
Please Analyze My Hijackthis.log


  • This topic is locked
20 replies to this topic

#1 boonkang

boonkang

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 08 November 2005 - 12:11 AM

I started to have a Firefox session popup problem after installing a piece of software.
My anti-spyware program (Adware-away) showed an
ASAPPSRV command process and a keylogger but was unable to kill them.
I ran NAV, Spybot and Ad-Aware, which didn't solve the problem.

I read a case on bleepingcomputer.com which showed symptoms similar
to my problem, so I followed the procedure offered in that case
(see: http://tinyurl.com/ab6rj ): reboot to safe mode and run
HijackThis (managed to remove c:\windows\Qm9vbg\command.exe and
c:\windows\Qm9vbg\KA6SV0.vbs), "sc delete cmdservice", then ran CCleaner
and Ewido (Ewido removed 170 items).

After reboot, I still got Firefox popups. Now Ewido alerted on Look2Me
spyware but failed to remove it. The problem got progressively worse
after each reboot.

At the end, I saw a popup for installed Windows FrontPage and a Firefox popup
whenever I tried to open IE, Windows Explorer and even Control Panel and
Task Manager (no access to IE, Windows Explorer, Control Panel,
Task Manager, etc. !!!!)

I can now only boot in safe mode using the Administrator account. I ran HijackThis to get this log (I have
the first HijackThis log if you need it):

Logfile of HijackThis v1.99.1
Scan saved at 3:53:31 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\HijackThis\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - I:\FlashGet\fgiebar.dll
O3 - Toolbar: DIY! - {0A00D11E-B1E7-44b5-AD88-C9190876AAC4} - C:\WINDOWS\system32\diybar2\diybar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - I:\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [gcasServ] "I:\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TotalRecorderScheduler] "I:\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [eBayToolbar] I:\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {3F686D91-4AFA-4ed1-B43F-F1DB46ED480C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Link Filter - {3F686D91-4AFA-4ed1-B43F-F1DB46ED480C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - I:\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - I:\FlashGet\flashget.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [CDNCLIENT] Chinese Navigation
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gisweb3.city.vancouver.bc.ca:8080/web/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\hp4023hmg.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - e:\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - e:\ewido\security suite\ewidoguard.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: FireDaemon Service: prime95 (prime95) - Unknown owner - C:\Program Files\FireDaemon\FireDaemon.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE
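Reading a HijackThis log by hand means scanning a few hundred lines for entries of a suspicious shape: Winlogon Notify DLLs with generated-looking names (the O20 "MS-DOS Emulation" entry above points at hp4023hmg.dll in system32, which is the kind of entry the Look2Me detection Ewido reported leaves behind), Run values that name a bare executable with no path (WService.EXE), and orphaned entries marked (file missing). The script below is an added example, not a BleepingComputer or HijackThis tool; its allowlist of expected Winlogon Notify DLLs and its random-name regex are assumptions for illustration, and its sample input is a handful of lines copied from the posted log. It flags entries for review; it does not decide what is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
# (r-string so the Windows paths keep their single backslashes.)
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O3 - Toolbar: DIY! - {0A00D11E-B1E7-44b5-AD88-C9190876AAC4} - C:\WINDOWS\system32\diybar2\diybar2.dll (file missing)
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\hp4023hmg.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
"""

# Assumption: Winlogon Notify DLLs expected on this box. NavLogon.dll belongs to the
# installed Symantec client; anything else hooking Winlogon is worth a second look.
KNOWN_NOTIFY_DLLS = {"navlogon.dll"}

ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# Letters and digits jumbled together with no separator, e.g. "hp4023hmg": a weak but
# useful tell for generated file names (heuristic, not a signature).
RANDOMISH_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{6,}$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of Findings for entries that deserve manual review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        section, rest = m.group(1), m.group(2)

        if "(file missing)" in rest:
            findings.append(Finding(section, "orphaned entry: target file missing", line))

        if section == "O20":
            # "Winlogon Notify: <key name> - <dll path>"
            dll = rest.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
            name = _basename(dll)
            if name not in KNOWN_NOTIFY_DLLS:
                why = "Winlogon Notify DLL not on the expected list"
                if RANDOMISH_RE.match(name.rsplit(".", 1)[0]):
                    why += "; name looks machine-generated"
                findings.append(Finding(section, why, line))

        elif section == "O4":
            # "HKLM\..\Run: [value name] <command line>"
            cmd = re.sub(r"^.*?\]\s*", "", rest)
            parts = cmd.split()
            exe = parts[0].strip('"') if parts else ""
            if exe and "\\" not in exe and not exe.lower().startswith("rundll32"):
                findings.append(Finding(
                    section,
                    "bare executable name, resolved through PATH at logon; confirm its location and publisher",
                    line))
    return findings


def by_section(findings):
    """Count findings per HijackThis section, handy for a quick summary."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

On the sample it reports six entries: the two path-less Run values, the three (file missing) orphans, and the hp4023hmg.dll notify hook. nwiz.exe is a legitimate NVIDIA helper, which is exactly why the script only says "confirm" rather than "remove": the bare-name check tells you where to look, not what you will find.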


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:08:54 PM

Posted 08 November 2005 - 03:22 PM

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


#3 boonkang

boonkang
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:54 PM

Posted 09 November 2005 - 10:18 PM

Thank you for your quick response, David the Trojanator.

I downloaded the SpySweeper from my other machine.

Since I have no access to anything with my account on XP on this infected machine, I logged in with the Administrator account in safe mode and installed/ran SpySweeper.

I had to run SpySweeper twice, because I missed one drive the first time. However, the second run turned up clean.

I also ran HijackThis. The log is enclosed after the SpySweeper session log.

I am leaving my machine in safe mode, waiting for your instruction about my next move.


Spysweeper.log:



********
3:54 PM: | Start of Session, Wednesday, November 09, 2005 |
3:54 PM: Spy Sweeper started
3:54 PM: Sweep initiated using definitions version 556
3:54 PM: Starting Memory Sweep
3:55 PM: Memory Sweep Complete, Elapsed Time: 00:00:51
3:55 PM: Starting Registry Sweep
3:55 PM: Found Adware: blazefind_adman
3:55 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/admanctlx.dll\ (2 subtraces) (ID = 104581)
3:55 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\admanctlx.dll (ID = 104583)
3:55 PM: Found Adware: cnsmin
3:55 PM: HKLM\software\cnnic\ (20 subtraces) (ID = 106210)
3:55 PM: Found Adware: ist istbar
3:55 PM: HKCR\interface\{2ddd90d6-f153-4ea7-a324-4b2d83d1027e}\ (8 subtraces) (ID = 129064)
3:55 PM: HKLM\software\classes\interface\{2ddd90d6-f153-4ea7-a324-4b2d83d1027e}\ (8 subtraces) (ID = 129087)
3:55 PM: Found Adware: searchbar toolbar
3:55 PM: HKCR\clsid\{aa8c93e1-7e5f-497e-b67c-cc8fe2a40d3b}\ (10 subtraces) (ID = 140791)
3:55 PM: HKCR\interface\{9ce15eb5-6b39-4656-9e1f-2d219ee42e0e}\ (8 subtraces) (ID = 140792)
3:55 PM: HKLM\software\classes\clsid\{aa8c93e1-7e5f-497e-b67c-cc8fe2a40d3b}\ (10 subtraces) (ID = 140796)
3:55 PM: HKLM\software\classes\interface\{9ce15eb5-6b39-4656-9e1f-2d219ee42e0e}\ (8 subtraces) (ID = 140797)
3:55 PM: HKLM\software\microsoft\windows\currentversion\shell extensions\approved\ || {0a8ce102-fa03-4612-9bee-7fe5452f4cb1} (ID = 140807)
3:55 PM: Found Adware: searchrelevancy
3:55 PM: HKLM\software\searchrelevancy\ (1 subtraces) (ID = 141300)
3:55 PM: Found Trojan Horse: trojan-downloader-domcom
3:55 PM: HKCR\interface\{cc1725cd-1efa-4d88-8987-5ebf66347856}\ (8 subtraces) (ID = 144511)
3:55 PM: HKLM\software\classes\interface\{cc1725cd-1efa-4d88-8987-5ebf66347856}\ (8 subtraces) (ID = 144515)
3:55 PM: HKLM\software\classes\typelib\{4a31e565-08cb-4272-8817-7bf729b6a96f}\ (9 subtraces) (ID = 144516)
3:55 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ipreg32.dll\ (2 subtraces) (ID = 144519)
3:55 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ipreg32.dll (ID = 144520)
3:55 PM: HKCR\typelib\{4a31e565-08cb-4272-8817-7bf729b6a96f}\ (9 subtraces) (ID = 144521)
3:55 PM: Found Adware: webrebates
3:55 PM: HKCR\clsid\{01fc5803-8644-45d7-877b-5a3924d8ecc4}\ (13 subtraces) (ID = 146292)
3:55 PM: HKCR\imgconv.clsimgconv\ (3 subtraces) (ID = 146293)
3:55 PM: HKLM\software\classes\clsid\{01fc5803-8644-45d7-877b-5a3924d8ecc4}\ (13 subtraces) (ID = 146294)
3:55 PM: HKLM\software\classes\imgconv.clsimgconv\ (3 subtraces) (ID = 146295)
3:55 PM: HKLM\software\classes\typelib\{15e7d23b-736e-46fa-bffd-cbec4126befd}\ (9 subtraces) (ID = 146296)
3:55 PM: HKCR\typelib\{15e7d23b-736e-46fa-bffd-cbec4126befd}\ (9 subtraces) (ID = 146304)
3:55 PM: Found Adware: winad
3:55 PM: HKCR\loaderx.installer\ (5 subtraces) (ID = 147156)
3:55 PM: HKCR\mediapassx.installer\ (3 subtraces) (ID = 147160)
3:55 PM: HKLM\software\classes\loaderx.installer\ (5 subtraces) (ID = 147170)
3:55 PM: HKLM\software\classes\mediapassx.installer\ (3 subtraces) (ID = 147174)
3:55 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
3:55 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediapassx.dll\ (2 subtraces) (ID = 147192)
3:55 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediapassx.dll (ID = 147222)
3:55 PM: HKCR\cdn.cdnobj\ (5 subtraces) (ID = 393263)
3:55 PM: HKCR\cdn.cdnobj.1\ (3 subtraces) (ID = 393269)
3:55 PM: HKCR\cndniehelper.cndniehlprobj\ (5 subtraces) (ID = 393273)
3:55 PM: HKCR\cndniehelper.cndniehlprobj.1\ (3 subtraces) (ID = 393279)
3:55 PM: HKCR\clsid\{35980f6e-a137-4e50-953d-813bb8556899}\ (11 subtraces) (ID = 393301)
3:55 PM: HKCR\clsid\{9a578c98-3c2f-4630-890b-fc04196ef420}\ (11 subtraces) (ID = 393322)
3:55 PM: HKCR\typelib\{01833110-7c51-4d41-a09f-69ef74606e5b}\ (9 subtraces) (ID = 393346)
3:55 PM: HKCR\typelib\{c24a5a5c-0874-4386-85c7-e669f90997a9}\ (9 subtraces) (ID = 393366)
3:55 PM: HKLM\software\classes\cdn.cdnobj.1\ (3 subtraces) (ID = 393400)
3:55 PM: HKLM\software\classes\cndniehelper.cndniehlprobj\ (5 subtraces) (ID = 393404)
3:55 PM: HKLM\software\classes\cndniehelper.cndniehlprobj.1\ (3 subtraces) (ID = 393410)
3:55 PM: HKLM\software\classes\clsid\{35980f6e-a137-4e50-953d-813bb8556899}\ (11 subtraces) (ID = 393432)
3:55 PM: HKLM\software\classes\clsid\{9a578c98-3c2f-4630-890b-fc04196ef420}\ (11 subtraces) (ID = 393453)
3:55 PM: HKLM\software\classes\typelib\{01833110-7c51-4d41-a09f-69ef74606e5b}\ (9 subtraces) (ID = 393477)
3:55 PM: HKLM\software\classes\typelib\{c24a5a5c-0874-4386-85c7-e669f90997a9}\ (9 subtraces) (ID = 393497)
3:55 PM: HKLM\software\microsoft\internet explorer\advancedoptions\cdnclient\ (101 subtraces) (ID = 393507)
3:55 PM: HKLM\software\microsoft\windows\currentversion\uninstall\cdnclient\ (2 subtraces) (ID = 393610)
3:56 PM: HKU\WRSS_Profile_S-1-5-21-784569582-1417066420-3376078148-1009\software\down\ (ID = 144517)
3:56 PM: HKU\WRSS_Profile_S-1-5-21-784569582-1417066420-3376078148-1006\software\e-ventures n.v.\ (ID = 140801)
3:56 PM: HKU\WRSS_Profile_S-1-5-21-784569582-1417066420-3376078148-1006\software\down\ (2 subtraces) (ID = 144517)
3:56 PM: HKU\WRSS_Profile_S-1-5-21-784569582-1417066420-3376078148-1006\software\cnnic\ (18 subtraces) (ID = 393376)
3:56 PM: Registry Sweep Complete, Elapsed Time:00:00:34
3:56 PM: Starting Cookie Sweep
3:56 PM: Found Spy Cookie: about cookie
3:56 PM: ming@about[1].txt (ID = 2037)
3:56 PM: Found Spy Cookie: atwola cookie
3:56 PM: ming@atwola[1].txt (ID = 2255)
3:56 PM: Found Spy Cookie: bizrate cookie
3:56 PM: ming@bizrate[1].txt (ID = 2308)
3:56 PM: ming@camping.about[1].txt (ID = 2038)
3:56 PM: Found Spy Cookie: dealtime cookie
3:56 PM: ming@dealtime[1].txt (ID = 2505)
3:56 PM: Found Spy Cookie: go2net.com cookie
3:56 PM: ming@go2net[1].txt (ID = 2730)
3:56 PM: Found Spy Cookie: gorillanation cookie
3:56 PM: ming@gorillanation[2].txt (ID = 2746)
3:56 PM: Found Spy Cookie: go.com cookie
3:56 PM: ming@go[1].txt (ID = 2728)
3:56 PM: Found Spy Cookie: infospace cookie
3:56 PM: ming@infospace[2].txt (ID = 2865)
3:56 PM: Found Spy Cookie: metareward.com cookie
3:56 PM: ming@metareward[1].txt (ID = 2990)
3:56 PM: ming@nascar.about[1].txt (ID = 2038)
3:56 PM: Found Spy Cookie: nextag cookie
3:56 PM: ming@nextag[2].txt (ID = 5014)
3:56 PM: Found Spy Cookie: pricegrabber cookie
3:56 PM: ming@pcmag.pricegrabber[1].txt (ID = 3186)
3:56 PM: ming@pricegrabber[2].txt (ID = 3185)
3:56 PM: ming@seattle.about[1].txt (ID = 2038)
3:56 PM: Found Spy Cookie: stamps.com cookie
3:56 PM: ming@stamps[1].txt (ID = 3437)
3:56 PM: ming@stat.dealtime[2].txt (ID = 2506)
3:56 PM: ming@www.stamps[1].txt (ID = 3438)
3:56 PM: Found Spy Cookie: web-stat cookie
3:56 PM: ming@www.web-stat[1].txt (ID = 3649)
3:56 PM: Found Spy Cookie: 2o7.net cookie
3:56 PM: ross@112.2o7[1].txt (ID = 1958)
3:56 PM: ross@abc.go[1].txt (ID = 2729)
3:56 PM: ross@about[1].txt (ID = 2037)
3:56 PM: Found Spy Cookie: adrevservice cookie
3:56 PM: ross@adrevservice[1].txt (ID = 2091)
3:56 PM: Found Spy Cookie: linksponsor cookie
3:56 PM: ross@ads.linksponsor[1].txt (ID = 2925)
3:56 PM: Found Spy Cookie: specificclick.com cookie
3:56 PM: ross@ads.specificclick[2].txt (ID = 3400)
3:56 PM: Found Spy Cookie: ads.stileproject cookie
3:56 PM: ross@ads.stileproject[1].txt (ID = 2127)
3:56 PM: ross@atwola[1].txt (ID = 2255)
3:56 PM: Found Spy Cookie: a cookie
3:56 PM: ross@a[1].txt (ID = 2027)
3:56 PM: Found Spy Cookie: bannerspace cookie
3:56 PM: ross@bannerspace[2].txt (ID = 2284)
3:56 PM: ross@bbq.about[2].txt (ID = 2038)
3:56 PM: ross@bizrate[1].txt (ID = 2308)
3:56 PM: Found Spy Cookie: barelylegal cookie
3:56 PM: ross@c.fsx[1].txt (ID = 2286)
3:56 PM: Found Spy Cookie: gostats cookie
3:56 PM: ross@c2.gostats[1].txt (ID = 2748)
3:56 PM: ross@dealtime[1].txt (ID = 2505)
3:56 PM: Found Spy Cookie: multipops cookie
3:56 PM: ross@emode[2].txt (ID = 2603)
3:56 PM: ross@espn.go[1].txt (ID = 2729)
3:56 PM: Found Spy Cookie: exitfuel cookie
3:56 PM: ross@exitfuel[2].txt (ID = 2635)
3:56 PM: ross@go2net[1].txt (ID = 2730)
3:56 PM: ross@goaustralia.about[2].txt (ID = 2038)
3:56 PM: ross@gorillanation[2].txt (ID = 2746)
3:56 PM: ross@go[1].txt (ID = 2728)
3:56 PM: Found Spy Cookie: touchclarity cookie
3:56 PM: ross@hsbc.touchclarity[1].txt (ID = 3566)
3:56 PM: ross@infospace[2].txt (ID = 2865)
3:56 PM: Found Spy Cookie: linkexchange cookie
3:56 PM: ross@linkexchange[1].txt (ID = 2920)
3:56 PM: ross@macworld.pricegrabber[2].txt (ID = 3186)
3:56 PM: Found Spy Cookie: ugo cookie
3:56 PM: ross@mediamgr.ugo[2].txt (ID = 3609)
3:56 PM: ross@metareward[1].txt (ID = 2990)
3:56 PM: ross@movies.go[1].txt (ID = 2729)
3:56 PM: Found Spy Cookie: netratingsselect cookie
3:56 PM: ross@nnselect[2].txt (ID = 3065)
3:56 PM: Found Spy Cookie: one-time-offer cookie
3:56 PM: ross@one-time-offer[2].txt (ID = 3095)
3:56 PM: Found Spy Cookie: pokerroom cookie
3:56 PM: ross@pokerroom[1].txt (ID = 3149)
3:56 PM: ross@pricegrabber[2].txt (ID = 3185)
3:56 PM: Found Spy Cookie: rc cookie
3:56 PM: ross@rc[1].txt (ID = 3231)
3:56 PM: Found Spy Cookie: rn11 cookie
3:56 PM: ross@rn11[1].txt (ID = 3261)
3:56 PM: Found Spy Cookie: smni cookie
3:56 PM: ross@smni[1].txt (ID = 3389)
3:56 PM: ross@sports.espn.go[1].txt (ID = 2729)
3:56 PM: ross@stat.dealtime[1].txt (ID = 2506)
3:56 PM: Found Spy Cookie: stats.klsoft.com cookie
3:56 PM: ross@stats.klsoft[1].txt (ID = 3451)
3:56 PM: ross@webworst.about[1].txt (ID = 2038)
3:56 PM: Found Spy Cookie: adminder cookie
3:56 PM: ross@www.adminder[1].txt (ID = 2079)
3:56 PM: Found Spy Cookie: ask cookie
3:56 PM: ross@www.ask[2].txt (ID = 2246)
3:56 PM: Found Spy Cookie: expage cookie
3:56 PM: ross@www.expage[1].txt (ID = 2638)
3:56 PM: Found Spy Cookie: eyeblaster cookie
3:56 PM: ross@www.eyeblaster-ds[1].txt (ID = 2644)
3:56 PM: ross@www.pricegrabber[1].txt (ID = 3186)
3:56 PM: Found Spy Cookie: starpulse cookie
3:56 PM: ross@www.starpulse[1].txt (ID = 3440)
3:56 PM: Found Spy Cookie: stiffycash cookie
3:56 PM: ross@www.stiffycash[1].txt (ID = 3460)
3:56 PM: ross@www.web-stat[1].txt (ID = 3649)
3:56 PM: Found Spy Cookie: xiti cookie
3:56 PM: ross@xiti[1].txt (ID = 3717)
3:56 PM: Found Spy Cookie: 412 cookie
3:56 PM: sue@412[1].txt (ID = 1969)
3:56 PM: Found Spy Cookie: 888 cookie
3:56 PM: sue@888[2].txt (ID = 2019)
3:56 PM: sue@abcnews.go[1].txt (ID = 2729)
3:56 PM: sue@about[1].txt (ID = 2037)
3:56 PM: sue@ads.gorillanation[1].txt (ID = 2744)
3:56 PM: sue@animatedtv.about[1].txt (ID = 2038)
3:56 PM: sue@att.dealtime[1].txt (ID = 2506)
3:56 PM: sue@atwola[1].txt (ID = 2255)
3:56 PM: sue@a[1].txt (ID = 2027)
3:56 PM: sue@bannerspace[1].txt (ID = 2284)
3:56 PM: Found Spy Cookie: banner cookie
3:56 PM: sue@banner[2].txt (ID = 2276)
3:56 PM: Found Spy Cookie: belnk cookie
3:56 PM: sue@belnk[1].txt (ID = 2292)
3:56 PM: sue@bizrate[2].txt (ID = 2308)
3:56 PM: sue@budgettravel.about[2].txt (ID = 2038)
3:56 PM: sue@busycooks.about[2].txt (ID = 2038)
3:56 PM: sue@c2.gostats[2].txt (ID = 2748)
3:56 PM: sue@canadaonline.about[1].txt (ID = 2038)
3:56 PM: Found Spy Cookie: cardomain cookie
3:56 PM: sue@cardomain[1].txt (ID = 2350)
3:56 PM: sue@chineseculture.about[1].txt (ID = 2038)
3:56 PM: sue@chinesefood.about[1].txt (ID = 2038)
3:56 PM: Found Spy Cookie: customer cookie
3:56 PM: sue@customer[1].txt (ID = 2481)
3:56 PM: Found Spy Cookie: dcskqeg2voifwznnd6alhtnei_8f3u cookie
3:56 PM: sue@dcskqeg2voifwznnd6alhtnei_8f3u[1].txt (ID = 2501)
3:56 PM: sue@dealtime[1].txt (ID = 2505)
3:56 PM: Found Spy Cookie: did-it cookie
3:56 PM: sue@did-it[2].txt (ID = 2523)
3:56 PM: sue@disneyland.disney.go[1].txt (ID = 2729)
3:56 PM: sue@dist.belnk[2].txt (ID = 2293)
3:56 PM: sue@exitfuel[2].txt (ID = 2635)
3:56 PM: sue@geography.about[2].txt (ID = 2038)
3:56 PM: sue@go2net[1].txt (ID = 2730)
3:56 PM: sue@goasia.about[2].txt (ID = 2038)
3:56 PM: sue@gocalifornia.about[2].txt (ID = 2038)
3:56 PM: sue@gofrance.about[2].txt (ID = 2038)
3:56 PM: sue@gostats[2].txt (ID = 2747)
3:56 PM: Found Spy Cookie: gotoast cookie
3:56 PM: sue@gotoast[2].txt (ID = 2751)
3:56 PM: sue@go[2].txt (ID = 2728)
3:56 PM: sue@heartdisease.about[2].txt (ID = 2038)
3:56 PM: sue@hsbc.touchclarity[1].txt (ID = 3566)
3:56 PM: Found Spy Cookie: kmpads cookie
3:56 PM: sue@kmpads[2].txt (ID = 2909)
3:56 PM: Found Spy Cookie: kount cookie
3:56 PM: sue@kount[2].txt (ID = 2911)
3:56 PM: sue@mentalhealth.about[2].txt (ID = 2038)
3:56 PM: sue@natwest.touchclarity[1].txt (ID = 3566)
3:56 PM: sue@nextag[1].txt (ID = 5014)
3:56 PM: sue@nnselect[2].txt (ID = 3065)
3:56 PM: sue@one-time-offer[2].txt (ID = 3095)
3:56 PM: Found Spy Cookie: mircx cookie
3:56 PM: sue@pop.mircx[1].txt (ID = 2998)
3:56 PM: sue@pricegrabber[2].txt (ID = 3185)
3:56 PM: Found Spy Cookie: pub cookie
3:56 PM: sue@pub[1].txt (ID = 3205)
3:56 PM: sue@rc[1].txt (ID = 3231)
3:56 PM: sue@rn11[2].txt (ID = 3261)
3:56 PM: Found Spy Cookie: domainsponsor cookie
3:56 PM: sue@search.domainsponsor[1].txt (ID = 2534)
3:56 PM: Found Spy Cookie: servlet cookie
3:56 PM: sue@servlet[1].txt (ID = 3345)
3:56 PM: sue@servlet[2].txt (ID = 3345)
3:56 PM: sue@servlet[4].txt (ID = 3345)
3:56 PM: sue@servlet[5].txt (ID = 3345)
3:56 PM: sue@stat.dealtime[2].txt (ID = 2506)
3:56 PM: Found Spy Cookie: clicktracks cookie
3:56 PM: sue@stats2.clicktracks[2].txt (ID = 2407)
3:56 PM: Found Spy Cookie: tracking cookie
3:56 PM: sue@tracking[2].txt (ID = 3571)
3:56 PM: Found Spy Cookie: tickle cookie
3:56 PM: sue@web.tickle[1].txt (ID = 3530)
3:56 PM: sue@www.cardomain[1].txt (ID = 2351)
3:56 PM: sue@xiti[1].txt (ID = 3717)
3:56 PM: Found Spy Cookie: yadro cookie
3:56 PM: sue@yadro[2].txt (ID = 3743)
3:56 PM: Cookie Sweep Complete, Elapsed Time: 00:00:24
3:56 PM: Starting File Sweep
3:57 PM: c:\program files\cnnic (18 subtraces) (ID = -2147477717)
3:58 PM: Found Adware: look2me
3:58 PM: icont.exe (ID = 65722)
3:59 PM: cdn.dll (ID = 111474)
4:01 PM: cdnaux.dll (ID = 111478)
4:01 PM: bw2.com (ID = 65722)
4:01 PM: appwrap[1].exe (ID = 65739)
4:01 PM: appwrap[1].exe (ID = 65722)
4:04 PM: imgconv.dll (ID = 83909)
4:07 PM: Found Adware: ietop100
4:07 PM: ietop100.dll (ID = 63440)
4:14 PM: Found Adware: 7adpower
4:14 PM: int_ver32b[1].cab (ID = 156516)
4:15 PM: idnconvs.dll (ID = 111484)
4:17 PM: Found Adware: shopathomeselect
4:17 PM: setup4002b.ini (ID = 75934)
4:17 PM: ipreg32.inf (ID = 80471)
4:17 PM: cdndisp.dat (ID = 125227)
4:17 PM: hochkaod3.ini (ID = 75788)
4:20 PM: Found Trojan Horse: trojan-backdoor-haxdoor
4:20 PM: fileinfo.db4 (ID = 79874)
4:20 PM: fileinfo.db4 (ID = 79874)
4:29 PM: 8d7408bf-ce01-4269-9735-da888e (ID = 90386)
4:32 PM: Found Adware: effective-i toolbar
4:32 PM: 064b49f3-e57d-401c-a16f-698354 (ID = 59838)
4:32 PM: 9ddca8b1-6cdd-4f8c-a237-028f59 (ID = 59855)
4:32 PM: Warning: Unhandled Archive Type
4:32 PM: Warning: Unhandled Archive Type
4:32 PM: Warning: Unhandled Archive Type
4:32 PM: Warning: Unhandled Archive Type
4:32 PM: Warning: Unhandled Archive Type
4:32 PM: Warning: Unhandled Archive Type
4:33 PM: Found Adware: java byteverify
4:33 PM: a.jar-18714bd2-14627f96.zip (ID = 64822)
4:33 PM: Warning: Unhandled Archive Type
4:33 PM: Warning: Unhandled Archive Type
4:33 PM: Warning: Unhandled Archive Type
4:37 PM: File Sweep Complete, Elapsed Time: 00:40:35
4:37 PM: Full Sweep has completed. Elapsed time 00:42:39
4:37 PM: Traces Found: 630
4:41 PM: Removal process initiated
4:41 PM: Quarantining All Traces: look2me
4:41 PM: Quarantining All Traces: trojan-backdoor-haxdoor
4:41 PM: Quarantining All Traces: trojan-downloader-domcom
4:41 PM: Quarantining All Traces: 7adpower
4:41 PM: Quarantining All Traces: blazefind_adman
4:41 PM: Quarantining All Traces: cnsmin
4:41 PM: Quarantining All Traces: effective-i toolbar
4:41 PM: Quarantining All Traces: ietop100
4:41 PM: Quarantining All Traces: ist istbar
4:41 PM: Quarantining All Traces: java byteverify
4:41 PM: Quarantining All Traces: searchbar toolbar
4:41 PM: Quarantining All Traces: searchrelevancy
4:41 PM: Quarantining All Traces: shopathomeselect
4:41 PM: Quarantining All Traces: webrebates
4:41 PM: Quarantining All Traces: winad
4:41 PM: Quarantining All Traces: 2o7.net cookie
4:41 PM: Quarantining All Traces: 412 cookie
4:41 PM: Quarantining All Traces: 888 cookie
4:41 PM: Quarantining All Traces: a cookie
4:41 PM: Quarantining All Traces: about cookie
4:41 PM: Quarantining All Traces: adminder cookie
4:41 PM: Quarantining All Traces: adrevservice cookie
4:41 PM: Quarantining All Traces: ads.stileproject cookie
4:41 PM: Quarantining All Traces: ask cookie
4:41 PM: Quarantining All Traces: atwola cookie
4:41 PM: Quarantining All Traces: banner cookie
4:41 PM: Quarantining All Traces: bannerspace cookie
4:41 PM: Quarantining All Traces: barelylegal cookie
4:41 PM: Quarantining All Traces: belnk cookie
4:41 PM: Quarantining All Traces: bizrate cookie
4:41 PM: Quarantining All Traces: cardomain cookie
4:41 PM: Quarantining All Traces: clicktracks cookie
4:41 PM: Quarantining All Traces: customer cookie
4:41 PM: Quarantining All Traces: dcskqeg2voifwznnd6alhtnei_8f3u cookie
4:41 PM: Quarantining All Traces: dealtime cookie
4:41 PM: Quarantining All Traces: did-it cookie
4:41 PM: Quarantining All Traces: domainsponsor cookie
4:41 PM: Quarantining All Traces: exitfuel cookie
4:41 PM: Quarantining All Traces: expage cookie
4:41 PM: Quarantining All Traces: eyeblaster cookie
4:41 PM: Quarantining All Traces: go.com cookie
4:41 PM: Quarantining All Traces: go2net.com cookie
4:41 PM: Quarantining All Traces: gorillanation cookie
4:41 PM: Quarantining All Traces: gostats cookie
4:41 PM: Quarantining All Traces: gotoast cookie
4:41 PM: Quarantining All Traces: infospace cookie
4:41 PM: Quarantining All Traces: kmpads cookie
4:41 PM: Quarantining All Traces: kount cookie
4:41 PM: Quarantining All Traces: linkexchange cookie
4:41 PM: Quarantining All Traces: linksponsor cookie
4:41 PM: Quarantining All Traces: metareward.com cookie
4:41 PM: Quarantining All Traces: mircx cookie
4:41 PM: Quarantining All Traces: multipops cookie
4:41 PM: Quarantining All Traces: netratingsselect cookie
4:41 PM: Quarantining All Traces: nextag cookie
4:41 PM: Quarantining All Traces: one-time-offer cookie
4:41 PM: Quarantining All Traces: pokerroom cookie
4:41 PM: Quarantining All Traces: pricegrabber cookie
4:41 PM: Quarantining All Traces: pub cookie
4:41 PM: Quarantining All Traces: rc cookie
4:41 PM: Quarantining All Traces: rn11 cookie
4:41 PM: Quarantining All Traces: servlet cookie
4:41 PM: Quarantining All Traces: smni cookie
4:41 PM: Quarantining All Traces: specificclick.com cookie
4:41 PM: Quarantining All Traces: stamps.com cookie
4:41 PM: Quarantining All Traces: starpulse cookie
4:41 PM: Quarantining All Traces: stats.klsoft.com cookie
4:41 PM: Quarantining All Traces: stiffycash cookie
4:41 PM: Quarantining All Traces: tickle cookie
4:41 PM: Quarantining All Traces: touchclarity cookie
4:41 PM: Quarantining All Traces: tracking cookie
4:41 PM: Quarantining All Traces: ugo cookie
4:41 PM: Quarantining All Traces: web-stat cookie
4:41 PM: Quarantining All Traces: xiti cookie
4:41 PM: Quarantining All Traces: yadro cookie
4:43 PM: Removal process completed. Elapsed time 00:02:21
********
3:53 PM: | Start of Session, Wednesday, November 09, 2005 |
3:53 PM: Spy Sweeper started
3:53 PM: Sweep initiated using definitions version 556
3:54 PM: Starting Memory Sweep
3:54 PM: Sweep Canceled
3:54 PM: Memory Sweep Complete, Elapsed Time: 00:00:09
3:54 PM: Traces Found: 0
3:54 PM: | End of Session, Wednesday, November 09, 2005 |
********
3:50 PM: | Start of Session, Wednesday, November 09, 2005 |
3:50 PM: Spy Sweeper started
3:52 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
3:53 PM: | End of Session, Wednesday, November 09, 2005 |


New HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 7:27:06 PM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
E:\HijackThis\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Adobe\Acrobat_rdr_ 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - I:\SuperBT\Plugins\RazaWebHook.dll (file missing)
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - I:\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - I:\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - I:\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - I:\FlashGet\fgiebar.dll
O3 - Toolbar: DIY! - {0A00D11E-B1E7-44b5-AD88-C9190876AAC4} - C:\WINDOWS\system32\diybar2\diybar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - I:\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [gcasServ] "I:\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TotalRecorderScheduler] "I:\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [eBayToolbar] I:\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] I:\Nero\InCD\InCD\InCD.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {3F686D91-4AFA-4ed1-B43F-F1DB46ED480C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Link Filter - {3F686D91-4AFA-4ed1-B43F-F1DB46ED480C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - I:\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - I:\FlashGet\flashget.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {54F8C0E2-34F9-474F-B47F-2CFCFE2300A2} (IEBHOLiver Class) - http://download.imu.com.cn/client/chatatwill/ie/imuliver.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gisweb3.city.vancouver.bc.ca:8080/web/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - I:\Nero\InCD\InCD\InCDsrv.exe (file missing)
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: FireDaemon Service: prime95 (prime95) - Unknown owner - C:\Program Files\FireDaemon\FireDaemon.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

Edited by boonkang, 09 November 2005 - 10:33 PM.
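As an added example (not part of this thread and not HijackThis's own code), the following Python script does the first-pass triage a helper performs by eye on a HijackThis 1.99.x log like the one above: it flags entries that point at files no longer on disk, Run entries with no path, O16 ActiveX downloads from hosts outside an allow-list, every O20 Winlogon Notify hook, and O23 services with no publisher name. The sample log is constructed from a few lines in the same format, and the host allow-list is an assumption to be tuned per environment.

```python
"""Triage a HijackThis 1.99.x log.

Each line is "<code> - <body>"; the code (R0, O2, O4, O16, O20, O23, ...)
names the autostart or hijack point the entry came from. This script
flags the signals a helper scans for first: entries pointing at files
that are no longer on disk, Run entries with no path, ActiveX (O16)
downloads from hosts outside an allow-list, every Winlogon Notify (O20)
hook, and services (O23) with no publisher name.
"""
import re

# Constructed sample: a few lines in the HijackThis v1.99.1 format,
# copied from the kind of log posted in this thread (not the full log).
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.dellnet.com
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - I:\\SuperBT\\Plugins\\RazaWebHook.dll (file missing)
O3 - Toolbar: DIY! - {0A00D11E-B1E7-44b5-AD88-C9190876AAC4} - C:\\WINDOWS\\system32\\diybar2\\diybar2.dll (file missing)
O4 - HKLM\\..\\Run: [WService] WService.EXE
O16 - DPF: {54F8C0E2-34F9-474F-B47F-2CFCFE2300A2} (IEBHOLiver Class) - http://download.imu.com.cn/client/chatatwill/ie/imuliver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\System32\\NavLogon.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\\WINDOWS\\SYSTEM32\\WRLogonNTF.dll
O23 - Service: FireDaemon Service: prime95 (prime95) - Unknown owner - C:\\Program Files\\FireDaemon\\FireDaemon.exe (file missing)
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\\Program Files\\NDAS\\System\\ndassvc.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Assumption: an example allow-list of hosts you would accept O16 ActiveX
# installs from; tune it to the environment.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "symantec.com")


def _host_of(body):
    """Return the lowercase host[:port] of the first URL in an entry body, or ''."""
    m = re.search(r"https?://([^/\s]+)", body)
    return m.group(1).lower() if m else ""


def _run_target(body):
    """For an O4 Run entry 'HKLM\\..\\Run: [name] cmd ...' return the executable token.

    Entries without a [name] (Global Startup .lnk lines) return ''.
    """
    target = body.split(": ", 1)[1] if ": " in body else body
    m = re.match(r"^\[[^\]]*\]\s*(.*)$", target)
    if not m:
        return ""
    target = m.group(1).strip()
    if not target:
        return ""
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target.split()[0]


def triage(log_text):
    """Return a list of (code, reason, line) for every suspicious entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        reasons = []
        if "(file missing)" in body:
            reasons.append("points at a file that is not on disk (orphaned or hidden)")
        if code == "O4":
            exe = _run_target(body)
            if exe and "\\" not in exe:
                reasons.append("Run entry has no path, so the binary is resolved via PATH search")
        if code == "O16":
            host = _host_of(body).split(":", 1)[0]
            if not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS):
                reasons.append("ActiveX download from host outside the allow-list: " + host)
        if code == "O20":
            reasons.append("Winlogon Notify DLL is loaded by winlogon.exe at every logon")
        if code == "O23" and "Unknown owner" in body:
            reasons.append("service binary carries no publisher name")
        findings.extend((code, r, line) for r in reasons)
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

These are triage heuristics, not verdicts: legitimate entries such as the Symantec and Webroot Winlogon hooks in the log above will be flagged for review too, and a "(file missing)" entry may be a leftover from an earlier cleanup rather than an active infection, which is why a helper confirms each hit before fixing it.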


#4 -David- (Members, 10,603 posts, London)

Posted 10 November 2005 - 05:59 PM

Good job! :thumbsup:

Boot back to normal mode

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in Word/Notepad to the desktop where they can be easily found for the same reasons as above.

There is a bit to do on the log - I can almost guarantee ewido will remove something - it's also a good free tool to keep in your arsenal! :flowers:

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck.
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post a new HJT log and the ewido log at the end! :trumpet:
David

#5 boonkang (Topic Starter, Members, 11 posts)

Posted 10 November 2005 - 06:27 PM

(quoting -David-'s post #4 above)



Thank you, David.
I haven't rebooted to normal mode yet.
Just want to check 2 things before I go on to reboot to normal mode.

1. I already installed ewido security suite when I used the procedure in http://tinyurl.com/ab6rj , but I didn't uncheck the 2 options, therefore background guard and scan via context menu were installed. Could I run ewido in normal mode?

2. While I was still in safe mode waiting for your further instructions, I took the liberty to run Ad-aware, Spybot, and ewido again (in safe mode). Ewido caught 90 objects. See the Ewido report below.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:33:05 AM, 11/10/2005
+ Report-Checksum: E8005220

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{54F8C0E2-34F9-474F-B47F-2CFCFE2300A2} -> Spyware.Imucomcn : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B1D147E7-873E-4909-8127-695D9BB78728} -> Spyware.t2t2com : Cleaned with backup
HKLM\SOFTWARE\Classes\DownloadBHO.T2BHO\CLSID\\ -> Spyware.t2t2com : Cleaned with backup
HKLM\SOFTWARE\Classes\DownloadBHO.T2BHO.1\CLSID\\ -> Spyware.t2t2com : Cleaned with backup
HKLM\SOFTWARE\Classes\HDTBar.HDTBarObj\CLSID\\ -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HDTBar.HDTBarObj.1\CLSID\\ -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HDT_BAR.HDT_BARObj\CLSID\\ -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HDT_BAR.HDT_BARObj.1\CLSID\\ -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\IMULiver.IEBHOLiver\CLSID\\ -> Spyware.Imucomcn : Cleaned with backup
HKLM\SOFTWARE\Classes\IMULiver.IEBHOLiver.1\CLSID\\ -> Spyware.Imucomcn : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{54F8C0E2-34F9-474F-B47F-2CFCFE2300A2} -> Spyware.Imucomcn : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/barhelp.dll\\{56A7DC70-E102-4408-A34A-AE06FEF01586} -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/hdtbar.xml\\.Owner -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/hdtbar.xml\\{56A7DC70-E102-4408-A34A-AE06FEF01586} -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/iebar22.0.dll\\.Owner -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/iebar22.0.dll\\{56A7DC70-E102-4408-A34A-AE06FEF01586} -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/toolbar.bmp\\.Owner -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/toolbar.bmp\\{56A7DC70-E102-4408-A34A-AE06FEF01586} -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/hdtbar.xml\\.Owner -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/hdtbar.xml\\{56A7DC70-E102-4408-A34A-AE06FEF01586} -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/iebar22.0.dll\\.Owner -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/iebar22.0.dll\\{56A7DC70-E102-4408-A34A-AE06FEF01586} -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/toolbar.bmp\\.Owner -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/toolbar.bmp\\{56A7DC70-E102-4408-A34A-AE06FEF01586} -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.3/hdtbar.xml\\.Owner -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.3/hdtbar.xml\\{56A7DC70-E102-4408-A34A-AE06FEF01586} -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.3/iebar22.0.dll\\.Owner -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.3/iebar22.0.dll\\{56A7DC70-E102-4408-A34A-AE06FEF01586} -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.3/toolbar.bmp\\.Owner -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.3/toolbar.bmp\\{56A7DC70-E102-4408-A34A-AE06FEF01586} -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/hdtbar.xml\\.Owner -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/hdtbar.xml\\{56A7DC70-E102-4408-A34A-AE06FEF01586} -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/iebar22.0.dll\\.Owner -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/iebar22.0.dll\\{56A7DC70-E102-4408-A34A-AE06FEF01586} -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/toolbar.bmp\\.Owner -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/toolbar.bmp\\{56A7DC70-E102-4408-A34A-AE06FEF01586} -> Spyware.HDTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/IMULiver.dll\\.Owner -> Spyware.Imucomcn : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/IMULiver.dll\\{54F8C0E2-34F9-474F-B47F-2CFCFE2300A2} -> Spyware.Imucomcn : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Boon\Application Data\Mozilla\Firefox\Profiles\1xvhx5k8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Boon\Local Settings\Temp\Cookies\boon@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Boon\Local Settings\Temp\Cookies\boon@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Boon\Local Settings\Temp\Temporary Internet Files\Content.IE5\EHGVUB65\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\WINDOWS\SYSTEM32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\k8800ilme8qa0.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\KKDBE.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\LDFAX12n.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\m046lahs1d46.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\nbwrsru.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\UKRVOICA.DLL -> Spyware.Look2Me : Cleaned with backup
E:\download\UnInstaller.exe -> Spyware.Zestyfind : Cleaned with backup
E:\download\eMule-0.46c-VeryCD0913.exe -> TrojanDropper.Agent.ug : Cleaned with backup


::Report End

#6 -David- (Members, 10,603 posts, London)

Posted 11 November 2005 - 11:33 AM

Great! Good job with ewido! :thumbsup: :flowers:

Let's just make sure that everything has gone:

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

David

#7 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 11 November 2005 - 11:35 AM

.........and yes you can boot to normal mode and carry on from there.

David :thumbsup:

#8 boonkang

boonkang
  • Topic Starter

  • Members
  • 11 posts

Posted 11 November 2005 - 01:23 PM

.........and yes you can boot to normal mode and carry on from there.

David :thumbsup:

Thank you, David.
Since I still have some serious problems, I foolishly restored my registry to an old copy hoping to solve the problem (it didn't). I don't know if this would affect l2mfix:

1. "MS installer" (to install MS Office FrontPage) popped up several times after reboot.
2. "MS installer" popped up every time I started a program.
3. My IE failed (Firefox is OK).
4. Task Manager failed.
5. Windows Explorer failed.

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{0A082D00-EC93-11D0-B1E6-80580BC10627}"="Corel Media Folder Root Menu Handler"
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"="Folder To Corel Media Folder Menu Handler"
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}"="Corel Media Folder"
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}"="Corel Media Folder"
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}"="Corel Media Find Folder"
"{F8152501-455F-11D1-B1E6-444553540000}"="Corel Media Folder Copy Hook Handler"
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}"="IconFactTemp.NSIconHandlerFactory"
"{A2AC368A-F883-11D0-B745-00A0C90646A4}"="NSFiltManDll.FiltManCom"
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{33D0B7CC-535E-4CD0-B33A-934372B1AEFD}"="Wise-FTP Network Places"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{0A8CE102-FA03-4612-9BEE-7FE5452F4CB1}"="Search Bar"
"{65929490-CD79-4C89-BCC7-9D4224A3534B}"="Digimarc ImageBridge™ reader for Windows"
"{65929490-CD79-4C89-BCC7-9D4224A35150}"="Digimarc ImageBridge™ reader for Windows"
"{a90d5ea0-a1d7-11cf-8dc1-00805fc2353f}"="DecExt"
"{B446400D-0030-457b-8F64-422A19605186}"="Logitech Gallery"
"{92085AD4-F48A-450D-BD93-B28CC7DF67CE}"="eBay Toolbar"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B63FCD5A-2396-11D1-B762-00A0C90646A4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B63FCD5A-2396-11D1-B762-00A0C90646A4}\InprocServer32]
@="I:\\Corel\\Graphics8\\programs\\CMFFnd80.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Invalid keyboard code specified

C:\WINDOWS\SYSTEM32\
browseui.dll Fri Sep 2 2005 3:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 3:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 5:53:42p A.... 2,067,968 1.97 M
danim.dll Fri Sep 2 2005 3:52:04p A.... 1,053,696 1.00 M
divx.dll Wed Sep 28 2005 1:29:14p A.... 693,248 677.00 K
divx_x~1.dll Wed Sep 28 2005 1:29:12p A.... 688,128 672.00 K
divx_x~2.dll Wed Sep 28 2005 1:29:12p A.... 688,128 672.00 K
divx_x~3.dll Wed Sep 28 2005 1:29:12p A.... 671,744 656.00 K
dpl100.dll Thu Oct 27 2005 11:37:46a A.... 86,016 84.00 K
dpu10.dll Thu Oct 27 2005 11:37:44a A.... 294,912 288.00 K
dpu11.dll Thu Oct 27 2005 11:37:44a A.... 294,912 288.00 K
dpugui10.dll Thu Oct 27 2005 11:37:48a A.... 53,248 52.00 K
dpugui11.dll Thu Oct 27 2005 11:37:46a A.... 593,920 580.00 K
dpus11.dll Thu Oct 27 2005 11:37:44a A.... 339,968 332.00 K
dpv11.dll Thu Oct 27 2005 11:37:44a A.... 57,344 56.00 K
dtu100.dll Thu Oct 27 2005 11:37:44a A.... 200,704 196.00 K
dxtrans.dll Fri Sep 2 2005 3:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 3:52:04p ..... 55,808 54.50 K
iepeers.dll Fri Sep 2 2005 3:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 3:52:04p A.... 96,256 94.00 K
islzma.dll Fri Oct 21 2005 3:50:14p A.... 102,912 100.50 K
libdivx.dll Wed Sep 28 2005 10:50:06a A.... 1,044,480 1020.00 K
linkinfo.dll Wed Aug 31 2005 5:41:54p A.... 19,968 19.50 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 3:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 3:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 3:52:06p A.... 530,432 518.00 K
netman.dll Mon Aug 22 2005 10:29:46a A.... 197,632 193.00 K
pngfilt.dll Fri Sep 2 2005 3:52:06p A.... 39,424 38.50 K
quartz.dll Mon Aug 29 2005 7:54:26p A.... 1,287,168 1.23 M
shdocvw.dll Fri Sep 2 2005 3:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 7:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 3:52:06p A.... 473,600 462.50 K
ssldivx.dll Wed Sep 28 2005 10:50:04a A.... 200,704 196.00 K
umpnpmgr.dll Mon Aug 22 2005 7:35:42p A.... 123,392 120.50 K
urlmon.dll Fri Sep 2 2005 3:52:06p A.... 608,768 594.50 K
vsdata.dll Mon Aug 29 2005 6:08:34p A.... 83,712 81.75 K
vsinit.dll Mon Aug 29 2005 6:08:46p A.... 141,056 137.75 K
wininet.dll Fri Sep 2 2005 3:52:06p A.... 658,432 643.00 K
winsrv.dll Wed Aug 31 2005 5:41:54p A.... 291,840 285.00 K
wrlogo~1.dll Mon Oct 24 2005 12:19:50p A.... 492,544 481.00 K
wrlzma.dll Mon Oct 24 2005 12:19:46p A.... 17,920 17.50 K
xvidcore.dll Sat Sep 24 2005 6:27:42a A.... 843,776 824.00 K
xvidvfw.dll Thu Sep 15 2005 1:38:44a A.... 151,552 148.00 K

44 items found: 44 files, 0 directories.
Total of file sizes: 30,417,408 bytes 29.01 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is XP
Volume Serial Number is 1054-0C71

Directory of C:\WINDOWS\System32

01/11/2005 07:20 PM <DIR> DLLCACHE
13/07/2005 05:40 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 2,065,969,152 bytes free
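
As an added example (not code from this thread, from L2MFix or from HijackThis), the following Python script parses the Winlogon\Notify section of an L2MFix find log like the one above, decodes the hex(2) DllName values, and reports any notification package that is not one of the Windows XP SP2 packages listed in that log (NavLogon, Norton AntiVirus' package, is treated as known). The baseline table, the sample export and its "example_l2m" entry are constructed for the example.

```python
"""Added example: flag unexpected Winlogon notification packages in an L2MFix find log."""
import re

# Baseline assumed for this example: the Notify subkeys in the log above and the DLL
# each normally loads. NavLogon is Norton AntiVirus' package, kept as a known entry.
EXPECTED_NOTIFY_DLLS = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
    "navlogon": "navlogon.dll",
}

NOTIFY_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\]]+)\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def decode_reg_value(data: str) -> str:
    """Decode the right-hand side of a .reg value line (quoted string or hex(2) dump)."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")          # regedit escapes \ as \\
    hex_match = re.match(r"hex\(\d+\):(.*)$", data)
    if hex_match:                                         # hex(2) = REG_EXPAND_SZ as UTF-16LE bytes
        raw = bytes(int(b, 16) for b in hex_match.group(1).split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data                                           # dword:... etc. left as written


def parse_notify_export(text: str) -> dict:
    """Map each Notify subkey to {value name (lowercased): decoded data}."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        while line.endswith("\\") and i + 1 < len(lines):  # regedit wraps long hex values
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        key_match = NOTIFY_KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
        elif line.startswith("["):                        # some other key: skip its values
            current = None
        elif current is not None:
            value_match = VALUE_RE.match(line)
            if value_match:
                name = value_match.group("name").lower()
                keys[current][name] = decode_reg_value(value_match.group("data"))
    return keys


def suspicious_notify_packages(keys: dict) -> list:
    """Return (subkey, dll, reason) for unknown packages or ones loading an unexpected DLL."""
    findings = []
    for subkey, values in keys.items():
        dll = values.get("dllname", "")
        basename = dll.rsplit("\\", 1)[-1].lower()
        expected = EXPECTED_NOTIFY_DLLS.get(subkey.lower())
        if expected is None:
            findings.append((subkey, dll, "not a known Winlogon notification package"))
        elif basename != expected:
            findings.append((subkey, dll, f"expected {expected}"))
    return findings


# Constructed sample in the find log's format: two entries as they appear above plus a
# made-up subkey ("example_l2m") whose DLL has the random-looking name Look2Me favours.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_l2m]
"DllName"="C:\\WINDOWS\\system32\\zzexample0.dll"
"Logon"="WinlogonLogonEvent"
"""
```

Run `suspicious_notify_packages(parse_notify_export(text))` on the Winlogon/notify section of a real find log; on the sample it reports only the constructed `example_l2m` entry.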

#9 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 11 November 2005 - 01:27 PM

Are you able to reverse the registry change?

Can you post a new HJT log?

David

#10 boonkang

boonkang
  • Topic Starter

  • Members
  • 11 posts

Posted 11 November 2005 - 01:37 PM

Are you able to reverse the registry change?

Can you post a new HJT log?

David
I am afraid not, David. I was so foolish not to make a backup copy.
Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:33:46 AM, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
I:\Microsoft AntiSpyware\gcasServ.exe
I:\TotalRecorder\TotRecSched.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
I:\eBay\eBay Toolbar2\eBayTBDaemon.exe
I:\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
I:\DIGIMA~1\WMCache.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
E:\HijackThis\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Adobe\Acrobat_rdr_ 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - I:\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - I:\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - I:\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - I:\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - I:\FlashGet\fgiebar.dll
O3 - Toolbar: DIY! - {0A00D11E-B1E7-44b5-AD88-C9190876AAC4} - C:\WINDOWS\system32\diybar2\diybar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - I:\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [gcasServ] "I:\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TotalRecorderScheduler] "I:\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [eBayToolbar] I:\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O8 - Extra context menu item: &eBay Search - res://I:\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - I:\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - I:\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with &Shareaza - res://I:\SuperBT\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {3F686D91-4AFA-4ed1-B43F-F1DB46ED480C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Link Filter - {3F686D91-4AFA-4ed1-B43F-F1DB46ED480C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - I:\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - I:\FlashGet\flashget.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [CDNCLIENT] Chinese Navigation
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {54F8C0E2-34F9-474F-B47F-2CFCFE2300A2} (IEBHOLiver Class) - http://download.imu.com.cn/client/chatatwill/ie/imuliver.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gisweb3.city.vancouver.bc.ca:8080/web/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: MAFUR - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Boon\LOCALS~1\Temp\MAFUR.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: FireDaemon Service: prime95 (prime95) - Unknown owner - C:\Program Files\FireDaemon\FireDaemon.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

#11 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:08:54 PM

Posted 11 November 2005 - 01:51 PM

Please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following file:
C:\Documents and Settings\Boon\Local Settings\Temp\MAFUR.exe

Click Open
Please let me know the results.
David

Edited by D-Trojanator, 11 November 2005 - 01:51 PM.


#12 boonkang

boonkang
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:54 PM

Posted 11 November 2005 - 02:05 PM

Please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following file:
C:\Documents and Settings\Boon\Local Settings\Temp\MAFUR.exe

Click Open
Please let me know the results.
David


Sorry, David.
I cannot start IE so I used Firefox, but I cannot access any website from Firefox.
I also cannot start Windows Explorer.

Can I try in "Safe Mode with Networking"?

#13 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:08:54 PM

Posted 11 November 2005 - 02:08 PM

Ok try that, as you got it work last time like that!

#14 boonkang

boonkang
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:54 PM

Posted 11 November 2005 - 02:12 PM

Ok try that, as you got it work last time like that!


I will try that.
I managed to switch to other user and started IE, but still cannot access any website.

I could also start Windows Explorer and found:

C:\Documents and Settings\Boon\Local Settings\Temp\MAFUR.exe

and

C:\Documents and Settings\Boon\Local Settings\Temp\PWSTWRUSEZWLJUQM.exe

#15 boonkang

boonkang
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:54 PM

Posted 11 November 2005 - 02:27 PM


Ok try that, as you got it work last time like that!


I will try that.
I managed to switch to other user and started IE, but still cannot access any website.

I could also start Windows Explorer and found:

C:\Documents and Settings\Boon\Local Settings\Temp\MAFUR.exe

and

C:\Documents and Settings\Boon\Local Settings\Temp\PWSTWRUSEZWLJUQM.exe



Oops, David. I unplugged the Internet cable, therefore I couldn't access any website.

I opened and submitted MAFUR to virusscan.jotti.org; nothing was found, but here is the note:

MAFUR.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 641b78a00501c94108b80a854aa9b8bd
Packers detected: UPX

Same result for PWSTWRUSEZWLJUQM.exe:

PWSTWRUSEZWLJUQM.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 641b78a00501c94108b80a854aa9b8bd
Packers detected: UPX
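Two things in this thread are worth turning into a repeatable check rather than eyeballing: the O23 service lines in the HijackThis log (a service calling itself "Sysinternals" but launched from a user's Temp folder, and services whose binary is "(file missing)"), and the Jotti results, where two differently named files in Temp report the same MD5 and the same UPX packer, which means they are one executable dropped twice. The script below is an added example written for this page, not code from BleepingComputer, HijackThis or Jotti. The O23 sample lines are copied from the log in the thread; the byte strings standing in for MAFUR.exe and PWSTWRUSEZWLJUQM.exe are constructed (they are not valid PE files and not the real samples), just enough to exercise the UPX marker scan and the hash comparison. The function names, the flag labels and the regular expressions are the example's own choices.

```python
"""Triage helpers for a HijackThis log: flag suspicious O23 services and
compare dropped executables by hash and packer markers (added example)."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample O23 lines copied from the log posted in this thread.
SAMPLE_O23 = r"""
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: MAFUR - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Boon\LOCALS~1\Temp\MAFUR.exe
O23 - Service: FireDaemon Service: prime95 (prime95) - Unknown owner - C:\Program Files\FireDaemon\FireDaemon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[A-Z]:\\(DOCUME~1|Documents and Settings|Users)\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    name: str
    vendor: str
    path: str
    file_missing: bool
    flags: Tuple[str, ...]


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one 'O23 - Service: <name> - <vendor> - <path>' line.

    The vendor field may itself contain ' - ' (e.g. 'Sysinternals - www.sysinternals.com'),
    so the path is taken as the text after the LAST separator and the name as the
    text before the FIRST one."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    file_missing = rest.endswith("(file missing)")
    if file_missing:
        rest = rest[: -len("(file missing)")].rstrip()
    head, _, path = rest.rpartition(" - ")
    name, _, vendor = head.partition(" - ")
    flags = []
    if file_missing:
        flags.append("file-missing")          # orphaned service entry, binary gone
    if TEMP_RE.search(path):
        flags.append("runs-from-temp")        # legitimate services do not live in Temp
    if USER_PROFILE_RE.match(path):
        flags.append("runs-from-user-profile")  # user-writable location, no admin needed to plant it
    return ServiceEntry(name, vendor, path, file_missing, tuple(flags))


def triage(log_text: str) -> List[ServiceEntry]:
    """Return only the O23 entries that raised at least one flag."""
    entries = [e for e in map(parse_o23, log_text.splitlines()) if e is not None]
    return [e for e in entries if e.flags]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def looks_upx_packed(data: bytes) -> bool:
    # An unmodified UPX build names its sections UPX0/UPX1 and leaves a 'UPX!'
    # signature; a byte scan is a crude first check, easily defeated by a
    # renamed header, so treat a miss as 'unknown' rather than 'clean'.
    return any(marker in data for marker in (b"UPX0", b"UPX1", b"UPX!"))


def same_binary(a: bytes, b: bytes) -> bool:
    """Two file names with one hash means one executable written twice."""
    return md5_hex(a) == md5_hex(b)


# Constructed stand-ins for the two dropped files: NOT valid PE images and NOT
# the real samples, only enough bytes to exercise the checks above. On a real
# case read the files with open(path, 'rb').
FAKE_PACKED = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
               + b"UPX0" + b"\x00" * 4 + b"UPX1" + b"\x00" * 4 + b"UPX!")
FAKE_PLAIN = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b".text" + b"\x00" * 3 + b".data"
SAMPLES = {"MAFUR.exe": FAKE_PACKED, "PWSTWRUSEZWLJUQM.exe": FAKE_PACKED}


if __name__ == "__main__":
    for entry in triage(SAMPLE_O23):
        print(f"{entry.name!r} ({entry.vendor}) -> {entry.path}  flags={list(entry.flags)}")
    for fname, data in SAMPLES.items():
        print(f"{fname}: md5={md5_hex(data)} upx={looks_upx_packed(data)}")
    print("same binary:", same_binary(SAMPLES["MAFUR.exe"], SAMPLES["PWSTWRUSEZWLJUQM.exe"]))
```

Running it against the sample lines flags MAFUR (runs from Temp inside a user profile despite the Sysinternals label) and the orphaned prime95 FireDaemon entry, and reports the two stand-in files as UPX-packed and byte-identical. The vendor string in an O23 line is whatever the binary's version resource says, so "Sysinternals" there is a claim, not evidence; the location of the binary is the more reliable signal.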



