Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Many Critical Problems, Maybe Winlogon.exe?


  • This topic is locked This topic is locked
16 replies to this topic

#1 Soriya

Soriya

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 27 September 2006 - 07:29 PM

I have been infected with Adware/Spyware for quite awhile, and have used many programs to try to get rid of them (Spybot, Ad-Aware, etc.) but everytime I do a scan, it seems 100 more appear. It was running okay for awhile despite all this, but recently, I can't even get the computer to get past the logon screen before it freezes up. I'm sorry if I'm not being specific enough, I just don't know how to fix it... Before, I'd be getting error messages related to winlog.exe (winlogon.exe?) and that's really the only thing I caught before I wasn't able to log on at all (I'm only able to type this now because I'm in Safe Mode with enabled Networking....) So please!! Does anyone know how to help? I'm sorry for all the trouble!


Logfile of HijackThis v1.99.1
Scan saved at 6:57:57 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX01.469\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ev1.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\oaocp.exe
F2 - REG:system.ini: UserInit=userinit.exe,yvvfauk.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\server2.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\Run: [ms05986390-1125] C:\WINDOWS\ms05986390-1125.exe
O4 - HKLM\..\Run: [vjdxkqgA] C:\WINDOWS\vjdxkqgA.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [win32076390-112598] C:\WINDOWS\win32076390-112598.exe
O4 - HKLM\..\Run: [{2C-CF-FA-AA-ZN}] c:\windows\system32\omdsrego.exe ELT001
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e16.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e16.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [win32100-112598639] C:\WINDOWS\win32100-112598639.exe
O4 - HKLM\..\Run: [ToolbarInstall] C:\WINDOWS\876056.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

BC AdBot (Login to Remove)

 


#2 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:14 PM

Posted 28 September 2006 - 01:28 PM

Hi Soriya and welcome to the Bleeping Computer :thumbsup:
You got a nice infection collection there..

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download HijackThis to your desktop -> HijackThis 1.99.1
Create a new folder named HijackThis to your desktop. Move HijackThis.exe into that folder.

1. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C: ) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
2. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

3. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select alcanshorty.bfu
  • Press Execute and let the program do itís job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows.

4.When normal mode:
  • Download this file - combofix.exe
  • Double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log. (take the HijackThis log in normal mode)
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

UNITE & ASAP member since 2006
Posted Image
Posted Image

#3 Soriya

Soriya
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 02 October 2006 - 10:04 PM

Thank you for the trouble...Here is the ComboFix log:

Administrator - 06-10-02 21:17:49.21 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKCU\...\Run C:\WINDOWS\SYSTEM32\xqxwpo.exe
O4 - HKLM\...\Run C:\WINDOWS\system32\xqxwpo.exe
F2 -REG:system.ini: Shell C:\WINDOWS\system32\oaocp.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\SYSTEM32\yvvfauk.exe


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\SYSTEM32\xqxwpo.exe
C:\WINDOWS\SYSTEM32\exwxhwu.dll
C:\WINDOWS\SYSTEM32\yvvfauk.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pxjxv.exe
C:\WINDOWS\vleeh.dll
C:\WINDOWS\SYSTEM32\dombc.dat
C:\WINDOWS\SYSTEM32\oaocp.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


09/24/2006 09:16 PM 127488 pxjxv.exe.qoo
09/24/2006 09:16 PM 127488 xqxwpo.exe.qoo
09/27/2006 12:10 PM 127488 dombc.dat.qoo
09/24/2006 09:16 PM 51712 exwxhwu.dll.qoo
09/24/2006 09:16 PM 28672 oaocp.exe.qoo
09/24/2006 09:16 PM 23552 yvvfauk.exe.qoo
09/27/2006 12:16 PM 53 nvowew.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bkd.exe
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
C:\Program Files\DeluxeCommunications\DxcRepairInstall.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\omdsrego.exe
C:\WINDOWS\system32\WinNB58.dll
C:\WINDOWS\offun.exe
C:\WINDOWS\uninst104.exe
C:\WINDOWS\uni_ehhhh.exe
C:\Program Files\Common Files\Yazzle1438OinAdmin.exe
C:\Program Files\Common Files\Yazzle1438OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1452OinAdmin.exe
C:\Program Files\Common Files\Yazzle1452OinUninstaller.exe
C:\Program Files\Common Files\misc002
C:\Program Files\Deskbar
C:\Program Files\PrintView
C:\Program Files\ToolBar888
C:\Program Files\Common Files\{BCE2CFAA-0958-1033-1202-030512200001}


