My Log, God Please Help Me


12 replies to this topic

#1 st0nedsk8er


Posted 16 November 2005 - 03:13 PM

Here is my log. I had to do the scan in safe mode; it's the only way I can access anything without my desktop completely locking up. AIM automatically loads, and I can log onto that, meaning I have internet access, but I cannot access any browsers unless I'm in safe mode. So here's my log; hope someone can help.

Logfile of HijackThis v1.99.1
Scan saved at 3:02:12 PM, on 11/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Justin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116376116515
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\l0j80a1ued.dll (file missing)
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\i860lijm18oa.dll
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\hlahbmef.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\nellccoc.dll
O21 - SSODL: HIFD0EGD - {66554A6D-7470-69F6-0B64-4B06628F1216} - C:\WINDOWS\system32\Ohajgo32.dll
O21 - SSODL: mtklef - {764485B1-01E8-4C50-3882-377ACD8B1AFF} - C:\WINDOWS\system32\hdkimd32.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SnVzdGluIFJhbw\command.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 st0nedsk8er


Posted 16 November 2005 - 04:02 PM

Update: I don't know what I did, but I can access my desktop somewhat, not my start bar; internet is completely down in regular mode. I was able to get a log in regular mode, don't know if it's any different. Here it is.

Logfile of HijackThis v1.99.1
Scan saved at 3:51:19 PM, on 11/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Justin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Ad-Aware] "C:\Program Files\Lavasoft\Ad-Aware SE Professional yes\Ad-Aware.exe" +c
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116376116515
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\l0j80a1ued.dll (file missing)
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\g640lghm164a.dll
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\hlahbmef.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\nellccoc.dll
O21 - SSODL: mtklef - {4E42519E-2D4F-4389-EFAD-DB3785C92D08} - C:\WINDOWS\system32\qqnq32.dll
O21 - SSODL: mtklef - {4E42519E-2D4F-4389-EFAD-DB3785C92D08} - C:\WINDOWS\system32\qqnq32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SnVzdGluIFJhbw\command.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#3 -David-


Posted 17 November 2005 - 02:05 PM

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Then reboot your computer - IMPORTANT
Then post a new HJT log

David

#4 st0nedsk8er


Posted 17 November 2005 - 03:44 PM

I have 2 Webroot logs. I downloaded the program, and the first one is from when I had just got the program and didn't get any updates on the definitions. I did a scan, it found stuff, I removed it, and then it said it had to restart to remove one last thing. I restarted and let it go into normal mode, and it froze. So then I went back into safe mode, updated the defs, did another scan, found more stuff, deleted them, and still had to restart to remove one last thing. But the problem is it doesn't do it if I go into safe mode, and if I go into regular mode it just freezes. Here are the 2 logs, in order.

********
2:59 PM: | Start of Session, Thursday, November 17, 2005 |
2:59 PM: Spy Sweeper started
2:59 PM: Sweep initiated using definitions version 556
2:59 PM: Starting Memory Sweep
2:59 PM: Found Adware: icannnews
2:59 PM: Detected running threat: C:\WINDOWS\system32\jtpm0771e.dll (ID = 83)
3:00 PM: Detected running threat: C:\WINDOWS\system32\kadca.dll (ID = 83)
3:00 PM: Memory Sweep Complete, Elapsed Time: 00:00:47
3:00 PM: Starting Registry Sweep
3:00 PM: Found System Monitor: perfect keylogger
3:00 PM: HKCR\interface\{1e1b2878-88ff-11d3-8d96-d7acac95951a}\ (8 subtraces) (ID = 136696)
3:00 PM: HKLM\software\classes\interface\{1e1b2878-88ff-11d3-8d96-d7acac95951a}\ (8 subtraces) (ID = 136703)
3:00 PM: Found Trojan Horse: trojan-backdoor-zubox
3:00 PM: HKCR\*\shellex\contextmenuhandlers\sysacpildap\ (ID = 484093)
3:00 PM: HKLM\software\classes\*\shellex\contextmenuhandlers\sysacpildap\ (ID = 484152)
3:00 PM: Found Trojan Horse: trojan - zerotollerance
3:00 PM: HKCR\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (3 subtraces) (ID = 608255)
3:00 PM: HKLM\software\classes\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (3 subtraces) (ID = 609144)
3:00 PM: HKCR\appid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (ID = 650832)
3:00 PM: HKCR\clsid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (3 subtraces) (ID = 650833)
3:00 PM: HKLM\software\windows\ || shots (ID = 650869)
3:00 PM: HKLM\software\classes\appid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (ID = 650872)
3:00 PM: HKLM\software\classes\clsid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (3 subtraces) (ID = 650873)
3:00 PM: Found Trojan Horse: berbew trojan
3:00 PM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || mtklef (ID = 837545)
3:00 PM: Registry Sweep Complete, Elapsed Time:00:00:09
3:00 PM: Starting Cookie Sweep
3:00 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:00 PM: Starting File Sweep
3:00 PM: Found Adware: look2me
3:00 PM: appwrap[2].exe (ID = 65739)
3:00 PM: bpkhk.dll (ID = 72412)
3:01 PM: Found Adware: delfin
3:01 PM: mon1215.dbd (ID = 57687)
3:01 PM: hifd0egd.exe (ID = 158017)
3:01 PM: icont.exe (ID = 65739)
3:01 PM: appwrap[1].exe (ID = 65722)
3:01 PM: mon2007.dbd (ID = 57693)
3:02 PM: Found Adware: apropos
3:02 PM: wingenerics.dll (ID = 50187)
3:02 PM: mon0104.dbd (ID = 57676)
3:02 PM: mon1920.dbd (ID = 57692)
3:02 PM: Found Adware: targetsaver
3:02 PM: class-barrel (ID = 78229)
3:02 PM: vocabulary (ID = 78283)
3:02 PM: mon0204.ddx (ID = 57686)
3:02 PM: mon0504.ddx (ID = 57686)
3:02 PM: mon0412.ddx (ID = 57686)
3:02 PM: mon0904.ddx (ID = 57691)
3:02 PM: mon0106.ddx (ID = 57679)
3:02 PM: mon0315.ddx (ID = 57686)
3:02 PM: mon1204.ddx (ID = 57686)
3:02 PM: mon1125.ddx (ID = 57685)
3:02 PM: mon1909.ddx (ID = 57691)
3:02 PM: File Sweep Complete, Elapsed Time: 00:02:18
3:02 PM: Full Sweep has completed. Elapsed time 00:03:22
3:02 PM: Traces Found: 63
********
2:59 PM: | Start of Session, Thursday, November 17, 2005 |
2:59 PM: Spy Sweeper started
2:59 PM: Program Version 4.5.7 (Build 656) Using Spyware Definitions 556
2:59 PM: | End of Session, Thursday, November 17, 2005 |
______________________________________________________________


********
3:15 PM: | Start of Session, Thursday, November 17, 2005 |
3:15 PM: Spy Sweeper started
3:15 PM: Sweep initiated using definitions version 573
3:15 PM: Starting Memory Sweep
3:15 PM: Found Trojan Horse: trojan-backdoor-superbgirlz
3:15 PM: Detected running threat: C:\WINDOWS\system32\child.dll (ID = 183971)
3:16 PM: Memory Sweep Complete, Elapsed Time: 00:00:56
3:16 PM: Starting Registry Sweep
3:16 PM: Found Trojan Horse: spamrelayer_alpiok
3:16 PM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || systray.excn2 (ID = 790580)
3:16 PM: Found Trojan Horse: berbew trojan
3:16 PM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || mtklef (ID = 837545)
3:16 PM: HKCR\clsid\{7368d5fc-6f5c-4f5b-b964-e67214f67852}\ (3 subtraces) (ID = 913291)
3:16 PM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || systray.exys (ID = 913416)
3:16 PM: HKLM\software\classes\clsid\{7368d5fc-6f5c-4f5b-b964-e67214f67852}\ (3 subtraces) (ID = 913513)
3:16 PM: Found Adware: command
3:16 PM: HKLM\system\currentcontrolset\services\cmdservice\ (5 subtraces) (ID = 958670)
3:16 PM: HKU\S-1-5-21-1123561945-1844237615-682003330-1004\software\classes\clsid\{4f141cba-1457-6cca-03a7-7aa21b61ea0f}\ (3 subtraces) (ID = 954563)
3:16 PM: Registry Sweep Complete, Elapsed Time:00:00:10
3:16 PM: Starting Cookie Sweep
3:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:16 PM: Starting File Sweep
3:16 PM: oppuxc32.dll (ID = 157814)
3:16 PM: nellccoc.dll (ID = 182718)
3:17 PM: Found System Monitor: win-spy monitor
3:17 PM: private_message_new.wav (ID = 168138)
3:17 PM: Found Trojan Horse: trojan-backdoor-us15info
3:17 PM: tool5.exe (ID = 183857)
3:17 PM: Found Adware: spysheriff
3:17 PM: secure32.html (ID = 184319)
3:17 PM: hifd0egd.exe (ID = 158017)
3:17 PM: nnpgqjii.exe (ID = 183253)
3:18 PM: 74.tmp (ID = 183963)
3:18 PM: child.dll (ID = 183971)
3:19 PM: mbpwx35rkil1vt.vbs (ID = 185675)
3:19 PM: File Sweep Complete, Elapsed Time: 00:02:51
3:19 PM: Full Sweep has completed. Elapsed time 00:04:04
3:19 PM: Traces Found: 32
3:19 PM: Removal process initiated
3:19 PM: Quarantining All Traces: spamrelayer_alpiok
3:19 PM: Quarantining All Traces: spysheriff
3:19 PM: Quarantining All Traces: trojan-backdoor-us15info
3:19 PM: Quarantining All Traces: win-spy monitor
3:19 PM: Quarantining All Traces: berbew trojan
3:19 PM: Quarantining All Traces: trojan-backdoor-superbgirlz
3:19 PM: trojan-backdoor-superbgirlz is in use. It will be removed on reboot.
3:19 PM: child.dll is in use. It will be removed on reboot.
3:19 PM: C:\WINDOWS\system32\child.dll is in use. It will be removed on reboot.
3:19 PM: Quarantining All Traces: command
3:19 PM: Warning: Launched explorer.exe
3:19 PM: Warning: Quarantine process could not restart Explorer.
3:20 PM: Removal process completed. Elapsed time 00:00:45
********
2:59 PM: | Start of Session, Thursday, November 17, 2005 |
2:59 PM: Spy Sweeper started
2:59 PM: Sweep initiated using definitions version 556
2:59 PM: Starting Memory Sweep
2:59 PM: Found Adware: icannnews
2:59 PM: Detected running threat: C:\WINDOWS\system32\jtpm0771e.dll (ID = 83)
3:00 PM: Detected running threat: C:\WINDOWS\system32\kadca.dll (ID = 83)
3:00 PM: Memory Sweep Complete, Elapsed Time: 00:00:47
3:00 PM: Starting Registry Sweep
3:00 PM: Found System Monitor: perfect keylogger
3:00 PM: HKCR\interface\{1e1b2878-88ff-11d3-8d96-d7acac95951a}\ (8 subtraces) (ID = 136696)
3:00 PM: HKLM\software\classes\interface\{1e1b2878-88ff-11d3-8d96-d7acac95951a}\ (8 subtraces) (ID = 136703)
3:00 PM: Found Trojan Horse: trojan-backdoor-zubox
3:00 PM: HKCR\*\shellex\contextmenuhandlers\sysacpildap\ (ID = 484093)
3:00 PM: HKLM\software\classes\*\shellex\contextmenuhandlers\sysacpildap\ (ID = 484152)
3:00 PM: Found Trojan Horse: trojan - zerotollerance
3:00 PM: HKCR\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (3 subtraces) (ID = 608255)
3:00 PM: HKLM\software\classes\clsid\{1722ecff-4356-4f5b-b534-e67294fe75e9}\ (3 subtraces) (ID = 609144)
3:00 PM: HKCR\appid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (ID = 650832)
3:00 PM: HKCR\clsid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (3 subtraces) (ID = 650833)
3:00 PM: HKLM\software\windows\ || shots (ID = 650869)
3:00 PM: HKLM\software\classes\appid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (ID = 650872)
3:00 PM: HKLM\software\classes\clsid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (3 subtraces) (ID = 650873)
3:00 PM: Found Trojan Horse: berbew trojan
3:00 PM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || mtklef (ID = 837545)
3:00 PM: Registry Sweep Complete, Elapsed Time:00:00:09
3:00 PM: Starting Cookie Sweep
3:00 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:00 PM: Starting File Sweep
3:00 PM: Found Adware: look2me
3:00 PM: appwrap[2].exe (ID = 65739)
3:00 PM: bpkhk.dll (ID = 72412)
3:01 PM: Found Adware: delfin
3:01 PM: mon1215.dbd (ID = 57687)
3:01 PM: hifd0egd.exe (ID = 158017)
3:01 PM: icont.exe (ID = 65739)
3:01 PM: appwrap[1].exe (ID = 65722)
3:01 PM: mon2007.dbd (ID = 57693)
3:02 PM: Found Adware: apropos
3:02 PM: wingenerics.dll (ID = 50187)
3:02 PM: mon0104.dbd (ID = 57676)
3:02 PM: mon1920.dbd (ID = 57692)
3:02 PM: Found Adware: targetsaver
3:02 PM: class-barrel (ID = 78229)
3:02 PM: vocabulary (ID = 78283)
3:02 PM: mon0204.ddx (ID = 57686)
3:02 PM: mon0504.ddx (ID = 57686)
3:02 PM: mon0412.ddx (ID = 57686)
3:02 PM: mon0904.ddx (ID = 57691)
3:02 PM: mon0106.ddx (ID = 57679)
3:02 PM: mon0315.ddx (ID = 57686)
3:02 PM: mon1204.ddx (ID = 57686)
3:02 PM: mon1125.ddx (ID = 57685)
3:02 PM: mon1909.ddx (ID = 57691)
3:02 PM: File Sweep Complete, Elapsed Time: 00:02:18
3:02 PM: Full Sweep has completed. Elapsed time 00:03:22
3:02 PM: Traces Found: 63
3:08 PM: Removal process initiated
3:08 PM: Quarantining All Traces: icannnews
3:08 PM: Warning: Launched explorer.exe
3:08 PM: Warning: Quarantine process could not restart Explorer.
3:08 PM: icannnews is in use. It will be removed on reboot.
3:08 PM: C:\WINDOWS\system32\jtpm0771e.dll is in use. It will be removed on reboot.
3:08 PM: C:\WINDOWS\system32\kadca.dll is in use. It will be removed on reboot.
3:08 PM: Quarantining All Traces: perfect keylogger
3:08 PM: Quarantining All Traces: trojan-backdoor-zubox
3:08 PM: Quarantining All Traces: trojan - zerotollerance
3:08 PM: Quarantining All Traces: berbew trojan
3:08 PM: Quarantining All Traces: look2me
3:09 PM: Quarantining All Traces: delfin
3:09 PM: Quarantining All Traces: apropos
3:09 PM: Quarantining All Traces: targetsaver
3:09 PM: Preparing to restart youar computer. Please wait...
3:09 PM: Removal process completed. Elapsed time 00:00:56
3:14 PM: Your spyware definitions have been updated.
3:15 PM: | End of Session, Thursday, November 17, 2005 |
********
2:59 PM: | Start of Session, Thursday, November 17, 2005 |
2:59 PM: Spy Sweeper started
2:59 PM: Program Version 4.5.7 (Build 656) Using Spyware Definitions 556
2:59 PM: | End of Session, Thursday, November 17, 2005 |
_______________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 3:35:27 PM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Justin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116376116515
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\l0j80a1ued.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: HIFD0EGD - {66554A6D-7470-69F6-0B64-4B06628F1216} - C:\WINDOWS\system32\Ohajgo32.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
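Comparing the first HJT log in this thread with the one posted after the Spy Sweeper run, as an added example that is not part of the thread nor of HijackThis or Spy Sweeper: the script parses the entry types a helper reads first, flags the indicators visible in these logs (an autostart entry whose file is missing, a service with no vendor, a proxy auto-config URL pointing at the local machine, letter-digit jumble DLL names under Winlogon Notify and SSODL) and reports which autostart points disappeared after cleanup and which still deserve a look. The triage rules and the trimmed log excerpts are this example's own assumptions, not HijackThis logic.

```python
import re

# Excerpts (constructed from the logs posted in this thread) of the first HijackThis log,
# taken before any cleanup, and of the log posted after the Spy Sweeper run. Only the
# entry types the triage looks at are kept.
HJT_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\l0j80a1ued.dll (file missing)
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\i860lijm18oa.dll
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\hlahbmef.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\nellccoc.dll
O21 - SSODL: HIFD0EGD - {66554A6D-7470-69F6-0B64-4B06628F1216} - C:\WINDOWS\system32\Ohajgo32.dll
O21 - SSODL: mtklef - {764485B1-01E8-4C50-3882-377ACD8B1AFF} - C:\WINDOWS\system32\hdkimd32.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SnVzdGluIFJhbw\command.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

HJT_AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\l0j80a1ued.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: HIFD0EGD - {66554A6D-7470-69F6-0B64-4B06628F1216} - C:\WINDOWS\system32\Ohajgo32.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.+)$")
LOCAL_PAC = re.compile(r"^https?://(localhost|127\.0\.0\.1)(:\d+)?/", re.I)
LETTER_DIGIT_MIX = re.compile(r"[a-z]\d|\d[a-z]", re.I)


def parse_hjt(text):
    """Map 'section + entry name' -> the rest of the line.

    The name (Winlogon Notify subkey, SSODL value name, service name, registry value
    for R lines) identifies the autostart point, so the same point can be matched
    across two logs even when the path behind it changes.
    """
    entries = {}
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.group("section"), m.group("rest")
        sep = " = " if section.startswith("R") else " - "
        name, _, value = rest.partition(sep)
        entries[f"{section} {name}"] = value.strip()
    return entries


def _file_name(value):
    """Last path component of an entry value, with any '(file missing)' tag dropped."""
    return value.split(" (")[0].rsplit("\\", 1)[-1]


def triage(key, value):
    """Return the reasons a helper would look twice at this entry (empty = nothing noted).
    These rules are heuristics chosen for this example, not a definition of 'malicious'."""
    section = key.split(" ", 1)[0]
    reasons = []
    if "(file missing)" in value:
        reasons.append("registered file is missing: orphaned autostart reference")
    if section == "O23" and value.startswith("Unknown owner"):
        reasons.append("service binary carries no vendor information")
    if key.endswith("AutoConfigURL") and LOCAL_PAC.match(value):
        reasons.append("proxy auto-config script served from the local machine "
                       "(browser traffic can be redirected)")
    if section in ("O20", "O21"):
        stem = _file_name(value).rsplit(".", 1)[0]
        if LETTER_DIGIT_MIX.search(stem):
            reasons.append("Winlogon/SSODL DLL with a letter-digit jumble for a name")
    if section == "O21":
        reasons.append("extra SSODL entry: stock Windows entries are not normally listed here")
    return reasons


def diff_logs(before_text, after_text):
    """Which autostart points went away, which appeared, and which of the remaining
    ones still trip a triage rule: the check behind 'post a new HJT log'."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    still_flagged = {k: triage(k, v) for k, v in after.items() if triage(k, v)}
    return removed, added, still_flagged


if __name__ == "__main__":
    removed, added, still_flagged = diff_logs(HJT_BEFORE, HJT_AFTER)
    print("gone after cleanup:", *removed, sep="\n  ")
    print("new entries:", *added, sep="\n  ")
    print("still flagged:")
    for key, reasons in still_flagged.items():
        print(f"  {key}\n    - " + "\n    - ".join(reasons))
```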

#5 -David-


Posted 19 November 2005 - 07:49 AM

Great, well done, here comes part 2:

Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post a new HJT log and the ewido log at the end!
David

#6 st0nedsk8er


Posted 19 November 2005 - 11:40 AM

Here you go

Logfile of HijackThis v1.99.1
Scan saved at 11:32:45 AM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\Justin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116376116515
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\l0j80a1ued.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: HIFD0EGD - {66554A6D-7470-69F6-0B64-4B06628F1216} - C:\WINDOWS\system32\Ohajgo32.dll (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

________________


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:31:04 AM, 11/19/2005
+ Report-Checksum: F35DBC4A

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e6g3yoos.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\r6ed3kf4.Default User\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\r6ed3kf4.Default User\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\r6ed3kf4.Default User\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\r6ed3kf4.Default User\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\r6ed3kf4.Default User\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\r6ed3kf4.Default User\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\r6ed3kf4.Default User\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\r6ed3kf4.Default User\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\r6ed3kf4.Default User\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\r6ed3kf4.Default User\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\r6ed3kf4.Default User\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Justin\Local Settings\Temp\73.tmp -> TrojanDownloader.Small.bve : Cleaned with backup
C:\Documents and Settings\Justin\Local Settings\Temp\Temporary Directory 2 for Ableton_Live_v4.04-H2O.zip\crack.exe -> TrojanDownloader.Small.bws : Cleaned with backup
C:\Documents and Settings\Justin\My Documents\My Music\Lavasoft Ad-Aware SE Professional 1.06 New Retail.rar/Lavasoft Ad-Aware SE Professional 1.06 New Retail\Lavasoft Ad-Aware SE Professional 1.06.exe -> TrojanDropper.Agent.fr : Cleaned with backup
C:\Documents and Settings\Justin\My Documents\My Music\LimeWire Pro 4.9.4.1.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\Documents and Settings\Justin\My Documents\My Music\Oltmann s CD-Cover 2.02.zip/setup.exe -> Trojan.Crypt.e : Error during cleaning
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\Common Files\iwfw\iwfwa.exe -> TrojanDownloader.TSUpdate.l : Cleaned with backup
C:\Program Files\Common Files\iwfw\iwfwm.exe -> TrojanDownloader.TSUpdate.n : Cleaned with backup
C:\WINDOWS\73.tmp -> TrojanDownloader.Small.bve : Cleaned with backup
C:\WINDOWS\kl.exe -> TrojanDropper.Agent.abo : Cleaned with backup
C:\WINDOWS\sstray.exe -> TrojanSpy.Goldun.dn : Cleaned with backup
C:\WINDOWS\system32\afsldp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\aiivvaxx.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\Apglig32.exe -> TrojanDropper.Agent.abh : Cleaned with backup
C:\WINDOWS\system32\appwiz.dll -> TrojanSpy.Goldun.dn : Cleaned with backup
C:\WINDOWS\system32\bpkr.exe -> TrojanDownloader.Agent.fz : Cleaned with backup
C:\WINDOWS\system32\denhupnp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\diserver.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dnnq0155e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dtdlgs.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dywsock.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\en08l1du1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ennql1551.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\fp6o03j3e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\fpj6031se.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\fpn2035oe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\g0220afoed2c0.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\g2220cfoef2c0.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\g804lidq180e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\h20q0cd5ef0.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hcfgdhqh.exe -> TrojanProxy.Wopla.m : Cleaned with backup
C:\WINDOWS\system32\hecoin.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\HIFD0EGD.exe -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\hlahbmef.dll -> TrojanProxy.Wopla.m : Cleaned with backup
C:\WINDOWS\system32\hr2o05f3e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hrns0557e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\i660lgjm16oa.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ip50_32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\irlql5351.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\j2n20c5oef.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\jtn4075qe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ktjsl7171.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ktl2l73o1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\l26o0cj3efo.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lKprxy.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ll.exe -> Trojan.Crypt.l : Cleaned with backup
C:\WINDOWS\system32\m0ju0a19ed.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\m9hkv9a679.ini -> Backdoor.Ciadoor.13 : Cleaned with backup
C:\WINDOWS\system32\mjacm32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mo26l9fs1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mrdart.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mrxex.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mv26l9fs1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\o066lajs1do6.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\Ohajgo32.dll -> Worm.Padobot.z : Cleaned with backup
C:\WINDOWS\system32\p04u0ah9ed4.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\p28q0cl5efq.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\p28qlcl51fq.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\p6p60g7se6.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\Pr0n3.exe -> Backdoor.Ciadoor.13 : Cleaned with backup
C:\WINDOWS\system32\vidmon\vidmon.exe -> Spyware.DelphinMediaViewer : Cleaned with backup
C:\WINDOWS\system32\~update.exe -> Trojan.Crypt.l : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Renos.x : Cleaned with backup
C:\WINDOWS\tool3.exe -> TrojanDownloader.Small.bwr : Cleaned with backup
C:\WINDOWS\toolbar.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\WINDOWS\tskmgr.exe -> TrojanDownloader.Small.bwk : Cleaned with backup


::Report End

#7 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 19 November 2005 - 11:47 AM

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
==================

#8 st0nedsk8er

  • Topic Starter

  • Members
  • 33 posts

Posted 19 November 2005 - 11:53 AM

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l0j80a1ued.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{84C42DFD-C954-232A-B97F-E93FD91134F5}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6b5 (beta test) Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6b5 (beta test) DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6b5 (beta test) Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6b5 (beta test) Property Sheet Shell Extension"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="st"
"{2866CFDF-DFA0-493A-B53A-5359FA7665F4}"=""
"{9282EB0D-B399-466E-BDCD-F993FDACB8D1}"=""
"{35BBED1C-9CD6-42E8-9700-8F01D4AD5B4B}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9282EB0D-B399-466E-BDCD-F993FDACB8D1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9282EB0D-B399-466E-BDCD-F993FDACB8D1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9282EB0D-B399-466E-BDCD-F993FDACB8D1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9282EB0D-B399-466E-BDCD-F993FDACB8D1}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{35BBED1C-9CD6-42E8-9700-8F01D4AD5B4B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{35BBED1C-9CD6-42E8-9700-8F01D4AD5B4B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{35BBED1C-9CD6-42E8-9700-8F01D4AD5B4B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{35BBED1C-9CD6-42E8-9700-8F01D4AD5B4B}\InprocServer32]
@="C:\\WINDOWS\\system32\\hecoin.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Fri Sep 2 2005 6:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 6:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 8:53:42p A.... 2,067,968 1.97 M
danim.dll Fri Sep 2 2005 6:52:04p A.... 1,053,696 1.00 M
dpu32d20.dll Tue Nov 15 2005 9:45:36p A.... 45,056 44.00 K
dxtrans.dll Fri Sep 2 2005 6:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 6:52:04p A.... 55,808 54.50 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
iepeers.dll Fri Sep 2 2005 6:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 6:52:04p A.... 96,256 94.00 K
linkinfo.dll Wed Aug 31 2005 8:41:54p A.... 19,968 19.50 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 6:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 6:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 6:52:06p A.... 530,432 518.00 K
netman.dll Mon Aug 22 2005 1:29:46p A.... 197,632 193.00 K
pngfilt.dll Fri Sep 2 2005 6:52:06p A.... 39,424 38.50 K
quartz.dll Mon Aug 29 2005 10:54:26p A.... 1,287,168 1.23 M
shdocvw.dll Fri Sep 2 2005 6:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 6:52:06p A.... 473,600 462.50 K
umpnpmgr.dll Mon Aug 22 2005 10:35:42p A.... 123,392 120.50 K
urlmon.dll Fri Sep 2 2005 6:52:06p A.... 608,768 594.50 K
vsdata.dll Mon Aug 29 2005 6:08:34p A.... 83,712 81.75 K
vsinit.dll Mon Aug 29 2005 6:08:46p A.... 141,056 137.75 K
vsmonapi.dll Mon Aug 29 2005 6:08:54p A.... 104,192 101.75 K
vspubapi.dll Mon Aug 29 2005 6:08:58p A.... 227,072 221.75 K
vsregexp.dll Mon Aug 29 2005 6:09:02p A.... 71,424 69.75 K
vsutil.dll Mon Aug 29 2005 6:09:14p A.... 382,720 373.75 K
vsxml.dll Mon Aug 29 2005 6:09:22p A.... 100,096 97.75 K
wininet.dll Fri Sep 2 2005 6:52:06p A.... 658,432 643.00 K
winsrv.dll Wed Aug 31 2005 8:41:54p A.... 291,840 285.00 K
wrlogo~1.dll Wed Nov 16 2005 2:38:16p A.... 492,544 481.00 K
wrlzma.dll Wed Nov 16 2005 2:38:12p A.... 17,920 17.50 K
zlcomm.dll Mon Aug 29 2005 6:09:42p A.... 79,616 77.75 K
zlcommdb.dll Mon Aug 29 2005 6:09:46p A.... 71,424 69.75 K

36 items found: 36 files, 0 directories.
Total of file sizes: 24,773,376 bytes 23.63 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 7853-0E6D

Directory of C:\WINDOWS\System32

11/19/2005 11:50 AM <DIR> ..
11/19/2005 11:50 AM <DIR> .
10/19/2005 09:59 PM <DIR> dllcache
05/16/2005 10:10 PM <DIR> Microsoft
0 File(s) 0 bytes
4 Dir(s) 79,518,326,784 bytes free

#9 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:11:42 AM

Posted 19 November 2005 - 11:54 AM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note: Once the PC has restarted, if a log does not appear or the icons didn't disappear, run the "second.bat" located inside the L2mfix folder.

#10 st0nedsk8er

st0nedsk8er
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:06:42 AM

Posted 19 November 2005 - 12:29 PM

OK, I did what you said. I was in safe mode when I opened the l2mfix.bat and did option #2. I restarted, let it go into regular mode, it brought up a command prompt and it said:
Killing Processes!
The system cannot find the path specified
0 Files Coped

Along with that, 2 error messages popped up. One: cannot export backregs\9282Eb0D-b3990-466e-bdcd-f993fdacb8d1.reg Error Opening File - There may be a disk or file system error. I clicked OK, had the same error but it was 35bbed1c-9cd6-42e8-9700-8f01d4ad58b4b.reg. I clicked OK. Then the command prompt said Scanning first pass, then it completed, then it did second pass scanning and completed. Then it went to my desktop (no icons showing, and after several minutes of it just sitting there I restarted and went into safe mode) and ran option #2, but restarted it in safe mode this time, and it did the same thing without the "cannot export backregs" errors. It said Killing processes! The system cannot find the path specified, 0 files copied, did the scanning first and second passes, completed those. Oh, and I forgot to mention, on both times after the pass scans it said something in the prompt really fast, I couldn't quite read it, and THEN it went to my desktop with no icons and just sat there. Then I restarted and let it go in regular mode. Now my computer's running normally, everything's good, music's working, internet's working, all in regular mode. Seems like everything's okay, but I wanted to tell you this just in case there might still be a problem, I dunno. What should I do?

#11 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:11:42 AM

Posted 19 November 2005 - 12:31 PM

Ok, that's fine - there is another way. I need to check that every bit of the infection you had is gone:

Download the following file:

http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip

and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any "File not found" messages on the screen; it should continue anyway).

Please copy and paste that log here.

#12 st0nedsk8er

st0nedsk8er
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:06:42 AM

Posted 19 November 2005 - 12:58 PM

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Justin\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7853-0E6D

Directory of C:\WINDOWS\System32

11/19/2005 12:49 PM <DIR> ..
11/19/2005 12:49 PM <DIR> .
10/19/2005 09:59 PM <DIR> dllcache
05/16/2005 10:10 PM <DIR> Microsoft
0 File(s) 0 bytes
4 Dir(s) 79,569,235,968 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7853-0E6D

Directory of C:\WINDOWS\System32

11/19/2005 12:49 PM <DIR> ..
11/19/2005 12:49 PM <DIR> .
11/19/2005 12:18 PM 31,841 vsconfig.xml
11/15/2005 09:49 PM <DIR> vidmon
10/19/2005 09:59 PM <DIR> dllcache
09/24/2005 07:00 PM 4,212 zllictbl.dat
05/16/2005 09:33 PM 488 WindowsLogon.manifest
05/16/2005 09:33 PM 488 logonui.exe.manifest
05/16/2005 09:33 PM 749 cdplayer.exe.manifest
05/16/2005 09:33 PM 749 sapi.cpl.manifest
05/16/2005 09:33 PM 749 wuaucpl.cpl.manifest
05/16/2005 09:33 PM 749 nwc.cpl.manifest
05/16/2005 09:33 PM 749 ncpa.cpl.manifest
9 File(s) 40,774 bytes
4 Dir(s) 79,569,231,872 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 7853-0E6D

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 7853-0E6D

Directory of C:\WINDOWS\System32

03/31/2003 07:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 79,569,231,872 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l0j80a1ued.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
vsconfig.xml Sat Nov 19 2005 12:18:20p A..H. 31,841 31.09 K
zllictbl.dat Sat Sep 24 2005 7:00:42p ...H. 4,212 4.11 K

2 items found: 2 files, 0 directories.
Total of file sizes: 36,053 bytes 35.21 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: (AsPack2k)
C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)
C:\WINDOWS\system32\MRT.exe: ASPack2000
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"


BTW, my fonts are all messed up for Mozilla. Do you think you can give me the defaults for everything in the whole Fonts & Colors? If not, that's fine.
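Added example, not part of the thread and not code from l2mfix, Find.bat or KillBox: a Python triage script that parses a REGEDIT4-style export like the sections above and flags the two artefact patterns this log shows, a Winlogon Notify package registered by absolute path (l0j80a1ued.dll; every legitimate entry in the log uses a bare filename) and a CLSID InprocServer32 that loads a .tmp file instead of a DLL (guard.tmp). The registry text embedded in it is constructed from excerpts of the logs above.

```python
import re

# Constructed sample in the .reg export format of the Find.bat and l2mfix logs:
# one legitimate Notify package, the suspicious one, and the .tmp COM server.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"DllName"="C:\\WINDOWS\\system32\\l0j80a1ued.dll"
"Logon"="WinLogon"
[HKEY_CLASSES_ROOT\CLSID\{9282EB0D-B399-466E-BDCD-F993FDACB8D1}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
'''

def decode_value(raw):
    """Decode one .reg value: a quoted string (with \\ and \" escapes) or a
    hex(2) expand-string (ANSI bytes in REGEDIT4, UTF-16LE in the 5.00 format)."""
    if raw.startswith('"'):
        return raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    m = re.match(r'hex\(2\):([0-9a-fA-F,]+)', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(',') if b)
        enc = 'utf-16-le' if len(data) > 1 and not any(data[1::2]) else 'latin-1'
        return data.decode(enc).rstrip('\x00')
    return raw  # dword:... and other types are left as written

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}}; the default value is '@'."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (line.startswith('"') or line.startswith('@=')):
            name, _, raw = line.partition('=')
            keys[current][name.strip('"')] = decode_value(raw)
    return keys

NOTIFY = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify'

def triage(keys):
    """Flag a Notify package whose DllName is an absolute path (legitimate ones
    register a bare filename resolved from system32) and an InprocServer32 that
    loads a .tmp file. Returns a list of (key_path, reason, path) tuples."""
    findings = []
    for path, values in keys.items():
        lower = path.lower()
        if lower.startswith(NOTIFY + '\\'):
            dll = next((v for k, v in values.items() if k.lower() == 'dllname'), '')
            if '\\' in dll or '/' in dll:
                findings.append((path, 'Notify DllName is an absolute path', dll))
        elif lower.endswith('\\inprocserver32'):
            server = values.get('@', '')
            if server.lower().endswith('.tmp'):
                findings.append((path, 'InprocServer32 points at a .tmp file', server))
    return findings
```

Run triage(parse_reg(text)) over a REGEDIT4 export of the Notify and CLSID keys; on the embedded sample it returns two findings, the l0j80a1ued.dll Notify package and the guard.tmp InprocServer32.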

#13 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:11:42 AM

Posted 20 November 2005 - 06:18 AM

Download killbox from here:

KillBox

Unzip the folder to your desktop.

1. Start Killbox.exe
2. Select the Delete on Reboot option.
3. Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\l0j80a1ued.dll
C:\WINDOWS\system32\guard.tmp


4. Go to the File menu of Killbox, and choose Paste from Clipboard.
5. Click the Delete File button that is a red-and-white X. When asked if you want to delete these files say Yes. When asked if you want to reboot now, say No.
6. Exit Killbox.

BTW, my fonts are all messed up for Mozilla. Do you think you can give me the defaults for everything in the whole Fonts & Colors? If not, that's fine.


Is it just for Mozilla, or for XP? Can you be more specific? Thanks very much! :thumbsup:

Post a new HJT log and Find It log.

David :flowers:
