Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Qoologic +adware Please Help


  • This topic is locked This topic is locked
19 replies to this topic

#1 gregafish

gregafish

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Location:norfolk engalnd
  • Local time:05:28 PM

Posted 10 October 2006 - 12:46 PM

hi i was sent here from http://www.bleepingcomputer.com/forums/t/67836/trojan-collected-z/ and followed the step however did not get an online virus program to work succesfully here is my log, any help greatly recived

Logfile of HijackThis v1.99.1
Scan saved at 18:40:47, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\kjqafs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\bshee.exe
C:\WINDOWS\system32\bshee.exe
C:\WINDOWS\system32\bshee.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\greg\My Documents\CMSPEEDER2KXP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {114FD211-3FA3-6276-A0AB-6143B562F099} - C:\WINDOWS\system32\afzadeq.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bshee.exe
F2 - REG:system.ini: UserInit=userinit.exe,lnoipxe.exe
O2 - BHO: (no name) - {114FD211-3FA3-6276-A0AB-6143B562F099} - C:\WINDOWS\system32\afzadeq.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\greg\Desktop\Yinstall.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e25.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [jbureq] C:\WINDOWS\system32\kjqafs.exe reg_run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [gwbsg] C:\WINDOWS\system32\kjqafs.exe reg_run
O4 - HKCU\..\Run: [Pcaw] "C:\DOCUME~1\greg\APPLIC~1\CURITY~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Kuoxz] C:\Program Files\?icrosoft\w?wexec.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dqcbl.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm801AXGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...133352D2D2D.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/FUploader/SpeedUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E066548-991B-4DD8-B5D6-F8372BF32ACC}: NameServer = 194.72.9.38 194.74.65.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\p6n8lg5u16.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\i024lafq1d2e.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


m

#2 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:06:28 PM

Posted 11 October 2006 - 02:32 AM

Hi gregafish and welcome to Bleeping Computer :thumbsup:

You got a nice collection of infections there. We need several steps before you're clean...

You may have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
UNITE & ASAP member since 2006
Posted Image
Posted Image

#3 gregafish

gregafish
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Location:norfolk engalnd
  • Local time:05:28 PM

