Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

VX Better Internet - can´t get rid of it!


  • This topic is locked This topic is locked
10 replies to this topic

#1 bernieboy469

bernieboy469

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:46 PM

Posted 30 June 2004 - 02:35 PM

Hi, please help!

I have got the VX Better Internet on my machine and can´t get rid of it. I have tried the suggestions in the thread here from BENKATZ some days ago, but it fails. I have tried various things, also using MSCONFIG to reduce loaded things. I have also used ADMINISTRATOR, booted in safe mode etc. - nothing helped.

I followed the suggestions that PAPAKID gave to BENKATZ 2 weeks ago, but this daxxxx ADSMIB.DLL file always remains. The VX2FINDER program detects one or more programs, I remove them, I then do the other parts, but when I check afterwards, the .DLL is still there and also the registry entries. I can always delete some .DLL´s and also the registry keys, but never the ADSMIB.DLL file - no matter what I do. On reboot, the same happens.

I even tried a Windows 98 boot diskette - luckily the disk is FAT32 - I can see the .DLL but as it is hidden and system, you can´t delete it. And the ATTRIB command refuses to work on a system file.

I of course had detached the wireless and cable connection when I tried to repair.

I use Keon desktop, Quickplace to connect back to the company.

The logs below are from when I ran the computer with the minimum possible configuration - the VX stuff is incredibly clever!

Please tell me what I can do - would like to avoid reformatting everything.


HIJACK log:
Logfile of HijackThis v1.97.7
Scan saved at 20:51:56, on 30.06.2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
D:\DATA\Meine empfangenen Dateien\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.home.mars/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.mars/ie4.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.home.mars/ie4.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SDS
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.home.mars/ie4.asp
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\system32\msconfig.exe /auto
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\rsa security\rsa keon desktop\system\mlr.dll
O10 - Unknown file in Winsock LSP: c:\program files\rsa security\rsa keon desktop\system\mlr.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.home.mars/ie4.asp
O16 - DPF: Sametime Meeting Room Client ST25PF1 - http://sametime.eu.mars/sametime/stmeeting...gRoomClient.cab
O16 - DPF: Sametime MRC 651 - http://iswsn71.isw.eu.mars/sametime/stmeet...gRoomClient.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://teamspace.na.mars/qp2.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://www.home.mars/ActiveX/nwdir.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://iswsn71.isw.eu.mars/sametime/STMeet...STJNILoader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - http://sametime.eu.mars/sametime/stmeeting...STJNILoader.cab
O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - http://scpwda.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BRK.EU.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BRK.EU.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = brk.eu.mars,eu.mars,mars,na.mars,ap.mars,sa.mars,cds.mars
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BRK.EU.MARS
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = brk.eu.mars,eu.mars,mars,na.mars,ap.mars,sa.mars,cds.mars
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = brk.eu.mars,eu.mars,mars,na.mars,ap.mars,sa.mars,cds.mars


VX2FINDER log:

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINNT\system32\adsmib.dll


Guardian Key--- is called: GuardianWYWNK
Asynchronous 000
DllName C:\WINNT\system32\adsmib.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {A2F23D07-1B46-499D-9C4E-D52EA32DFB23}
IDex DS3

User Agent String---
{A2F23D07-1B46-499D-9C4E-D52EA32DFB23}

BC AdBot (Login to Remove)

 


m

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:46 PM

Posted 30 June 2004 - 04:19 PM

I know you have already probasbly done this, but humor me and try one more time.

Ok do this:

Sign off and stay off the internet until the entire procedure is complete.

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

Put a check mark next to each file.
Then select the *Delete these files* button.
You will be left with notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (Reboot)

Once back in Windows

Open VX2Finder again and click on these buttons in the right pane:

user agent, Guardian.reg, restore policy

Exit and reboot.

Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Post it here with a fresh HijackThis log please.

#3 bernieboy469

bernieboy469
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:46 PM

Posted 01 July 2004 - 03:49 AM

Hi...I did what you said and the strange thing is: It tells me it deleted the ADSMIB.DLL (it disappears from the list) but it does not ask for a reboot.

Here is what I did:

Off network
normal boot without MSConfig restrictions
Have Spyblaster enabled now again which I had off yesterday
The VX2Finder is 110592 bytes (doesn´t show version number)
I am administrator

When I put checkmarks next to the 2 files appearing in list and delete them, it asks and then deletes - disappear from the list.

I then rebooted as said and next time, the ADSMIB.DLL is there again.
Then did the 3 buttons as requested and rebooted - again see ADSMIB.DLL

I then did all in one go: Delete files, User agent, Guardian.reg, Restore policy. It reboots and then I can again see this damn.. ADSMIB.DLL.

It just appears not to delete any of those... When I open regedit, it is located on the position of this Guardian string after I tried to delete it but it simply did not delete it.

