PM: sroolss.dll (ID = 163672)

2:18 PM: myv1_0.dll (ID = 163672)

2:18 PM: msc42enu.dll (ID = 163672)

2:18 PM: q286lcls1fq6.dll (ID = 163672)

2:18 PM: afcups.dll (ID = 163672)

2:18 PM: a0019453.dll (ID = 163672)

2:18 PM: soell32.dll (ID = 163672)

2:18 PM: dycpsapi.dll (ID = 163672)

2:19 PM: ricns4.dll (ID = 163672)

2:19 PM: iossvcs.dll (ID = 163672)

2:19 PM: maise.dll (ID = 163672)

2:19 PM: joaw400.dll (ID = 163672)

2:19 PM: vfmdbg.dll (ID = 163672)

2:19 PM: ctadmin.dll (ID = 163672)

2:19 PM: a0020459.dll (ID = 163672)

2:20 PM: a0016436.dll (ID = 163672)

2:21 PM: mdms.exe (ID = 149593)

2:21 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || SysMemory manager (ID = 0)

2:21 PM: vocabulary (ID = 78283)

2:21 PM: class-barrel (ID = 78229)

2:22 PM: ikxrtmgr.dll (ID = 163672)

2:25 PM: Found System Monitor: potentially rootkit-masked files

2:25 PM: worddocument (ID = 0)

2:25 PM: 1table (ID = 0)

2:25 PM: data (ID = 0)

2:25 PM: contents (ID = 0)

2:25 PM: contents (ID = 0)

2:26 PM: contents (ID = 0)

2:26 PM: contents (ID = 0)

2:26 PM: contents (ID = 0)

2:26 PM: contents (ID = 0)

2:26 PM: contents (ID = 0)

2:26 PM: workbook (ID = 0)

2:26 PM: _3_objinfo (ID = 0)

2:26 PM: _3_objinfo (ID = 0)

2:26 PM: contentsv30 (ID = 0)

2:26 PM: _5_summaryinformation (ID = 0)

2:26 PM: _1_compobj (ID = 0)

2:26 PM: _1_compobj (ID = 0)

2:26 PM: _1_ole (ID = 0)

2:26 PM: _3_objinfo (ID = 0)

2:26 PM: contentsv30 (ID = 0)

2:26 PM: _1_compobj (ID = 0)

2:26 PM: _1_ole (ID = 0)

2:26 PM: _3_objinfo (ID = 0)

2:26 PM: contentsv30 (ID = 0)

2:26 PM: _1_compobj (ID = 0)

2:26 PM: _1_ole (ID = 0)

2:26 PM: _3_objinfo (ID = 0)

2:26 PM: contentsv30 (ID = 0)

2:26 PM: _1_compobj (ID = 0)

2:26 PM: _1_ole (ID = 0)

2:26 PM: _3_objinfo (ID = 0)

2:26 PM: contentsv30 (ID = 0)

2:26 PM: _1_compobj (ID = 0)

2:26 PM: _1_ole (ID = 0)

2:26 PM: _1_compobj (ID = 0)

2:26 PM: _1_ole (ID = 0)

2:26 PM: contentsv30 (ID = 0)

2:26 PM: _1_compobj (ID = 0)

2:26 PM: _1_ole (ID = 0)

2:27 PM: Warning: Unhandled Archive Type

2:29 PM: Warning: Unhandled Archive Type

2:30 PM: File Sweep Complete, Elapsed Time: 01:40:18

2:30 PM: Full Sweep has completed. Elapsed time 02:33:57

2:30 PM: Traces Found: 170

2:33 PM: Removal process initiated

2:33 PM: Quarantining All Traces: potentially rootkit-masked files

2:37 PM: potentially rootkit-masked files is in use. It will be removed on reboot.

2:37 PM: worddocument is in use. It will be removed on reboot.

2:37 PM: 1table is in use. It will be removed on reboot.

2:37 PM: data is in use. It will be removed on reboot.

2:37 PM: contents is in use. It will be removed on reboot.

2:37 PM: contents is in use. It will be removed on reboot.

2:37 PM: contents is in use. It will be removed on reboot.

2:37 PM: contents is in use. It will be removed on reboot.

2:37 PM: contents is in use. It will be removed on reboot.

2:37 PM: contents is in use. It will be removed on reboot.

2:37 PM: contents is in use. It will be removed on reboot.

2:37 PM: workbook is in use. It will be removed on reboot.

2:37 PM: _3_objinfo is in use. It will be removed on reboot.

2:37 PM: _3_objinfo is in use. It will be removed on reboot.

2:37 PM: contentsv30 is in use. It will be removed on reboot.

2:37 PM: _5_summaryinformation is in use. It will be removed on reboot.

2:37 PM: _1_compobj is in use. It will be removed on reboot.

2:37 PM: _1_compobj is in use. It will be removed on reboot.

2:37 PM: _1_ole is in use. It will be removed on reboot.

2:37 PM: _3_objinfo is in use. It will be removed on reboot.

2:37 PM: contentsv30 is in use. It will be removed on reboot.

2:37 PM: _1_compobj is in use. It will be removed on reboot.

2:37 PM: _1_ole is in use. It will be removed on reboot.

2:37 PM: _3_objinfo is in use. It will be removed on reboot.

2:37 PM: contentsv30 is in use. It will be removed on reboot.

2:37 PM: _1_compobj is in use. It will be removed on reboot.

2:37 PM: _1_ole is in use. It will be removed on reboot.

2:37 PM: _3_objinfo is in use. It will be removed on reboot.

2:37 PM: contentsv30 is in use. It will be removed on reboot.

2:37 PM: _1_compobj is in use. It will be removed on reboot.

2:37 PM: _1_ole is in use. It will be removed on reboot.

2:37 PM: _3_objinfo is in use. It will be removed on reboot.

2:37 PM: contentsv30 is in use. It will be removed on reboot.

2:37 PM: _1_compobj is in use. It will be removed on reboot.

2:37 PM: _1_ole is in use. It will be removed on reboot.

2:37 PM: _1_compobj is in use. It will be removed on reboot.

2:37 PM: _1_ole is in use. It will be removed on reboot.

2:37 PM: contentsv30 is in use. It will be removed on reboot.

2:37 PM: _1_compobj is in use. It will be removed on reboot.

2:37 PM: _1_ole is in use. It will be removed on reboot.

2:37 PM: Quarantining All Traces: look2me

2:39 PM: look2me is in use. It will be removed on reboot.

2:39 PM: l4r0le9m1h.dll is in use. It will be removed on reboot.

2:39 PM: Quarantining All Traces: trojan-backdoor-zubox

2:39 PM: Quarantining All Traces: spysheriff

2:39 PM: Quarantining All Traces: trojan-backdoor-us15info

2:39 PM: Quarantining All Traces: icannnews

2:39 PM: icannnews is in use. It will be removed on reboot.

2:39 PM: D:\WINDOWS\system32\l4r0le9m1h.dll is in use. It will be removed on reboot.

2:39 PM: D:\WINDOWS\system32\mgcomput.dll is in use. It will be removed on reboot.

2:39 PM: Quarantining All Traces: targetsaver

2:40 PM: targetsaver is in use. It will be removed on reboot.

2:40 PM: class-barrel is in use. It will be removed on reboot.

2:40 PM: Quarantining All Traces: atlas dmt cookie

2:40 PM: Quarantining All Traces: hbmediapro cookie

2:40 PM: Quarantining All Traces: serving-sys cookie

2:40 PM: Quarantining All Traces: yieldmanager cookie

2:40 PM: Warning: Launched explorer.exe

2:40 PM: Warning: Quarantine process could not restart Explorer.

2:44 PM: Preparing to restart your computer. Please wait...

2:44 PM: Removal process completed. Elapsed time 00:11:00

3:26 PM: Processing Startup Alerts

3:26 PM: Allowed Startup entry: Windows installer

3:31 PM: Updating spyware definitions

3:37 PM: Your spyware definitions have been updated.

3:38 PM: | End of Session, Sunday, 11 December 2005 |

********

11:55 AM: | Start of Session, Sunday, 11 December 2005 |

11:55 AM: Spy Sweeper started

11:55 AM: Sweep initiated using definitions version 556

11:55 AM: Found Adware: look2me

11:55 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ms-dos emulation\ || dllname (ID = 129984)

11:55 AM: l4r0le9m1h.dll (ID = 129984)

11:55 AM: Starting Memory Sweep

11:55 AM: Sweep Canceled

11:55 AM: Memory Sweep Complete, Elapsed Time: 00:00:09

11:55 AM: Traces Found: 2

11:56 AM: | End of Session, Sunday, 11 December 2005 |

********

11:53 AM: | Start of Session, Sunday, 11 December 2005 |

11:53 AM: Spy Sweeper started
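The Spy Sweeper session above lists about 170 traces, and the ones that matter for cleanup are the autostart points: look2me hooked in through a Winlogon notify DLL (`...\winlogon\notify\ms-dos emulation || dllname`), trojan-backdoor-zubox through an HKLM Run value (`SysMemory manager` pointing at mdms.exe), trojan-backdoor-us15info through the Winlogon `shell` value, and SpySheriff through the user's Run key (`windows installer`). The following is an added example, not part of the thread and not Webroot's or the poster's code: a small Python parser that groups trace lines under the `Found <category>: <family>` line that precedes them and pulls out the registry traces under Run keys or Winlogon. The sample log is a constructed excerpt of lines copied from the session above; the classification rules (which paths count as autostart) are my own and an assumption.

```python
import re
from collections import OrderedDict

# Constructed sample: an excerpt of lines copied from the Spy Sweeper session
# posted above (same timestamps and trace IDs), not the full 170-trace session.
SAMPLE_LOG = r"""
11:56 AM: | Start of Session, Sunday, 11 December 2005 |
11:56 AM: Sweep initiated using definitions version 556
11:56 AM: Found Adware: look2me
11:56 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ms-dos emulation\ || dllname (ID = 129984)
11:56 AM: l4r0le9m1h.dll (ID = 129984)
11:58 AM: Found Adware: icannnews
11:58 AM: Detected running threat: D:\WINDOWS\system32\l4r0le9m1h.dll (ID = 83)
12:02 PM: Found Trojan Horse: trojan-backdoor-zubox
12:02 PM: Detected running threat: D:\WINDOWS\system32\mdms.exe (ID = 149593)
12:02 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || SysMemory manager (ID = 0)
12:28 PM: Found Adware: targetsaver
12:28 PM: HKLM\software\microsoft\windows\currentversion\uninstall\tsa\ (2 subtraces) (ID = 143607)
12:33 PM: Found Trojan Horse: trojan-backdoor-us15info
12:33 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\ || shell (ID = 762897)
12:37 PM: Found Adware: spysheriff
12:37 PM: HKU\S-1-5-21-515967899-1957994488-839522115-1003\software\microsoft\windows\currentversion\run\ || windows installer (ID = 142127)
12:50 PM: Found Spy Cookie: atlas dmt cookie
12:50 PM: pyser@atdmt[2].txt (ID = 2253)
2:30 PM: Traces Found: 170
2:39 PM: Quarantining All Traces: look2me
2:39 PM: l4r0le9m1h.dll is in use. It will be removed on reboot.
"""

LINE_RE = re.compile(r"^(\d{1,2}:\d{2} [AP]M): (.*)$")
FOUND_RE = re.compile(r"^Found ([A-Za-z ]+): (.+)$")
QUARANTINE_RE = re.compile(r"^Quarantining All Traces: (.+)$")
TRACE_RE = re.compile(r"^(Detected running threat: )?(.+?) \(ID = \d+\)$")
HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")


def parse_spysweeper(text):
    """Group trace lines under the 'Found <category>: <family>' line before them."""
    families = OrderedDict()
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp, msg = m.groups()
        found = FOUND_RE.match(msg)
        if found:
            category, name = found.groups()
            current = families.setdefault(name, {
                "category": category, "first_seen": stamp,
                "registry": [], "running": [], "files": [], "quarantined": False})
            continue
        quarantined = QUARANTINE_RE.match(msg)
        if quarantined:
            current = None                     # removal phase: no more trace lines
            if quarantined.group(1) in families:
                families[quarantined.group(1)]["quarantined"] = True
            continue
        trace = TRACE_RE.match(msg)
        if trace and current is not None:
            running, item = trace.groups()
            if running:
                current["running"].append(item)        # loaded in a process
            elif item.upper().startswith(HIVES):
                current["registry"].append(item)       # "key || value" or key path
            else:
                current["files"].append(item)
    return families


def autostart_points(families):
    """(family, trace) for registry traces under Run/RunOnce or Winlogon (shell, notify).

    Assumption: these two path fragments are the persistence locations worth
    reviewing first; extend the test for Services, BHOs, etc. as needed."""
    hits = []
    for name, info in families.items():
        for trace in info["registry"]:
            path = trace.split(" || ")[0].lower()
            if "\\currentversion\\run" in path or "\\winlogon\\" in path:
                hits.append((name, trace))
    return hits


if __name__ == "__main__":
    fams = parse_spysweeper(SAMPLE_LOG)
    for name, info in fams.items():
        print(f"{info['first_seen']} {info['category']}: {name} "
              f"(running={len(info['running'])}, quarantined={info['quarantined']})")
    print("autostart traces:")
    for name, trace in autostart_points(fams):
        print(f"  [{name}] {trace}")
```

Run against the full session, the autostart list is the short version of what a responder actually needs from this log; everything else (cookies, uninstall keys, the CLSID and typelib subtraces) is cleanup, not persistence.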

#8 dr_pyser (Topic Starter, Member, 16 posts)
And here's l2mfix:

L2MFIX find log 120305

These are the registry keys present

**********************************************************************************

Winlogon/notify:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************

useragent:

Windows Registry Editor Version 5.00



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{90E3E535-BAC1-7178-08C9-6FAAA5D07B08}"=""



**********************************************************************************

Shell Extension key:

Windows Registry Editor Version 5.00



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"

"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"

"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"

"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"

"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"

"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"

"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"

"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"

"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"

"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"

"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"

"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"

"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"

"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"

"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"

"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"

"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"

"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"

"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"

"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"

"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"

"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"

"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"

"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"

"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"

"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"

"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"

"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"

"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"

"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"

"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"

"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"

"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"

"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"

"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"

"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"

"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"

"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"

"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"

"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"

"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"

"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"

"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"

"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"

"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"

"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"

"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"

"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"

"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."

"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"

"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"

"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"

"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"

"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"

"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"

"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"

"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"

"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"

"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"

"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"

"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"

"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"

"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"

"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"

"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"

"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"

"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"

"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"

"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"

"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"

"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"

"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"

"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"

"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"

"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"

"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"

"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"

"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"

"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"

"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"

"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"

"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"

"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"

"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"

"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"

"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"

"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"

"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"

"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"

"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"

"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"

"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"

"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"

"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"

"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"

"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"

"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"

"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"

"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"

"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"

"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"

"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"

"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"

"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"

"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"

"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"

"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"

"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"

"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"

"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"

"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"

"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"

"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"

"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"

"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"

"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"

"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"

"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"

"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"

"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"

"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"

"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"

"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"

"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"

"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"

"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"

"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"

"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"

"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"

"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"

"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"

"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"

"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"

"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"

"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"

"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"

"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"

"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"

"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"

"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"

"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"

"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"

"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"

"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"

"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"

"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"

"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"

"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"

"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"

"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"

"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"

"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"

"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"

"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"

"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"

"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"

"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"

"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"

"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"

"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"

"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"

"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."

"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"

"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"

"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"

"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"

"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"

"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"

"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"

"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"

@=""

"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}"="PhotoToys"

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"

"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"

"{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}"="FTP Explorer Shell Extension"

"{5E2121EE-0300-11D4-8D3B-444553540000}"="st"

"{AE67E587-8644-4266-8474-031D12A63103}"=""

"{81CD0BA4-6158-40E2-B3C3-2AA9CCC09ECC}"=""

"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

"{486BB9FE-71D4-4486-BFAE-16C93D0919AE}"=""



**********************************************************************************

HKEY ROOT CLASSIDS:

**********************************************************************************

Files Found are not all bad files:

D:\WINDOWS\SYSTEM32\
bassmod.dll Fri 18 Nov 2005 17:28:04 A.... 15,360 15.00 K
dfshim.dll Fri 23 Sep 2005 7:28:38 A.... 83,456 81.50 K
e2202c~1.dll Fri 2 Dec 2005 11:06:40 ..S.R 0 0.00 K
f0l0la~1.dll Fri 2 Dec 2005 11:46:36 ..S.R 235,749 230.22 K
gdi32.dll Thu 6 Oct 2005 14:09:36 A.... 280,064 273.50 K
islzma.dll Fri 21 Oct 2005 15:50:14 A.... 102,912 100.50 K
mscoree.dll Fri 23 Sep 2005 7:28:52 A.... 270,848 264.50 K
mscorier.dll Fri 23 Sep 2005 7:28:52 A.... 150,016 146.50 K
mscories.dll Fri 23 Sep 2005 7:28:52 A.... 74,240 72.50 K
msctl32.dll Wed 7 Dec 2005 21:19:52 A.... 41,472 40.50 K
mshtml.dll Tue 4 Oct 2005 17:26:00 A.... 3,015,168 2.88 M
nv4_disp.dll Fri 4 Nov 2005 18:03:00 A.... 3,924,096 3.74 M
nvapi.dll Fri 4 Nov 2005 18:03:00 A.... 86,016 84.00 K
nvcod.dll Fri 4 Nov 2005 18:03:00 A.... 35,328 34.50 K
nvcodins.dll Fri 4 Nov 2005 18:03:00 A.... 35,328 34.50 K
nvcpl.dll Fri 4 Nov 2005 18:03:00 A.... 7,307,264 6.97 M
nvhwvid.dll Fri 4 Nov 2005 18:03:00 A.... 573,440 560.00 K
nview.dll Fri 4 Nov 2005 18:03:00 A.... 1,466,368 1.40 M
nvmccs.dll Fri 4 Nov 2005 18:03:00 A.... 229,376 224.00 K
nvmccsrs.dll Fri 4 Nov 2005 18:03:00 A.... 45,056 44.00 K
nvmctray.dll Fri 4 Nov 2005 18:03:00 A.... 86,016 84.00 K
nvnt4cpl.dll Fri 4 Nov 2005 18:03:00 A.... 286,720 280.00 K
nvoglnt.dll Fri 4 Nov 2005 18:03:00 A.... 5,394,432 5.14 M
nvshell.dll Fri 4 Nov 2005 18:03:00 A.... 466,944 456.00 K
nvwddi.dll Fri 4 Nov 2005 18:03:00 A.... 81,920 80.00 K
nvwdmcpl.dll Fri 4 Nov 2005 18:03:00 A.... 1,662,976 1.59 M
nvwimg.dll Fri 4 Nov 2005 18:03:00 A.... 1,019,904 996.00 K
rtlcpapi.dll Fri 16 Sep 2005 14:14:36 A.... 157,184 153.50 K
shell32.dll Fri 23 Sep 2005 14:05:30 A.... 8,450,560 8.06 M
sirenacm.dll Wed 12 Oct 2005 17:11:06 A.... 118,784 116.00 K
winacpi.dll Sun 11 Dec 2005 11:51:16 A.... 55,861 54.55 K
wrlogo~1.dll Mon 24 Oct 2005 12:20:36 A.... 492,544 481.00 K
wrlzma.dll Mon 24 Oct 2005 12:20:32 A.... 17,920 17.50 K
zlbw.dll Fri 2 Dec 2005 10:41:18 A.... 46,592 45.50 K

34 items found: 34 files (2 H/S), 0 directories.
Total of file sizes: 36,309,914 bytes 34.63 M

Locate .tmp files:

No matches found.

**********************************************************************************

Directory Listing of system files:

Volume in drive D is Hyperion
Volume Serial Number is 7C5D-F271

Directory of D:\WINDOWS\System32

02/12/2005 11:46 AM 235,749 f0l0la3m1d.dll
02/12/2005 11:06 AM 0 e2202cfmgf2a2.dll
02/12/2005 09:38 AM <DIR> dllcache
18/11/2005 02:55 PM <DIR> Microsoft
2 File(s) 235,749 bytes
2 Dir(s) 32,764,264,448 bytes free
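The L2MFix find log above is a registry export of the Winlogon\Notify keys, which is exactly where look2me lives: Spy Sweeper reported the `...\winlogon\notify\ms-dos emulation || dllname` value as pointing at l4r0le9m1h.dll, and in the export the MS-DOS Emulation key still has Logon/Logoff/Shutdown handlers but no DllName at all. Reading these keys by eye is slow because the Windows entries store DllName as `hex(2)` (REG_EXPAND_SZ, UTF-16LE bytes) split across continuation lines. The following is an added example, not part of the thread and not L2MFix's code: a Python parser for the `Windows Registry Editor Version 5.00` format that decodes those values and flags any Notify subkey whose DLL is not on a baseline list or whose DllName is missing. The baseline is the set of Windows DLLs visible in the export above and is an assumption, as is the sample export: two Windows entries modelled on the log, the look2me key as it would have looked before cleanup (DllName set to l4r0le9m1h.dll, reconstructed from the Spy Sweeper line), and Spy Sweeper's own WRNotifier entry.

```python
import re

# Winlogon notification DLLs that ship with Windows XP, taken from the Windows
# entries in the L2MFix export above. Assumption: a hand-kept baseline for this
# one build, not an authoritative list; build yours from a known-clean machine.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll"}

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")


def _decode_value(raw):
    """Decode one .reg value literal: a quoted string, dword:hex or hex(n):bytes."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw, re.I)
    if m:
        data = bytes(int(b, 16) for b in re.split(r"[,\s]+", m.group(2)) if b)
        if m.group(1) in ("1", "2", "7"):   # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")   # UTF-16LE, NUL-terminated
        return data
    return raw


def parse_reg_export(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: value}}."""
    logical = []
    for line in text.splitlines():
        line = line.strip()
        if logical and logical[-1].endswith("\\"):   # hex value continues on next line
            if not line:
                continue   # tolerate blank lines pasted between continuation lines
            logical[-1] = logical[-1][:-1] + line
        else:
            logical.append(line)
    keys, current = {}, None
    for line in logical:
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name if name == "@" else name.strip('"')] = _decode_value(value)
    return keys


def triage_notify(keys):
    """Flag Winlogon\\Notify subkeys whose DllName is missing or not on the baseline."""
    findings = {}
    for key, values in keys.items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        sub = key[len(NOTIFY_PREFIX):]
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            findings[sub] = "no DllName: handler values left behind without a DLL"
        elif dll.lower() not in KNOWN_NOTIFY_DLLS:
            findings[sub] = "DllName not on baseline: " + dll
    return findings


# Constructed sample in the format of the L2MFix export above (assumption: the
# look2me key is shown with the DllName Spy Sweeper reported, i.e. pre-cleanup).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"="l4r0le9m1h.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"DllName"="WRLogonNTF.dll"
"Logon"="WRLogon"
"""

# The same export with the DLL value gone, which is what the find log above
# shows for MS-DOS Emulation after Spy Sweeper's quarantine.
SAMPLE_AFTER_CLEANUP = SAMPLE_EXPORT.replace('"DllName"="l4r0le9m1h.dll"\n', "")

if __name__ == "__main__":
    for label, text in (("before cleanup", SAMPLE_EXPORT),
                        ("after cleanup", SAMPLE_AFTER_CLEANUP)):
        print(label)
        for sub, why in triage_notify(parse_reg_export(text)).items():
            print(f"  {sub}: {why}")
```

On the page's own export this reports two entries: MS-DOS Emulation (no DllName, handler names left behind) and WRNotifier (WRLogonNTF.dll, Spy Sweeper's own logon hook). That is how a baseline check is meant to work: it tells you what to look at, not what is malicious, and the reviewer decides that the first is leftover look2me and the second is the installed antispyware product.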

#9 Armodeluxe (Retired Staff, Member 2k, 2,744 posts)
Maybe Spy Sweeper didn't get the whole infection, but it certainly crippled it, and while at it got rid of many of the other infections that we were going to deal with after removing look2me as well.

In the time you took to reply, l2mfix was updated for the previous error we got, so please delete the whole folder you have and download it again from one of these locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter. It will process, then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do NOT run it in Safe Mode!
If, after the reboot, the log does not open, double-click on it in the l2mfix folder.

#10
dr_pyser

    Member

  • Topic Starter
  • Member
  • 16 posts
Happy Christmas, Armodeluxe! Here's my l2mfix log:

L2mfix Beta 121605
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
D:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 456 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 544 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'
Killing PID 1960 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1708 'rundll32.exe'

Scanning First Pass. Please Wait!


Running From:
D:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 452 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 540 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'
Killing PID 1932 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1600 'rundll32.exe'

Scanning First Pass. Please Wait!


Running From:
D:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 456 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 552 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 408 'explorer.exe'
Killing PID 408 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Granting SeDebugPrivilege to Administrateurs ... failed (GetAccountSid(Administrateurs)=1332
Granting SeDebugPrivilege to Administratörer ... failed (GetAccountSid(Administratörer)=1332
Granting SeDebugPrivilege to Administradores ... failed (GetAccountSid(Administradores)=1332
Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332
Granting SeDebugPrivilege to Administratoren ... failed (GetAccountSid(Administratoren)=1332

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7638D521-E136-45C6-9756-1226AAD6D972}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7638D521-E136-45C6-9756-1226AAD6D972}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7638D521-E136-45C6-9756-1226AAD6D972}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7638D521-E136-45C6-9756-1226AAD6D972}\InprocServer32]
@="D:\\WINDOWS\\system32\\wwcsvc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E298F8ED-5422-4DCB-A68B-A464AFF074B5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E298F8ED-5422-4DCB-A68B-A464AFF074B5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E298F8ED-5422-4DCB-A68B-A464AFF074B5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E298F8ED-5422-4DCB-A68B-A464AFF074B5}\InprocServer32]
@="D:\\WINDOWS\\system32\\kzdusl.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{80116C8E-510B-4155-9A4C-9639A1E20C66}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{80116C8E-510B-4155-9A4C-9639A1E20C66}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{80116C8E-510B-4155-9A4C-9639A1E20C66}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{80116C8E-510B-4155-9A4C-9639A1E20C66}\InprocServer32]
@="D:\\WINDOWS\\system32\\axl.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AE67E587-8644-4266-8474-031D12A63103}"=-
"{81CD0BA4-6158-40E2-B3C3-2AA9CCC09ECC}"=-
"{486BB9FE-71D4-4486-BFAE-16C93D0919AE}"=-
[-HKEY_CLASSES_ROOT\CLSID\{AE67E587-8644-4266-8474-031D12A63103}]
[-HKEY_CLASSES_ROOT\CLSID\{81CD0BA4-6158-40E2-B3C3-2AA9CCC09ECC}]
[-HKEY_CLASSES_ROOT\CLSID\{486BB9FE-71D4-4486-BFAE-16C93D0919AE}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)



And HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 12:09:55 PM, on 24/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\LTMSG.exe
D:\Program Files\ClamWin\bin\ClamTray.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\tool2.exe
C:\winstall.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ClamWin] "D:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [pro] D:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132291094218
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MS-DOS Emulation - D:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Enjoy your festive season!
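The Winlogon Notify export in the l2mfix log above is worth understanding rather than just pasting: every subkey under that key names a DLL that winlogon.exe loads at logon, which is why a package planted there survives ordinary user-mode cleanup and why the export is dumped for a human to read. The script below is an added example for this thread, not part of l2mfix or HijackThis. It parses a "Windows Registry Editor Version 5.00" export like the one above, decodes the hex(2) DllName values (REG_EXPAND_SZ stored as UTF-16LE), and flags Notify subkeys that are not plain stock packages: no DllName at all (as with the MS-DOS Emulation subkey above), a DLL outside the allowlist, or a stock DLL name given with an explicit path. SAMPLE_REG is constructed from three entries of the export above plus one made-up subkey, zz_example; STOCK_NOTIFY_DLLS is an allowlist assumed for the example, not something the page states.

```python
"""Audit a regedit export of the Winlogon\\Notify key for non-stock packages.
Added example for this thread; not part of l2mfix or HijackThis."""
import re
from typing import Dict, List, Tuple

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Notification packages that ship with Windows XP SP2 (assumption made for this example;
# add the third-party ones you expect, e.g. WRLogonNTF.dll while Spy Sweeper is installed).
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll"}

# Constructed sample: cryptnet, cscdll and MS-DOS Emulation are copied from the export in
# this thread; "zz_example" is made up and stands in for a freshly planted package.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zz_example]
"Asynchronous"=dword:00000001
"DllName"="D:\\WINDOWS\\system32\\zzexample.dll"
"Logon"="WinLogon"
'''


def _decode_value(raw: str) -> str:
    """Turn one .reg value payload into a printable string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return str(int(raw[len("dword:"):], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2", "7"):   # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00").replace("\x00", ";")
        return data.hex()
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse regedit 5.00 export text into {key path: {value name: decoded value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        while line.endswith("\\") and i < len(lines):   # wrapped hex(...) values continue on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, raw = line.partition("=")
        keys[current][name.strip('"')] = _decode_value(raw)
    return keys


def audit_notify(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (subkey, dll, reason) for each Notify package that is not a plain stock entry."""
    findings = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        # value name is case-insensitive in the registry: both DllName and DLLName appear above
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            findings.append((subkey, "", "no DllName value: nothing for winlogon to load, but not a stock subkey"))
            continue
        base = dll.rsplit("\\", 1)[-1].lower()
        if base not in STOCK_NOTIFY_DLLS:
            findings.append((subkey, dll, "DLL is not a stock Windows notification package"))
        elif "\\" in dll:
            findings.append((subkey, dll, "stock DLL name with an explicit path; stock entries use a bare name"))
    return findings


if __name__ == "__main__":
    for subkey, dll, why in audit_notify(parse_reg_export(SAMPLE_REG)):
        print(f"{subkey:18} {dll or '<none>':36} {why}")
```

The explicit-path check matters because a bare-name allowlist is trivially evaded by dropping a DLL called, say, wlnotify.dll somewhere else and pointing the value at it; stock entries never carry a path, so any path at all on a stock name is a finding. Run against a real export, treat every finding as "look at this", not "delete this": Spy Sweeper's WRNotifier above is a legitimate third-party entry that this allowlist would flag until you add it.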

#11
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Good, we're done with Look2Me.

Download smitRem.exe and save the file to your desktop.
Double-click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================
O4 - HKCU\..\Run: [pro] D:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O20 - Winlogon Notify: MS-DOS Emulation - D:\WINDOWS\

===================================================

Close HiJackThis.

Delete this file if present:

D:\WINDOWS\tool2.exe

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.

#12
dr_pyser

    Member

  • Topic Starter
  • Member
  • 16 posts
Heya Armodeluxe, I think everything is clear now! Here's the Panda log:


Incident Status Location

Virus:Trj/Mitglieder.GB Disinfected D:\Documents and Settings\Pyser\Application Data\Thunderbird\Profiles\7sf83uz1.default\Mail\Local Folders\Inbox[12.exe]
Virus:Trj/Mitglieder.GB Disinfected D:\Documents and Settings\Pyser\Application Data\Thunderbird\Profiles\7sf83uz1.default\Mail\Local Folders\Junk[12.exe]
Virus:Trj/Mitglieder.GB Disinfected D:\Documents and Settings\Pyser\Application Data\Thunderbird\Profiles\7sf83uz1.default\Mail\Local Folders\Trash[12.exe]

And the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:11:27 PM, on 27/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\LTMSG.exe
D:\Program Files\ClamWin\bin\ClamTray.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
D:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ClamWin] "D:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132291094218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C515D26-EEEF-49B3-A08B-7FF5CBDC3111}: NameServer = 203.134.64.66 203.134.65.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C515D26-EEEF-49B3-A08B-7FF5CBDC3111}: NameServer = 203.134.64.66 203.134.65.66
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe



smitfiles.txt:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 27/12/2005
The current time is: 12:41:11.04

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~

zlbw.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 752 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)


And the Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:13:44 PM, 27/12/2005
+ Report-Checksum: A9CEC3C7

+ Scan result:

C:\windows\timessquare.exe -> Hijacker.StartPage.aw : Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Win32.Renos.ad : Cleaned with backup
:mozilla.15:D:\Documents and Settings\Pyser\Application Data\Mozilla\Firefox\Profiles\v5nmx5a1.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.16:D:\Documents and Settings\Pyser\Application Data\Mozilla\Firefox\Profiles\v5nmx5a1.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.29:D:\Documents and Settings\Pyser\Application Data\Mozilla\Firefox\Profiles\v5nmx5a1.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.62:D:\Documents and Settings\Pyser\Application Data\Mozilla\Firefox\Profiles\v5nmx5a1.default\cookies.txt -> Spyware.Cookie.Trafic : Cleaned with backup
:mozilla.103:D:\Documents and Settings\Pyser\Application Data\Mozilla\Firefox\Profiles\v5nmx5a1.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.105:D:\Documents and Settings\Pyser\Application Data\Mozilla\Firefox\Profiles\v5nmx5a1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.106:D:\Documents and Settings\Pyser\Application Data\Mozilla\Firefox\Profiles\v5nmx5a1.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
D:\Documents and Settings\Pyser\Desktop\Cucusoft.iPod.Movie-Video.Converter.v2.0.Retail.Incl.Keymaker-ZWT.ZIP/Cucusoft.iPod.Movie-Video.Converter.v2.0.Retail.Incl.Keymaker-ZWT/keygen.exe -> Spyware.Hijacker.Small.is : Error during cleaning
D:\Documents and Settings\Pyser\run.exe -> Downloader.Small.bfy : Cleaned with backup
D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Agent.bu : Cleaned with backup
D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe -> Logger.Small.dg : Cleaned with backup
D:\Program Files\Microsoft AntiSpyware\Quarantine\0BD00005-D00A-49C8-ABFF-DB0168\3E241224-84E8-4DDE-841D-4AF745 -> Proxy.Cimuz.ai : Cleaned with backup
D:\Program Files\Microsoft AntiSpyware\Quarantine\2F570D5B-4835-4052-B284-82FAF2\824F3532-97F8-448F-AC3B-21F6AC -> Proxy.Cimuz.ai : Cleaned with backup
D:\Program Files\Microsoft AntiSpyware\Quarantine\5B049D02-FDEF-4B39-8050-DB82A6\F2C53583-7AB3-43AD-8A5B-B1DA91 -> Proxy.Cimuz.ai : Cleaned with backup
D:\WINDOWS\system32\miemblek.exe -> Proxy.Wopla.n : Cleaned with backup
D:\WINDOWS\system32\msctl32.dll -> Not-A-Virus.SpamTool.Win32.Mailbot.d : Cleaned with backup
D:\WINDOWS\system32\winacpi.dll -> Proxy.Cimuz.ai : Cleaned with backup
D:\WINDOWS\system32\~update.exe -> Backdoor.Small : Cleaned with backup
D:\WINDOWS\tool3.exe -> Downloader.Small.bwr : Cleaned with backup


::Report End



Thank you sooooooo very very much for your help, my computer thanks you!!!
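Comparing the 24/12 and 27/12 HijackThis logs by eye is how the helper above decided which entries to fix and which were leftovers. The script below is an added example for this thread, not HijackThis or any tool the helpers used: it diffs the O-lines of two logs and applies the same first-look heuristics as code. A Run entry whose target sits in the drive root (C:\winstall.exe) or directly in the Windows directory (D:\WINDOWS\tool2.exe) rather than under Program Files or system32; a rundll32 entry judged by the DLL it loads, not by rundll32 itself; a Winlogon Notify entry with no DLL file name, or one marked "(file missing)", which is the dead Spy Sweeper leftover the next post tells the user to fix. LOG_BEFORE and LOG_AFTER are trimmed copies of the two logs posted above. The bare-name check deliberately also lists entries like LTMSG.exe, which the helper left alone: a bare name is resolved through the search path, so the script asks you to confirm which file actually runs rather than deciding for you.

```python
"""Diff two HijackThis logs and flag the autorun entries worth a first look.
Added example for this thread; not HijackThis or any tool the helpers used."""
import re
from typing import List, Tuple

# Sample input: O-lines copied from the two logs posted in this thread
# (24/12/2005 before the Safe Mode fix, 27/12/2005 after), trimmed to what matters here.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [pro] D:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O20 - Winlogon Notify: MS-DOS Emulation - D:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.I)             # e.g. C:\winstall.exe
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)   # e.g. D:\WINDOWS\tool2.exe, not system32


def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every Oxx line; header and process list are skipped."""
    out = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries that disappeared between the two scans, and entries that are new."""
    b = {f"{s} - {body}" for s, body in parse_hjt(before)}
    a = {f"{s} - {body}" for s, body in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


def _first_tokens(cmd: str) -> List[str]:
    """Split a Run command line, honouring a quoted first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        head, rest = cmd[1:end], cmd[end + 1:]
    else:
        head, _, rest = cmd.partition(" ")
    return [head] + rest.split()


def o4_target(body: str) -> str:
    """The file an O4 entry actually starts; for rundll32 that is the DLL it loads."""
    cmd = body.split("] ", 1)[1] if "] " in body else body
    tokens = _first_tokens(cmd)
    if not tokens:
        return ""
    if tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0]


def triage(log: str) -> List[Tuple[str, str]]:
    """(line, reason) for the entries a helper would look at first."""
    hits = []
    for section, body in parse_hjt(log):
        line = f"{section} - {body}"
        if section == "O4":
            target = o4_target(body)
            if DRIVE_ROOT.match(target):
                hits.append((line, "autorun target sits in the drive root"))
            elif WINDOWS_DIR.match(target):
                hits.append((line, "autorun target sits directly in the Windows directory"))
            elif "\\" not in target:
                hits.append((line, "bare file name, resolved via the search path: confirm which file runs"))
        elif section == "O20":
            dll = body.split(" - ", 1)[1] if " - " in body else ""
            if "(file missing)" in dll:
                hits.append((line, "Winlogon Notify entry marked (file missing): dead leftover, safe to fix"))
            elif not dll or dll.endswith("\\"):
                hits.append((line, "Winlogon Notify entry with no DLL file name"))
    return hits


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed by the cleanup:", *removed, sep="\n  ")
    print("new since the cleanup:", *added, sep="\n  ")
    print("first look, before:", *(f"{why}: {line}" for line, why in triage(LOG_BEFORE)), sep="\n  ")
```

The diff is the more useful half: anything that vanished without you fixing it was either removed by a scanner (good, check its log) or is an entry the malware re-randomises each boot, and anything new that you did not install deserves the same scrutiny as the original infection. The heuristics are a starting point only; none of them says a file is malicious, and the thread's own verdicts (LTMSG.exe and SOUNDMAN.EXE are legitimate, tool2.exe and winstall.exe are not) came from knowing the files, not the paths.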

#13
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Your log looks clean. I guess you uninstalled Spysweeper, probably because the trial period expired. This entry is a leftover from Spysweeper; you can fix it with HijackThis:

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)


Is this a program you downloaded and use? Ewido detected it as infected but couldn't clean it. I suggest that you get rid of it:

D:\Documents and Settings\Pyser\Desktop\Cucusoft.iPod.Movie-Video.Converter.v2.0.Retail.Incl.Keymaker-ZWT.ZIP/Cucusoft.iPod.Movie-Video.Converter.v2.0.Retail.Incl.Keymaker-ZWT/keygen.exe -> Spyware.Hijacker.Small.is : Error during cleaning

Please take the following into consideration to maintain a clean computer.

Now you should go get a firewall. Don't rely on the Windows firewall, as it monitors only incoming traffic. Pick one of these; they are all free.
Kerio
Zonealarm
Sygate

Visit Windows Update regularly to get the latest security updates. You can also enable automatic updates. Your antivirus software and antispyware programs should also be updated regularly. Make a habit of running scans on a timely basis. Be careful about what you download, and scan every file before clicking on it.

Additional programs to consider:

Spywareblaster Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.
Spywareguard An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
IE/Spyad
Adds a list of malicious sites to your Restricted Sites Zone.
Firefox An alternate browser safer than IE

A good article to read:
So how did I get infected in the first place?

Regards,

Armodeluxe

#14
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.