Posted 11 October 2006 - 03:11 AM

hi mr jak3 and thank you for your help
L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\p6n8lg5u16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i024lafq1d2e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000019
"InstallNotifyShown"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,3c,50,f8,c8,69,69,ba,49,93,f2,d5,5a,44,ae,88,70,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,22,57,2b,84,a1,7c,95,6e,\
23,05,6f,81,ee,22,71,ff,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,22,\
3d,a1,3d,9a,ab,aa,d2,c4,8e,ec,cf,be,40,6d,68,70,06,00,00,34,10,0e,85,60,5e,\
a2,5c,58,53,e8,01,bc,7f,d7,33,73,02,b0,fd,68,28,ed,20,25,c5,41,d6,16,10,34,\
e3,3e,85,ba,82,d8,84,6b,23,79,0d,73,b5,c0,4b,35,dc,59,09,99,97,ab,b7,82,d6,\
ad,6c,3d,80,15,90,86,05,de,f4,00,3b,11,e0,ed,9f,99,c6,80,23,46,c4,16,f2,63,\
da,7b,b8,bf,dd,ab,26,5b,18,99,d5,ce,88,d2,d7,78,d5,b6,8e,fb,8b,a9,a0,1e,87,\
7c,94,fe,58,51,44,9c,8a,50,9d,a2,36,95,77,0f,f2,80,bd,39,b2,87,9d,3f,65,4c,\
4c,cf,47,f8,de,06,4c,e4,2a,7c,de,41,e8,09,a6,88,c0,06,fc,ab,2b,3d,90,dd,9d,\
d1,4f,6b,ba,a9,2e,cb,05,28,b9,7c,b0,6c,65,c1,d3,9f,cb,83,83,0f,53,2a,fa,cc,\
aa,6c,27,59,43,6c,53,27,94,a2,8d,24,05,61,53,a9,aa,06,76,7b,fb,ac,18,f2,23,\
ee,65,4f,6c,47,21,6c,3b,f6,a4,bc,aa,e1,f6,04,0d,e1,08,c3,0f,3d,cf,ad,5d,fa,\
a8,0a,6e,73,9a,40,dd,7c,53,a9,cc,dc,45,e4,30,c3,a1,09,d7,f4,24,70,fb,69,a8,\
15,c1,c8,88,b4,d0,07,43,c6,69,6c,ce,be,d1,a6,29,ef,13,7c,99,a3,13,62,30,e5,\
d0,cf,f1,c3,00,ca,fe,33,76,27,76,6c,e0,7d,f0,9a,41,16,7b,07,b4,72,4c,ab,67,\
62,9c,4c,76,2d,c8,86,df,fb,bd,f4,1c,b1,d5,aa,50,ad,7f,48,fc,5d,0c,11,66,77,\
3c,3c,73,f4,bb,51,14,93,78,e6,d9,a8,48,90,80,e3,3b,c4,08,05,09,c8,b4,fb,55,\
5c,fa,96,ec,24,6a,9e,b6,d4,e5,08,39,7a,6e,cd,57,b0,f6,e6,7e,53,13,2e,a9,16,\
9d,7c,bb,9c,ea,e0,94,2c,91,fb,85,20,d0,9c,bc,28,d1,44,fd,65,f0,ea,3f,73,90,\
c4,5b,5f,69,e6,27,fd,1d,65,57,61,77,b0,64,8e,45,b8,7d,50,ab,ac,94,c2,c1,b4,\
16,0b,e0,36,06,7a,40,a3,7f,e6,5d,59,14,8f,7e,b5,f6,60,32,7b,ae,c7,2f,49,46,\
0d,09,60,41,9c,f4,5f,ec,57,5d,e3,61,fd,98,20,34,54,0c,f2,a3,ab,f9,fd,ae,c6,\
fa,10,6a,cc,55,9f,01,92,09,96,ea,3d,48,fc,92,bc,4b,d6,16,bd,a7,42,a8,c2,8a,\
3c,9a,eb,94,43,fe,ed,6c,54,8a,a0,f0,2d,2c,58,64,42,4c,50,5a,1f,19,c5,f4,6c,\
81,dd,8f,52,79,57,d0,bf,e4,6d,d4,1d,d3,df,32,4c,12,eb,9b,80,d8,73,e5,fb,78,\
03,66,c1,69,25,ae,85,b4,f9,0b,35,be,ed,e9,b3,11,65,b2,f5,26,74,1d,dd,de,4e,\
eb,fa,a3,25,ef,81,83,c2,f1,ba,15,89,4c,81,96,b4,21,e9,e7,a4,50,d2,67,d2,ca,\
d6,40,82,fe,ee,6d,50,57,28,5b,82,44,26,fb,4e,77,0d,20,cc,55,1d,1f,ff,42,76,\
2c,67,8f,cb,89,c0,0e,20,97,c2,3a,af,6d,08,c1,c1,dc,bf,08,1c,cb,cd,39,0f,d0,\
56,89,b7,1e,c4,fa,a5,1c,78,fa,92,d1,3f,7f,2e,4e,fe,3b,8b,56,d4,16,9a,6c,8c,\
2d,4c,f4,ea,13,88,9b,07,bf,48,bc,fc,58,af,fd,69,bf,d8,19,9a,8a,79,84,96,3d,\
34,1c,ef,7d,a3,f8,bf,2c,08,d0,83,98,0a,a4,b4,cf,28,e9,3a,39,16,7d,3e,da,62,\
98,21,9b,d3,1c,7b,f0,66,28,f6,a7,fb,95,f3,4f,dd,b2,1a,79,d2,36,13,b9,22,6d,\
63,7c,54,33,79,d4,b9,e0,a2,c3,ed,74,a9,3e,50,cb,62,4e,31,0e,2b,f6,11,6f,47,\
33,56,de,f4,d3,12,fd,9e,48,96,27,15,38,24,c1,60,40,ad,9b,a0,09,ab,80,3d,ad,\
d5,6a,39,cd,ad,5a,0c,48,17,b5,12,53,ab,6e,7d,1d,f9,78,b7,da,bc,10,90,94,a3,\
e0,48,d9,61,22,27,dc,4f,37,ee,c5,43,ae,93,bc,6d,5a,70,5f,d7,6c,a7,74,8c,49,\
83,6d,05,aa,4f,ab,64,58,c6,ac,bf,68,82,73,9d,e0,fe,00,a4,67,ef,95,b4,91,b7,\
c0,6a,08,cc,f8,69,d3,9e,9b,49,f1,db,91,e2,28,54,1d,38,7b,a0,78,35,10,42,25,\
40,ad,c2,b5,ee,81,47,96,f3,44,50,e3,c2,7d,55,0c,c9,2a,67,a8,08,a2,62,a5,6e,\
00,06,11,ce,b1,f6,81,00,cf,8f,e7,4b,81,f5,22,90,0b,bf,8e,9c,28,78,25,9e,2b,\
27,48,27,ad,8c,50,80,c3,63,0a,16,e9,ce,fc,07,cc,1e,00,cb,ff,d4,4d,6e,c9,1f,\
5a,eb,c8,45,fc,53,6a,f1,05,5e,83,61,a9,3c,36,29,ef,8f,be,00,64,36,60,05,bc,\
18,57,68,2d,f3,ff,30,21,71,2f,dd,b2,dc,51,79,b6,bb,1c,69,ff,9a,51,ff,9a,ef,\
5f,41,1f,4b,f5,24,b9,cc,8f,6b,1c,f3,9c,ea,da,1f,8c,20,70,79,4b,f3,06,e8,2a,\
62,db,40,c0,6d,2a,61,f8,e6,ac,29,37,5f,c5,59,60,c7,6b,68,75,d1,85,8f,d9,aa,\
32,97,65,cf,47,5e,6c,09,e1,03,96,58,2f,a6,65,d9,a5,f1,16,c0,ef,10,d2,20,8e,\
2d,82,ca,86,de,97,f1,34,4a,1b,ea,24,2b,ac,98,bf,7e,47,f5,25,37,a6,ca,dd,7f,\
e7,21,cc,19,a7,7b,ae,31,e2,72,b5,2f,04,3e,78,ae,8b,f4,5d,62,b0,e6,39,b5,88,\
83,a8,9b,d7,a3,be,01,d0,25,9c,cc,23,6a,47,dd,ac,b4,20,1e,88,fd,80,a9,f1,fa,\
20,5b,38,8d,8f,be,54,64,7f,7a,dc,7d,28,74,8b,13,d3,e2,8f,0f,f9,04,7b,df,b6,\
27,41,23,34,29,c6,7f,8d,3b,3a,40,02,85,cf,b9,66,4c,fb,57,38,dd,9f,7c,d1,ec,\
79,a0,31,35,d3,4c,1c,37,5e,6a,6e,bc,ab,79,b6,f9,ac,9e,85,c7,be,f0,8d,4f,c4,\
fb,a8,d6,d0,35,e0,2a,c8,e3,fb,d3,4c,e7,67,8c,cf,84,f2,a9,b5,0c,ba,b1,0d,f9,\
b5,cf,b1,1d,46,e1,fe,0c,2e,66,08,d4,3e,6e,13,67,e5,2b,f6,52,37,18,97,06,20,\
f9,0a,67,f5,7a,50,69,0e,67,18,39,2e,1b,5d,dd,88,a3,bb,21,9b,56,b9,1e,f6,3e,\
5c,f0,11,eb,54,2b,bc,90,49,cc,ac,59,1b,31,71,ab,17,2c,44,6b,d5,2d,61,7f,ff,\
62,59,9d,41,81,fe,b2,d6,be,72,8b,7e,50,e9,ca,41,63,b5,73,c7,48,a7,83,e3,84,\
ca,e7,e8,91,53,df,0d,c9,f9,cd,bc,a8,24,d0,8c,cd,a0,f6,b3,ea,65,bf,70,b9,98,\
30,81,09,4d,f5,42,4d,2e,39,04,66,1e,0f,e6,a9,30,cf,16,50,0d,02,44,7e,49,8f,\
b6,e6,0e,26,a1,7a,20,01,63,07,6a,71,98,28,28,b5,46,54,c1,96,d3,94,95,86,77,\
f1,4d,a9,92,03,df,ac,ef,ec,4b,1e,ce,24,54,d5,62,82,47,f7,7a,2a,9b,d1,aa,51,\
54,4e,f2,7a,84,55,60,5a,39,ad,20,1d,e0,ed,23,b2,d2,b8,08,22,de,6d,4c,76,43,\
14,a3,69,60,ae,5a,fa,87,e5,e3,87,c6,80,2c,63,6d,64,6d,e7,85,7f,a8,00,47,f4,\
e1,8e,b1,6b,a7,72,61,76,9a,a4,d5,d7,2d,3d,35,73,aa,79,60,88,b3,c5,08,13,c6,\
00,e8,00,41,2f,04,5d,d9,5a,97,46,21,13,f9,66,d9,57,9b,44,b5,ac,01,8b,fc,57,\
4c,a8,26,77,e8,27,c0,a9,07,52,61,12,5a,f3,be,26,97,27,d7,fd,a9,2d,21,11,6f,\
92,52,80,8b,31,3e,a2,5a,d4,11,f4,6f,ca,07,97,15,86,98,3f,44,44,c7,ba,ff,5a,\
9c,7a,a9,3a,9a,71,0f,53,80,5d,4c,1a,41,23,6e,50,41,14,00,00,00,b6,1b,5c,ed,\
dd,e8,f3,15,36,8a,7f,56,67,28,10,f2,65,ea,97,45