Here is the log as of now (before this reboot)
Log for VX2.BetterInternet File Finder

Files Found---
C:\WINNT\system32\adsmib.dll


Guardian Key--- is called: GuardianTCOFU
Asynchronous 000
DllName C:\WINNT\system32\adsmib.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {A2F23D07-1B46-499D-9C4E-D52EA32DFB23}
IDex DS3

User Agent String---
{A2F23D07-1B46-499D-9C4E-D52EA32DFB23}

Logfile of HijackThis v1.97.7Scan saved at 10:15:51, on 01.07.2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\RSA Security\RSA Keon Desktop\system\sdlss.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\RSA Security\RSA Keon Desktop\System\SDTray.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\ndpsrv.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\SDSUTILS\clntrust.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Apoint\Apntex.exe
D:\DATA\Meine empfangenen Dateien\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.home.mars/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.mars/ie4.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.home.mars/ie4.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SDS
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.home.mars/ie4.asp
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\RSA Keon Desktop\System\SDTray.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ND-Osiris] ndpsrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [ClientTrust] C:\WINNT\SDSUTILS\CLNTRUST.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\rsa security\rsa keon desktop\system\mlr.dll
O10 - Unknown file in Winsock LSP: c:\program files\rsa security\rsa keon desktop\system\mlr.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.home.mars/ie4.asp
O16 - DPF: Sametime Meeting Room Client ST25PF1 - http://sametime.eu.mars/sametime/stmeeting...gRoomClient.cab
O16 - DPF: Sametime MRC 651 - http://iswsn71.isw.eu.mars/sametime/stmeet...gRoomClient.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://teamspace.na.mars/qp2.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://www.home.mars/ActiveX/nwdir.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://iswsn71.isw.eu.mars/sametime/STMeet...STJNILoader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - http://sametime.eu.mars/sametime/stmeeting...STJNILoader.cab
O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - http://scpwda.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BRK.EU.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BRK.EU.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = brk.eu.mars,eu.mars,mars,na.mars,ap.mars,sa.mars,cds.mars
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BRK.EU.MARS
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = brk.eu.mars,eu.mars,mars,na.mars,ap.mars,sa.mars,cds.mars
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = brk.eu.mars,eu.mars,mars,na.mars,ap.mars,sa.mars,cds.mars


This SVCHOST entries look odd to me - I also tried yesterday to delete the processes when I was on the minimum boot configuration - nope.

I have also a log from AdAware - maybe this helps. Interesting that it does not recognize the ADSMIB.DLL. only the other one that exists now.

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Donnerstag, 01. Juli 2004 10:38:13
Created with Ad-aware Personal, free for private use.
Using reference-file :01R325 27.06.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


01.07.2004 10:38:13 - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 01.07.2004 08:17:18
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ThreadCreationTime : 01.07.2004 08:17:25
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 01.07.2004 08:17:26
BasePriority : Normal
FileSize : 86 KB
FileVersion : 5.00.2195.3940
ProductVersion : 5.00.2195.3940
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 31.12.1979 22:00:00
Last accessed : 30.06.2004 22:00:00
Last modified : 22.07.2002 10:05:04

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 01.07.2004 08:17:26
BasePriority : Normal
FileSize : 32 KB
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
OriginalFilename : lsasrv.dll and lsass.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 31.12.1979 22:00:00
Last accessed : 30.06.2004 22:00:00
Last modified : 25.02.2004 23:59:08

#:5 [scardsvr.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 01.07.2004 08:17:28
BasePriority : Normal
FileSize : 96 KB
FileVersion : 5.00.2195.3649
ProductVersion : 5.00.2195.3649
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Smart Card Resource Management Server
InternalName : SCardSvr.exe
OriginalFilename : SCardSvr.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 31.12.1979 22:00:00
Last accessed : 30.06.2004 22:00:00
Last modified : 22.07.2002 10:05:04

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 01.07.2004 08:17:29
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 31.12.1979 22:00:00
Last accessed : 30.06.2004 22:00:00
Last modified : 08.05.2001 11:00:00

#:7 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 01.07.2004 08:17:34
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 31.12.1979 22:00:00
Last accessed : 30.06.2004 22:00:00
Last modified : 08.05.2001 11:00:00

#:8 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 01.07.2004 08:17:35
BasePriority : Normal
FileSize : 44 KB
FileVersion : 5.00.2195.4299
ProductVersion : 5.00.2195.4299
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
OriginalFilename : spoolss.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 01.12.2003 12:24:17
Last accessed : 30.06.2004 22:00:00
Last modified : 22.07.2002 10:05:04

#:9 [ati2evxx.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 01.07.2004 08:17:35
BasePriority : Normal
FileSize : 144 KB
Created on : 31.12.1979 22:00:00
Last accessed : 30.06.2004 22:00:00
Last modified : 03.01.2003 14:40:00

#:10 [defwatch.exe]
FilePath : C:\Program Files\NavNT\
ThreadCreationTime : 01.07.2004 08:17:35
BasePriority : Normal
FileSize : 32 KB
FileVersion : 7, 50, 0, 1
ProductVersion : 7, 50, 0, 1
Copyright : Copyright
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
OriginalFilename : DefWatch.exe
ProductName : Norton AntiVirus
Created on : 09.10.2000 05:50:00
Last accessed : 30.06.2004 22:00:00
Last modified : 09.10.2000 05:50:00

