Hijackthis Log, Look2me And Possibly More?


This topic is locked
4 replies to this topic

#1 flash85

flash85

  • Members
  • 31 posts
  • OFFLINE
  • Local time:07:19 PM

Posted 01 June 2006 - 06:51 AM

I'm receiving constant popups with muon.html & tau.html, please help as my boss thinks I'm constantly surfing the net when I'm at work!

Logfile of HijackThis v1.99.1
Scan saved at 10:31:15, on 01/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Gmsj\Rwtx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ipwins\ipwins.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AutoCAD LT 2002\aclt.exe
C:\Program Files\Internet Explorer\wiedw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ashley\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Rnpflhs] C:\Program Files\Gmsj\Rwtx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [w1266f7d.dll] RUNDLL32.EXE w1266f7d.dll,I2 0012173901266f7d
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ozqr] C:\PROGRA~1\COMMON~1\ozqr\ozqrm.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000228.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...735352D2D2D.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149066854359
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\i4jqle151h.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Edited by flash85, 01 June 2006 - 06:55 AM.



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:19 AM

Posted 01 June 2006 - 08:54 AM

Hello, this is a nasty log :thumbsup:

It is really important that you perform the next instructions in the right order without missing any step!


First of all, you didn't unzip/extract hijackthis, and it's still in the temp folder.
So I strongly advise you to unzip/extract hijackthis.zip.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move hijackthis.exe into it. The reason is that hijackthis creates backups, and when it's in your temp folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

* Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • (If Look2Me-Destroyer does not reopen automatically, reboot and try again.)
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

------------------------

* Download AlcanShorty from here.
  • Click the download button below and agree to download the fix.
  • Download Alcanshorty to your desktop.
  • Double-click alcanshorty_en.exe and click Install
  • This will create a new folder on your desktop called alcanshorty_en
  • Open that folder and double-click Run.bat
  • Once the fix starts, your icons and desktop will disappear, this is normal.
Make sure you have a working internet connection. In case your firewall gives an alert, don't block it,
because alcanshorty needs to download some additional files to let the tool run properly.
  • Wait for the complete script execution box to popup and press OK.
  • Press exit to terminate the BFU program.
-------------------

Please download Ewido anti-malware; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Reboot into Safe Mode (without networking support!):
  • To get into Safe Mode as the computer is booting, press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [Rnpflhs] C:\Program Files\Gmsj\Rwtx.exe
O4 - HKLM\..\Run: [w1266f7d.dll] RUNDLL32.EXE w1266f7d.dll,I2 0012173901266f7d
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [ozqr] C:\PROGRA~1\COMMON~1\ozqr\ozqrm.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000228.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...735352D2D2D.exe
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\i4jqle151h.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\Gmsj <== folder
C:\Program Files\ipwins <== folder
C:\Program Files\Internet Explorer\wiedw.exe <== don't delete iedw.exe!!
C:\Program Files\ISTbar <== folder
C:\Windows\system32\w1266f7d.dll
C:\PROGRAM FILES\COMMON FILES\ozqr <== folder
C:\Program Files\Common Files\mc-110-12-0000228.exe

* Still in safe mode... * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Open Ewido anti-malware
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply,
together with the contents of Look2Me-Destroyer.txt present on your desktop and a new HiJackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
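A way to check the "Fix Checked" step mechanically, as an added example that is not part of the original thread and not code from HijackThis or from the helper: the Python below parses HijackThis v1.99.1-style logs (the "Running processes" list plus the R/F/N/O entry lines), diffs a "before" log against an "after" log, and reports which entries from a fix list are still present. The two embedded logs are constructed excerpts of the logs posted in this thread (the first post and the follow-up), not complete copies, and the function names are assumptions of this example.

```python
"""Diff two HijackThis-style logs and verify that a 'Fix checked' list was applied."""
import re
from typing import Dict, List, Set

# HijackThis entry lines start with a section code (R0, R1, O3, O4, O16, O20, O23, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Constructed excerpt of the "before" log posted by the topic starter (subset of lines).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Gmsj\Rwtx.exe
C:\Program Files\ipwins\ipwins.exe
C:\Program Files\Internet Explorer\wiedw.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [Rnpflhs] C:\Program Files\Gmsj\Rwtx.exe
O4 - HKLM\..\Run: [w1266f7d.dll] RUNDLL32.EXE w1266f7d.dll,I2 0012173901266f7d
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000228.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\i4jqle151h.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed excerpt of the "after" log posted once the cleanup steps had been run.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\HJT\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\HJT\ewido anti-malware\ewidoctrl.exe
"""

# The entries the helper asked to have "Fix checked" (subset of the list in the thread).
FIX_LIST = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank",
    r"O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)",
    r"O4 - HKLM\..\Run: [Rnpflhs] C:\Program Files\Gmsj\Rwtx.exe",
    r"O4 - HKLM\..\Run: [w1266f7d.dll] RUNDLL32.EXE w1266f7d.dll,I2 0012173901266f7d",
    r"O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000228.exe",
    r"O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)",
    r"O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\i4jqle151h.dll",
]


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Return the 'Running processes' list and the section entries of one log."""
    processes: List[str] = []
    entries: List[str] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return {"processes": processes, "entries": entries}


def entries_by_section(entries: List[str]) -> Dict[str, List[str]]:
    """Group entry lines by their section code (O4, O16, O20, ...)."""
    grouped: Dict[str, List[str]] = {}
    for entry in entries:
        grouped.setdefault(ENTRY_RE.match(entry).group(1), []).append(entry)
    return grouped


def diff_logs(before: str, after: str) -> Dict[str, Set[str]]:
    """What disappeared and what is new between two logs (process paths compared case-insensitively)."""
    b, a = parse_hjt(before), parse_hjt(after)
    b_proc = {p.lower() for p in b["processes"]}
    a_proc = {p.lower() for p in a["processes"]}
    return {
        "entries_removed": set(b["entries"]) - set(a["entries"]),
        "entries_added": set(a["entries"]) - set(b["entries"]),
        "processes_gone": b_proc - a_proc,
        "processes_new": a_proc - b_proc,
    }


def still_present(after: str, fix_list: List[str]) -> List[str]:
    """Entries from the fix list that survive in the new log; an empty list means the fix took."""
    present = set(parse_hjt(after)["entries"])
    return [line for line in fix_list if line.strip() in present]


if __name__ == "__main__":
    result = diff_logs(BEFORE_LOG, AFTER_LOG)
    for key in ("entries_removed", "entries_added", "processes_gone", "processes_new"):
        print(f"{key} ({len(result[key])}):")
        for item in sorted(result[key]):
            print("   ", item)
    leftovers = still_present(AFTER_LOG, FIX_LIST)
    print("fix list fully applied" if not leftovers else f"still present: {leftovers}")
```

Entry lines are compared verbatim, so an entry whose path casing or ordering changed between scans shows up once under removed and once under added rather than as unchanged; process paths are lowercased because the same explorer.exe appears with different casing in the two logs. New entries are worth reading as carefully as removed ones: here the only additions are the ewido service and the Panda ActiveScan control that the helper's own instructions introduce.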

#3 flash85

flash85
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:07:19 PM

Posted 02 June 2006 - 09:28 AM

Thanks very much for your help, super quick and easy to follow, and the problem seems to have cleared up I think! Thanks again!

ACTIVE SCAN

Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\ashley\Local Settings\Temporary Internet Files\Ssk.log
Adware:Adware/CommAd Not disinfected C:\WINDOWS\YXNobGV5IHBj\srhCv3pcKJ13.vbs

EWIDO

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 13:45:55, 02/06/2006
+ Report-Checksum: ACB7C0EF

+ Scan result:

HKLM\SOFTWARE\Classes\ISTbar.BarObj -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTbar.BarObj\CLSID -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer\CLSID -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CLSID -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CurVer -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag.1 -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\SideFind -> Adware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbar -> Adware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-448539723-1326574676-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-448539723-1326574676-725345543-1003\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
C:\bintheredunthat\w1266f7d.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\Documents and Settings\ashley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-657ed063-42c781b9.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup
C:\Program Files\DNS\Catcher.dll -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\DNS\Catcher.exe -> Adware.Agent : Cleaned with backup
C:\Program Files\DNS\cwebpage.dll -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\license.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whAgent.ini -> Adware.Webhancer : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\loader2.exe -> Adware.Azesearch : Cleaned with backup
C:\WINDOWS\drsmartload45a.exe -> Downloader.Adload.bo : Cleaned with backup
C:\WINDOWS\drsmartload46a.exe -> Downloader.Adload.bo : Cleaned with backup
C:\WINDOWS\drsmartload849a.exe -> Downloader.Adload.bo : Cleaned with backup
C:\WINDOWS\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\WINDOWS\system32\ticads.exe -> Adware.Azesearch : Cleaned with backup
C:\WINDOWS\system32\ticont.dll -> Adware.Azesearch : Cleaned with backup
C:\WINDOWS\system32\tisa.dll -> Adware.Azesearch : Cleaned with backup
C:\WINDOWS\system32\ttu.exe -> Adware.Azesearch : Cleaned with backup
C:\WINDOWS\system32\tu.exe -> Adware.Azesearch : Cleaned with backup
C:\WINDOWS\WHCC2.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\WINDOWS\wsem303.dll -> Downloader.Dyfuca.dt : Cleaned with backup
C:\WINDOWS\YXNobGV5IHBj\command.exe -> Adware.CommAd : Cleaned with backup


::Report End


HIJACK THIS


Logfile of HijackThis v1.99.1
Scan saved at 13:58:02, on 02/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\HJT\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AutoCAD LT 2002\aclt.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149066854359
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\HJT\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


LOOK2ME DESTROYER

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/2/2006 12:47:11

Infected! C:\WINDOWS\system32\d4j02e1mgh.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP17\A0017945.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP18\A0018016.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP18\A0018017.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP19\A0018050.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP19\A0018051.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP20\A0018122.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP20\A0018124.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP23\A0018170.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP23\A0018196.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP24\A0018200.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP25\A0018460.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP28\A0018973.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP28\A0019003.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP29\A0019015.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP30\A0019041.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP32\A0019093.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP33\A0019114.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP35\A0019180.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP36\A0019196.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP37\A0019217.dll
Infected! C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP38\A0019229.dll
Infected! C:\WINDOWS\system32\d4j02e1mgh.dll
Infected! C:\WINDOWS\system32\e820lifm182a.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\d4j02e1mgh.dll
C:\WINDOWS\system32\d4j02e1mgh.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP17\A0017945.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP17\A0017945.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP18\A0018016.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP18\A0018016.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP18\A0018017.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP18\A0018017.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP19\A0018050.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP19\A0018050.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP19\A0018051.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP19\A0018051.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP20\A0018122.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP20\A0018122.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP20\A0018124.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP20\A0018124.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP23\A0018170.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP23\A0018170.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP23\A0018196.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP23\A0018196.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP24\A0018200.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP24\A0018200.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP25\A0018460.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP25\A0018460.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP28\A0018973.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP28\A0018973.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP28\A0019003.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP28\A0019003.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP29\A0019015.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP29\A0019015.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP30\A0019041.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP30\A0019041.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP32\A0019093.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP32\A0019093.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP33\A0019114.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP33\A0019114.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP35\A0019180.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP35\A0019180.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP36\A0019196.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP36\A0019196.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP37\A0019217.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP37\A0019217.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP38\A0019229.dll
C:\System Volume Information\_restore{8757D471-BB46-4C56-A2BA-77B0BD7FC9D4}\RP38\A0019229.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\d4j02e1mgh.dll
C:\WINDOWS\system32\d4j02e1mgh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\e820lifm182a.dll
C:\WINDOWS\system32\e820lifm182a.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{FCFED524-35F0-46FE-BAC9-8D9ECB97F34D}"
HKCR\Clsid\{FCFED524-35F0-46FE-BAC9-8D9ECB97F34D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0BDB93B6-0E7A-4E53-A7A9-46008D74E1E7}"
HKCR\Clsid\{0BDB93B6-0E7A-4E53-A7A9-46008D74E1E7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7088D8E9-E52A-4098-9B22-37864063C61C}"
HKCR\Clsid\{7088D8E9-E52A-4098-9B22-37864063C61C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2C737484-90E7-4F64-BBCD-760562E9C7DE}"
HKCR\Clsid\{2C737484-90E7-4F64-BBCD-760562E9C7DE}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{447C29A6-224F-432F-9C01-9B50261DB9C4}"
HKCR\Clsid\{447C29A6-224F-432F-9C01-9B50261DB9C4}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{33ACDD20-7577-4440-B920-EAB92DF66D6A}"
HKCR\Clsid\{33ACDD20-7577-4440-B920-EAB92DF66D6A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1476D482-03BD-49C6-9B31-63CEAF5FF819}"
HKCR\Clsid\{1476D482-03BD-49C6-9B31-63CEAF5FF819}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{347DB0CA-FBA3-43E4-8221-A25663739E29}"
HKCR\Clsid\{347DB0CA-FBA3-43E4-8221-A25663739E29}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E8B5D584-6C62-4E17-A63A-EA86055B0763}"
HKCR\Clsid\{E8B5D584-6C62-4E17-A63A-EA86055B0763}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A470A900-57EF-4D89-85FC-4797FBAFF494}"
HKCR\Clsid\{A470A900-57EF-4D89-85FC-4797FBAFF494}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C83B6D23-C618-4CC6-8FA0-FDB66ACA6C62}"
HKCR\Clsid\{C83B6D23-C618-4CC6-8FA0-FDB66ACA6C62}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6A6C4FE9-0307-4BD2-98EB-FF1BB0739BCD}"
HKCR\Clsid\{6A6C4FE9-0307-4BD2-98EB-FF1BB0739BCD}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7BD79C53-56D3-49ED-9194-6E7397597C09}"
HKCR\Clsid\{7BD79C53-56D3-49ED-9194-6E7397597C09}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5F6E5FC0-22EA-4559-B226-BFC42C291DCB}"
HKCR\Clsid\{5F6E5FC0-22EA-4559-B226-BFC42C291DCB}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{31FD9732-BADF-40EC-8FE8-DEAE3CFD760A}"
HKCR\Clsid\{31FD9732-BADF-40EC-8FE8-DEAE3CFD760A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4D32DCEB-0533-46CC-9A81-CA116DCF6D8F}"
HKCR\Clsid\{4D32DCEB-0533-46CC-9A81-CA116DCF6D8F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{885D4028-14B6-411A-8197-519447C991E9}"
HKCR\Clsid\{885D4028-14B6-411A-8197-519447C991E9}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6B68EBDD-620F-4000-A772-2DA0B28D8CD7}"
HKCR\Clsid\{6B68EBDD-620F-4000-A772-2DA0B28D8CD7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{00BCB3C1-8444-4A21-80F0-80DEB8E8C94B}"
HKCR\Clsid\{00BCB3C1-8444-4A21-80F0-80DEB8E8C94B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E7D321D4-AD60-469C-87CB-80388037EA8D}"
HKCR\Clsid\{E7D321D4-AD60-469C-87CB-80388037EA8D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C33E2065-3A49-4DFF-8A42-2DFEBCBE5168}"
HKCR\Clsid\{C33E2065-3A49-4DFF-8A42-2DFEBCBE5168}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BDFB55A0-DF85-4A84-A7C6-8887280954FB}"
HKCR\Clsid\{BDFB55A0-DF85-4A84-A7C6-8887280954FB}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0182CD63-4A83-4BE8-96C5-98C7D63EA107}"
HKCR\Clsid\{0182CD63-4A83-4BE8-96C5-98C7D63EA107}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B28D82AB-DC4A-4C36-BD73-165D707DB73D}"
HKCR\Clsid\{B28D82AB-DC4A-4C36-BD73-165D707DB73D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6A7A71BD-C6E5-48EF-8F18-4925D748CC46}"
HKCR\Clsid\{6A7A71BD-C6E5-48EF-8F18-4925D748CC46}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{05A4AD54-9613-4A2B-A18E-2E8763587F06}"
HKCR\Clsid\{05A4AD54-9613-4A2B-A18E-2E8763587F06}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9A8145F3-00C9-4193-B367-548DFF7FFF5B}"
HKCR\Clsid\{9A8145F3-00C9-4193-B367-548DFF7FFF5B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{90D0A92E-67CF-4E31-8117-961CC9289EE5}"
HKCR\Clsid\{90D0A92E-67CF-4E31-8117-961CC9289EE5}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5CA1C17C-4447-449D-BAB8-25019474B83A}"
HKCR\Clsid\{5CA1C17C-4447-449D-BAB8-25019474B83A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B2FA0AE4-27DA-4F86-B184-62615E2CD45A}"
HKCR\Clsid\{B2FA0AE4-27DA-4F86-B184-62615E2CD45A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8233F75D-E86F-4758-A87C-896881588EC4}"
HKCR\Clsid\{8233F75D-E86F-4758-A87C-896881588EC4}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{370592E8-CE37-45E8-81A2-AF123B18181C}"
HKCR\Clsid\{370592E8-CE37-45E8-81A2-AF123B18181C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{90F22888-62BB-47DC-B3A4-E6F72DD71D85}"
HKCR\Clsid\{90F22888-62BB-47DC-B3A4-E6F72DD71D85}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C2A8A416-2C2D-4071-9E3E-8377FA2927F8}"
HKCR\Clsid\{C2A8A416-2C2D-4071-9E3E-8377FA2927F8}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 June 2006 - 10:02 AM

Big improvement here. :thumbsup:

Your HijackThis log looks clean again.

Delete the following folder:

C:\WINDOWS\YXNobGV5IHBj

This will be a hidden folder, so make sure hidden files and folders are shown, as explained here:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Delete the following file:

C:\Documents and Settings\ashley\Local Settings\Temporary Internet Files\Ssk.log

It is possible you won't find this file, even when hidden files and folders are shown. In that case, you can use the 'delete on reboot' option in HijackThis to get rid of it, since that should see the file.

To use the delete on reboot option:

* Open HijackThis and click 'Config' (bottom right).
* Choose the 'Misc Tools' tab at the top.
* Choose 'Delete a file on reboot'.
* In the field, copy and paste the following:

C:\Documents and Settings\ashley\Local Settings\Temporary Internet Files\Ssk.log

* Click Open.
* HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now. Click Yes/OK.
* Your system should reboot now.

Let me know in your next reply how things are running now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
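As an added example (not from the thread, and not HijackThis's own code), here is a PowerShell check of the delete-on-reboot queue, so you can confirm the request above was actually recorded before restarting. It assumes that HijackThis's 'delete a file on reboot' uses the standard Windows MoveFileEx delay-until-reboot mechanism, which stores the request in the PendingFileRenameOperations registry value; the function name Get-PendingFileOperations and the variable names are my own.

```powershell
# Added example, not from the thread or from HijackThis: list what Windows has
# queued for deletion on the next reboot and check the file from the post.
# Assumption: HijackThis's "delete a file on reboot" uses MoveFileEx with
# MOVEFILE_DELAY_UNTIL_REBOOT, which stores (source, destination) pairs in
# PendingFileRenameOperations; an empty destination means "delete at boot".
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Target = 'C:\Documents and Settings\ashley\Local Settings\Temporary Internet Files\Ssk.log'

function Get-PendingFileOperations {
    $raw = (Get-ItemProperty -Path $SessionManager -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $raw) { return @() }
    $ops = @()
    # Entries come in pairs. Paths carry the NT "\??\" prefix, and a destination
    # starting with "!" means "replace existing"; both are stripped for display.
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $src = $raw[$i] -replace '^!?\\\?\?\\', ''
        $dst = ''
        if ($i + 1 -lt $raw.Count) { $dst = $raw[$i + 1] -replace '^!?\\\?\?\\', '' }
        $action = 'Rename'
        if ($dst -eq '') { $action = 'Delete' }
        $ops += [pscustomobject]@{ Source = $src; Destination = $dst; Action = $action }
    }
    return $ops
}

$ops = @(Get-PendingFileOperations)
if ($ops.Count -eq 0) {
    'Nothing is queued in PendingFileRenameOperations.'
} else {
    $ops | Format-Table -AutoSize
}

# Is the file from the post queued for deletion?
$queued = $ops | Where-Object { $_.Action -eq 'Delete' -and $_.Source -ieq $Target }
if ($queued) { "Queued for deletion at next reboot: $Target" }
else         { "Not queued: $Target" }

# Can this session see the file at all? -Force includes hidden and system
# files, which a plain Explorer listing or Get-ChildItem would skip.
$item = Get-Item -LiteralPath $Target -Force -ErrorAction SilentlyContinue
if ($item) { "File is present (attributes: $($item.Attributes))" }
else       { 'File is not visible from this session.' }
```

Run it from an elevated prompt after clicking Open in HijackThis but before rebooting; an unexpected entry in the queue is worth a second look, since the same mechanism is used by installers and by malware alike.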

#5 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 June 2006 - 12:42 AM

Since there is no feedback anymore, I assume this issue is resolved, so this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.