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{98D9C674-B024-8B43-5FDA-C47DD5173E5F}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{65E97913-DADF-49EE-9D92-D64982A74E25}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{E0CCE1C6-4A6E-4850-AA73-F591D3BCF874}"=""
"{A594D58E-556A-4B14-A094-CD0B55AE7988}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{65E97913-DADF-49EE-9D92-D64982A74E25}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65E97913-DADF-49EE-9D92-D64982A74E25}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65E97913-DADF-49EE-9D92-D64982A74E25}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65E97913-DADF-49EE-9D92-D64982A74E25}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E0CCE1C6-4A6E-4850-AA73-F591D3BCF874}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0CCE1C6-4A6E-4850-AA73-F591D3BCF874}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0CCE1C6-4A6E-4850-AA73-F591D3BCF874}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0CCE1C6-4A6E-4850-AA73-F591D3BCF874}\InprocServer32]
@="C:\\WINDOWS\\system32\\wlwfaxui.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A594D58E-556A-4B14-A094-CD0B55AE7988}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A594D58E-556A-4B14-A094-CD0B55AE7988}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A594D58E-556A-4B14-A094-CD0B55AE7988}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A594D58E-556A-4B14-A094-CD0B55AE7988}\InprocServer32]
@="C:\\WINDOWS\\system32\\dnrpsetu.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
fltlib.dll Mon 21 Aug 2006 13:21:06 A.... 16,896 16.50 K
hlink.dll Fri 21 Jul 2006 9:24:44 A.... 72,704 71.00 K
inetcomm.dll Thu 27 Jul 2006 14:24:46 A.... 679,424 663.50 K
libeay~1.dll Wed 23 Aug 2006 23:37:52 A.... 796,584 777.91 K
mshtml.dll Fri 28 Jul 2006 12:28:54 A.... 3,054,080 2.91 M
netapi32.dll Fri 14 Jul 2006 16:31:40 A.... 332,288 324.50 K
p6n8lg~1.dll Tue 10 Oct 2006 9:00:58 ..S.R 234,176 228.69 K
shell32.dll Thu 13 Jul 2006 14:33:28 A.... 8,453,632 8.06 M
urlmon.dll Tue 25 Jul 2006 21:33:40 A.... 613,888 599.50 K
vsdata.dll Wed 23 Aug 2006 23:37:58 A.... 83,960 81.99 K
vsinit.dll Wed 23 Aug 2006 23:38:00 A.... 157,688 153.99 K
vsmonapi.dll Wed 23 Aug 2006 23:38:00 A.... 104,440 101.99 K
vspubapi.dll Wed 23 Aug 2006 23:38:02 A.... 268,280 261.99 K
vsregexp.dll Wed 23 Aug 2006 23:38:02 A.... 71,672 69.99 K
vsutil.dll Wed 23 Aug 2006 23:38:04 A.... 440,312 429.99 K
vswmi.dll Wed 23 Aug 2006 23:38:04 A.... 59,384 57.99 K
vsxml.dll Wed 23 Aug 2006 23:38:04 A.... 100,344 97.99 K
x264vfw.dll Wed 13 Sep 2006 23:14:18 A.... 593,938 580.02 K
zlcomm.dll Wed 23 Aug 2006 23:38:06 A.... 83,960 81.99 K
zlcommdb.dll Wed 23 Aug 2006 23:38:06 A.... 71,672 69.99 K

20 items found: 20 files (1 H/S), 0 directories.
Total of file sizes: 16,289,322 bytes 15.53 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is CCC6-E2E4

Directory of C:\WINDOWS\System32

10/10/2006 13:48 <DIR> dllcache
10/10/2006 09:00 234,176 p6n8lg5u16.dll
31/07/2005 14:56 <DIR> Microsoft
1 File(s) 234,176 bytes
2 Dir(s) 36,499,963,904 bytes free

#4 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:06:28 PM

Posted 11 October 2006 - 03:21 AM

Now we'll continue...

At first, well have to disable AVG guard since it may interfere with our cleaning (We can enable it when you're clean)
  • Open AVG Anti-Spyware
  • Click Shied
  • Click under "resident shield is"
  • Change it to inactive
  • Close the program
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new Hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Note : Once the PC has restarted if a log does not appear or the icons didn't disappear, run the "second.bat" located inside the L2mfix folder.

