
spy sheriff
Started by revenge100, Dec 23 2005 12:06 PM
#16
Posted 23 December 2005 - 04:31 PM

#17
Posted 23 December 2005 - 04:34 PM

Fine,
Let's see if we can't get this cleaned up a bit and make it a bit more manageable for you.
You will want to print out these instructions or save them to Notepad. Save them on your desktop so you have easy access to them.
First
Make sure you can view all hidden files/folders.
Next
Make sure Ewido is updated.
We will use it in safe mode.
Next
Download and install CleanUp!
Don't run this yet; we will use it in safe mode as well.
Next
Go to Add/Remove Programs and remove
SurfSideKick 3
Once it is done uninstalling, it will ask you to restart your computer. Do so.
While it is restarting, reboot to safe mode. The rest of this will all be done in safe mode.
Next
While in safe mode
Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKLM\..\Run: [MSOffice32] C:\WINDOWS\System32\msjcf.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\System32\msvcp.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKLM\..\Run: [Microsoft Conference] msconf.exe
O4 - HKLM\..\Run: [Microsoft Configure 32] msgconfigre.exe
O4 - HKLM\..\RunServices: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKLM\..\RunServices: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKLM\..\RunServices: [Microsoft Conference] msconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msgconfigre.exe
O4 - HKCU\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Microsoft Conference] msconf.exe
O4 - HKCU\..\Run: [Microsoft Configs 32] msgconfigrs.exe
O4 - HKCU\..\Run: [Uwbs] "C:\Program Files\ohil\mbma.exe" -vt mt
O4 - HKCU\..\Run: [Apq] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\RunServices: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKCU\..\RunServices: [Microsoft Conference] msconf.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload124a.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c17.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4767
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\System32\msctl32.dll
Search for and delete the following (entries ending in a backslash are folders; the rest are files):
C:\WINDOWS\System32\msjcf.exe
C:\WINDOWS\sysldr32.exe
C:\WINDOWS\System32\msvcp.exe
C:\Program Files\SurfSideKick 3\
msgconfigrs.exe
msconf.exe
msgconfigre.exe
IEEXPLORER.exe
C:\Program Files\ohil\
C:\WINDOWS\System32\w?aclt.exe
C:\WINDOWS\System32\msctl32.dll
Next
Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (make sure nothing else is checked!):
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- Cleanup! All Users
Press the CleanUp! button to start the program.
It may ask you to reboot at the end; click No.
Next
- Click on the Ewido icon on your desktop.
- Click on Scanner.
- Click on Complete System Scan and the scan will begin.
- While the scan is in progress you will be prompted to clean files; click OK.
- When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
- Click Save report.
- Save the report .txt file to your desktop.
Next
Restart your computer to normal mode.
Run this online scan: ActiveScan. When the scan has completed it will give you an option to save the log. Please do so and remember where you saved it.
Next
Rescan with HJT again and save the log.
Post it back here for me please, along with the log from Ewido and the log from the ActiveScan.
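The "Fix Checked" list in the post above is a set of HijackThis abbreviations; each one stands for a registry value, a registry key or a file that has to go. The script below is an added example, not code from the post or from HijackThis itself: it parses the R3, O4, O15, O16 and O20 line formats used above and expands them into the full registry paths and file paths a responder would remove or verify by hand. The registry locations are the standard ones HJT abbreviates; the two file heuristics (a bare file name with no directory, and a `?` where HJT could not print a character in the name) are this example's own. The sample log is a constructed subset of the lines quoted in the post.

```python
"""Turn HijackThis (HJT) log lines into a concrete removal plan.

Added example, not from the original post. Registry locations are the
standard ones HJT abbreviates; the file heuristics are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the log lines quoted in the post above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKLM\..\Run: [MSOffice32] C:\WINDOWS\System32\msjcf.exe
O4 - HKLM\..\RunServices: [Microsoft Conference] msconf.exe
O4 - HKCU\..\Run: [Uwbs] "C:\Program Files\ohil\mbma.exe" -vt mt
O4 - HKCU\..\Run: [Apq] C:\WINDOWS\System32\w?aclt.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c17.cab
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\System32\msctl32.dll
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
# HJT prints "HKLM\..\Run"; the ".." stands for this prefix.
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: .*? - _?(\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (\S+)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")


def regpath(*parts):
    """Join registry path components with backslashes."""
    return "\\".join(parts)


def image_path(command):
    """Return the executable from an autostart command line, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def file_notes(exe):
    """Heuristic warnings about an autostart image (this example's own)."""
    notes = []
    if "\\" not in exe:
        notes.append("bare name: resolved via the search path, locate the real file")
    if "?" in exe:
        notes.append("'?' is a character HJT could not print; suspect a lookalike name")
    return notes


def parse_hjt(text):
    """Group HJT lines into registry values, registry keys and files to remove."""
    plan = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            hive, key, label, command = m.groups()
            plan["registry_values"].append((regpath(HIVES[hive], CURRENT_VERSION, key), label))
            exe = image_path(command)
            plan["files"].append((exe, file_notes(exe)))
        elif m := R3_RE.match(line):
            clsid, dll = m.groups()
            plan["registry_values"].append(
                (regpath("HKEY_CURRENT_USER", r"Software\Microsoft\Internet Explorer\URLSearchHooks"), clsid))
            if dll != "(no file)":
                plan["files"].append((dll, []))
        elif m := O15_RE.match(line):
            domain = m.group(1).lstrip("*.")
            plan["registry_keys"].append(
                regpath("HKEY_CURRENT_USER", CURRENT_VERSION, r"Internet Settings\ZoneMap\Domains", domain))
        elif m := O16_RE.match(line):
            clsid, name, url = m.groups()
            plan["registry_keys"].append(
                regpath("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Code Store Database\Distribution Units", clsid))
            plan["activex_sources"].append((name or "(unnamed)", url))
        elif m := O20_RE.match(line):
            name, dll = m.groups()
            plan["registry_keys"].append(
                regpath("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify", name))
            plan["files"].append((dll, ["loaded into winlogon.exe: remove from safe mode or offline"]))
    return dict(plan)


if __name__ == "__main__":
    for section, entries in parse_hjt(SAMPLE_LOG).items():
        print(f"== {section}")
        for entry in entries:
            print("  ", entry)
```

The point of the expansion is that HJT's "Fix Checked" only deletes the registry reference; the file it pointed at stays on disk, which is why the post lists the files separately. Bare names such as IEEXPLORER.exe are worth locating before deletion, since the same name can sit in more than one directory on the search path, and the O20 entry is a DLL that winlogon.exe loads at logon, so it cannot be deleted from a normal-mode session.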
#18
Posted 23 December 2005 - 04:39 PM

This may take a while!
Cheers for the help.
Is it OK to go online in safe mode?
#19
Posted 23 December 2005 - 04:48 PM

"Is it OK to go online in safe mode?"
Would rather you did not. I know it will take you a while to do; I jumped the gun a bit and was working on the fix when you posted the uninstall list, but it's fine.
I will be heading out in an hour or so but should be back on after that for a few hours anyway. Take your time and just make sure you follow the instructions as closely as possible.
#20
Posted 23 December 2005 - 05:31 PM

Reports on their way.
I am in the UK so it's hitting midnight. What would be the best time to log back on?
#21
Posted 23 December 2005 - 05:33 PM

Here is Ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 23:17:57, 05/12/2005
+ Report-Checksum: C7DD682C
+ Scan result:
HKLM\SOFTWARE\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl\Clsid -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaTickets -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-790525478-884357618-839522115-1003\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-790525478-884357618-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-790525478-884357618-839522115-1003\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
[672] C:\WINDOWS\system32\sotupapi.dll -> Spyware.Look2Me : Error during cleaning
[800] C:\WINDOWS\system32\sotupapi.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Richard\Desktop\cdegfr -> Worm.Locksky.l : Cleaned with backup
C:\Documents and Settings\Richard\Desktop\fdsf -> Hijacker.Spywad.o : Cleaned with backup
C:\Documents and Settings\Richard\Desktop\hijackthis\backups\backup-20051205-225640-153.dll -> Adware.WinAD : Cleaned with backup
C:\Documents and Settings\Richard\Desktop\hijackthis\backups\backup-20051205-225640-612.dll -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\Richard\Desktop\sdfff -> Downloader.Small.awa : Cleaned with backup
C:\Documents and Settings\Richard\Desktop\zxczxc -> Downloader.Small.cah : Cleaned with backup
C:\emoticonz.exe -> Trojan.LowZones.cf : Cleaned with backup
C:\Program Files\Common Files\fmof\fmofd\fmofc.dll -> Downloader.Small : Cleaned with backup
C:\Program Files\Common Files\fmof\fmofl.exe -> Downloader.TSUpdate.p : Cleaned with backup
C:\Program Files\Common Files\VCClient\installer.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Program Files\Common Files\VCClient\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
C:\Program Files\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\03E62519.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\081D7A13.exe -> Backdoor.Rbot.ul : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\0D004899.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\0E1E145F.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\18531D55.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\1FB75E20.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\21EF2DB9.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\29CD309B.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\43F4061B.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\43F73017.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\43FA5A14.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\45787002.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\470462BC.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\471E32A0.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\47215C9C.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\4E663DED.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\50A13FA9.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\57986727.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\5A01185E.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\5A957C12.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\61A12ADA.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\6F950E9A.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\75D538E9.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\Portal\7CA97455.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-17-16.qua/c:/documents and settings/richard/cookies/richard@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-17-16.qua/c:/documents and settings/richard/cookies/richard@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-17-16.qua/c:/documents and settings/richard/cookies/richard@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-36-46.qua/c:/documents and settings/richard/cookies/richard@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-36-46.qua/c:/documents and settings/richard/cookies/richard@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-36-46.qua/c:/documents and settings/richard/cookies/[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-36-46.qua/c:/documents and settings/richard/cookies/richard@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-36-46.qua/c:/documents and settings/richard/cookies/richard@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-36-46.qua/c:/documents and settings/richard/cookies/[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-36-46.qua/c:/documents and settings/richard/cookies/richard@spylog[1].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-36-46.qua/C:/WINDOWS/loadnew.exe -> Downloader.Harnig.ax : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-36-46.qua/c:/program files/spysheriff/heur002.dll -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-36-46.qua/c:/program files/spysheriff/IESecurity.dll -> Spyware.SpywareNo : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-36-46.qua/c:/program files/spysheriff/ProcMon.dll -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\Spy-Shield\Quarantine\auto-quarantine 22-12-2005 16-36-46.qua/c:/program files/spysheriff/Uninstall.exe -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Cleaned with backup
C:\RECYCLER\NPROTECT\00039177.EXE -> Adware.SurfSide : Cleaned with backup
C:\RECYCLER\NPROTECT\00039191.exe -> Downloader.PurityScan.au : Cleaned with backup
C:\RECYCLER\NPROTECT\00039291.exe -> Downloader.Harnig.ax : Cleaned with backup
C:\RECYCLER\NPROTECT\00039298.DLL -> Spyware.SpywareNo : Cleaned with backup
C:\RECYCLER\NPROTECT\00039299.dll -> Adware.SpySheriff : Cleaned with backup
C:\RECYCLER\NPROTECT\00039300.EXE -> Adware.SpySheriff : Cleaned with backup
C:\RECYCLER\NPROTECT\00039503.TXT -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00039504.TXT -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\NPROTECT\00039505.TXT -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\NPROTECT\00039506.TXT -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\NPROTECT\00039507.TXT -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\NPROTECT\00039992.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040276.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040312.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040365.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040366.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040500.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040501.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040510.TXT -> Spyware.Cookie.Bfast : Cleaned with backup
C:\RECYCLER\NPROTECT\00040521.TXT -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\NPROTECT\00040648.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040693.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00041401.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00041465.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00041552.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00041628.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00041815.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00041903.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\country.exe -> Dropper.Raven : Cleaned with backup
C:\WINDOWS\DH.dll -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N57M2112NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\eti.exe/mrjj.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\kl.exe -> Logger.Small.eg : Cleaned with backup
C:\WINDOWS\mm63.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINDOWS\system32\clfgnt.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3PHL3RP4\bridge-c18[1].cab/MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3PHL3RP4\drsmartload195a[1].exe -> Downloader.Adload.j : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3PHL3RP4\joysaver[1].cab/mm83.ocx -> Downloader.VB.ov : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UGBZG409\drsmartload_js[1].htm -> Downloader.IstBar.j : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UGBZG409\emoticons[1].exe -> Trojan.LowZones.cf : Cleaned with backup
C:\WINDOWS\system32\cqyptnet.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dial32.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\system32\g2220cfoef2c0.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\gbi32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\h8l2li3o18.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hqicons.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\iesecsvc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\j84o0ih3e84.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\jt8u07l9e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kldhept.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\krdtuq.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\l46o0ej3eho.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lHngwrbk.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\moxbse35.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mtrepl35.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mv8ml9l11.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\n46qlej51ho.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\nmrsfi.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\scmt16.exe -> Downloader.Harnig.ax : Cleaned with backup
C:\WINDOWS\system32\shbrccsp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wpn32spl.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wsashext.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\z11.exe -> Hijacker.Spywad.o : Cleaned with backup
C:\WINDOWS\system32\z12.exe -> Downloader.Small.awa : Cleaned with backup
C:\WINDOWS\system32\z13.exe -> Downloader.Small.cah : Cleaned with backup
C:\WINDOWS\system32\z14.exe -> Worm.Locksky.l : Cleaned with backup
C:\WINDOWS\tool4.exe -> Proxy.Xorpix.i : Cleaned with backup
C:\WINDOWS\toolbar.exe -> Downloader.Adload.j : Cleaned with backup
C:\WINDOWS\UmljaGFyZCBCdXhiYXVt\asappsrv.dll -> Spyware.CommAd : Cleaned with backup
C:\WINDOWS\UmljaGFyZCBCdXhiYXVt\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\z5chg8a8.exe -> Downloader.Harnig.ax : Cleaned with backup
C:\winstall.exe -> Hijacker.Spywad.o : Cleaned with backup
::Report End
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Cleaned with backup
C:\RECYCLER\NPROTECT\00039177.EXE -> Adware.SurfSide : Cleaned with backup
C:\RECYCLER\NPROTECT\00039191.exe -> Downloader.PurityScan.au : Cleaned with backup
C:\RECYCLER\NPROTECT\00039291.exe -> Downloader.Harnig.ax : Cleaned with backup
C:\RECYCLER\NPROTECT\00039298.DLL -> Spyware.SpywareNo : Cleaned with backup
C:\RECYCLER\NPROTECT\00039299.dll -> Adware.SpySheriff : Cleaned with backup
C:\RECYCLER\NPROTECT\00039300.EXE -> Adware.SpySheriff : Cleaned with backup
C:\RECYCLER\NPROTECT\00039503.TXT -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00039504.TXT -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\NPROTECT\00039505.TXT -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\NPROTECT\00039506.TXT -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\NPROTECT\00039507.TXT -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\NPROTECT\00039992.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040276.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040312.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040365.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040366.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040500.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040501.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040510.TXT -> Spyware.Cookie.Bfast : Cleaned with backup
C:\RECYCLER\NPROTECT\00040521.TXT -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\NPROTECT\00040648.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00040693.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00041401.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00041465.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00041552.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00041628.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00041815.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00041903.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\country.exe -> Dropper.Raven : Cleaned with backup
C:\WINDOWS\DH.dll -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N57M2112NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\eti.exe/mrjj.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\kl.exe -> Logger.Small.eg : Cleaned with backup
C:\WINDOWS\mm63.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINDOWS\system32\clfgnt.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3PHL3RP4\bridge-c18[1].cab/MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3PHL3RP4\drsmartload195a[1].exe -> Downloader.Adload.j : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3PHL3RP4\joysaver[1].cab/mm83.ocx -> Downloader.VB.ov : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UGBZG409\drsmartload_js[1].htm -> Downloader.IstBar.j : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UGBZG409\emoticons[1].exe -> Trojan.LowZones.cf : Cleaned with backup
C:\WINDOWS\system32\cqyptnet.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dial32.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\system32\g2220cfoef2c0.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\gbi32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\h8l2li3o18.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hqicons.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\iesecsvc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\j84o0ih3e84.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\jt8u07l9e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kldhept.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\krdtuq.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\l46o0ej3eho.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lHngwrbk.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\moxbse35.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mtrepl35.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mv8ml9l11.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\n46qlej51ho.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\nmrsfi.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\scmt16.exe -> Downloader.Harnig.ax : Cleaned with backup
C:\WINDOWS\system32\shbrccsp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wpn32spl.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wsashext.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\z11.exe -> Hijacker.Spywad.o : Cleaned with backup
C:\WINDOWS\system32\z12.exe -> Downloader.Small.awa : Cleaned with backup
C:\WINDOWS\system32\z13.exe -> Downloader.Small.cah : Cleaned with backup
C:\WINDOWS\system32\z14.exe -> Worm.Locksky.l : Cleaned with backup
C:\WINDOWS\tool4.exe -> Proxy.Xorpix.i : Cleaned with backup
C:\WINDOWS\toolbar.exe -> Downloader.Adload.j : Cleaned with backup
C:\WINDOWS\UmljaGFyZCBCdXhiYXVt\asappsrv.dll -> Spyware.CommAd : Cleaned with backup
C:\WINDOWS\UmljaGFyZCBCdXhiYXVt\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\z5chg8a8.exe -> Downloader.Harnig.ax : Cleaned with backup
C:\winstall.exe -> Hijacker.Spywad.o : Cleaned with backup
::Report End
#22
Posted 23 December 2005 - 06:04 PM

Can you post back a fresh HJT log, please?
#23
Posted 23 December 2005 - 06:11 PM

Here is another report. I will get the other one in 2 mins; I will need to go into safe mode.
L2MFIX find log 121605
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fpr6039se.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B11C0777-3403-EBD6-D58A-8E1DBD2B2C68}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{9430216F-467D-4424-A265-BE23B99B2D4C}"=""
"{43A02D71-6A98-4D47-92D6-C5356AC43DAE}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{9430216F-467D-4424-A265-BE23B99B2D4C}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9430216F-467D-4424-A265-BE23B99B2D4C}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9430216F-467D-4424-A265-BE23B99B2D4C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9430216F-467D-4424-A265-BE23B99B2D4C}\InprocServer32]
@="C:\\WINDOWS\\system32\\nqlanui.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{43A02D71-6A98-4D47-92D6-C5356AC43DAE}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{43A02D71-6A98-4D47-92D6-C5356AC43DAE}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{43A02D71-6A98-4D47-92D6-C5356AC43DAE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{43A02D71-6A98-4D47-92D6-C5356AC43DAE}\InprocServer32]
@="C:\\WINDOWS\\system32\\kldhept.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
atmtd.dll Thu 22 Dec 2005 16:29:48 A.... 687,592 671.48 K
fpr603~1.dll Mon 5 Dec 2005 23:25:18 ..S.R 234,521 229.02 K
mevbvm60.dll Mon 5 Dec 2005 23:25:18 ..S.R 233,828 228.35 K
msctl32.dll Thu 22 Dec 2005 16:26:22 A.... 42,496 41.50 K
nqlanui.dll Sat 24 Dec 2005 0:00:30 ..S.R 234,521 229.02 K
p8n80i~1.dll Sat 24 Dec 2005 0:00:30 ..S.R 235,379 229.86 K
rrttpf.dll Thu 22 Dec 2005 21:15:14 A.... 139,264 136.00 K
s32evnt1.dll Thu 1 Dec 2005 12:14:20 A.... 86,091 84.07 K
sirenacm.dll Wed 12 Oct 2005 17:11:06 A.... 118,784 116.00 K
sotupapi.dll Mon 5 Dec 2005 22:47:50 ..S.R 235,868 230.34 K
10 items found: 10 files (5 H/S), 0 directories.
Total of file sizes: 2,248,344 bytes 2.14 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Hard Disk
Volume Serial Number is 70CF-8EEA
Directory of C:\WINDOWS\System32
24/12/2005 00:00 234,521 nqlanui.dll
24/12/2005 00:00 235,379 p8n80i5ue8.dll
23/12/2005 23:54 <DIR> dllcache
22/12/2005 21:15 405,504 w?aclt.exe
22/12/2005 19:29 99,328 msgconfigrs.exe
05/12/2005 23:25 233,828 mevbvm60.dll
05/12/2005 23:25 234,521 fpr6039se.dll
05/12/2005 22:47 235,868 sotupapi.dll
31/07/2005 05:59 32 {CE95D67F-49E0-437F-8A53-960697B29D7A}.dat
31/07/2005 05:58 32 {DE8EF0C5-4F80-484A-B99F-275BD2E0F00F}.dat
31/07/2005 05:57 32 {9CDB9FDE-F629-42EE-A90B-B2376AE1AAEF}.dat
31/07/2005 05:56 32 {1AC51C46-03D7-4C52-B2B2-E6AE5706031A}.dat
31/07/2005 05:56 32 {6C0BE323-233A-4485-9F44-C6F2A4CCFF28}.dat
31/07/2005 05:56 32 {FFFA31C6-4CC0-4FCA-9FBE-713D8B25DE5C}.dat
31/07/2005 05:55 32 {781C5EA2-F5F6-40D5-BF13-12640A72DCFA}.dat
30/07/2005 20:12 <DIR> Microsoft
14 File(s) 1,679,173 bytes
2 Dir(s) 193,610,784,768 bytes free
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{9430216F-467D-4424-A265-BE23B99B2D4C}"=""
"{43A02D71-6A98-4D47-92D6-C5356AC43DAE}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{9430216F-467D-4424-A265-BE23B99B2D4C}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9430216F-467D-4424-A265-BE23B99B2D4C}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9430216F-467D-4424-A265-BE23B99B2D4C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{9430216F-467D-4424-A265-BE23B99B2D4C}\InprocServer32]
@="C:\\WINDOWS\\system32\\nqlanui.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{43A02D71-6A98-4D47-92D6-C5356AC43DAE}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{43A02D71-6A98-4D47-92D6-C5356AC43DAE}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{43A02D71-6A98-4D47-92D6-C5356AC43DAE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{43A02D71-6A98-4D47-92D6-C5356AC43DAE}\InprocServer32]
@="C:\\WINDOWS\\system32\\kldhept.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
atmtd.dll Thu 22 Dec 2005 16:29:48 A.... 687,592 671.48 K
fpr603~1.dll Mon 5 Dec 2005 23:25:18 ..S.R 234,521 229.02 K
mevbvm60.dll Mon 5 Dec 2005 23:25:18 ..S.R 233,828 228.35 K
msctl32.dll Thu 22 Dec 2005 16:26:22 A.... 42,496 41.50 K
nqlanui.dll Sat 24 Dec 2005 0:00:30 ..S.R 234,521 229.02 K
p8n80i~1.dll Sat 24 Dec 2005 0:00:30 ..S.R 235,379 229.86 K
rrttpf.dll Thu 22 Dec 2005 21:15:14 A.... 139,264 136.00 K
s32evnt1.dll Thu 1 Dec 2005 12:14:20 A.... 86,091 84.07 K
sirenacm.dll Wed 12 Oct 2005 17:11:06 A.... 118,784 116.00 K
sotupapi.dll Mon 5 Dec 2005 22:47:50 ..S.R 235,868 230.34 K
10 items found: 10 files (5 H/S), 0 directories.
Total of file sizes: 2,248,344 bytes 2.14 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Hard Disk
Volume Serial Number is 70CF-8EEA
Directory of C:\WINDOWS\System32
24/12/2005 00:00 234,521 nqlanui.dll
24/12/2005 00:00 235,379 p8n80i5ue8.dll
23/12/2005 23:54 <DIR> dllcache
22/12/2005 21:15 405,504 w?aclt.exe
22/12/2005 19:29 99,328 msgconfigrs.exe
05/12/2005 23:25 233,828 mevbvm60.dll
05/12/2005 23:25 234,521 fpr6039se.dll
05/12/2005 22:47 235,868 sotupapi.dll
31/07/2005 05:59 32 {CE95D67F-49E0-437F-8A53-960697B29D7A}.dat
31/07/2005 05:58 32 {DE8EF0C5-4F80-484A-B99F-275BD2E0F00F}.dat
31/07/2005 05:57 32 {9CDB9FDE-F629-42EE-A90B-B2376AE1AAEF}.dat
31/07/2005 05:56 32 {1AC51C46-03D7-4C52-B2B2-E6AE5706031A}.dat
31/07/2005 05:56 32 {6C0BE323-233A-4485-9F44-C6F2A4CCFF28}.dat
31/07/2005 05:56 32 {FFFA31C6-4CC0-4FCA-9FBE-713D8B25DE5C}.dat
31/07/2005 05:55 32 {781C5EA2-F5F6-40D5-BF13-12640A72DCFA}.dat
30/07/2005 20:12 <DIR> Microsoft
14 File(s) 1,679,173 bytes
2 Dir(s) 193,610,784,768 bytes free
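The Winlogon\Notify export near the top of this L2MFix log is the persistence point that matters for the L2M (Look2Me) infection being treated here: every subkey under HKLM\...\Winlogon\Notify names a DLL that winlogon.exe loads and calls on logon, logoff and shutdown events, so a package like "ShellCompatibility" pointing at C:\WINDOWS\system32\fpr6039se.dll (or the "Reliability" entry HijackThis reports as O20 below) runs inside the SYSTEM-level winlogon process and stays mapped while the machine is up, which is why the randomly named, system/read-only DLLs in the file listing cannot simply be deleted from a normal session, and why the L2MFix run later in the thread creates a temporary account and grants it SeDebugPrivilege before touching them. The following script is an added example written for this thread, not part of L2MFix or of anything the poster ran: it parses a "Windows Registry Editor Version 5.00" export of the Notify key, decodes the hex(2) (REG_EXPAND_SZ, UTF-16LE) form in which termsrv's DllName is stored, and flags any package whose DLL or subkey name is not in an allowlist of stock XP entries. The allowlist and the embedded sample export (cut down from the log above) are assumptions constructed for the example.

```python
"""Triage a Winlogon\\Notify .reg export for non-stock notification packages.
Added example for this thread; not L2MFix code."""
import re

# Assumption: the stock XP notification packages and the DLLs they load.
# Extend this allowlist for your own baseline before relying on it.
STOCK_NOTIFY_KEYS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                     "sclgntfy", "senslogn", "termsrv", "wlballoon"}
STOCK_NOTIFY_DLLS = {"wlnotify.dll", "crypt32.dll", "cscdll.dll", "sclgntfy.dll"}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed sample, cut down from the L2MFix export posted in this thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fpr6039se.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logon"="TSEventLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
"DllName"="C:\\WINDOWS\\system32\\l8j80i1ue8.dll"
"Logon"="WinLogon"
'''


def decode_reg_string(data):
    """Decode one .reg value payload: a quoted REG_SZ literal, or hex(2)/hex(7)
    (REG_EXPAND_SZ / REG_MULTI_SZ) written as comma-separated UTF-16LE bytes."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex\(\d+\):(.*)$", data, re.I)
    if m:
        raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data  # dword: and other types are returned untouched


def parse_notify_export(text):
    """Return {subkey: {value_name: decoded_value}} for every Winlogon\\Notify
    subkey in the export. A line ending in a backslash continues the previous
    value, which is how regedit wraps long hex(2) data."""
    joined = []
    for line in text.splitlines():
        line = line.strip()
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line
        else:
            joined.append(line)
    result, current = {}, None
    for line in joined:
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            result[current] = {}
            continue
        if line.startswith("["):  # some unrelated key: stop collecting values
            current = None
            continue
        vm = VALUE_RE.match(line)
        if current is not None and vm:
            result[current][vm.group("name")] = decode_reg_string(vm.group("data"))
    return result


def triage(text):
    """Flag Notify packages that do not look like stock Windows ones.
    Returns {subkey: {"dll": path, "reasons": [...]}} for flagged entries only."""
    findings = {}
    for subkey, values in parse_notify_export(text).items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            continue
        base = dll.rsplit("\\", 1)[-1].lower()
        reasons = []
        if base not in STOCK_NOTIFY_DLLS:
            reasons.append("DllName is not a stock notification DLL")
        if subkey.lower() not in STOCK_NOTIFY_KEYS:
            reasons.append("subkey name is not in the stock set")
        if "\\" in dll:  # heuristic: stock entries use a bare name resolved from system32
            reasons.append("DllName carries an explicit path")
        if reasons:
            findings[subkey] = {"dll": dll, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for subkey, info in triage(SAMPLE_EXPORT).items():
        print(f"[!] Notify\\{subkey} -> {info['dll']}: {'; '.join(info['reasons'])}")
```

Run against the sample, termsrv and wlballoon pass (both resolve to wlnotify.dll) while ShellCompatibility and Reliability are reported with all three reasons. To use it on a real machine, export the Notify key with regedit (or `reg export`) and pass the file contents to triage(); treat a hit as something to investigate, not an automatic delete, since a DLL still loaded in winlogon.exe has to be unhooked from the Notify key and the machine rebooted before it can be removed.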
#24
Posted 23 December 2005 - 06:18 PM

I could not get an ActiveScan report for some reason, but here is the HJT scan.
Logfile of HijackThis v1.99.1
Scan saved at 00:14:00, on 05/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Richard\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Conference] msconf.exe
O4 - HKLM\..\RunServices: [Microsoft Conference] msconf.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Microsoft Conference] msconf.exe
O4 - HKCU\..\RunServices: [Microsoft Conference] msconf.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup161.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\l8j80i1ue8.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UmljaGFyZCBCdXhiYXVt\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
#25
Posted 23 December 2005 - 06:20 PM

OK, great. Good job.
Let's finish with the L2M infection.
Close any programs you have open, since this step requires a reboot.
From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2, Run Fix, by typing 2 and then pressing Enter. It will process, then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and, when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If the log does not open after the reboot, double-click on it in the l2mfix folder.

#26
Posted 23 December 2005 - 06:23 PM

This will be in safe mode; is that OK? (It doesn't work otherwise!)
Again, cheers for your help.
#27
Posted 23 December 2005 - 06:28 PM

Fine.
Just be sure to give me a fresh HJT log with it as well; I would like to see another uninstall list from HJT.
I'm about to head out for a couple of hours. I know it's late where you are, but I will be back on in the morning as well.
We are getting very close to getting you sorted out.

#28
Posted 23 December 2005 - 06:34 PM

L2mfix Beta 121605
Creating Account.
The command completed successfully.
Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0
zip warning: name not matched: dlls\*.*
zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
#29
Posted 23 December 2005 - 06:35 PM

Logfile of HijackThis v1.99.1
Scan saved at 00:29:34, on 05/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Richard\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Conference] msconf.exe
O4 - HKLM\..\RunServices: [Microsoft Conference] msconf.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Microsoft Conference] msconf.exe
O4 - HKCU\..\RunServices: [Microsoft Conference] msconf.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup161.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\p6p60g7se6.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UmljaGFyZCBCdXhiYXVt\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
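The log above is the kind of thing the helpers in this thread read by hand. As an added example (not code from this thread, from HijackThis or from l2mfix), here is a small Python triage script that parses the O4, O20 and O23 lines of a HijackThis log and flags the indicators this thread turns on: a misspelled "Microsoft" in an autorun name, the SpySheriff entry, a random-named Winlogon Notify DLL (the Look2Me pattern l2mfix targets), and a service with an unknown owner or missing binary. The sample lines are copied from the log above; the name-similarity threshold and the random-DLL pattern are my own heuristics, not anything the thread states.

```python
import re
from difflib import SequenceMatcher

# Constructed sample input: lines in the HijackThis log format, taken from the
# log posted above, plus two clean entries (AVG, NVIDIA) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Conference] msconf.exe
O4 - HKCU\..\Run: [Miscrosoft Windows Explorer] IEEXPLORER.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\p6p60g7se6.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UmljaGFyZCBCdXhiYXVt\command.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

ROGUE_NAMES = {"spysheriff", "surfsidekick 3"}  # rogue products named in this thread
# Heuristic (assumption): 8-12 alphanumerics including a digit, like p6p60g7se6.dll
RANDOM_DLL = re.compile(r"^(?=.*\d)[a-z0-9]{8,12}\.dll$", re.I)


def looks_like_microsoft_typo(name: str) -> bool:
    """True if a word in the entry name is a near-miss of 'Microsoft' (e.g. 'Miscrosoft')."""
    for word in name.lower().split():
        if word != "microsoft" and SequenceMatcher(None, word, "microsoft").ratio() >= 0.85:
            return True
    return False


def triage(log_text: str) -> list:
    """Return (line, reason) pairs for entries matching the thread's indicators."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := O4_RE.match(line):
            name, cmd = m["name"], m["cmd"]
            if looks_like_microsoft_typo(name):
                findings.append((line, "misspelled 'Microsoft' in autorun entry name"))
            elif name.lower() in ROGUE_NAMES:
                findings.append((line, "known rogue anti-spyware autorun entry"))
            elif name.lower().startswith("microsoft") and "\\" not in cmd:
                findings.append((line, "Microsoft-branded entry launching a bare filename"))
        elif m := O20_RE.match(line):
            dll = m["path"].rsplit("\\", 1)[-1]  # basename of the notify DLL
            if RANDOM_DLL.match(dll):
                findings.append((line, "Winlogon Notify DLL with random-looking name (Look2Me pattern)"))
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner" or "(file missing)" in m["path"]:
                findings.append((line, "service with unknown owner or missing binary"))
    return findings
```

Running triage(SAMPLE_LOG) flags five of the seven sample lines and leaves the AVG and NVIDIA entries alone; anything it flags still needs a human to confirm, as the helpers did here.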
#30
Posted 23 December 2005 - 06:37 PM

Thought I would put those up ASAP. I can keep going as long as it is suitable for you; I can limit my PC use until I see you online!