((((((((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010/02/2006 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2012/01/2004 03:22 AM 87488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\drvmcdb.sys
2011/23/2004 02:56 AM 40480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys
2011/08/2002 01:45 PM 17217 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys
2010/19/2005 08:59 AM 807998 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ialmnt5.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"EZNXP"="C:\\PROGRA~1\\EZN\\EVERYO~1\\eznorun.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Internet Download Accelerator"="C:\\Program Files\\IDA\\ida.exe -autorun"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AIM"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"startkey"="C:\\WINDOWS\\server2.exe"
"PSDream"="\"C:\\Program Files\\PSDream\\PSDream.exe\""
"cprocsvc"="C:\\WINDOWS\\system32\\crunner\\cproc.exe"
"fifu"="C:\\PROGRA~1\\COMMON~1\\fifu\\fifum.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"VirusScan Online"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"startkey"="C:\\WINDOWS\\server2.exe"
"a-squared"="\"C:\\Program Files\\a-squared Anti-Malware\\a2guard.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
@="winlog.exe"
"ms05986390-1125"="C:\\WINDOWS\\ms05986390-1125.exe"
"vjdxkqgA"="C:\\WINDOWS\\vjdxkqgA.exe"
"loaddr"="C:\\topaff.exe"
"win32076390-112598"="C:\\WINDOWS\\win32076390-112598.exe"
"{2C-CF-FA-AA-ZN}"="C:\\windows\\system32\\omdsrego.exe ELT001"
"win32100-112598639"="C:\\WINDOWS\\win32100-112598639.exe"
"ToolbarInstall"="C:\\WINDOWS\\876056.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
@="winlog.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\MSN\\kyzepeg.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Windows Media Player\\howymydyx.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{BCE2CFAA-0958-1033-1202-030512200001}"="\"C:\\Program Files\\Common Files\\{BCE2CFAA-0958-1033-1202-030512200001}\\Update.exe\" mc-110-12-0000137"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (HISOKA-Brittany).job
C:\WINDOWS\tasks\McAfee.com Update Check (DGTYHH71-Owner).job
C:\WINDOWS\tasks\McAfee.com Update Check (HISOKA-Brittany).job
C:\WINDOWS\tasks\McAfee.com Update Check (HISOKA-Kelley).job
C:\WINDOWS\tasks\McAfee.com Update Check (HISOKA-Lauren).job

Completion time: Mon 10/02/2006 21:25:08.02
ComboFix.txt


And then the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:00, on 06-10-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ev1.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\server2.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\Run: [vjdxkqgA] C:\WINDOWS\vjdxkqgA.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKLM\..\Run: [{2C-CF-FA-AA-ZN}] C:\windows\system32\omdsrego.exe ELT001
O4 - HKLM\..\Run: [win32100-112598639] C:\WINDOWS\win32100-112598639.exe
O4 - HKLM\..\Run: [ToolbarInstall] C:\WINDOWS\876056.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [tfjqq] C:\WINDOWS\system32\xqxwpo.exe reg_run
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe



You said to do some of this in Normal Windows, but it's impossible for me to do so. It freezes up every time...So I just did it all in safe mode... >.>

#4 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:14 PM

Posted 03 October 2006 - 05:32 AM

Ok so the computer won't run in normal mode at all ?
It is not advisable to use the computer in Safe Mode with enabled Networking because your antivirus and firewall are disabled. This may get more infections to your computer....

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
UNITE & ASAP member since 2006
Posted Image
Posted Image

#5 Soriya

Soriya
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 03 October 2006 - 08:24 AM

I don't really have the resources to reinstall, though a friend made a backup CD of their OS for me. I don't know if it would work though (Does it matter if she made the backup from a HP and it's going to a Dell?) I could try it if you think that's the best idea. I was trying to avoid reformatting, but it looks like I have no choice... If you think the CD will work then I'll try that, but if not, if you could please continue to help me clean the system?

Thank you so much for the time and effort~!! :D

#6 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:14 PM

Posted 03 October 2006 - 01:33 PM

Hi again, we'll begin the cleaning then :thumbsup:
Do not use your friends recovery disk, it wont do any good....

You should print these instructions or save these to a text file. Follow these instructions carefully.

Before we begin the cleaning, I need you to download a few tools while in Safe Mode with enabled Networking

Download and install AVG Anti-Spyware 7.5
  • Open AVG Anti-Spyware
  • Click on the Update icon at the top of the window
    • Click on the Start update button
    • Wait for the update to download and install
  • Click Shield
  • Click under "resident shield is"
  • Change it from active to inactive
  • Quit the program, well use this later.
Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

From now on, you must continue the cleaning in standard safe mode (the one without networking)
This is important because otherwise more infections will come to your computer!