Edited by Mr_JAk3, 11 October 2006 - 03:22 AM.

UNITE & ASAP member since 2006
Posted Image
Posted Image

#5 gregafish

gregafish
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Location:norfolk engalnd
  • Local time:05:28 PM

Posted 11 October 2006 - 03:57 AM

L2mfix 032106
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 432 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 512 'winlogon.exe'
Killing PID 512 'winlogon.exe'
Killing PID 512 'winlogon.exe'
Killing PID 512 'winlogon.exe'
Killing PID 512 'winlogon.exe'
Killing PID 512 'winlogon.exe'
Killing PID 512 'winlogon.exe'
Killing PID 512 'winlogon.exe'
Killing PID 512 'winlogon.exe'
Killing PID 512 'winlogon.exe'
Killing PID 512 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 240 'explorer.exe'
Killing PID 240 'explorer.exe'
Killing PID 240 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\p6n8lg5u16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i024lafq1d2e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000019
"InstallNotifyShown"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,3c,50,f8,c8,69,69,ba,49,93,f2,d5,5a,44,ae,88,70,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,54,88,63,0e,09,83,fe,5e,\
66,4a,ce,ca,45,5d,44,84,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,4d,\
45,1d,84,1c,23,d1,07,58,5c,3f,1a,0e,9c,0f,56,70,06,00,00,11,ab,fd,3a,80,a3,\
5e,dd,b4,cc,92,1c,3c,47,2d,79,4d,88,ce,7b,30,21,e7,37,5f,ce,ac,22,88,ba,2a,\
6e,34,ba,7d,24,a1,31,00,e2,d6,54,41,f4,1b,ea,1a,8a,fb,3b,bd,4b,6f,68,12,1e,\
c4,b2,2c,ea,e7,55,05,e3,1b,51,99,c0,ed,b6,f1,79,57,c9,75,b5,a9,d6,43,3b,81,\
53,93,c3,30,e3,d6,ba,4e,55,c1,e1,13,d3,38,5a,f9,73,90,86,e2,6e,51,fb,63,06,\
89,ba,d8,8b,56,19,52,2b,8b,4e,b6,02,f7,6a,c2,18,fe,59,6c,18,b4,e2,12,fd,72,\
2c,b1,ff,55,dc,0e,3d,b8,47,4e,ea,d8,d3,02,01,3b,93,37,32,be,8e,e8,03,0c,2c,\
78,9e,be,b9,3e,52,ad,bf,d5,e3,e6,83,f2,b5,4e,13,cc,33,83,32,04,95,6e,76,99,\
f9,67,b6,f5,76,30,f2,b8,7e,ba,ea,3e,da,58,13,dc,d9,8d,af,37,41,7f,61,de,29,\
f2,6d,33,6a,d4,50,0a,fb,26,a6,36,59,16,f8,f2,79,15,d0,e9,fb,2f,6b,90,a2,d4,\
c4,ef,47,76,aa,19,33,69,a2,54,d2,b9,ee,18,f9,54,09,93,bc,9e,3b,98,45,78,17,\
db,37,3a,7a,10,17,31,6b,c6,f7,cf,0e,43,0a,bb,7c,3c,a4,49,5b,25,79,d8,90,c8,\
a9,e2,59,b7,da,43,78,81,c0,b4,92,1f,3b,17,eb,a4,26,3e,9f,84,e8,05,fe,a1,62,\
66,5a,ba,23,3c,53,e6,75,5b,52,e1,92,52,0a,a9,ad,d8,5d,d3,23,3b,c5,79,57,12,\
1b,b4,d1,d6,c7,45,94,a8,85,d1,87,12,85,a3,5c,a3,bd,69,86,03,05,2b,69,73,a9,\
9d,92,95,ab,3a,52,c8,0c,52,60,06,35,1e,bb,bc,6e,34,37,35,29,3f,0b,36,37,8d,\
2b,bf,f8,5f,ba,f8,fe,d1,36,8b,7c,59,d0,db,6c,f3,33,a7,2a,0b,a8,7b,db,1a,0b,\
fe,1d,88,c5,33,74,62,c0,8e,58,b2,d4,7d,9e,31,3e,38,da,eb,75,b0,05,9d,77,c4,\
04,af,b8,49,ad,c4,d8,7e,a8,df,2d,b9,1c,1f,83,cd,69,c2,c0,ef,80,d6,33,4d,8e,\
56,65,a5,2e,fa,76,8d,af,40,eb,ec,81,1c,84,9c,58,6e,47,b0,6b,15,69,d6,d5,6a,\
59,b8,6f,4e,dd,a4,51,89,ce,72,c6,4b,55,04,77,b2,7e,e4,91,07,22,a6,f5,a7,91,\
0b,23,c9,9c,99,be,b7,e8,4f,c6,71,24,91,e1,9a,6d,56,cb,97,a2,e2,32,f0,b5,99,\
00,bb,45,b0,ba,35,be,3b,c9,f6,d4,16,1f,51,f6,0a,25,db,7d,00,6b,cf,eb,9f,b1,\
e4,1f,ae,24,21,8d,a3,ef,13,01,3d,2d,99,dc,35,60,17,31,43,95,c7,be,9c,05,d0,\
a8,8b,af,b0,1a,45,25,7f,ed,42,78,8a,9c,e1,3a,fe,d6,93,64,a5,06,f4,99,97,ea,\