#:11 [rtvscan.exe]
FilePath : C:\Program Files\NavNT\
ThreadCreationTime : 01.07.2004 08:17:36
BasePriority : Normal
FileSize : 420 KB
FileVersion : 7.50.00.846
ProductVersion : 7.50.00.846
Copyright : Copyright © Symantec Corporation 1991-2000
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus
ProductName : Norton AntiVirus
Created on : 25.10.2000 05:50:02
Last accessed : 30.06.2004 22:00:00
Last modified : 25.10.2000 05:50:02

#:12 [regsvc.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 01.07.2004 08:17:45
BasePriority : Normal
FileSize : 65 KB
FileVersion : 5.00.2195.3649
ProductVersion : 5.00.2195.3649
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
OriginalFilename : REGSVC.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 31.12.1979 22:00:00
Last accessed : 30.06.2004 22:00:00
Last modified : 22.07.2002 10:05:04

#:13 [mstask.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 01.07.2004 08:17:46
BasePriority : Normal
FileSize : 115 KB
FileVersion : 4.71.2195.1
ProductVersion : 4.71.2195.1
Copyright : Copyright © Microsoft Corp. 1997
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 01.12.2003 12:31:02
Last accessed : 30.06.2004 22:00:00
Last modified : 22.07.2002 10:05:04

#:14 [sdlss.exe]
FilePath : C:\Program Files\RSA Security\RSA Keon Desktop\system\
ThreadCreationTime : 01.07.2004 08:17:46
BasePriority : Normal
FileSize : 120 KB
FileVersion : 2.00.0.030
ProductVersion : 2.00.0.030
Copyright : Copyright
CompanyName : RSA Security Inc.
FileDescription : LSS Base Module
InternalName : sdlss.exe
OriginalFilename : sdlss.exe
ProductName : RSA Keon Desktop
Created on : 07.12.2001 12:50:02
Last accessed : 30.06.2004 22:00:00
Last modified : 07.12.2001 12:50:02

#:15 [uphclean.exe]
FilePath : C:\Program Files\UPHClean\
ThreadCreationTime : 01.07.2004 08:17:46
BasePriority : Normal
FileSize : 188 KB
FileVersion : 1.5.5.21
ProductVersion : 1.5e
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : User Profile Hive Cleanup Service
InternalName : UPHClean
OriginalFilename : uphclean.exe
ProductName : User Profile Hive Cleanup Service
Created on : 04.03.2004 22:45:34
Last accessed : 30.06.2004 22:00:00
Last modified : 04.03.2004 22:45:34

#:16 [vsmon.exe]
FilePath : C:\WINNT\system32\ZONELABS\
ThreadCreationTime : 01.07.2004 08:17:47
BasePriority : Normal
FileSize : 893 KB
FileVersion : 5.0.590.043
ProductVersion : 5.0.590.043
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 05.06.2004 13:04:09
Last accessed : 30.06.2004 22:00:00
Last modified : 16.06.2004 02:47:36

#:17 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ThreadCreationTime : 01.07.2004 08:17:50
BasePriority : Normal
FileSize : 192 KB
FileVersion : 1.50.1085.0070
ProductVersion : 1.50.1085.0070
Copyright : Copyright © Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 31.12.1979 22:00:00
Last accessed : 30.06.2004 22:00:00
Last modified : 22.07.2002 10:05:04

#:18 [wltrysvc.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 01.07.2004 08:17:50
BasePriority : Normal
FileSize : 44 KB
Created on : 01.12.2003 12:32:34
Last accessed : 30.06.2004 22:00:00
Last modified : 27.01.2003 07:38:04

#:19 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 01.07.2004 08:17:50
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 31.12.1979 22:00:00
Last accessed : 30.06.2004 22:00:00
Last modified : 08.05.2001 11:00:00

#:20 [bcmwltry.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 01.07.2004 08:17:50
BasePriority : Normal
FileSize : 180 KB
FileVersion : 3.10.39.0
ProductVersion : 3.10.39.0
Copyright : 1998-2002, Broadcom Corporation All Rights Reserved.
CompanyName : Broadcom Corporation
FileDescription : Wireless Network Tray Applet
InternalName : bcmwltry.exe
OriginalFilename : bcmwltry.exe
ProductName : Wireless Network Tray Applet
Created on : 01.12.2003 12:32:34
Last accessed : 30.06.2004 22:00:00
Last modified : 27.01.2003 07:38:04

#:21 [msgsys.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 01.07.2004 08:17:55
BasePriority : Normal
FileSize : 14 KB
FileVersion : 6.0.201.0940 E
ProductVersion : 6.0
Copyright : Copyright
CompanyName : Intel Corporation
FileDescription : CBA -- Message System
InternalName : MsgExe
OriginalFilename : MsgSys.EXE
ProductName : Intel Common Base Agent
Created on : 18.09.2000 15:12:40
Last accessed : 30.06.2004 22:00:00
Last modified : 18.09.2000 15:12:40

