Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spybot S&D, AdAware and AVG don't fix it


  • Please log in to reply
14 replies to this topic

#1 PA31T1

PA31T1

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 05 October 2005 - 09:33 AM

:thumbsup: This is driving me crazy! I have run AVAST, AVG, Bsafe(SOFOHS), Spybot S&D, AdAware and Microsoft AntiSpyware and there is STILL spybots and Trojans embeded in my system. I have run HackThis and will post the log below. Can anyone help me with this? :flowers:

Logfile of HijackThis v1.99.1
Scan saved at 10:33:19 PM, on 10/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ZipToA.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\LxrJD31c.exe
C:\Documents and Settings\Mark\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allvantage.com/myvantage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allvantage.com/myvantage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = -
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\System32\InetCntrl\PopupKil\BsafeBHO.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\System32\InetCntrl\PopupKil\BsafeBHO.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm082YYUS
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - blank (file missing)
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.bestmark.com/support/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/153f42f213e0a4053502/...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121054153309
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content-g.kontiki.com/kdx/v2.10/kon...current/kdx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINDOWS\System32\netddesrv.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

Any help would be much appreciated! :trumpet:

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 08 October 2005 - 06:19 AM

Hi PA31T1 and Welcome to the Bleeping Computer!

Click Start-> Run-> Type in Services.msc and Click OK!

Scroll that list and locate this entry

NetDDE Server

Right Click that entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled!

Click Apply-> OK and Exit the Services Page!


Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


Download CleanUp
Install the program, dont run it yet, we will later.


Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...torial=62#winxp


Locate and Delete this file

C:\WINDOWS\System32\netddesrv.exe


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = -

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - blank (file missing)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/153f42f213e0a4053502/...ip/RdxIE601.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINDOWS\System32\netddesrv.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


Click Start-> Run-> Copy&Paste the bold text below into the Open Box and Click OK!

sc delete NetDDEsrv


Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Post back with a fresh HijackThis log and the reports from Ewido and Panda!

#3 PA31T1

PA31T1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  

Posted 10 October 2005 - 01:55 PM

Thank you for your response. I have started working on this and hope to post the new logs tonight.
Thanks again for your help!

#4 PA31T1

PA31T1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 10 October 2005 - 10:44 PM

I have gone through the instructions step by step, but have encountered a few problems...
I was unable to find C:\WINDOWS\System32\netddesrv.exe.
everything else went like clockwork until Panda ActiveScan hung-up on C:\WINDOWS\Explorer.EXE
I let it work on it for about a half an hour until I finally closed it down using Task Manager. I tried it again but the same thing happened again. I only have a dial-up connection (33.2Kbps) Is that the problem?
Anyway for what it's worth I've included the latest HiJackThis log and the log generated by Ewido.



Logfile of HijackThis v1.99.1
Scan saved at 10:26:37 PM, on 10/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ZipToA.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\PROGRA~1\AllVantage\dunnow.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allvantage.com/myvantage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allvantage.com/myvantage/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\System32\InetCntrl\PopupKil\BsafeBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\System32\InetCntrl\PopupKil\BsafeBHO.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [USB Driver4] UpdateXP6.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm082YYUS
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.bestmark.com/support/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121054153309
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content-g.kontiki.com/kdx/v2.10/kon...current/kdx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E349C8F1-3FFF-4DA5-905B-A793854982F3}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe




---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:29:42 PM, 10/10/2005
+ Report-Checksum: B0B10F5B