3d,5b,e0,bb,f5,5e,53,3f,6c,bb,1d,f9,e7,43,97,5d,82,72,e8,ff,9f,52,ad,8f,6f,\
87,1d,35,a5,50,9b,2a,c3,f8,48,18,fa,51,a5,1a,d2,6d,d0,a0,1f,bf,f4,d2,a4,e1,\
fe,76,6a,9f,e6,4d,40,c8,d6,74,b1,b2,f0,8d,73,45,a8,55,a8,13,83,fa,17,5f,cf,\
03,0c,82,94,1c,4c,1d,71,ca,ff,16,68,02,3b,d9,e3,d4,a2,65,75,14,1b,8e,51,8b,\
23,89,10,a0,a2,28,9c,ff,78,ef,39,dc,7d,c7,f5,61,d4,f5,22,53,62,28,e7,56,d4,\
bc,c3,29,40,45,53,73,22,3b,ac,c3,ee,5a,09,0b,5d,5d,22,c3,84,1f,29,63,49,e8,\
9b,ea,56,eb,9b,83,5d,cb,fb,c0,ba,ee,10,ab,c7,ae,2c,a2,9b,14,3e,ea,5b,c4,87,\
4d,d0,6f,ef,4c,97,fc,be,57,84,ca,ea,c0,80,b6,e3,91,cb,89,5c,36,27,84,12,16,\
c5,ee,31,20,08,04,c4,66,ac,51,e7,35,86,6d,98,16,f1,54,45,9d,23,f7,29,1c,82,\
46,48,92,f2,dd,7a,35,95,1a,81,8a,48,6b,b0,94,08,11,5d,7b,0e,5c,bb,d6,18,81,\
b9,cb,f9,a3,26,71,c5,f8,5e,81,6f,6c,6f,00,33,be,20,7f,ec,c4,3d,13,4b,cb,f5,\
de,b7,dd,3d,3a,6c,72,01,88,c7,ec,71,a8,3c,85,11,9c,be,ad,02,ff,6d,86,be,c0,\
e7,80,e7,a0,b5,10,b9,7c,42,e9,01,28,8c,41,ad,e9,6c,7e,5b,a5,59,2e,5b,f3,09,\
10,65,a9,9d,12,70,20,f6,6c,1b,d6,80,74,ec,04,73,d2,6f,0c,14,65,94,ac,07,9c,\
a0,ca,c1,67,2e,4c,46,47,f3,98,b6,5a,ef,08,e5,67,7d,75,9f,ae,3e,be,31,53,e6,\
f2,88,d3,c7,60,9b,d5,cd,f1,a9,94,74,d1,86,9c,c6,a5,88,a0,96,5d,22,ae,63,20,\
28,19,21,04,ed,8b,16,b7,d7,e8,3f,4c,8c,5c,0c,ed,5c,20,30,ca,52,6a,d0,4a,e9,\
be,18,da,1f,1e,46,4d,e7,89,5c,94,32,f8,1e,b7,61,28,4e,18,47,86,f9,2f,bd,34,\
b6,5b,70,69,24,f2,e3,17,b2,da,7e,f8,d4,9d,7d,b8,19,5e,7c,6e,7f,53,98,e6,f5,\
04,d4,74,9b,a8,0e,ff,15,57,90,66,50,11,81,4b,09,e3,6e,33,e1,40,45,2b,ea,23,\
fc,e0,0c,63,21,b1,2b,61,45,0c,a0,52,a3,ac,4c,34,5f,f7,c4,3b,0e,15,e1,99,0b,\
b3,3e,d0,16,79,5b,17,5d,cb,b7,f8,30,0f,84,be,aa,20,17,91,93,17,21,b5,bb,9c,\
4d,61,b1,e8,76,3a,bc,c7,06,ef,ba,a1,93,e2,23,3d,a3,51,a4,17,d0,12,69,e6,67,\
f7,10,9c,b1,da,99,87,98,b9,87,ce,54,08,ac,47,b1,cc,4d,59,59,8c,26,a5,fd,78,\
81,1a,ae,0f,dd,1c,88,61,5b,6f,4f,13,4a,b2,ce,4d,47,e5,ec,e9,ef,21,74,5a,ad,\
bc,7e,18,e1,db,51,52,40,79,34,29,c5,76,aa,00,8d,f7,61,04,d4,04,9b,4c,74,bd,\
a8,64,b0,0c,c2,ac,9e,ea,9d,5c,31,cb,ea,95,77,9b,c7,10,02,3b,2a,cc,b6,d7,7a,\
e7,a8,33,60,11,48,98,87,87,a0,8b,99,ac,e8,96,1a,b2,99,47,91,b5,f3,6f,bb,b7,\
de,16,c2,29,67,b9,f9,89,db,52,8e,58,c8,89,18,89,f1,ee,05,9f,2d,45,45,1d,61,\
03,a5,65,9c,30,b9,1d,00,bb,d9,6f,9a,79,76,57,01,46,c0,8b,52,7b,32,e4,30,60,\
bb,a4,26,57,5c,5c,68,85,da,56,0e,08,38,f7,c7,23,4d,bb,30,b8,e9,86,d0,52,28,\
4a,ac,5b,1a,91,0b,a5,b0,f8,ec,49,df,f0,db,98,20,40,c5,bd,1c,bb,60,d7,44,a2,\
ec,7d,39,ba,86,ec,51,c3,03,62,7c,8c,15,59,da,57,84,7d,06,63,fa,fc,fb,2e,08,\
6a,73,c9,49,b8,20,35,37,c1,ea,48,fc,57,29,98,21,6a,28,ed,d3,6c,2f,62,36,66,\
30,23,6e,38,f5,a8,a5,45,67,6b,8d,4e,5e,45,7b,5e,da,7e,70,c9,52,71,d4,95,eb,\
ce,43,c0,e8,cd,e0,82,f6,9d,fe,37,b0,f4,ac,e3,d7,61,1c,b1,8b,36,e0,af,b1,62,\
68,21,35,7e,cd,14,30,03,07,a0,e1,51,9c,85,96,43,20,92,9a,a5,66,7e,4b,97,18,\
b3,ea,21,1f,f2,78,2a,2e,8b,62,1f,f9,82,d7,ed,64,db,b0,bf,13,87,5e,7a,d6,83,\
d1,f3,21,53,11,71,4a,0b,da,fa,03,f2,3c,f5,43,51,f5,23,e9,e4,4b,d0,e1,b2,15,\
1a,b2,d1,dd,09,a8,e3,cb,70,af,28,fd,6f,64,05,61,13,8e,f0,9c,a6,5e,3b,ad,b8,\
6f,b0,96,ee,7a,03,b9,74,18,4f,64,0d,b6,1c,2e,8c,f4,d3,a5,8f,30,c2,af,65,1d,\
6f,e7,87,ad,02,79,81,3a,99,49,d8,e7,68,d1,6c,8f,1e,14,00,00,00,31,70,61,1e,\
a3,1f,51,de,14,ee,36,67,34,e1,fd,b3,46,f8,9a,1a