#:22 [explorer.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 01.07.2004 08:18:20
BasePriority : Normal
FileSize : 237 KB
FileVersion : 5.00.3502.5321
ProductVersion : 5.00.3502.5321
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 31.12.1979 22:00:00
Last accessed : 30.06.2004 22:00:00
Last modified : 22.07.2002 10:05:04

#:23 [nwtray.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 01.07.2004 08:18:23
BasePriority : Normal
FileSize : 28 KB
FileVersion : v4.83
ProductVersion : v4.83
Copyright : Copyright
CompanyName : Novell, Inc.
FileDescription : Novell System Tray Icon
OriginalFilename : NWTRAY.EXE
ProductName : Novell Client for Windows
Created on : 15.04.2004 07:29:13
Last accessed : 30.06.2004 22:00:00
Last modified : 18.12.2001 11:24:56

#:24 [zlclient.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ThreadCreationTime : 01.07.2004 08:18:24
BasePriority : Normal
FileSize : 681 KB
FileVersion : 5.0.590.043
ProductVersion : 5.0.590.043
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : Zone Labs Client
InternalName : zlclient
OriginalFilename : zlclient.exe
ProductName : Zone Labs Client
Created on : 22.02.2004 12:28:35
Last accessed : 30.06.2004 22:00:00
Last modified : 16.06.2004 02:48:24

#:25 [vptray.exe]
FilePath : C:\Program Files\NavNT\
ThreadCreationTime : 01.07.2004 08:18:24
BasePriority : Normal
FileSize : 52 KB
FileVersion : 7.50.00.846
ProductVersion : 7.50.00.846
Copyright : Copyright © Symantec Corporation 1991-2000
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus
ProductName : Norton AntiVirus
Created on : 09.10.2000 05:50:00
Last accessed : 30.06.2004 22:00:00
Last modified : 09.10.2000 05:50:00

#:26 [sdtray.exe]
FilePath : C:\Program Files\RSA Security\RSA Keon Desktop\System\
ThreadCreationTime : 01.07.2004 08:18:24
BasePriority : Normal
FileSize : 28 KB
FileVersion : 2.00.0.030
ProductVersion : 2.00.0.030
Copyright : Copyright
CompanyName : RSA Security Inc.
FileDescription : Tray Icon
InternalName : SDTRAY.EXE
OriginalFilename : SDTRAY.EXE
ProductName : RSA Keon Desktop
Created on : 07.12.2001 12:49:58
Last accessed : 30.06.2004 22:00:00
Last modified : 07.12.2001 12:49:58

#:27 [prpcui.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 01.07.2004 08:18:25
BasePriority : Normal
FileSize : 44 KB
FileVersion : 3.0.0.0
ProductVersion : 3.0.0.0
Copyright : Copyright
CompanyName : Intel Corporation
FileDescription : Intel® SpeedStep™ technology User Interface
InternalName : prpcui.exe
OriginalFilename : prpcui.exe
ProductName : Intel® SpeedStep™ technology applet
Created on : 08.01.2004 09:57:52
Last accessed : 30.06.2004 22:00:00
Last modified : 07.10.2002 01:00:08

#:28 [ndpsrv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 01.07.2004 08:18:25
BasePriority : Normal
FileSize : 36 KB
Created on : 12.11.2001 14:37:42
Last accessed : 30.06.2004 22:00:00
Last modified : 12.11.2001 14:37:54

#:29 [hpztsb06.exe]
FilePath : C:\WINNT\System32\spool\drivers\w32x86\3\
ThreadCreationTime : 01.07.2004 08:18:25
BasePriority : Normal
FileSize : 184 KB
FileVersion : 2,133,0,0
ProductVersion : 2,133,0,0
Copyright : Copyright © Hewlett-Packard Company 1999-2002
CompanyName : HP
ProductName : HP DeskJet
Created on : 04.12.2003 07:50:40
Last accessed : 30.06.2004 22:00:00
Last modified : 11.07.2002 10:55:00

#:30 [createcd50.exe]
FilePath : C:\Program Files\Common Files\Adaptec Shared\CreateCD\
ThreadCreationTime : 01.07.2004 08:18:25
BasePriority : Normal
FileSize : 128 KB
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
Copyright : Copyright © 1999-2002 Roxio, Inc.
CompanyName : Roxio
FileDescription : Roxio Create CD
InternalName : createcd.exe
OriginalFilename : createcd.exe
ProductName : Easy CD Creator
Created on : 17.12.2002 11:14:14
Last accessed : 30.06.2004 22:00:00
Last modified : 17.12.2002 11:14:14

#:31 [carpserv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 01.07.2004 08:18:26
BasePriority : Normal
FileSize : 4 KB
FileVersion : 5.03.21.05
ProductVersion : 5.03.21.05
Copyright : Copyright
CompanyName : Conexant Systems
FileDescription : carpserv
InternalName : carpserv
OriginalFilename : carpserv.exe
ProductName : Conexant carpserv
Created on : 31.12.1979 22:00:00
Last accessed : 30.06.2004 22:00:00
Last modified : 17.10.2002 08:54:04