So, restart your computer to the normal safe mode.

Then, make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
Open Control Panel -> Add/Remove programs -> Remove all the of the following programs if found:

PSDream
BHO Plugin

Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"startkey"=-
"PSDream"=-
"cprocsvc"=-
"fifu"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"startkey"=-
@=-
"ms05986390-1125"=-
"vjdxkqgA"=-
"loaddr"=-
"win32076390-112598"=-
"{2C-CF-FA-AA-ZN}"=-
"win32100-112598639"=-
"ToolbarInstall"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
@=-

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{BCE2CFAA-0958-1033-1202-030512200001}"=-


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\server2.exe
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\Run: [vjdxkqgA] C:\WINDOWS\vjdxkqgA.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKLM\..\Run: [{2C-CF-FA-AA-ZN}] C:\windows\system32\omdsrego.exe ELT001
O4 - HKLM\..\Run: [win32100-112598639] C:\WINDOWS\win32100-112598639.exe
O4 - HKLM\..\Run: [ToolbarInstall] C:\WINDOWS\876056.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [tfjqq] C:\WINDOWS\system32\xqxwpo.exe reg_run
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)

Go to the My Computer and delete the following folders (if present):
C:\Program Files\BHO Plugin
C:\Program Files\PSDream
C:\WINDOWS\system32\crunner
C:\Program Files\Common Files\fifu

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\cfg32p.dll
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\server2.exe
C:\WINDOWS\ms05986390-1125.exe
C:\WINDOWS\vjdxkqgA.exe
C:\WINDOWS\win32076390-112598.exe
C:\WINDOWS\win32100-112598639.exe
C:\WINDOWS\876056.exe
C:\windows\system32\omdsrego.exe
C:\Program Files\Windows Media Player\howymydyx.html
C:\Program Files\MSN\kyzepeg.html
C:\topaff.exe

Use the Windows search
  • Start
  • Search
  • All files and folders
  • More advanced options
Checkmark these options:
  • "Search system folders"
  • "Search hidden files and folders"
  • "Search subfolders"
  • Search for this and delete if found: winlog.exe
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

NOTE The following will clear all of your cookies, forms and history from FireFox. Feel free to skip this step.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
NOTE: The following will clear all of your cookies, forms and history from Opera. Feel free to skip this step.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now scan your computer with AVG Anti-Spyware.
  • Open AVG Anti-Spyware
  • Click on the Scanner icon at the top of the window
  • Click on the Settings tab then select Recommended Options and choose Quarantine
  • Click on the Scan tab
  • Select Complete System Scan. Ewido will now begin to scan your system
[*]When the scan has completed, if infections were found, press Apply all actions .
[*]Then click on the Save Scan Report button and save the scan to your Desktop where it can be easily found
[*]Copy and paste the scan results into your next post.
[/list]Now, please try to restart the computer to the NORMAL mode.
Hopefully it will run ok :flowers:

When you're ready, post the following logs to here:
- AVG Anti-Spyware's report
- a fresh HijackThis log
UNITE & ASAP member since 2006
Posted Image
Posted Image

#7 Soriya

Soriya
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 07 October 2006 - 10:18 PM

Success! I can actually get into normal mode now, though it's still a little slow. :thumbsup:

Here is the AVG Anti-Spyware Report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:43 06-10-07

+ Scan result:



C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0098051.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107049.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107103.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\AutoSearch.dll -> Adware.AutoSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Desktop\HijackThis\backups\backup-20061007-155448-658.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Desktop\HijackThis\backups\backup-20061007-155449-623.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Desktop\HijackThis\backups\backup-20061007-155449-774.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096976.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096986.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096987.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096988.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107047.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107048.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP224\A0114169.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP224\A0114170.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP224\A0114172.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\cfg32s.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BookedSpace.Extension.5 -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096990.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096991.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096978.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096996.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096997.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0097002.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0097001.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107089.dll -> Adware.Mirar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\KBBar.KBBarBand -> Adware.PowerStrip : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\KBBar.KBBarBand.1 -> Adware.PowerStrip : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CLSID -> Adware.PowerStrip : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CurVer -> Adware.PowerStrip : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP224\A0114176.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\MirarSetup_876057.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096971.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096973.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096966.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0098048.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107042.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107101.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096972.dll -> Adware.Spysheriff : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107120.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107121.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\WINDOWS\1205.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096982.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096960.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096963.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0097017.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107058.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107059.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107060.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107088.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\opdsregp.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\TIELT001.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP213\A0043898.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP213\A0044898.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP213\A0044922.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0044955.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0045953.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0046953.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0047953.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0048954.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0049952.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0050952.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0051954.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP216\A0053959.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP216\A0053975.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP219\A0059018.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP219\A0061955.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP219\A0062955.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP219\A0063957.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP219\A0063973.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP219\A0064959.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP220\A0069959.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP220\A0069973.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP220\A0070959.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP220\A0072956.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP220\A0073957.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP220\A0074958.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP220\A0075960.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP222\A0077958.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP222\A0078956.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP222\A0079958.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0080083.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0080963.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0082958.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0083958.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0084957.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0085957.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0086958.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0087957.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0088958.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0089963.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0091958.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0092956.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0093958.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0094959.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0097034.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0098029.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0099026.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0105037.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107043.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107046.exe -> Backdoor.Rbot.adx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0089987.exe -> Downloader.Adload.fp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0089980.exe -> Downloader.Adload.fq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107055.exe -> Downloader.Adload.fz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0097016.dll -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107112.dll -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0089991.exe -> Downloader.Agent.aqx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096993.dll -> Downloader.Agent.awb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096995.dll -> Downloader.Agent.awb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107076.exe -> Downloader.Agent.c : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107079.exe -> Downloader.Agent.c : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096989.dll -> Downloader.Dyfuca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0097004.dll -> Downloader.Dyfuca.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096958.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\WINDOWS\srvdcqzcmr.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0089983.exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0089954.exe -> Downloader.Qoologic.at : Cleaned with backup (quarantined).
C:\QooBox\dombc.dat.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\exwxhwu.dll.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\oaocp.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\pxjxv.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\xqxwpo.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\yvvfauk.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107113.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107114.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107115.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107116.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107117.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096980.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096999.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0097000.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0088973.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\WINDOWS\idlemg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096977.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0089984.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\WINDOWS\ac3_0002.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0097007.exe -> Downloader.Small.dnk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0097008.exe -> Downloader.Tibs.dr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096985.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096981.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096984.exe -> Downloader.TSUpdate.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107097.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096983.exe -> Downloader.TSUpdate.p : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107052.exe -> Downloader.VB.alg : Cleaned with backup (quarantined).
C:\bintheredunthat\vjdxkqgA.exe -> Downloader.VB.alu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0089953.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0094977.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0095954.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP224\A0114175.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\WINDOWS\Sos28.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\bintheredunthat\ms05986390-1125.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107090.exe -> Downloader.VB.nw : Cleaned with backup (quarantined).
C:\WINDOWS\vSg21-d.exe -> Downloader.VB.tw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0089982.exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0045005.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0045007.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107044.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096979.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0097003.exe -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0094979.exe -> Hijacker.Spywad.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0097009.exe -> Hijacker.Spywad.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0097027.exe -> Hijacker.Spywad.o : Cleaned with backup (quarantined).
C:\bintheredunthat\vjdxkqg.exe -> Hijacker.VB.ij : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0096975.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
:mozilla.115:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.116:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.75:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.76:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.31:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.34:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.66:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.35:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.39:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.36:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.57:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.58:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.68:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.69:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.70:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.71:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.72:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.53:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.54:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7p6r42sq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP216\A0053988.exe/fun.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP224\A0114174.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0097015.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107111.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0089955.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0095953.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107091.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107092.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\WINDOWS\109uninst.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\WINDOWS\uni_7eh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\WINDOWS\uninst108.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0045006.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP223\A0107045.exe -> Worm.VB.an : Cleaned with backup (quarantined).


::Report end


I'll post again later with the HijackThis log, because it won't let me use it for some reason in normal mode, so I'll have to do it in Safe Mode I guess. I'll be back and thanks again~! :flowers:

#8 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:14 PM

Posted 08 October 2006 - 01:56 AM

Ok great :thumbsup:

Please try to rename HijackThis.exe to Scanner.exe before scanning with it in normal mode.
If it still can't run, do it in safe mode.

Do the following in normal mode:

Download F-Secure Blacklight and save it to your desktop.