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{65E97913-DADF-49EE-9D92-D64982A74E25}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65E97913-DADF-49EE-9D92-D64982A74E25}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65E97913-DADF-49EE-9D92-D64982A74E25}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65E97913-DADF-49EE-9D92-D64982A74E25}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E0CCE1C6-4A6E-4850-AA73-F591D3BCF874}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0CCE1C6-4A6E-4850-AA73-F591D3BCF874}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0CCE1C6-4A6E-4850-AA73-F591D3BCF874}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E0CCE1C6-4A6E-4850-AA73-F591D3BCF874}\InprocServer32]
@="C:\\WINDOWS\\system32\\wlwfaxui.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A594D58E-556A-4B14-A094-CD0B55AE7988}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A594D58E-556A-4B14-A094-CD0B55AE7988}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A594D58E-556A-4B14-A094-CD0B55AE7988}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A594D58E-556A-4B14-A094-CD0B55AE7988}\InprocServer32]
@="C:\\WINDOWS\\system32\\dnrpsetu.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{65E97913-DADF-49EE-9D92-D64982A74E25}"=-
"{E0CCE1C6-4A6E-4850-AA73-F591D3BCF874}"=-
"{A594D58E-556A-4B14-A094-CD0B55AE7988}"=-
[-HKEY_CLASSES_ROOT\CLSID\{65E97913-DADF-49EE-9D92-D64982A74E25}]
[-HKEY_CLASSES_ROOT\CLSID\{E0CCE1C6-4A6E-4850-AA73-F591D3BCF874}]
[-HKEY_CLASSES_ROOT\CLSID\{A594D58E-556A-4B14-A094-CD0B55AE7988}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/65E97913-DADF-49EE-9D92-D64982A74E25.reg (212 bytes security) (deflated 70%)
adding: backregs/A594D58E-556A-4B14-A094-CD0B55AE7988.reg (212 bytes security) (deflated 70%)
adding: backregs/E0CCE1C6-4A6E-4850-AA73-F591D3BCF874.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (140 bytes security) (deflated 79%)

#6 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:06:28 PM

Posted 11 October 2006 - 07:17 AM

Hi again, please post a fresh HijackThis log to here.

Then we'll continue :thumbsup:
UNITE & ASAP member since 2006
Posted Image
Posted Image

#7 gregafish

gregafish
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Location:norfolk engalnd
  • Local time:05:28 PM

Posted 11 October 2006 - 07:40 AM

Logfile of HijackThis v1.99.1
Scan saved at 13:37:15, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\greg\My Documents\CMSPEEDER2KXP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {114FD211-3FA3-6276-A0AB-6143B562F099} - C:\WINDOWS\system32\afzadeq.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bshee.exe
F2 - REG:system.ini: UserInit=userinit.exe,lnoipxe.exe
O2 - BHO: (no name) - {114FD211-3FA3-6276-A0AB-6143B562F099} - C:\WINDOWS\system32\afzadeq.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\greg\Desktop\Yinstall.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e25.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [jbureq] C:\WINDOWS\system32\kjqafs.exe reg_run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [gwbsg] C:\WINDOWS\system32\kjqafs.exe reg_run
O4 - HKCU\..\Run: [Pcaw] "C:\DOCUME~1\greg\APPLIC~1\CURITY~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Kuoxz] C:\Program Files\?icrosoft\w?wexec.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm801AXGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...133352D2D2D.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/FUploader/SpeedUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E066548-991B-4DD8-B5D6-F8372BF32ACC}: NameServer = 194.72.9.38 194.74.65.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\p6n8lg5u16.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\i024lafq1d2e.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


sorry il try to read ur posts better next time

Edited by gregafish, 11 October 2006 - 09:28 AM.


#8 gregafish

gregafish
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Location:norfolk engalnd
  • Local time:05:28 PM

Posted 11 October 2006 - 01:01 PM

i jst got a memory dump is that a problem

#9 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:06:28 PM

Posted 11 October 2006 - 01:19 PM

Hi again, we'll continue :thumbsup:

You should print these instructions or save these to a text file. Follow these instructions carefully.

At first, well have to disable AVG Anti-Spyware guard since it may interfere with our cleaning (We can enable it when you're clean)
  • Open AVG Anti-Spyware
  • Click Shield
  • Click under "resident shield is"
  • Change it to inactive
  • Close the program
1. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C: ) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
2. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

3. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select alcanshorty.bfu
  • Press Execute and let the program do itís job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows.

4.When normal mode:
  • Download this file - combofix.exe
  • Double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Edited by Mr_JAk3, 11 October 2006 - 01:23 PM.