#:32 [clntrust.exe]
FilePath : C:\WINNT\SDSUTILS\
ThreadCreationTime : 01.07.2004 08:18:26
BasePriority : Normal
FileSize : 30 KB
Created on : 31.12.1979 22:00:00
Last accessed : 30.06.2004 22:00:00
Last modified : 20.09.1999 14:25:40

#:33 [atiptaxx.exe]
FilePath : C:\Program Files\ATI Technologies\ATI Control Panel\
ThreadCreationTime : 01.07.2004 08:18:26
BasePriority : Normal
FileSize : 328 KB
FileVersion : 6.14.10.5072
ProductVersion : 6.14.10.5072
Copyright : Copyright © 1998-2002 ATI Technologies Inc.
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
OriginalFilename : Atiptaxx.exe
ProductName : ATI Desktop Component
Created on : 26.01.2004 19:33:05
Last accessed : 30.06.2004 22:00:00
Last modified : 25.11.2003 19:10:00

#:34 [apoint.exe]
FilePath : C:\Program Files\Apoint\
ThreadCreationTime : 01.07.2004 08:18:27
BasePriority : Normal
FileSize : 140 KB
FileVersion : 5.4.101.113
ProductVersion : 5.4.101.113
Copyright : Copyright © 1999-2002 Alps Electric Co., Ltd.
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
OriginalFilename : Apoint.exe
ProductName : Alps Pointing-device Driver
Created on : 22.08.2002 17:28:14
Last accessed : 30.06.2004 22:00:00
Last modified : 22.08.2002 17:28:14

#:35 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
ThreadCreationTime : 01.07.2004 08:18:28
BasePriority : Normal
FileSize : 668 KB
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
Copyright : Copyright © 2001,2002, Roxio, Inc.
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
OriginalFilename : Directcd.exe
ProductName : DirectCD
Created on : 17.12.2002 10:28:00
Last accessed : 30.06.2004 22:00:00
Last modified : 17.12.2002 10:28:00

#:36 [mmmanager.exe]
FilePath : C:\Documents and Settings\kuntzber\Application Data\Map Maker\
ThreadCreationTime : 01.07.2004 08:18:29
BasePriority : Normal
FileSize : 93 KB
Created on : 03.12.2003 13:06:51
Last accessed : 30.06.2004 22:00:00
Last modified : 17.10.2002 14:06:02

#:37 [psnotes.exe]
FilePath : C:\Program Files\3M\PSNotes\
ThreadCreationTime : 01.07.2004 08:18:31
BasePriority : Normal
FileSize : 1495 KB
FileVersion : 1.5.320.240
ProductVersion : 1.5.320.240
CompanyName : 3M
FileDescription : Post-it® Software Notes
InternalName : PSNotes
OriginalFilename : PSNotes.exe
ProductName : Post-it® Software Notes
Created on : 04.12.2003 07:12:57
Last accessed : 30.06.2004 22:00:00
Last modified : 16.11.1996 13:19:00

#:38 [connect.exe]
FilePath : C:\Program Files\Lotus\SameTime Client 3.0\
ThreadCreationTime : 01.07.2004 08:18:31
BasePriority : High
FileSize : 1236 KB
FileVersion : 3, 2, 0, 12
ProductVersion : 3, 2, 0, 12
Copyright : Copyright © 1998-2000
CompanyName : Lotus Development Corporation
FileDescription : Sametime Connect Application
InternalName : Connect
OriginalFilename : Connect.EXE
ProductName : Sametime Connect
Created on : 24.05.2004 12:55:35
Last accessed : 30.06.2004 22:00:00
Last modified : 22.10.2002 10:23:00

#:39 [apntex.exe]
FilePath : C:\Program Files\Apoint\
ThreadCreationTime : 01.07.2004 08:18:32
BasePriority : Normal
FileSize : 32 KB
FileVersion : 5.0.1.13
ProductVersion : 5.0.1.13
Copyright : Copyright © 1998-2001 Alps Electric Co., Ltd.
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for Windows NT/2000
InternalName : Alps Pointing-device Driver for Windows NT/2000
OriginalFilename : ApntEx.exe
ProductName : Alps Pointing-device Driver for Windows NT/2000
Created on : 13.07.2001 08:44:24
Last accessed : 30.06.2004 22:00:00
Last modified : 13.07.2001 08:44:24

#:40 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 01.07.2004 08:20:42
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 29.08.2002 05:14:40
Last accessed : 30.06.2004 22:00:00
Last modified : 29.08.2002 05:14:40

#:41 [excel.exe]
FilePath : C:\Program Files\Microsoft Office\Office\
ThreadCreationTime : 01.07.2004 08:29:36
BasePriority : High
FileSize : 5488 KB
Created on : 31.05.1998 22:00:00
Last accessed : 30.06.2004 22:00:00
Last modified : 31.05.1998 22:00:00