Doubleclick blbeta.exe, accept the agreement, click Scan, then click Next
You'll see a list what have been found. A log will appear to your desktop, it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log to here (blacklight log from your desktop)

Then we'll continue :flowers:
UNITE & ASAP member since 2006
Posted Image
Posted Image

#9 Soriya

Soriya
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 08 October 2006 - 01:30 PM

Here is the new HijackThis log:

---------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 12:04, on 06-10-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ev1.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


But when I try to use F-Secure Blacklight, I get this message:


http://img.photobucket.com/albums/v513/jakotsu101/error.jpg


:thumbsup:

#10 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:14 PM

Posted 08 October 2006 - 02:02 PM

Hi again :thumbsup:

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
UNITE & ASAP member since 2006
Posted Image
Posted Image

#11 Soriya

Soriya
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 08 October 2006 - 02:32 PM

Here it is :thumbsup:

L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{38823E61-04FB-4DF0-562D-E258DB895EE6}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{7D5C4BDD-B015-4401-8731-1507B87DE297}"="QBVersionTool"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}"="a-squared Context Menu Shell Extension"
"{F2A0535E-41BF-485B-AF8D-6F470B99BEEE}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
fltlib.dll Mon Aug 21 2006 7:21:06a A.... 16,896 16.50 K
hlink.dll Fri Jul 21 2006 3:24:44a A.... 72,704 71.00 K
inetcomm.dll Thu Jul 27 2006 8:24:46a A.... 679,424 663.50 K
mshtml.dll Fri Jul 28 2006 6:28:54a A.... 3,054,080 2.91 M
netapi32.dll Fri Jul 14 2006 10:31:40a A.... 332,288 324.50 K
shell32.dll Thu Jul 13 2006 8:33:28a A.... 8,453,632 8.06 M
urlmon.dll Tue Jul 25 2006 3:33:40p A.... 613,888 599.50 K
x264vfw.dll Mon Jul 17 2006 5:19:26p A.... 579,090 565.52 K

8 items found: 8 files, 0 directories.
Total of file sizes: 13,802,002 bytes 13.16 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is BCE2-CFAA

Directory of C:\WINDOWS\System32

10/02/2006 09:25 PM <DIR> DLLCACHE
07/17/2006 08:03 PM 848 KGyGaAvL.sys
05/18/2005 09:02 PM 56 6E6521D9D6.sys
05/03/2005 11:14 PM <DIR> Microsoft
2 File(s) 904 bytes
2 Dir(s) 9,589,428,224 bytes free

#12 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:14 PM

Posted 09 October 2006 - 12:18 PM

Hi again :thumbsup:

Sorry for the delay, I had a really busy day.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F2A0535E-41BF-485B-AF8D-6F470B99BEEE}"=-



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Then, go to the L2MFix folder. There is a file named NTrigths.exe . Please copy that file and move/paste it to the following directory:
C:\WINDOWS\System32

Then, go to Start -> Run type the following command to the box and press OK;
ntrights +r SeDebugPrivilege -u Administrators

Please restart your computer and try to run the Blacklight again, post it's log to here when you're ready.

Edited by Mr_JAk3, 09 October 2006 - 12:20 PM.

UNITE & ASAP member since 2006
Posted Image
Posted Image

#13 Soriya

Soriya
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 10 October 2006 - 06:53 PM

This is what it gave me...Is this right?

10/10/06 18:25:33 [Info]: BlackLight Engine 1.0.47 initialized
10/10/06 18:25:33 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/10/06 18:25:33 [Note]: 7019 4
10/10/06 18:25:33 [Note]: 7005 0
10/10/06 18:28:21 [Note]: 7006 0
10/10/06 18:28:21 [Note]: 7011 344
10/10/06 18:28:21 [Note]: 7026 0
10/10/06 18:28:21 [Note]: 7026 0
10/10/06 18:28:52 [Note]: FSRAW library version 1.7.1020
10/10/06 18:49:28 [Note]: 2000 1012
10/10/06 18:49:28 [Note]: 2000 1012
10/10/06 18:49:28 [Note]: 2000 1012
10/10/06 18:49:28 [Note]: 2000 1012
10/10/06 18:50:25 [Note]: 7007 0

#14 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:14 PM

Posted 11 October 2006 - 01:02 AM

Ok it didn't find anything which is a good thing :thumbsup:
How is the computer running now ?

You had many infections so we'll run a one more scanner...

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky log along with a fresh HijackThis log (take it in normal mode),
Please also let me know how the computer is running :flowers:
UNITE & ASAP member since 2006
Posted Image
Posted Image

#15 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:12:14 PM

Posted 17 October 2006 - 04:58 AM

Hi again :thumbsup:

If you still require help, please respond so that I will continue to monitor this topic; otherwise, I will assume you no longer need help.
UNITE & ASAP member since 2006
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users