UNITE & ASAP member since 2006
Posted Image
Posted Image

#10 gregafish

gregafish
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Location:norfolk engalnd
  • Local time:05:28 PM

Posted 11 October 2006 - 02:30 PM

hi i was wondering if u could give me an idea of how this is going im following but far from understanding
#
here are my logs:

greg - 06-10-11 20:04:58.86 Service Pack 2
ComboFix 06.10.11 - Running from: "C:\Documents and Settings\greg\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{FC1297CB-A681-4D87-9E1D-1007F9E380BE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FC1297CB-A681-4D87-9E1D-1007F9E380BE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FC1297CB-A681-4D87-9E1D-1007F9E380BE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FC1297CB-A681-4D87-9E1D-1007F9E380BE}\InprocServer32]
@="C:\\WINDOWS\\system32\\obethk32.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-10-10 11:23 127488 pgfdq.dat.qoo
06-10-10 18:04 374 jewgv.dll.qoo
06-10-09 14:28 53 npnllw.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\greg\Application Data\Dxccwrd.dll
C:\Documents and Settings\greg\Application Data\Dxcdmns.dll
C:\Documents and Settings\greg\Application Data\Dxcknwrd.dll
C:\Documents and Settings\greg\Application Data\Dxcuknwrd.dll
C:\WINDOWS\system32\bkd.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\MTE3NDI6ODoxNgV2.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Deskbar
C:\Program Files\Common Files\{3CC6E2E4-0683-1033-0822-02040201002c}
C:\Program Files\Common Files\{CCC6E2E4-0683-1033-0822-02040201002c}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\greg\Application Data\CURITY~1
C:\QooBox\Purity\Documents and Settings\greg\Application Data\CURITY~1\??curity
C:\QooBox\Purity\Program Files\ICROSO~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-11 to 2006-10-11 ))))))))))))))))))))))))))))))))))


2006-10-11 19:44 234,835 -r--s---- C:\WINDOWS\system32\lvn6095se.dll
2006-10-11 19:44 234,176 -r--s---- C:\WINDOWS\system32\obethk32.dll
2006-10-10 13:52 2 --a------ C:\WINDOWS\system32\wnsintcc.exe
2006-10-09 17:24 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-09 14:35 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-09 09:44 23,104 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-10-09 09:23 1,465 --a------ C:\yloi.exe
2006-10-09 09:23 1,233 --a------ C:\WINDOWS\system32\uwt8dd97.sys
2006-09-23 20:39 90,112 --a------ C:\WINDOWS\system32\dpl100.dll
2006-09-23 20:39 620,180 --a------ C:\WINDOWS\system32\divx.dll
2006-09-23 20:39 593,938 --a------ C:\WINDOWS\system32\x264vfw.dll
2006-09-23 20:39 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2006-09-23 20:39 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-09-23 20:39 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-09-23 20:39 200,704 --a------ C:\WINDOWS\system32\dtu100.dll
2006-09-23 20:39 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll
2006-09-23 20:39 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-10-11 20:06 -------- d-------- C:\Program Files\Common Files
2006-10-10 18:39 -------- d-------- C:\Program Files\HijackThis
2006-10-10 18:10 -------- d-------- C:\Program Files\Zone Labs
2006-10-09 17:24 -------- d-------- C:\Program Files\Grisoft
2006-10-09 14:35 -------- d-------- C:\Program Files\Internet Explorer
2006-10-09 14:30 -------- d-------- C:\Program Files\Java
2006-10-09 14:30 -------- d-------- C:\Documents and Settings\greg\Application Data\Sun
2006-10-09 10:53 -------- d-------- C:\Program Files\Lavasoft
2006-10-09 10:53 -------- d-------- C:\Documents and Settings\greg\Application Data\Lavasoft
2006-10-09 10:11 -------- d-------- C:\Documents and Settings\greg\Application Data\AVG7
2006-10-09 09:44 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-09 09:44 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-09 09:44 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-09 09:43 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-09 09:43 -------- d---s---- C:\Documents and Settings\greg\Application Data\Microsoft
2006-10-09 09:22 -------- d-------- C:\Program Files\Windows NT
2006-10-09 09:22 -------- d-------- C:\Program Files\MSN Messenger
2006-10-09 09:22 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-10-09 09:22 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-30 10:10 -------- d-------- C:\Program Files\Sports Interactive
2006-09-28 13:18 -------- d-------- C:\Documents and Settings\greg\Application Data\Google
2006-09-28 10:27 -------- d-------- C:\Program Files\Google
2006-09-23 20:39 -------- d-------- C:\Program Files\K-Lite Codec Pack
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 10:24 -------- d-------- C:\Program Files\OpenTTD
2006-08-16 09:54 -------- d-------- C:\Program Files\ttd
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"RealPlayer"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
"License Manager"="\"C:\\Program Files\\License_Manager\\license_manager.exe \" /silent"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"Pcaw"="\"C:\\DOCUME~1\\greg\\APPLIC~1\\CURITY~1\\nslookup.exe\" -vt yazb"
"Kuoxz"="C:\\Program Files\\?icrosoft\\w?wexec.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Browser Mouse\\mouse32a.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyjedida.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Windows NT\\hogy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Help.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\BT Broadband Help.lnk"
"backup"="C:\\WINDOWS\\pss\\BT Broadband Help.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\BTBROA~1\\Help\\bin\\matcli.exe -boot"
"item"="BT Broadband Help"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AVG7_EMC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgemc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DSLAGENTEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dslagent"
"hkey"="HKLM"
"command"="dslagent.exe USB"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\FaxCenterServer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fm3032"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\GSICONEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gsicon"
"hkey"="HKLM"
"command"="gsicon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Lexmark 2200 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxbvbmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark 2200 Series\\lxbvbmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\Msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Picasa Media Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PicasaMediaDetector"
"hkey"="HKLM"
"command"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\REGSHAVE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="REGSHAVE"
"hkey"="HKLM"
"command"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"InCDsrv"=dword:00000002
"IDriverT"=dword:00000003
"Avg7UpdSvc"=dword:00000002
"Avg7Alrt"=dword:00000002


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: 11/10/2006 20:23:05.01
ComboFix.txt




hijack this- :thumbsup:
Logfile of HijackThis v1.99.1
Scan saved at 20:24:42, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\greg\My Documents\CMSPEEDER2KXP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {114FD211-3FA3-6276-A0AB-6143B562F099} - C:\WINDOWS\system32\afzadeq.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {114FD211-3FA3-6276-A0AB-6143B562F099} - C:\WINDOWS\system32\afzadeq.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pcaw] "C:\DOCUME~1\greg\APPLIC~1\CURITY~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Kuoxz] C:\Program Files\?icrosoft\w?wexec.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm801AXGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...133352D2D2D.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/FUploader/SpeedUploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#11 gregafish

gregafish
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Location:norfolk engalnd
  • Local time:05:28 PM

Posted 12 October 2006 - 03:17 AM

i keep getting the memory demp blue screen is that a problem?