#:42 [ad-aware.exe]
FilePath : D:\PROGRA~1\LAVASOFT\AD-AWA~1\
ThreadCreationTime : 01.07.2004 08:38:05
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 07.05.2004 11:45:56
Last accessed : 30.06.2004 22:00:00
Last modified : 12.07.2003 19:00:20

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Policies\Microsoft\Internet Explorer\Control Panel
Value : Homepage
Data :


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 2


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

VX2 Object recognized!
Type : File
Data : ayledit.dll
Object : C:\WINNT\system32\
FileSize : 309 KB
Created on : 30.06.2004 18:44:40
Last accessed : 30.06.2004 22:00:00
Last modified : 20.06.2004 03:02:44




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 3


10:39:45 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:01:32:212
Objects scanned :49354
Objects identified :3
Objects ignored :0
New objects :3

#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:46 PM

Posted 01 July 2004 - 09:34 AM

Hello bernie,
Let's try something different. AdAware now has a plugin that is supposed to clean up VX2. If this doesn't work, we'll look into why VX2Finder isn't working for you.

1. Be sure to update the reference file. The most recent is 01R325 27.06.2004.

2. Reconfigure Ad-Aware for Full Scan as per the following instructions:

* Launch the program, and click on the Gear at the top of the start screen.
* Click the "Scanning" button (On the left side).
* Under Drives & Folders, select "Scan within Archives" (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
* Click "Click here to select Drives + folders" and select your installed hard drives.
* Under Memory & Registry, select all options.
* Click the "Advanced" button (On the left hand side).
* Under "Log-file detail", select all options.
* Click the "Tweak" button (Again, on the left hand side).
* Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
o "Include additional Ad-aware settings in logfile"
o "Unload recognized processes during scanning."
* Under "Cleaning Engine", select the following:
o "Automatically try to unregister objects prior to deletion."
o "Let Windows remove files in use after reboot."
* Click on "Proceed" to save these Preferences.
* Click on the "Scan Now" button on the left.
* Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
* Select "Activate in-Depth scan".

3. Install and run the VX2 Cleaner plug-in

Close Ad-Aware 6.
Download the free VX2 Cleaner here.
Install the VX2 Cleaner.
Start Ad-Aware and click on "Plug-ins".
Select the VX2 Cleaner plug-in and click "Run Plugin".
If your computer isn’t infected, click "Close".

If your computer is infected:
Select "Clean System".
Reboot your computer.
Scan your computer with Ad-Aware.
Remove any VX2 objects detected.
Reboot your computer again.
Run a second scan to make sure the files have been removed from your computer.

Whether AdAware says you're infected with VX2 or not, post a VX2Finder log to confirm and let us know what you did. If the problem file is removed, post another HijackThis log.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#5 bernieboy469

bernieboy469
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:46 PM

Posted 01 July 2004 - 02:25 PM

PapaKid, you are a guru!!! :trumpet:

Big, big thanks!!! I have a friend who has exactly the same problem - he had spent most of the night fixing - I will forward the hints to him and say already now "Thanks!" in his name! :flowers:

It worked in the end. It was a bit more iterative...

I had already the latest revision for AdAware.
Changed the parameters according to your reply.
Much better result.
First time it found 3 VX files and also some others that had not been detected so far - not by SpyBot 1.3, AdAware 6.0 and SpyBlaster...

AdAware log 1Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Virtumundo Object recognized!
Type : File
Data : wincore.dll
Category : Data Miner
Comment :
Object : C:\TEMP\
FileSize : 184 KB
FileVersion : 0, 403, 19, 1928
ProductVersion : 1, 1, 0, 0
Copyright : Copyright 2003
InternalName : wincore.dll
OriginalFilename : wincore.dll
ProductName : TargetSoft
Created on : 20.06.2004 03:04:30
Last accessed : 30.06.2004 22:00:00
Last modified : 20.06.2004 03:04:34



Virtumundo Object recognized!
Type : File
Data : cidrules.dll
Category : Data Miner
Comment :
Object : C:\TEMP\
FileSize : 108 KB
FileVersion : 0, 402, 23, 1953
ProductVersion : 1, 1, 0, 0
Copyright : Copyright
CompanyName : Virtumundo, Inc.
FileDescription : cidrules
InternalName : cidrules
OriginalFilename : cidrules.dll
ProductName : Virtumundo, Inc. cidrules
Created on : 20.06.2004 03:04:33
Last accessed : 30.06.2004 22:00:00
Last modified : 20.06.2004 03:04:36



Virtumundo Object recognized!
Type : File
Data : inetadpt.dll
Category : Data Miner
Comment :
Object : C:\TEMP\
FileSize : 192 KB
FileVersion : 0, 403, 29, 1705
ProductVersion : 1, 1, 0, 0
Copyright : Copyright 2003
InternalName : inetadpt.dll
OriginalFilename : inetadpt.dll
ProductName : TargetSoft
Created on : 20.06.2004 03:04:35
Last accessed : 30.06.2004 22:00:00
Last modified : 20.06.2004 03:04:38



