
Remove This Spyware


This topic is locked
37 replies to this topic

#1 Raines

Posted 03 February 2006 - 10:00 AM

Hello,

Yesterday I posted a problem regarding the SurfSideKick spyware; however, I didn't provide a logfile. I managed to remove it in safe mode; however, when I reboot the system I keep getting new spyware. I also get the error message:
"loading 00KK018o.dll - The specified module cannot be found"

Can someone please help with this, as it has already been 4 days that I have not been able to use my PC. I am keeping it in safe mode for fear that the spyware will replicate itself and allow more potentially harmful malware into my system.

Thank you!
R.

(Moderator edit: post moved to HJT log forum for team review. jgweed)

Logfile of HijackThis v1.99.1
Scan saved at 1:18:11 AM, on 2/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\1131946386\ee\AOLHostManager.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wgse.exe
C:\Program Files\Common Files\AOL\1131946386\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
c:\program files\common files\aol\1131946386\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\1131946386\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\hpsw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Eric Ramirez\Desktop\HijackThis.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 206.40.48.202 EHOST006
O1 - Hosts: 206.40.48.202 EHOST006.exch005intermedia.net
O1 - Hosts: 206.40.48.172 DC005-1.exch005intermedia.net
O1 - Hosts: 64.78.61.6 DDC005.exch005intermedia.net
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131946386\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [00kk0l8o.dll] RUNDLL32.EXE 00kk0l8o.dll,b 76063937
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZZ
O8 - Extra context menu item: Add to Ads Filter... - res://C:\PROGRA~1\Helexis\ADSFIL~1\ADSFIL~1.DLL/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Ads Filter - {8EFDC38F-314A-4364-A2B9-789A3B4DA0F7} - C:\PROGRA~1\Helexis\ADSFIL~1\ADSFIL~1.DLL
O9 - Extra 'Tools' menuitem: Ads Filter - {8EFDC38F-314A-4364-A2B9-789A3B4DA0F7} - C:\PROGRA~1\Helexis\ADSFIL~1\ADSFIL~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131985193046
O16 - DPF: {70F72504-0622-45B0-87A1-19F4C40BBBA2} (PortPingCOM Class) - https://exchange.intermedia.net/Customizati...PortPingCOM.DLL
O16 - DPF: {83EF1847-D835-490B-8D9D-90B2987D66E8} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....der.9.3.2.3.cab
O16 - DPF: {A97B2058-825A-4B18-93CE-1483855578D1} (AOL Newport Editor Ctrl) - http://pictures.aolcdn.com/ap/Resources/1....-US.9.3.2.1.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\ktnul7591.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\i2nm0c51ef.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by jgweed, 03 February 2006 - 11:09 AM.


#2 Daemon (Security Expert)

Posted 04 February 2006 - 08:49 AM

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste them into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This fix must NOT be run in safe mode for it to work.

If you receive, while running option #1, an error similar to:
"C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application."
then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

#3 Raines (Topic Starter)

Posted 05 February 2006 - 10:25 AM

Hi Daemon,

OK. I am including here the l2mfix log for your records, as per your request. Can you please tell me what to do next?

Thanks for your help!

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ktnul7591.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtp2077oe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EE359701-106E-8225-5AAF-B8D43DA2DF3F}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{20082881-FC36-4E47-9A7A-644C95FF749F}"="IntelliPoint Wireless Control Panel Property Page"
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}"="IntelliPoint Wheel Control Panel Property Page"
"{653DCCC2-13DB-45B2-A389-427885776CFE}"="IntelliPoint Activities Control Panel Property Page"
"{124597D8-850A-41AE-849C-017A4FA99CA2}"="IntelliPoint Buttons Control Panel Property Page"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B7FA0B2A-337C-456B-8917-573D129FD13C}"=""
"{00855D65-AC5F-4EF1-93D4-DB34F50D86D1}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00855D65-AC5F-4EF1-93D4-DB34F50D86D1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00855D65-AC5F-4EF1-93D4-DB34F50D86D1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00855D65-AC5F-4EF1-93D4-DB34F50D86D1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00855D65-AC5F-4EF1-93D4-DB34F50D86D1}\InprocServer32]
@="C:\\WINDOWS\\system32\\uxrrtosa.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
00kkujcu.dll Sun Jan 29 2006 7:22:14p A.... 44,544 43.50 K
browseui.dll Wed Nov 23 2005 8:06:34p A.... 1,022,464 998.50 K
gccoll~1.dll Tue Nov 15 2005 12:12:08p A.... 126,680 123.71 K
gcunco~1.dll Tue Nov 15 2005 12:12:06p A.... 95,448 93.21 K
gdi32.dll Wed Dec 28 2005 9:54:36p A.... 280,064 273.50 K
h40qle~1.dll Fri Feb 3 2006 12:18:28p ..S.R 234,768 229.27 K
hashlib.dll Tue Nov 15 2005 12:12:08p A.... 117,976 115.21 K
jtp207~1.dll Fri Feb 3 2006 9:49:24a ..S.R 234,054 228.57 K
kudgr.dll Fri Feb 3 2006 1:15:16a ..S.R 236,234 230.70 K
mjvidc32.dll Fri Feb 3 2006 12:19:26p ..S.R 234,054 228.57 K
mshtml.dll Wed Nov 23 2005 8:06:34p A.... 3,015,680 2.88 M
msupda~1.dll Sun Jan 29 2006 7:22:02p A.... 479,744 468.50 K
p04ula~1.dll Sun Feb 5 2006 10:06:46a ..S.R 235,994 230.46 K
pncrt.dll Mon Nov 14 2005 12:34:08a A.... 278,528 272.00 K
pndx5016.dll Sun Nov 20 2005 12:21:30a A.... 6,656 6.50 K
pndx5032.dll Sun Nov 20 2005 12:21:30a A.... 5,632 5.50 K
rmoc3260.dll Sun Nov 20 2005 12:21:56a A.... 176,167 172.04 K
s32evnt1.dll Sat Jan 21 2006 8:06:38p A.... 83,672 81.71 K
shdocvw.dll Wed Nov 30 2005 10:59:30p A.... 1,492,480 1.42 M
sporder.dll Sun Jan 29 2006 7:24:48p A.... 8,464 8.27 K
uxrrtosa.dll Sun Feb 5 2006 10:06:46a ..S.R 234,054 228.57 K
wepsrcwp.dll Fri Feb 3 2006 9:48:24a ..S.R 234,054 228.57 K

22 items found: 22 files (7 H/S), 0 directories.
Total of file sizes: 8,877,411 bytes 8.46 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is E433-2123

Directory of C:\WINDOWS\System32

02/05/2006 10:06 AM 234,054 uxrrtosa.dll
02/05/2006 10:06 AM 235,994 p04ulah91d4.dll
02/03/2006 12:19 PM 234,054 mjvidc32.dll
02/03/2006 12:18 PM 234,768 h40qled51h0.dll
02/03/2006 09:49 AM 234,054 jtp2077oe.dll
02/03/2006 09:48 AM 234,054 wepsrcwp.dll
02/03/2006 01:17 AM <DIR> dllcache
02/03/2006 01:15 AM 236,234 kudgr.dll
11/14/2005 10:09 AM <DIR> Microsoft
7 File(s) 1,643,212 bytes
2 Dir(s) 65,723,645,952 bytes free

#4 Daemon

Security Expert

Posted 05 February 2006 - 10:32 AM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do NOT run in safe mode!!
If, after the reboot, the log does not open, double-click on it in the l2mfix folder.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#5 Raines

Topic Starter

Posted 05 February 2006 - 11:45 AM

Daemon,

After reviewing these, can you tell if I still have any traces of any spyware in my system?
Okay, here are both log files:
Thanks again!


L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 404 'smss.exe'
Killing PID 404 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 484 'winlogon.exe'
Killing PID 484 'winlogon.exe'
Killing PID 484 'winlogon.exe'
Killing PID 484 'winlogon.exe'
Killing PID 484 'winlogon.exe'
Killing PID 484 'winlogon.exe'
Killing PID 484 'winlogon.exe'
Killing PID 484 'winlogon.exe'
Killing PID 484 'winlogon.exe'
Killing PID 484 'winlogon.exe'
Killing PID 484 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1444 'explorer.exe'
Killing PID 1444 'explorer.exe'
Killing PID 1444 'explorer.exe'
Killing PID 1444 'explorer.exe'
Killing PID 1444 'explorer.exe'
Killing PID 1444 'explorer.exe'
Killing PID 1444 'explorer.exe'
Killing PID 1444 'explorer.exe'
Killing PID 1444 'explorer.exe'
Killing PID 1444 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1216 'rundll32.exe'
Killing PID 1216 'rundll32.exe'
Killing PID 1216 'rundll32.exe'
Killing PID 1216 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\ddvenum.dll
Successfully Deleted: C:\WINDOWS\system32\ddvenum.dll
Deleting: C:\WINDOWS\system32\f82mlif1182.dll
Successfully Deleted: C:\WINDOWS\system32\f82mlif1182.dll
Deleting: C:\WINDOWS\system32\h40qled51h0.dll
Successfully Deleted: C:\WINDOWS\system32\h40qled51h0.dll
Deleting: C:\WINDOWS\system32\kudgr.dll
Successfully Deleted: C:\WINDOWS\system32\kudgr.dll
Deleting: C:\WINDOWS\system32\mjvidc32.dll
Successfully Deleted: C:\WINDOWS\system32\mjvidc32.dll
Deleting: C:\WINDOWS\system32\p26slcj71fo.dll
Successfully Deleted: C:\WINDOWS\system32\p26slcj71fo.dll
Deleting: C:\WINDOWS\system32\wepsrcwp.dll
Successfully Deleted: C:\WINDOWS\system32\wepsrcwp.dll
Deleting: C:\WINDOWS\system32\wnpencen.dll
Successfully Deleted: C:\WINDOWS\system32\wnpencen.dll

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\p26slcj71fo.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ddvenum.dll
C:\WINDOWS\system32\f82mlif1182.dll
C:\WINDOWS\system32\h40qled51h0.dll
C:\WINDOWS\system32\kudgr.dll
C:\WINDOWS\system32\mjvidc32.dll
C:\WINDOWS\system32\p26slcj71fo.dll
C:\WINDOWS\system32\wepsrcwp.dll
C:\WINDOWS\system32\wnpencen.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00855D65-AC5F-4EF1-93D4-DB34F50D86D1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00855D65-AC5F-4EF1-93D4-DB34F50D86D1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00855D65-AC5F-4EF1-93D4-DB34F50D86D1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00855D65-AC5F-4EF1-93D4-DB34F50D86D1}\InprocServer32]
@="C:\\WINDOWS\\system32\\wnpencen.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B7FA0B2A-337C-456B-8917-573D129FD13C}"=-
"{00855D65-AC5F-4EF1-93D4-DB34F50D86D1}"=-
[-HKEY_CLASSES_ROOT\CLSID\{B7FA0B2A-337C-456B-8917-573D129FD13C}]
[-HKEY_CLASSES_ROOT\CLSID\{00855D65-AC5F-4EF1-93D4-DB34F50D86D1}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/ddvenum.dll (164 bytes security) (deflated 5%)
adding: dlls/f82mlif1182.dll (164 bytes security) (deflated 6%)
adding: dlls/h40qled51h0.dll (164 bytes security) (deflated 5%)
adding: dlls/kudgr.dll (164 bytes security) (deflated 5%)
adding: dlls/mjvidc32.dll (164 bytes security) (deflated 4%)
adding: dlls/p26slcj71fo.dll (164 bytes security) (deflated 5%)
adding: dlls/wepsrcwp.dll (164 bytes security) (deflated 4%)
adding: dlls/wnpencen.dll (164 bytes security) (deflated 5%)
adding: backregs/00855D65-AC5F-4EF1-93D4-DB34F50D86D1.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)




Logfile of HijackThis v1.99.1
Scan saved at 11:41:15 AM, on 2/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\hpsw.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\1131946386\ee\AOLHostManager.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\1131946386\ee\AOLServiceHost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cba\xfr.exe
C:\Palm\HOTSYNC.EXE
c:\program files\common files\aol\1131946386\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1131946386\ee\AOLServiceHost.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Eric Ramirez\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://netscape.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 206.40.48.202 EHOST006
O1 - Hosts: 206.40.48.202 EHOST006.exch005intermedia.net
O1 - Hosts: 206.40.48.172 DC005-1.exch005intermedia.net
O1 - Hosts: 64.78.61.6 DDC005.exch005intermedia.net
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131946386\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [00kk0l8o.dll] RUNDLL32.EXE 00kk0l8o.dll,b 76063937
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZZ
O8 - Extra context menu item: Add to Ads Filter... - res://C:\PROGRA~1\Helexis\ADSFIL~1\ADSFIL~1.DLL/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Ads Filter - {8EFDC38F-314A-4364-A2B9-789A3B4DA0F7} - C:\PROGRA~1\Helexis\ADSFIL~1\ADSFIL~1.DLL
O9 - Extra 'Tools' menuitem: Ads Filter - {8EFDC38F-314A-4364-A2B9-789A3B4DA0F7} - C:\PROGRA~1\Helexis\ADSFIL~1\ADSFIL~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131985193046
O16 - DPF: {70F72504-0622-45B0-87A1-19F4C40BBBA2} (PortPingCOM Class) - https://exchange.intermedia.net/Customizati...PortPingCOM.DLL
O16 - DPF: {83EF1847-D835-490B-8D9D-90B2987D66E8} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....der.9.3.2.3.cab
O16 - DPF: {A97B2058-825A-4B18-93CE-1483855578D1} (AOL Newport Editor Ctrl) - http://pictures.aolcdn.com/ap/Resources/1....-US.9.3.2.1.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\p26slcj71fo.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
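
The Winlogon Notify export above is where L2MFix found the rogue "App Paths" package, and HijackThis reports the same entry as an O20 line. As an added example (not part of this thread, and not L2MFix's or HijackThis's own code), here is a small Python checker that parses such a .reg export, decodes the hex(2) DllName values, and flags any package that is not a stock Windows XP notification DLL. The sample export is constructed from the entries shown above; the known-package table is an assumption about an XP SP2 install with Symantec AntiVirus and should be adjusted for other builds.

```python
import re

# Constructed sample: a cut-down copy of the Winlogon Notify export above,
# with the rogue "App Paths" package and three legitimate ones.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\p26slcj71fo.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"""

# Assumed baseline: stock XP SP2 notification packages plus Symantec's
# NavLogon. Keys are Notify subkey names, values the DLL each should load.
KNOWN_PACKAGES = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "ScCertProp": "wlnotify.dll",
    "Schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "SensLogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
    "NavLogon": "navlogon.dll",
}

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")


def decode_hex2(value):
    """Decode a .reg hex(2) (REG_EXPAND_SZ) byte list: UTF-16LE, NUL-terminated."""
    raw = bytes(int(b, 16) for b in value.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg_export(text):
    """Return {subkey: {value_name: value}} for every Notify\\<subkey> section.

    Trailing-backslash continuation lines (used by hex(2) values) are joined
    first; quoted strings are unescaped and hex(2) values decoded."""
    joined = re.sub(r",\\\s*\n\s*", ",", text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(NOTIFY_PREFIX.lower()):
                current = key[len(NOTIFY_PREFIX):]
                sections[current] = {}
            else:
                current = None  # the bare Notify key or an unrelated key
            continue
        if current is None or "=" not in line:
            continue
        name, _, val = line.partition("=")
        if val.startswith("hex(2):"):
            val = decode_hex2(val[len("hex(2):"):])
        elif val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace("\\\\", "\\")
        sections[current][name.strip('"')] = val
    return sections


def suspicious_notify_entries(sections):
    """List (subkey, dll, reasons) for packages that are not in the baseline,
    load a different DLL than expected, or carry a generated-looking name."""
    findings = []
    known_dlls = set(KNOWN_PACKAGES.values())
    for subkey, values in sections.items():
        dll = values.get("DllName") or values.get("DLLName") or ""
        basename = dll.rsplit("\\", 1)[-1].lower()
        reasons = []
        expected = KNOWN_PACKAGES.get(subkey)
        if expected is None:
            reasons.append("Notify subkey is not a known package")
        elif basename != expected:
            reasons.append("loads %s instead of %s" % (basename, expected))
        stem = basename.split(".")[0]
        if basename not in known_dlls and re.search(r"\d", stem) and re.search(r"[a-z]", stem):
            reasons.append("mixed letter/digit DLL name typical of generated files")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    for subkey, dll, reasons in suspicious_notify_entries(parse_reg_export(SAMPLE_EXPORT)):
        print("SUSPECT %-14s %s  (%s)" % (subkey, dll, "; ".join(reasons)))
```

Run against a full export the same way L2MFix prints it; only the unknown "App Paths" package should come back, while the stock packages and NavLogon pass.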

#6 Raines

Topic Starter

Posted 05 February 2006 - 11:48 AM

I forgot to mention that when I rebooted my computer and everything loaded, I still get an error message as follows:

RUNDLL
Error loading 00kk0l8o.dll
The specified module cannot be found

What does this mean?

Thank you.
R.

#7 Daemon

Security Expert

Posted 05 February 2006 - 11:57 AM

There's still more to do. You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R3 - Default URLSearchHook is missing
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\Run: [00kk0l8o.dll] RUNDLL32.EXE 00kk0l8o.dll,b 76063937
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\p26slcj71fo.dll (file missing)


Exit HijackThis when done. Reboot into Safe Mode by tapping F8 after the BIOS has loaded. Using Windows Explorer, find and delete the following:

C:\WINDOWS\system32\hpsw.exe

Exit Explorer and reboot into Normal Mode. Rescan with HijackThis and post a new log here.

Does this mean anything to you: Intermedia Corporation?

#8 Raines

Topic Starter

Posted 05 February 2006 - 02:58 PM

Yes, Intermedia Corporation is the name of the company that serves as the email exchange server (Outlook) for my job. I have also downloaded it to my home computer so that I can access my work emails...

I will complete what you listed and will get that out to you as soon as I can...
Thanks!

Raines

#9 Raines

Raines
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:42 AM

Posted 05 February 2006 - 04:19 PM

Okay, so far everything is looking good!! I rebooted and loaded with no error messages, and my applications/programs loaded fairly quickly...

Below is the Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 4:12:53 PM, on 2/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\1131946386\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1131946386\ee\AOLServiceHost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Palm\HOTSYNC.EXE
c:\program files\common files\aol\1131946386\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1131946386\ee\AOLServiceHost.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Eric Ramirez\My Documents\HJT Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://netscape.com/
O1 - Hosts: 206.40.48.202 EHOST006
O1 - Hosts: 206.40.48.202 EHOST006.exch005intermedia.net
O1 - Hosts: 206.40.48.172 DC005-1.exch005intermedia.net
O1 - Hosts: 64.78.61.6 DDC005.exch005intermedia.net
O2 - BHO: (no name) - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131946386\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZZ
O8 - Extra context menu item: Add to Ads Filter... - res://C:\PROGRA~1\Helexis\ADSFIL~1\ADSFIL~1.DLL/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Ads Filter - {8EFDC38F-314A-4364-A2B9-789A3B4DA0F7} - C:\PROGRA~1\Helexis\ADSFIL~1\ADSFIL~1.DLL
O9 - Extra 'Tools' menuitem: Ads Filter - {8EFDC38F-314A-4364-A2B9-789A3B4DA0F7} - C:\PROGRA~1\Helexis\ADSFIL~1\ADSFIL~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131985193046
O16 - DPF: {70F72504-0622-45B0-87A1-19F4C40BBBA2} (PortPingCOM Class) - https://exchange.intermedia.net/Customizati...PortPingCOM.DLL
O16 - DPF: {83EF1847-D835-490B-8D9D-90B2987D66E8} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....der.9.3.2.3.cab
O16 - DPF: {A97B2058-825A-4B18-93CE-1483855578D1} (AOL Newport Editor Ctrl) - http://pictures.aolcdn.com/ap/Resources/1....-US.9.3.2.1.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Is it safe to assume that it's all gone?

Raines

#10 Raines (Topic Starter)

Posted 05 February 2006 - 05:34 PM

Hi Daemon,

Okay, I still have some spyware running in my system... What next?

R.

#11 Daemon (Security Expert)

Posted 05 February 2006 - 06:24 PM

What is it that you have running in your system? Give me more info.

#12 Raines (Topic Starter)

Posted 05 February 2006 - 10:12 PM

When I ran Microsoft AntiSpyware right after I sent you the post at 4:19 saying that everything looked good, I got this from the scan results:

Also, below this I have included my scan log from the Ad-Aware results.

Spyware Scan Details
Start Date: 2/5/2006 4:32:56 PM
End Date: 2/5/2006 4:39:08 PM
Total Time: 6 mins 12 secs

Detected Threats

QuickLinks Monitoring Software more information...
Details: QuickLinks is Adware that redirects your searches to affiliate sites and may monitor your search terms.
Status: Removed
Elevated threat - Elevated-risk items have some potential for harm. Users should review such programs and remove them if unwanted.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}\InprocServer32 ThreadingModel both
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}\KeyPhrasesFileName arpf.cfg
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}\ProgID Permeation.Permeater.1
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}\VersionIndependentProgID Permeation.Permeater
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} Permeater Class
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39C78B50-7E98-4aa0-B007-D83114EA6E0F}
HKEY_CLASSES_ROOT\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}\InprocServer32 C:\PROGRA~1\Jalmp\jalmp.dll
HKEY_CLASSES_ROOT\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}\InprocServer32 ThreadingModel both
HKEY_CLASSES_ROOT\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}\KeyPhrasesFileName arpf.cfg
HKEY_CLASSES_ROOT\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}\ProgID Permeation.Permeater.1
HKEY_CLASSES_ROOT\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}\VersionIndependentProgID Permeation.Permeater
HKEY_CLASSES_ROOT\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} Permeater Class
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}\InprocServer32 C:\PROGRA~1\Jalmp\jalmp.dll


Maxifiles Adware more information...
Status: Removed
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected files detected
c:\program files\jalmp\arpf.cfg
c:\program files\jalmp\uninstall.exe

Infected folders detected
c:\program files\jalmp


Also, I'm including the scan log from Ad-Aware as well.


Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, February 05, 2006 8:51:53 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R90 03.02.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):14 total references
e2give(TAC index:7):7 total references
MegaSearch Toolbar(TAC index:4):1 total references
Prutect(TAC index:8):6 total references
Tracking Cookie(TAC index:3):7 total references
UCmore(TAC index:3):4 total references
Win32.TrojanDownloader.Qoologic(TAC index:10):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2-5-2006 8:51:53 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 408
ThreadCreationTime : 2-6-2006 1:45:44 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 464
ThreadCreationTime : 2-6-2006 1:45:46 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 488
ThreadCreationTime : 2-6-2006 1:45:46 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 532
ThreadCreationTime : 2-6-2006 1:45:46 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 544
ThreadCreationTime : 2-6-2006 1:45:46 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 692
ThreadCreationTime : 2-6-2006 1:45:47 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 748
ThreadCreationTime : 2-6-2006 1:45:47 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 812
ThreadCreationTime : 2-6-2006 1:45:47 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 868
ThreadCreationTime : 2-6-2006 1:45:47 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 992
ThreadCreationTime : 2-6-2006 1:45:48 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1188
ThreadCreationTime : 2-6-2006 1:45:49 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:12 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1244
ThreadCreationTime : 2-6-2006 1:45:49 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [aolacsd.exe]
FilePath : C:\Program Files\Common Files\AOL\ACS\
ProcessID : 1532
ThreadCreationTime : 2-6-2006 1:45:57 AM
BasePriority : Normal
FileVersion : 3.0.0.1
ProductVersion : 3.0.0.1
ProductName : AOL Connectivity Service
CompanyName : America Online
FileDescription : AOL Connectivity Service
InternalName : AOLacsd
LegalCopyright : Copyright © 2004 America Online
OriginalFilename : AOLacsd.exe

#:14 [aoltsmon.exe]
FilePath : C:\Program Files\Common Files\AOL\TopSpeed\2.0\
ProcessID : 1544
ThreadCreationTime : 2-6-2006 1:45:57 AM
BasePriority : Normal
FileVersion : 2, 0, 0, 0
ProductVersion : 2, 0, 0, 0
ProductName : AOL TopSpeed™ Monitor
CompanyName : America Online, Inc
FileDescription : AOL TopSpeed™ Monitor
InternalName : AOL TopSpeed™ Monitor
LegalCopyright : Copyright © 2004 America Online, Inc.
OriginalFilename : aoltsmon.exe

#:15 [pds.exe]
FilePath : C:\WINDOWS\system32\cba\
ProcessID : 1576
ThreadCreationTime : 2-6-2006 1:45:57 AM
BasePriority : Normal
FileVersion : 6.12.0.71 E
ProductVersion : 6.12.0.71
ProductName : Intel Common Base Agent
CompanyName : Intel® Corporation
FileDescription : CBA -- Ping Discovery Service
InternalName : PDS
LegalCopyright : Copyright © 1997-2001 Intel® Corporation
LegalTrademarks : LANDesk® is a registered trademark of Intel Corporation
OriginalFilename : PDS.EXE

#:16 [aoltpspd.exe]
FilePath : C:\Program Files\Common Files\AOL\TopSpeed\2.0\
ProcessID : 1592
ThreadCreationTime : 2-6-2006 1:45:57 AM
BasePriority : Normal
FileVersion : 2, 0, 0, 0
ProductVersion : 2, 0, 0, 0
ProductName : AOL TopSpeed™
CompanyName : America Online Inc
FileDescription : AOL TopSpeed™
InternalName : AOL TopSpeed™ Loader
LegalCopyright : Copyright © 2003-2004
LegalTrademarks : AOL TopSpeed™
OriginalFilename : aoltpspd.exe

#:17 [rtvscan.exe]
FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\
ProcessID : 1640
ThreadCreationTime : 2-6-2006 1:45:58 AM
BasePriority : Normal
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright © Symantec Corporation 1991-2002

#:18 [nsctop.exe]
FilePath : C:\PROGRA~1\Symantec\SYMANT~1\
ProcessID : 1696
ThreadCreationTime : 2-6-2006 1:46:01 AM
BasePriority : Normal
FileVersion : 8.00.00.374
ProductVersion : 8.00.00.374
ProductName : Symantec System Center
CompanyName : Symantec Corporation
FileDescription : NscTop Module
InternalName : NscTop
LegalCopyright : Copyright © 2002 Symantec Corporation
OriginalFilename : NscTop.EXE

#:19 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1804
ThreadCreationTime : 2-6-2006 1:46:01 AM
BasePriority : Normal
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
ProductName : NVIDIA Driver Helper Service, Version 52.16
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:20 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1888
ThreadCreationTime : 2-6-2006 1:46:01 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:21 [hndlrsvc.exe]
FilePath : C:\WINDOWS\system32\ams_ii\
ProcessID : 1936
ThreadCreationTime : 2-6-2006 1:46:01 AM
BasePriority : Normal
FileVersion : 6.12.0.71 E
ProductVersion : 6.12.0.71
ProductName : Intel Alert Management System 2
CompanyName : Intel® Corporation
FileDescription : AMS2 Handler Manager Service
InternalName : Hndlrsvc
LegalCopyright : Copyright © 1997-2001 Intel® Corporation
LegalTrademarks : LANDesk® is a registered trademark of Intel Corporation
OriginalFilename : Hndlrsvc.exe

#:22 [msgsys.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2020
ThreadCreationTime : 2-6-2006 1:46:02 AM
BasePriority : Normal
FileVersion : 6.12.0.71 E
ProductVersion : 6.12.0.71
ProductName : Intel Common Base Agent
CompanyName : Intel® Corporation
FileDescription : CBA -- Message System
InternalName : MsgExe
LegalCopyright : Copyright © 1997-2001 Intel® Corporation
LegalTrademarks : LANDesk® is a registered trademark of Intel Corporation
OriginalFilename : MsgSys.EXE

#:23 [xfr.exe]
FilePath : C:\WINDOWS\system32\cba\
ProcessID : 164
ThreadCreationTime : 2-6-2006 1:46:02 AM
BasePriority : Normal
FileVersion : 6.12.0.71 E
ProductVersion : 6.12.0.71
ProductName : Intel Common Base Agent
CompanyName : Intel® Corporation
FileDescription : CBA - Message Resource
InternalName : xfrrc
LegalCopyright : Copyright © 1997-2001 Intel® Corporation
LegalTrademarks : LANDesk® is a registered trademark of Intel Corporation
OriginalFilename : XFR.EXE

#:24 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1288
ThreadCreationTime : 2-6-2006 1:46:10 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:25 [wscntfy.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 968
ThreadCreationTime : 2-6-2006 1:46:10 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Security Center Notification App
InternalName : wscntfy.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wscntfy.exe

#:26 [printray.exe]
FilePath : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\
ProcessID : 2132
ThreadCreationTime : 2-6-2006 1:47:35 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 7
ProductVersion : 1, 0, 0, 7
ProductName : Lexmark PrinTray
CompanyName : Lexmark
FileDescription : PrinTray
InternalName : PrinTray
LegalCopyright : Copyright © 2001
OriginalFilename : PrinTray.exe

#:27 [aoldial.exe]
FilePath : C:\Program Files\Common Files\AOL\ACS\
ProcessID : 2156
ThreadCreationTime : 2-6-2006 1:47:38 AM
BasePriority : Normal
FileVersion : 3.0.0.1
ProductVersion : 3.0.0.1
ProductName : AOL Connectivity Service
CompanyName : America Online
FileDescription : AOL Connectivity Service Dialer
InternalName : AOLdial
LegalCopyright : Copyright © 2004 America Online
OriginalFilename : AOLdial.exe

#:28 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_06\bin\
ProcessID : 2352
ThreadCreationTime : 2-6-2006 1:47:43 AM
BasePriority : Normal


#:29 [aolhostmanager.exe]
FilePath : C:\Program Files\Common Files\AOL\1131946386\ee\
ProcessID : 2384
ThreadCreationTime : 2-6-2006 1:47:43 AM
BasePriority : Normal
FileVersion : 1.3.6.0
ProductVersion : 1.3.6.0
ProductName : AOL Service Libraries
CompanyName : America Online, Inc.
FileDescription : AOLHostManager
InternalName : AOLHostManager
LegalCopyright : © 2005 America Online, Inc.
OriginalFilename : AOLHostManager.exe

#:30 [gcasserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 2392
ThreadCreationTime : 2-6-2006 1:47:43 AM
BasePriority : Idle
FileVersion : 1.00.0701
ProductVersion : 1.00.0701
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasServ.exe

#:31 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 2444
ThreadCreationTime : 2-6-2006 1:47:44 AM
BasePriority : Normal
FileVersion : 0.1.0.3427
ProductVersion : 0.1.0.3427
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:32 [acmonitor_x83.exe]
FilePath : C:\PROGRA~1\LEXMAR~1\
ProcessID : 2452
ThreadCreationTime : 2-6-2006 1:47:44 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Jetsoft Development Company ACMonitor
CompanyName : Jetsoft Development Company
FileDescription : ACMonitor
InternalName : ACMonitor
LegalCopyright : Copyright © 2000
OriginalFilename : ACMonitor.exe
Comments : By: Alan S Hong

#:33 [acbtnmgr_x83.exe]
FilePath : C:\PROGRA~1\LEXMAR~1\
ProcessID : 2460
ThreadCreationTime : 2-6-2006 1:47:44 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Jetsoft Development Company AcBtnMgr
CompanyName : Jetsoft Development Company
FileDescription : AcBtnMgr
InternalName : AcBtnMgr
LegalCopyright : Copyright © 2000
OriginalFilename : AcBtnMgr.exe
Comments : By: Alan S Hong

#:34 [aolservicehost.exe]
FilePath : C:\Program Files\Common Files\AOL\1131946386\ee\
ProcessID : 2464
ThreadCreationTime : 2-6-2006 1:47:44 AM
BasePriority : Normal
FileVersion : 1.3.6.0
ProductVersion : 1.3.6.0
ProductName : AOL Service Libraries
CompanyName : America Online, Inc.
FileDescription : AOL
InternalName : AOLServiceHost
LegalCopyright : © 2005 America Online, Inc.
OriginalFilename : AOLServiceHost.exe

#:35 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 2520
ThreadCreationTime : 2-6-2006 1:47:46 AM
BasePriority : Normal
FileVersion : 6.0.2.23
ProductVersion : 6.0.2.23
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:36 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 2532
ThreadCreationTime : 2-6-2006 1:47:47 AM
BasePriority : Normal
FileVersion : 7.0.4
ProductVersion : QuickTime 7.0.4
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
FileDescription : QuickTime Task
InternalName : QuickTime Task
LegalCopyright : Copyright Apple Computer, Inc. 1989-2006
OriginalFilename : QTTask.exe

#:37 [vptray.exe]
FilePath : C:\PROGRA~1\SYMANT~1\SYMANT~1\
ProcessID : 2548
ThreadCreationTime : 2-6-2006 1:47:47 AM
BasePriority : Normal
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright © Symantec Corporation 1991-2002

#:38 [gcasdtserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 2556
ThreadCreationTime : 2-6-2006 1:47:47 AM
BasePriority : Normal
FileVersion : 1.00.0701
ProductVersion : 1.00.0701
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe

#:39 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2728
ThreadCreationTime : 2-6-2006 1:47:56 AM
BasePriority : Normal
FileVersion : 6.0.2.23
ProductVersion : 6.0.2.23
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:40 [wmiprvse.exe]
FilePath : C:\WINDOWS\System32\wbem\
ProcessID : 3132
ThreadCreationTime : 2-6-2006 1:48:10 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe

#:41 [point32.exe]
FilePath : C:\Program Files\Microsoft IntelliPoint\
ProcessID : 3148
ThreadCreationTime : 2-6-2006 1:48:11 AM
BasePriority : Normal


#:42 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 3320
ThreadCreationTime : 2-6-2006 1:48:19 AM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:43 [aolsp scheduler.exe]
FilePath : c:\program files\common files\aol\1131946386\ee\services\antiSpywareApp\ver2_0_7\
ProcessID : 3376
ThreadCreationTime : 2-6-2006 1:48:19 AM
BasePriority : Normal


#:44 [aolservicehost.exe]
FilePath : C:\Program Files\Common Files\AOL\1131946386\ee\
ProcessID : 3384
ThreadCreationTime : 2-6-2006 1:48:19 AM
BasePriority : Normal
FileVersion : 1.3.6.0
ProductVersion : 1.3.6.0
ProductName : AOL Service Libraries
CompanyName : America Online, Inc.
FileDescription : AOL
InternalName : AOLServiceHost
LegalCopyright : © 2005 America Online, Inc.
OriginalFilename : AOLServiceHost.exe

#:45 [weather.exe]
FilePath : C:\PROGRA~1\AWS\WEATHE~1\
ProcessID : 3492
ThreadCreationTime : 2-6-2006 1:48:22 AM
BasePriority : Normal
FileVersion : 6, 6, 0, 0
ProductVersion : 6, 6, 0, 0
ProductName : WeatherBug
CompanyName : AWS Convergence Technologies, Inc.
InternalName : Desktop Weather
LegalCopyright : Copyright © 2001-2005
OriginalFilename : Weather.exe
Comments : World Largest Weather Network

#:46 [reader_sl.exe]
FilePath : C:\Program Files\Adobe\Acrobat 7.0\Reader\
ProcessID : 3536
ThreadCreationTime : 2-6-2006 1:48:23 AM
BasePriority : Normal
FileVersion : 7.0.5.2005092300
ProductVersion : 7.0.5.2005092300
ProductName : Adobe Acrobat
CompanyName : Adobe Systems Incorporated
FileDescription : Adobe Acrobat SpeedLauncher
LegalCopyright : Copyright 1984-2005 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroSpeedLaunch.exe

#:47 [waol.exe]
FilePath : C:\Program Files\America Online 9.0\
ProcessID : 3556
ThreadCreationTime : 2-6-2006 1:48:23 AM
BasePriority : Idle


#:48 [hotsync.exe]
FilePath : C:\Palm\
ProcessID : 3568
ThreadCreationTime : 2-6-2006 1:48:23 AM
BasePriority : Normal
FileVersion : 3.1.0
ProductVersion : 3.1.0
ProductName : HotSync® Manager
CompanyName : Palm Computing, Inc.
FileDescription : HotSync® Manager Application
InternalName : HotSync®
LegalCopyright : Copyright © 1995-1999 Palm Computing, Inc.
LegalTrademarks : HotSync® is a registered trademark of Palm Computing, Inc.
OriginalFilename : Hotsync.exe

#:49 [sonytray.exe]
FilePath : C:\Program Files\Sony Corporation\Image Transfer\
ProcessID : 3588
ThreadCreationTime : 2-6-2006 1:48:24 AM
BasePriority : Normal


#:50 [qbdagent2002.exe]
FilePath : C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\
ProcessID : 3656
ThreadCreationTime : 2-6-2006 1:48:25 AM
BasePriority : Normal
FileVersion : 10, 1, 0, 0
ProductVersion : 10, 1, 0, 0
ProductName : QuickBooks
FileDescription : QBDAgent Module
InternalName : QBDAgent
LegalCopyright : Copyright © 1999-2002 by Intuit
LegalTrademarks : QuickBooks® and Quicken® are registered trademarks of Intuit Inc.
OriginalFilename : QBDAgent.EXE

#:51 [wzqkpick.exe]
FilePath : C:\Program Files\WinZip\
ProcessID : 3676
ThreadCreationTime : 2-6-2006 1:48:26 AM
BasePriority : Normal
FileVersion : 1.0 (32-bit)
ProductVersion : 10.0 (6595)
ProductName : WinZip
CompanyName : WinZip Computing LP
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
LegalCopyright : Copyright © WinZip International LLC 1991-2005 - All Rights Reserved
LegalTrademarks : WinZip is a registered trademark of WinZip International LLC
OriginalFilename : WZQKPICK.EXE
Comments : StringFileInfo: U.S. English

#:52 [shellmon.exe]
FilePath : C:\Program Files\America Online 9.0\
ProcessID : 2148
ThreadCreationTime : 2-6-2006 1:49:15 AM
BasePriority : Normal


#:53 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 3008
ThreadCreationTime : 2-6-2006 1:51:34 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

UCmore Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1606980848-1844237615-725345543-1004\software\maxthon\plugin\toolbar\{44be0690-5429-47f0-85bb-3ffd8020233e}

UCmore Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Data Miner
Comment : "{44BE0690-5429-47F0-85BB-3FFD8020233E}"
Rootkey : HKEY_USERS
Object : S-1-5-21-1606980848-1844237615-725345543-1004\software\microsoft\internet explorer\toolbar\webbrowser
Value : {44BE0690-5429-47F0-85BB-3FFD8020233E}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : eric ramirez@clickbank[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:eric ramirez@clickbank.net/
Expires : 8-1-2006 10:53:44 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : eric ramirez@banner.usacasino[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:eric ramirez@banner.usacasino.com/
Expires : 2-2-2006 11:03:14 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : eric ramirez@z1.adserver[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:eric ramirez@z1.adserver.com/
Expires : 2-2-2007 10:32:22 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : eric ramirez@adserve.webtoolcafe[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:eric ramirez@adserve.webtoolcafe.com/
Expires : 2-2-2007 10:54:16 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 6



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.TrojanDownloader.Qoologic Object Recognized!
Type : File
Data : B0B8AA75-F15A-4354-B249-A88BAD
TAC Rating : 10
Category : Malware
Comment :
Object : C:\Program Files\Microsoft AntiSpyware\Quarantine\1FE9A7A6-8579-49B0-B1A9-529EA1\



e2give Object Recognized!
Type : File
Data : 24C68246-848E-4323-B72B-27C529
TAC Rating : 7
Category : Malware
Comment :
Object : C:\Program Files\Microsoft AntiSpyware\Quarantine\6F350B63-CAD9-4315-B0A1-5DD894\
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
ProductName : e2g plugin
CompanyName : e2give, LLC
FileDescription : http://e2give.com/license.html
InternalName : IeBHOs.dll
LegalCopyright : Copyright © 2003 e2give, LLC
OriginalFilename : IeBHOs.dll
Comments : e2g plugin


Win32.TrojanDownloader.Qoologic Object Recognized!
Type : File
Data : A8E25C57-117A-4809-A028-C4751F
TAC Rating : 10
Category : Malware
Comment :
Object : C:\Program Files\Microsoft AntiSpyware\Quarantine\ACEE2A7B-AC0A-4147-8CED-491B0B\



e2give Object Recognized!
Type : File
Data : F64CFFB0-5BAE-4D2D-BFCF-026CD6
TAC Rating : 7
Category : Malware
Comment :
Object : C:\Program Files\Microsoft AntiSpyware\Quarantine\BBAF6A42-9964-406C-AB83-95DAAC\
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
ProductName : e2g plugin
CompanyName : e2give, LLC
FileDescription : http://e2give.com/license.html
InternalName : IeBHOs.dll
LegalCopyright : Copyright © 2003 e2give, LLC
OriginalFilename : IeBHOs.dll
Comments : e2g plugin


e2give Object Recognized!
Type : File
Data : 6B679EB9-4941-4240-AA68-D2E2C2
TAC Rating : 7
Category : Malware
Comment :
Object : C:\Program Files\Microsoft AntiSpyware\Quarantine\D35B60A6-EE95-4A9E-B64D-A1BFD4\
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
ProductName : e2g plugin
CompanyName : e2give, LLC
FileDescription : http://e2give.com/license.html
InternalName : IeBHOs.dll
LegalCopyright : Copyright © 2003 e2give, LLC
OriginalFilename : IeBHOs.dll
Comments : e2g plugin


CoolWebSearch Object Recognized!
Type : File
Data : A0016308.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP116\



CoolWebSearch Object Recognized!
Type : File
Data : A0016309.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP116\



CoolWebSearch Object Recognized!
Type : File
Data : A0016310.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP116\



e2give Object Recognized!
Type : File
Data : A0016342.dll
TAC Rating : 7
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
ProductName : e2g plugin
CompanyName : e2give, LLC
FileDescription : http://e2give.com/license.html
InternalName : IeBHOs.dll
LegalCopyright : Copyright © 2003 e2give, LLC
OriginalFilename : IeBHOs.dll
Comments : e2g plugin


Prutect Object Recognized!
Type : File
Data : A0016345.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\



Prutect Object Recognized!
Type : File
Data : A0016346.dll
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\



e2give Object Recognized!
Type : File
Data : A0016417.dll
TAC Rating : 7
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
ProductName : e2g plugin
CompanyName : e2give, LLC
FileDescription : http://e2give.com/license.html
InternalName : IeBHOs.dll
LegalCopyright : Copyright © 2003 e2give, LLC
OriginalFilename : IeBHOs.dll
Comments : e2g plugin


Win32.TrojanDownloader.Qoologic Object Recognized!
Type : File
Data : A0018462.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\



Prutect Object Recognized!
Type : File
Data : A0018464.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\



Prutect Object Recognized!
Type : File
Data : A0018465.dll
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\



e2give Object Recognized!
Type : File
Data : A0018467.dll
TAC Rating : 7
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
ProductName : e2g plugin
CompanyName : e2give, LLC
FileDescription : http://e2give.com/license.html
InternalName : IeBHOs.dll
LegalCopyright : Copyright © 2003 e2give, LLC
OriginalFilename : IeBHOs.dll
Comments : e2g plugin


Prutect Object Recognized!
Type : File
Data : A0018568.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\



Prutect Object Recognized!
Type : File
Data : A0018569.dll
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\



CoolWebSearch Object Recognized!
Type : File
Data : A0020850.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\



CoolWebSearch Object Recognized!
Type : File
Data : A0020851.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\



CoolWebSearch Object Recognized!
Type : File
Data : A0020868.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\



CoolWebSearch Object Recognized!
Type : File
Data : A0020869.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP117\



e2give Object Recognized!
Type : File
Data : pi1_58.exe
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\system32\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 29


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : eric ramirez@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : D:\Documents and Settings\Eric Ramirez\Cookies\eric ramirez@2o7[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : eric ramirez@ads.pointroll[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : D:\Documents and Settings\Eric Ramirez\Cookies\eric ramirez@ads.pointroll[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : eric ramirez@centrport[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : D:\Documents and Settings\Eric Ramirez\Cookies\eric ramirez@centrport[2].txt

MegaSearch Toolbar Object Recognized!
Type : File
Data : A0014162.dll
TAC Rating : 4
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP101\
FileVersion : 3.0.0.5
ProductVersion : 3.0


Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 33


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
34 entries scanned.
New critical objects:0
Objects found so far: 33




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

UCmore Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\effective-i

UCmore Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\effective-i

CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\downloadmanager

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\new windows
Value : PopupMgr

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Enable Browser Extensions

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar

CoolWebSearch Object Recognized!
Type : File
Data : wbemess.log
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\system32\wbem\logs\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 9
Objects found so far: 42

10:00:04 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:01:08:10.937
Objects scanned:213268
Objects identified:42
Objects ignored:0
New critical objects:42


What do I do next? I am also running another scan right now from AOL Spyware that is still running, and so far it has detected Trojan- Download.win32.adload.j as well as Trojan.win32.qhost... I'll include those results as soon as it's done scanning my system...

#13 Daemon (Security Expert, Members, 1,446 posts, Location: UK)

Posted 06 February 2006 - 02:50 AM

Allow them to quarantine what they find. Mostly old registry entries and cookies. AAW is actually detecting the MSAS quarantine file if you look carefully.

Click here to download ewido anti-malware - it is a trial version of the program.
  • Install ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido: there should be an icon on your desktop; double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Then:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido.

Rescan with HJT and post a new log here together with the ewido log so that any remnants can be removed manually.

Grab a copy of this little free application to help control those tracking cookies in future:

http://www.analogx.com/contents/download/network/cookie.htm

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here
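Daemon's point that Ad-Aware is flagging files already sitting in Microsoft AntiSpyware's quarantine (and, likewise, copies inside System Restore snapshots) is worth checking mechanically rather than by eye. The following is an added example, not code from the thread or from Lavasoft: it parses the "Object Recognized!" blocks of the Ad-Aware report format quoted above and tags each finding as active, quarantined, restore-point or cookie; the sample log is constructed from entries in the thread.

```python
# Added example (not from the thread, not Lavasoft's code): triage an Ad-Aware
# SE report of the format quoted above. Files in another tool's quarantine or
# in System Restore snapshots are inert; only the rest need attention.
import re

# Constructed sample: four blocks modelled on entries in the thread's log.
SAMPLE_LOG = r"""
e2give Object Recognized!
Type : File
Data : 24C68246-848E-4323-B72B-27C529
TAC Rating : 7
Comment :
Object : C:\Program Files\Microsoft AntiSpyware\Quarantine\6F350B63-CAD9-4315-B0A1-5DD894\

CoolWebSearch Object Recognized!
Type : File
Data : A0016308.dll
TAC Rating : 10
Object : C:\System Volume Information\_restore{D0F798D7-87E2-4374-B220-7170010B4D9F}\RP116\

e2give Object Recognized!
Type : File
Data : pi1_58.exe
TAC Rating : 7
Object : C:\WINDOWS\system32\

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : eric ramirez@clickbank[2].txt
TAC Rating : 3
Comment : Hits:3
Value : Cookie:eric ramirez@clickbank.net/
"""

HEADER = re.compile(r"^(?P<name>.+?) Object Recognized!$")
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s?(?P<value>.*)$")
# Ad-Aware reads Microsoft AntiSpyware's quarantine store and System Restore
# snapshots; hits there are stored copies, not code running on the machine.
QUARANTINE = re.compile(r"\\quarantine\\", re.IGNORECASE)
RESTORE_POINT = re.compile(r"\\system volume information\\_restore", re.IGNORECASE)


def location(finding: dict) -> str:
    """File findings carry the directory in Object; cookies use Value."""
    return finding.get("Object") or finding.get("Value", "")


def parse_report(text: str) -> list:
    """Turn 'Name Object Recognized!' blocks into dicts of their key/value lines."""
    findings, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            current = None  # a blank line closes the block
        elif m := HEADER.match(line):
            current = {"name": m.group("name")}
            findings.append(current)
        elif current is not None and (m := FIELD.match(line)):
            current[m.group("key").strip()] = m.group("value").strip()
    return findings


def triage(finding: dict) -> str:
    """Verdict: cookie, quarantined, restore-point, or active (needs attention)."""
    if finding.get("Type") == "IECache Entry":
        return "cookie"
    if QUARANTINE.search(location(finding)):
        return "quarantined"
    if RESTORE_POINT.search(location(finding)):
        return "restore-point"
    return "active"


def summarize(text: str) -> dict:
    """Group findings by verdict, highest TAC rating first within each group."""
    buckets = {"active": [], "quarantined": [], "restore-point": [], "cookie": []}
    for f in sorted(parse_report(text), key=lambda f: -int(f.get("TAC Rating", 0))):
        buckets[triage(f)].append(f"{f['name']}: {f.get('Data', '?')} in {location(f)}")
    return buckets
```

Run `summarize(SAMPLE_LOG)` on the sample: only the e2give file in C:\WINDOWS\system32\ lands in "active"; the MSAS quarantine entry and the RP116 copy are reported as already neutralised.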

#14 Raines (Topic Starter, Members, 29 posts)

Posted 06 February 2006 - 10:02 AM

Okay, here are both logs. Should I be doing anything else after this? Right now, when I leave the computer unattended for a long period of time and return to the screen, my desktop is gone and the screen is black, and no matter how much I move the mouse or hit the keyboard I have to reboot the computer to gain access to my applications/programs; it seems like it's frozen... Thought you should know.

Thanks again for your help!


ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:50:56 AM, 2/6/2006
+ Report-Checksum: 7285300D

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-1606980848-1844237615-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-1606980848-1844237615-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-1606980848-1844237615-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-1606980848-1844237615-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKU\S-1-5-21-1606980848-1844237615-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44BE0690-5429-47F0-85BB-3FFD8020233E} -> Spyware.UCmore : Cleaned with backup
HKU\S-1-5-21-1606980848-1844237615-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Eric Ramirez\Application Data\Netscape\NSB\Profiles\y3z0ya92.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Cookies\eric ramirez@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Cookies\eric ramirez@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Cookies\eric ramirez@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Cookies\eric ramirez@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Cookies\eric ramirez@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\backup.zip/dlls/ddvenum.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\backup.zip/dlls/f82mlif1182.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\backup.zip/dlls/h40qled51h0.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\backup.zip/dlls/kudgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\backup.zip/dlls/mjvidc32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\backup.zip/dlls/p26slcj71fo.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\backup.zip/dlls/wepsrcwp.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\backup.zip/dlls/wnpencen.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\dlls\ddvenum.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\dlls\f82mlif1182.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\dlls\h40qled51h0.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\dlls\kudgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\dlls\mjvidc32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\dlls\p26slcj71fo.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\dlls\wepsrcwp.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\l2mfix\dlls\wnpencen.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Desktop\SmileyCentralSetup2.0.4.2.exe -> Spyware.MyWebSearch : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Local Settings\Temp\Cookies\eric ramirez@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Local Settings\Temp\Cookies\eric ramirez@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Local Settings\Temp\D0BE.tmp/titno.exe -> Adware.MDH : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\Local Settings\Temp\i1A.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Eric Ramirez\My Documents\HJT Files\backups\backup-20060205-160501-469.dll -> Adware.Suggestor : Cleaned with backup
C:\gimmygames.exe -> Downloader.VB.vr : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6CCFEFE7-94AC-472E-AF19-120127\C21463A1-07C3-46A3-81EE-CB5418 -> Adware.Suggestor : Cleaned with backup
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-1606980848-1844237615-725345543-1004\Dc12.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\gimmygames.exe -> Downloader.VB.vr : Cleaned with backup
C:\WINDOWS\system32\msupdate32.dll -> Proxy.Agent.ij : Cleaned with backup
C:\WINDOWS\tool4.exe -> Downloader.Small.arj : Cleaned with backup
C:\WINDOWS\winsysban5.exe -> Hijacker.VB.kc : Cleaned with backup
C:\WINDOWS\winsysupd5.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\winsysban5.exe -> Hijacker.VB.kc : Cleaned with backup


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 9:54:14 AM, on 2/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\1131946386\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1131946386\ee\AOLServiceHost.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\program files\common files\aol\1131946386\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1131946386\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Eric Ramirez\My Documents\HJT Files\HijackThis.exe

#15 Daemon (Security Expert, Members, 1,446 posts, Location: UK)

Posted 06 February 2006 - 10:32 AM

That's not a complete HJT log; could you repost it?

Have you disabled anything using MSConfig?