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{665ABE65-2C16-4341-B4B8-01FF799E8F4C} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{665ABE65-2C16-4341-B4B8-01FF799E8F4C}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{014DA6C9-189F-421a-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKU\S-1-5-21-2038945071-954458941-3319609376-1006\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E} -> Spyware.CometCursor : Cleaned with backup
HKU\S-1-5-21-2038945071-954458941-3319609376-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{014DA6C9-189F-421A-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\2CBAF4B5-E6A5-4D5B-AB73-38C391\D9EDA6BE-E753-43D2-B2AA-EA3704 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B1077E49-60C3-4C18-A0EA-F28AF0\8EE7A36B-CC12-4595-93E9-CD1436 -> Adware.SAHA : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Advertisingcom.zip/mark@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Advertisingcom1.zip/mark@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Advertisingcom2.zip/mark@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Advertisingcom3.zip/mark@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Advertisingcom4.zip/mark@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Advertisingcom5.zip/mark@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Advertisingcom6.zip/mark@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Advertisingcom7.zip/mark@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\AvenueAInc.zip/mark@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\AvenueAInc1.zip/mark@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\AvenueAInc2.zip/mark@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\AvenueAInc3.zip/mark@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\AvenueAInc4.zip/mark@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\AvenueAInc5.zip/mark@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\BFast.zip/mark@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\BFast1.zip/mark@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\BFast2.zip/mark@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\BFast3.zip/mark@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\CommissionJunction.zip/mark@www.qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\CommissionJunction1.zip/mark@www.commission-junction[1].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\CommissionJunction2.zip/mark@www.qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\CommissionJunction3.zip/mark@www.commission-junction[2].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\CommissionJunction4.zip/mark@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\CommissionJunction5.zip/mark@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\CommissionJunction6.zip/mark@commission-junction[1].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\CoreMetrics.zip/mark@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\CoreMetrics1.zip/mark@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Cydoor2.zip/cd_htm.dll -> Spyware.Cydoor : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Cydoor3.zip/cd_clint.dll -> Spyware.Cydoor : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\DoubleClick.zip/mark@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\DoubleClick1.zip/mark@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\DoubleClick2.zip/mark@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\DoubleClick3.zip/mark@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\DSSAgent1.zip/DSSAGENT.EXE -> Spyware.Background : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\DSSAgent3.zip/DSSAGENT.EXE -> Spyware.Background : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\DSSAgent4.zip/DSSAGENT.EXE -> Spyware.Background : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\FastClick.zip/mark@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\FastClick1.zip/mark@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\FastClick2.zip/mark@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Gator3.zip/GMT.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Gator5.zip/CMESys.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Gator5.zip/CMEUpd.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Gator7.zip/CMESys.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Gator8.zip/GMT.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\HitBox.zip/mark@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\HitBox1.zip/mark@ehg-hitent.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\HitBox2.zip/mark@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\HitBox3.zip/mark@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\HitBox4.zip/mark@ehg-lattelove.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\HitBox5.zip/mark@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\HitBox6.zip/mark@ehg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\HitBox7.zip/mark@ehg-sierratradingpost.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\HitsLink.zip/mark@counter2.hitslink[2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@a.as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@ad-flow[2].txt -> Spyware.Cookie.Ad-flow : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@ads.specificpop[1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@mysearch[2].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@pro-market[1].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@webpdp.gator[1].txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@www.wet.com.22545.fb.dbbsrv[1].txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer2.zip/mark@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\MediaPlex.zip/mark@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\MediaPlex1.zip/mark@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\MediaPlex2.zip/mark@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\ValueClick.zip/mark@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\ValueClick1.zip/mark@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\ValueClick2.zip/mark@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\updatees.exe -> Trojan.LowZones : Cleaned with backup
C:\WINDOWS\hucqtif.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\lcmmigxulx.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4BKGDAQZ\ashley2[1].png -> Trojan.LowZones : Cleaned with backup
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B4BF6376\ashley2[1].png -> Trojan.LowZones : Cleaned with backup
C:\WINDOWS\SYSTEM32\exdl1.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\f3PSSavr.scr -> Spyware.MyWebSearch : Cleaned with backup


::Report End



Any suggestions?
Mark :thumbsup:

#5 PA31T1

PA31T1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 11 October 2005 - 07:10 PM

Panda Activescan finaly finished the log is as follows...


Incident Status Location

Spyware:spyware/cydoor No disinfected C:\WINDOWS\SYSTEM32\cd_clint.dll
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM32\ptainfo1.ico
Adware:Adware/WurldMedia No disinfected C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\WurldMedia2.zip[mbho.dll]
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$\wininet.dll
Hope this helps!
Thank you for yours!

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 12 October 2005 - 02:24 AM

Lets make sure there are any other leftovers lurking around!

Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!

Post the log from WinPFind in the next reply please!

#7 PA31T1

PA31T1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 12 October 2005 - 03:51 PM

I am downloading WinPFind right now and hope to post the results later on tonight.
Thanks again!

#8 PA31T1

PA31T1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  

Posted 12 October 2005 - 06:54 PM

Here is the log

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/18/2001 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
SAHAgent 8/10/2005 12:48:38 AM 3477 C:\WINDOWS\SYSTEM32\hh44d5oq.ini
Umonitor 5/15/2002 6:09:14 PM 324096 C:\WINDOWS\SYSTEM32\ipebase11.dll
SAHAgent 8/9/2005 9:43:08 PM 35 C:\WINDOWS\SYSTEM32\j509keu4.ini
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 9/8/2005 10:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 10:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
SAHAgent 8/9/2005 9:43:08 PM 35 C:\WINDOWS\SYSTEM32\n97uh4n9.ini
Umonitor 8/18/2001 8:00:00 AM 630784 C:\WINDOWS\SYSTEM32\RASDLG.DLL
UPX! 7/23/2001 12:29:32 AM 552960 C:\WINDOWS\SYSTEM32\saxzip.ocx
winsync 8/18/2001 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
UPX! 9/2/2005 7:30:48 AM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 9/2/2005 7:30:48 AM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 9/2/2005 7:30:48 AM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 9/2/2005 7:30:48 AM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/12/2005 6:26:12 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
10/10/2005 9:09:38 PM H 0 C:\WINDOWS\LastGood\INF\oem14.inf
10/10/2005 9:09:38 PM H 0 C:\WINDOWS\LastGood\INF\oem14.PNF
10/10/2005 10:52:50 PM H 93122851 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\download\BIT10.tmp
10/11/2005 2:31:50 PM H 233 C:\WINDOWS\SYSTEM\data.dat
10/10/2005 9:05:18 PM H 50 C:\WINDOWS\SYSTEM\lw.dat
10/10/2005 8:36:18 PM H 31767 C:\WINDOWS\SYSTEM32\vsconfig.xml
9/19/2005 6:19:20 PM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
10/12/2005 6:26:02 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
10/12/2005 6:26:34 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
10/12/2005 6:26:16 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
10/12/2005 6:27:36 PM H 98304 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
10/12/2005 6:26:18 PM H 974848 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
10/1/2005 2:19:02 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
10/11/2005 9:45:54 PM H 10854 C:\WINDOWS\SYSTEM32\InetCntrl\Help\Control Center.GID
10/12/2005 6:25:26 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/18/2001 8:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 558592 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
Iomega Corp. 6/21/2001 9:52:40 AM 188416 C:\WINDOWS\SYSTEM32\AutoDisk.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 130048 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 294912 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 119808 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Sun Microsystems 2/20/2003 5:42:34 PM 229487 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
Intel Corporation 8/16/2002 4:52:12 PM 774144 C:\WINDOWS\SYSTEM32\PROSetp.cpl
Apple Computer, Inc. 8/27/1996 2:12:00 AM 259280 C:\WINDOWS\SYSTEM32\QTW16.CPL
Apple Computer, Inc. 8/26/1996 2:12:00 AM 341504 C:\WINDOWS\SYSTEM32\QTW32.CPL
Apple Computer, Inc. 9/27/2001 8:41:50 PM 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 270848 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/18/2001 8:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/31/2001 11:50:56 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
1/27/2003 2:14:46 PM 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
11/16/2002 11:55:38 AM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
10/26/2004 7:24:16 PM 1728 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/31/2001 11:40:22 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
8/21/2005 12:22:58 AM 4 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameD.txt

Checking files in %USERPROFILE%\Startup folder...
8/31/2001 11:50:56 AM HS 84 C:\Documents and Settings\Mark\Start Menu\Programs\Startup\DESKTOP.INI
3/14/2004 10:37:54 PM 1307 C:\Documents and Settings\Mark\Start Menu\Programs\Startup\HotSync Manager.lnk