#12 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:06:28 PM

Posted 12 October 2006 - 04:10 AM

Hi again :thumbsup:

We are going to the rigth direction but there is still some cleaning to do...
Don't worry about that memory dump error, there are still infections so the errors propably disappear when you're clean.

Our next target is a rootkit named pe386:

1. Download gmer from http://www.gmer.net
2. Save it somewhere safe & unzip it to desktop
3. Double click the gmer.exe to run it and select the rootkit tab, press scan
4. When it has finished, right-click the entry highlighted in red - [System] pe386
5. Select 'Delete the service' & then reboot your machine.

Posted Image

6. Double click the gmer.exe to run it and select the rootkit tab, press scan
7. Once done, click the Copy button (This will copy the results to your clipboard)
9. Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.
UNITE & ASAP member since 2006
Posted Image
Posted Image

#13 gregafish

gregafish
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Location:norfolk engalnd
  • Local time:05:28 PM

Posted 12 October 2006 - 05:53 AM

i had some trouble with this i started a can then it went to memory dump so tried again the befor it had a cahnce to do it again i deleated the file when it came up then it said file failed to deleat or somthing of that nature, then a memory dump toook place. i then did another scan which worked however the file did bnot come up hear is the log:

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-12 11:45:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F9FBE85A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9FBE85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F7C2F2A0] vsdatant.sys
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F9A538B4] sfsync02.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL [F9A538B4] sfsync02.sys
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F9A538B4] sfsync02.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL [F9A538B4] sfsync02.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_INTERNAL_DEVICE_CONTROL [F9A538B4] sfsync02.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9FBE85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9FBE85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F7C2F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F9FBE85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F7C2F2A0] vsdatant.sys

---- Files - GMER 1.0.11 ----

ADS ...

---- EOF - GMER 1.0.11 ----




also here iss a hijck this log done after the above log

Logfile of HijackThis v1.99.1
Scan saved at 11:50:23, on 12/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\greg\My Documents\CMSPEEDER2KXP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {114FD211-3FA3-6276-A0AB-6143B562F099} - C:\WINDOWS\system32\afzadeq.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {114FD211-3FA3-6276-A0AB-6143B562F099} - C:\WINDOWS\system32\afzadeq.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pcaw] "C:\DOCUME~1\greg\APPLIC~1\CURITY~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Kuoxz] C:\Program Files\?icrosoft\w?wexec.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm801AXGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...133352D2D2D.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/FUploader/SpeedUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E066548-991B-4DD8-B5D6-F8372BF32ACC}: NameServer = 194.72.9.38 194.74.65.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#14 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:06:28 PM

Posted 12 October 2006 - 08:15 AM

Hi again, let's clean the rest :thumbsup:

You should print these instructions or save these to a text file. Follow these instructions carefully.
  • Run AVG Anti-Spyware
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Then, make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Copy the filenames below to a Notepad file and save it to your desktop! We will need the file later.

C:\Program Files\MSN Gaming Zone\kyjedida.html
C:\Program Files\Windows NT\hogy.html
C:\WINDOWS\system32\lvn6095se.dll
C:\WINDOWS\system32\obethk32.dll
C:\WINDOWS\system32\wnsintcc.exe
C:\yloi.exe
C:\WINDOWS\system32\uwt8dd97.sys

==================
Open Control Panel -> Add/Remove programs -> Remove all the of the following programs if found:

License Manager

Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"License Manager"=-
"Pcaw"=-
"Kuoxz"=-

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {114FD211-3FA3-6276-A0AB-6143B562F099} - C:\WINDOWS\system32\afzadeq.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {114FD211-3FA3-6276-A0AB-6143B562F099} - C:\WINDOWS\system32\afzadeq.dll (file missing)
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [Pcaw] "C:\DOCUME~1\greg\APPLIC~1\CURITY~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Kuoxz] C:\Program Files\?icrosoft\w?wexec.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm801AXGB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...133352D2D2D.exe
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following folders (if present):
C:\Program Files\License_Manager

Once in Safe Mode, please run Killbox.
Select "Delete on Reboot".
Select "Delete on Reboot".

Open the text file with the filenames in it, and copy the file names to the clipboard by highlighting them and pressing Control-C:

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart the computer to the safe mode again.

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, post the following logs to here:
- AVG's report
- a fresh HijackThis log

Edited by Mr_JAk3, 12 October 2006 - 08:15 AM.

UNITE & ASAP member since 2006
Posted Image
Posted Image

#15 gregafish

gregafish
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Location:norfolk engalnd
  • Local time:05:28 PM

Posted 12 October 2006 - 11:35 AM

hi agin,

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:21:03 12/10/2006

+ Scan result:



C:\!KillBox\lvn6095se.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP444\A0519660.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP445\A0522121.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP449\A0528363.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\obethk32.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP444\A0519915.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP444\A0519917.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP442\A0514595.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP442\A0514596.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP444\A0517598.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP444\A0519913.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP445\A0522137.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP444\A0519682.exe -> Downloader.Agent.azc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP445\A0522132.exe -> Downloader.Agent.azc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP444\A0519914.exe -> Downloader.PurityScan.dr : Cleaned with backup (quarantined).
C:\QooBox\pgfdq.dat.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP444\A0519670.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP444\A0519916.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP444\A0519928.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP444\A0519929.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP445\A0519949.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP444\A0519684.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\yloi.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{17B5BC27-9784-408B-A2A2-5DC46A2F1DDD}\RP445\A0522133.exe -> Dropper.Small : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 17:32:19, on 12/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\greg\My Documents\CMSPEEDER2KXP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/pro...133352D2D2D.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/FUploader/SpeedUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E066548-991B-4DD8-B5D6-F8372BF32ACC}: NameServer = 194.72.9.38 194.74.65.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

also do i finaly rermove items from avg quartine area




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users