Virtumundo Object recognized!
Type : File
Data : winhost32.exe
Category : Data Miner
Comment :
Object : C:\TEMP\
FileSize : 96 KB
FileVersion : 0, 310, 14, 1115
ProductVersion : 1, 0, 0, 0
OriginalFilename : winhost32.exe
ProductName : TargetSoft
Created on : 20.06.2004 03:04:29
Last accessed : 30.06.2004 22:00:00
Last modified : 20.06.2004 03:04:32



VX2 Object recognized!
Type : File
Data : ayledit.dll
Category : Data Miner
Comment :
Object : C:\WINNT\system32\
FileSize : 309 KB
Created on : 30.06.2004 18:44:40
Last accessed : 30.06.2004 22:00:00
Last modified : 20.06.2004 03:02:44



VX2 Object recognized!
Type : File
Data : updinstall.exe
Category : Data Miner
Comment :
Object : C:\WINNT\system\
FileSize : 239 KB
Created on : 20.04.2004 23:44:20
Last accessed : 30.06.2004 22:00:00
Last modified : 20.06.2004 03:02:44



SecondThought Object recognized!
Type : File
Data : install026.exe
Category : Data Miner
Comment :
Object : C:\WINNT\Downloaded Program Files\
FileSize : 23 KB
Created on : 10.12.2003 09:55:00
Last accessed : 30.06.2004 22:00:00
Last modified : 10.12.2003 09:55:02

I then let it remove the stuff and it deleted everything.
Then installed the Plugin that I had downloaded before (did the whole clean procedure unplugged from network)
Plugin said it prepared everything.
Reboot
AdAware did not pop up automatically
Manual start.
AdAware run again, came up only with 1 NEW file!

AdAware log 2Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

VX2 Object recognized!
Type : File
Data : adsmib.dll
Category : Data Miner
Comment :
Object : C:\WINNT\system32\
FileSize : 309 KB
Created on : 20.06.2004 03:02:42
Last accessed : 30.06.2004 22:00:00
Last modified : 20.06.2004 03:02:44

Then run plugin again.
Reboot
This time, AdAware kicked in during startup and was able to delete the CRAP
Reboot
AdAware was clean!!! :thumbsup:

I then had a Guardian Key still existing that I deleted with the VX2finder utility.
Here is the VX2finder log:

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---

Here is the HiJackThis log after all cleanups:
Logfile of HijackThis v1.97.7
Scan saved at 20:44:40, on 01.07.2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\RSA Security\RSA Keon Desktop\system\sdlss.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\RSA Security\RSA Keon Desktop\System\SDTray.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\ndpsrv.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\SDSUTILS\clntrust.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Documents and Settings\kuntzber\Application Data\Map Maker\MMManager.exe
C:\Program Files\3M\PSNotes\PSNOTES.EXE
C:\Program Files\Apoint\Apntex.exe
d:\data\Meine empfangenen Dateien\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.home.mars/ie4.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SDS
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://webproxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*,*.mars;<local>
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\RSA Keon Desktop\System\SDTray.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ND-Osiris] ndpsrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [ClientTrust] C:\WINNT\SDSUTILS\CLNTRUST.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - Startup: SunClock5.lnk = C:\Documents and Settings\kuntzber\Application Data\Map Maker\MMManager.exe
O4 - Startup: SameTime Connect 3.0.lnk = C:\WINNT\SDSUTILS\UPDATE2K.EXE
O4 - Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes\PSNOTES.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\rsa security\rsa keon desktop\system\mlr.dll
O10 - Unknown file in Winsock LSP: c:\program files\rsa security\rsa keon desktop\system\mlr.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.home.mars/ie4.asp
O16 - DPF: Sametime Meeting Room Client ST25PF1 - http://sametime.eu.mars/sametime/stmeeting...gRoomClient.cab
O16 - DPF: Sametime MRC 651 - http://iswsn71.isw.eu.mars/sametime/stmeet...gRoomClient.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://teamspace.na.mars/qp2.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://www.home.mars/ActiveX/nwdir.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://iswsn71.isw.eu.mars/sametime/STMeet...STJNILoader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - http://sametime.eu.mars/sametime/stmeeting...STJNILoader.cab
O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - http://scpwda.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BRK.EU.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BRK.EU.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = brk.eu.mars,eu.mars,mars,na.mars,ap.mars,sa.mars,cds.mars
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BRK.EU.MARS
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = brk.eu.mars,eu.mars,mars,na.mars,ap.mars,sa.mars,cds.mars
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = brk.eu.mars,eu.mars,mars,na.mars,ap.mars,sa.mars,cds.mars

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:46 PM

Posted 01 July 2004 - 03:34 PM

Great job Papakid!

Few things i want you to check :

Fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.home.mars/ie4.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SDS
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com


Do you know what this is? Is it part of your netware setup?


O4 - HKLM\..\Run: [ND-Osiris] ndpsrv.exe

Right click on c:\winnt\system32\ndpsrv.exe and see if you can see what it is

#7 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:46 PM

Posted 01 July 2004 - 11:31 PM

Hey, thanks for the kudos, Bernie, just glad you got rid of that thing and you deserve a pat on the back for seeing it thru. Hope your friend has similar success. I'm not really much of a guru (except at being a newbie) at this, I just pick the brains of people who are. :thumbsup: I thank you for confirming that the AdAware plugin can remove this. What you've related is new information, at least to me. We're always learning from people's experiences and finding new and better ways to help rid people of this scumware. So you've contributed to the knowledge base.

I'm not sure why VX2Finder didn't work. It may have something to do with Keon. I'm not familiar with it, but you may want to check to make sure it is functioning properly. I believe VX2 is known to do damage to your system sometimes.

You're in good hands with Grinler for the rest of the cleanup. I'll be away starting tomorrow thru the fourth.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#8 bernieboy469

bernieboy469
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:46 PM

Posted 02 July 2004 - 02:30 AM

I have fixed the things Grinler recommended.

The [ND-Oriris] thing - ndpsrv.exe is safe. I know what it is. It is a virtual printing device for an electronic fax out of an application (eg Word). It is a part of a software called CHARON.

All running fine. I hope this fixes now also the "TCP/IP stack ran out of memory" that I had experienced after 20 June after a longer working day every time - you were just cut off the network then and had to reboot.

Many thanks again for all the help!

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:46 PM

Posted 02 July 2004 - 12:46 PM

Please post one last log so we can give it the once over.

#10 bernieboy469

bernieboy469
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:46 PM

Posted 05 July 2004 - 08:03 AM

Hi, it will look like the one before but here you go:

I have now upgraded to a AdAware professional license and am running AdAware as well.

Many thanks again, I really appreciated the support! :thumbsup:

Logfile of HijackThis v1.97.7
Scan saved at 15:01:50, on 05.07.2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\RSA Security\RSA Keon Desktop\system\sdlss.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\RSA Security\RSA Keon Desktop\System\SDTray.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\ndpsrv.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\SDSUTILS\clntrust.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Documents and Settings\kuntzber\Application Data\Map Maker\MMManager.exe
C:\Program Files\3M\PSNotes\PSNOTES.EXE
C:\Program Files\Apoint\Apntex.exe
C:\NOTES\NLNOTES.EXE
C:\NOTES\nwrdaemn.EXE
C:\NOTES\nupdate.EXE
C:\NOTES\nhldaemn.EXE
C:\Program Files\Quick View Plus\Program\qvp32.exe
d:\Program Files\SpywareGuard\sgmain.exe
d:\Program Files\SpywareGuard\sgbhp.exe
C:\NOTES\nWEB.EXE
C:\NOTES\nxpcdmn.EXE
D:\Program Files\WinMX\WinMX.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat4\Reader\Reader\Reader\AcroRd32.exe
C:\Program Files\Lotus\SameTime Client 3.0\Connect.exe
D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
d:\data\Meine empfangenen Dateien\AntiSpyWare\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.home.mars/ie4.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SDS
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://webproxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*,*.mars;<local>
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - d:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\RSA Keon Desktop\System\SDTray.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ND-Osiris] ndpsrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [ClientTrust] C:\WINNT\SDSUTILS\CLNTRUST.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ad-watch] "D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - Startup: SunClock5.lnk = C:\Documents and Settings\kuntzber\Application Data\Map Maker\MMManager.exe
O4 - Startup: SameTime Connect 3.0.lnk = C:\WINNT\SDSUTILS\UPDATE2K.EXE
O4 - Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes\PSNOTES.EXE
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\rsa security\rsa keon desktop\system\mlr.dll
O10 - Unknown file in Winsock LSP: c:\program files\rsa security\rsa keon desktop\system\mlr.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.home.mars/ie4.asp
O16 - DPF: Sametime Meeting Room Client ST25PF1 - http://sametime.eu.mars/sametime/stmeeting...gRoomClient.cab
O16 - DPF: Sametime MRC 651 - http://iswsn71.isw.eu.mars/sametime/stmeet...gRoomClient.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://teamspace.na.mars/qp2.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4F021AE3-9E98-11D0-A808-00C04FDCD94A} (Novell Directory Control) - http://www.home.mars/ActiveX/nwdir.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://iswsn71.isw.eu.mars/sametime/STMeet...STJNILoader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - http://sametime.eu.mars/sametime/stmeeting...STJNILoader.cab
O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - http://scpwda.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BRK.EU.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BRK.EU.MARS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = brk.eu.mars,eu.mars,mars,na.mars,ap.mars,sa.mars,cds.mars
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BRK.EU.MARS
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = brk.eu.mars,eu.mars,mars,na.mars,ap.mars,sa.mars,cds.mars
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = brk.eu.mars,eu.mars,mars,na.mars,ap.mars,sa.mars,cds.mars

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:46 PM

Posted 05 July 2004 - 01:52 PM

Looks good




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users