Checking files in %USERPROFILE%\Application Data folder...
8/31/2001 11:40:22 AM HS 62 C:\Documents and Settings\Mark\Application Data\DESKTOP.INI
4/18/2003 3:39:04 PM 0 C:\Documents and Settings\Mark\Application Data\dm.ini
1/14/2004 10:51:48 PM 85136 C:\Documents and Settings\Mark\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E0019445-4C1F-414D-A70E-AD80F231C584}
Bsecure Popup Blocker = C:\WINDOWS\System32\InetCntrl\PopupKil\BsafeBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{E0019445-4C1F-414D-A70E-AD80F231C584} = Bsecure Popup Blocker : C:\WINDOWS\System32\InetCntrl\PopupKil\BsafeBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
InetCntrl C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
x3watch C:\Program Files\X3watch\x3watch.exe
USB Driver4 UpdateXP6.exe
SetDefPrt C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Pop-Up Stopper "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
ControlCenter2.0 C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\InetCntrl
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item InetCntrl
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
notepad.exe msmsgs.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/12/2005 6:34:03 PM

#9 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 13 October 2005 - 03:48 AM

Copy the text below into a blank notepad page and Save it to the Desktop as Clr.reg


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]



Double Click Clr.reg and allow it to merge into the registry!


Locate and Delete these 2 files

C:\WINDOWS\SYSTEM32\j509keu4.ini

C:\WINDOWS\SYSTEM32\n97uh4n9.ini


Restart the PC and visit the Windows Update site ASAP,just open Internet Explorer and click Tools and then Windows Update

Install all available updates please!


SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back and let me know how things are?

Edited by Cretemonster, 13 October 2005 - 03:58 AM.


#10 PA31T1

PA31T1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 14 October 2005 - 02:02 PM

I finally was able to download SP2 we only have dial-up and it took over 6hrs!
I have installed it and have run HiJackThis again with the following results...

Logfile of HijackThis v1.99.1
Scan saved at 1:47:20 PM, on 10/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allvantage.com/myvantage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.allvantage.com/myvantage/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\System32\InetCntrl\PopupKil\BsafeBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\System32\InetCntrl\PopupKil\BsafeBHO.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\System32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [USB Driver4] UpdateXP6.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm082YYUS
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.bestmark.com/support/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121054153309
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content-g.kontiki.com/kdx/v2.10/kon...current/kdx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

Please let me know if there is more that needs to be done.
Thank you for sticking with me through this process.

#11 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 15 October 2005 - 04:56 AM

I am so sorry for all the delays,its been a real hectic week!

Sorry the updates took so long but there are well worth it!

Go ahead and renable System Restore!


Do you still use Bsafe Online Internet Content Filter?

#12 PA31T1

PA31T1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:42 AM

Posted 15 October 2005 - 09:25 AM

Yes we still use the Bsafe filter (I highly recommend it :thumbsup: )
For some reason a month or so ago Bsafe quit scanning for viruses, even if I tried to manually start the scan
it would immediately say scan complete and never really do anything :flowers:

...Possibly disabled by a virus???

One item I noticed after the SP2 update.... My dial-up connection speed is now much slower.
I used to connect at 45~46Kbs and now I can only seem to connect at 33.2Kbs any suggestions?

What does SP2 change as far as internet settings etc.?

#13 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 16 October 2005 - 04:34 AM

SP2 changes quite a bit System Wide because it fixes so many security flaws!

Im not real sure why it would slow down you Internet speeds!

#14 PA31T1

PA31T1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  

Posted 16 October 2005 - 06:50 PM

Thank you for all your help!

Just to verify......

Was the last HJT log that I posted clean?

OR is there more work to be done?

#15 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 16 October 2005 - 07:03 PM

The only thing I think you have left to do is Uninstall and Reinstall BeSafe

This entry in HijackThis

O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing

Says the Software may be corrupt and the safest way to fix it is to Uninstall and Reinstall!

Do not attempt to remove that 010 with HijackThis!

That could cause a lose of Internet Connection!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users