surf side kick

Post by kurd70 » June 23rd, 2006, 6:52 pm

Hi

My little brother somehow got surf side kick installed on the computer
I have been trying to get rid of these for several hours
I have run Norton and deleted 8 files, and through Ad-Aware I have quarantined and deleted a lot.
After deleting and restarting the first time, the desktop was inactive, and when visiting a website I got a strange error I had never seen before.
I am still getting a lot of advertisement/pop ups
Please help
HijackThis log and Ad-Aware quarantine log below.
I have also tried http://www.symantec.com/avcenter/venc/d ... ekick.html
Before I used Ad-Aware, Windows Defender always found Surf Side Kick, but now it says no unwanted or harmful software detected.

Kind Regards

Kieran
Logfile of HijackThis v1.99.1
Scan saved at 23:53:18, on 23/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\DOCUME~1\Kieran\APPLIC~1\SKS~1\cmd.exe
C:\WINDOWS\system32\?ppPatch\spool32.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Kieran\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\RunServices: [Windows Recylinder Check] xyyicxsnjb.exe
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S21B.tmp"
O4 - HKCU\..\Run: [Cepp] "C:\DOCUME~1\Kieran\APPLIC~1\SKS~1\cmd.exe" -vt yazr
O4 - HKCU\..\Run: [Tvp] C:\WINDOWS\system32\?ppPatch\spool32.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: DigiChatMaster Applet - http://albany.digi-net.com/DigiChat/Dig ... _1_0_1.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/c ... vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/c ... /xs2_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/c ... /jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct0_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/c ... dtt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/c ... lts0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/c ... /zs0_x.cab
O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/c ... gst0_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/c ... /ht0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... potb_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/c ... ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/c ... /wt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3090166312
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleo ... gleNav.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.c ... io4025.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... owdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC1884E0-FB62-409B-A4A4-1491EC7C7C8D}: NameServer = 212.74.114.129 212.74.112.66
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\g2jolc131f.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




ArchiveData(auto-quarantine- 2006-06-23 23-30-05.bckp)
Referencefile : SE1R112 15.06.2006
======================================================

ADWARE.LOOK2ME
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Process : C:\WINDOWS\system32\jtnu0759e.dll
obj[1]=Process : C:\WINDOWS\system32\vublock.dll
obj[2]=Process : C:\WINDOWS\system32\vublock.dll
obj[71]=Regkey : software\microsoft\windows nt\currentversion\winlogon\notify
obj[72]=RegValue : software\microsoft\windows nt\currentversion\winlogon\notify "DllName"
obj[73]=RegValue : software\microsoft\windows nt\currentversion\winlogon\notify "Impersonate"
obj[74]=RegValue : software\microsoft\windows nt\currentversion\winlogon\notify "Logon"
obj[75]=RegValue : software\microsoft\windows nt\currentversion\winlogon\notify "Logoff"
obj[76]=RegValue : software\microsoft\windows nt\currentversion\winlogon\notify "Shutdown"

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[3]=IECache Entry : Cookie:kieran@realmedia.com/
obj[4]=IECache Entry : Cookie:kieran@statcounter.com/
obj[5]=IECache Entry : Cookie:kieran@~~local~~/
obj[6]=IECache Entry : Cookie:kieran@etype.adbureau.net/
obj[7]=IECache Entry : Cookie:kieran@clickbank.net/
obj[8]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@0[2].txt
obj[9]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@0[3].txt
obj[10]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@adrevolver[1].txt
obj[11]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@ads.clickad.com[2].txt
obj[12]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@adserver.adreactor[1].txt
obj[13]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@adserver.promokant[1].txt
obj[14]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@adtech[2].txt
obj[15]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@advertiseireland[1].txt
obj[16]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@apmebf[1].txt
obj[17]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@atdmt[2].txt
obj[18]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@beweb[1].txt
obj[19]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@bravenet[1].txt
obj[20]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@cgi-bin[10].txt
obj[21]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@cgi-bin[11].txt
obj[22]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@cgi-bin[1].txt
obj[23]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@cgi-bin[2].txt
obj[24]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@cgi-bin[3].txt
obj[25]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@cgi-bin[4].txt
obj[26]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@cgi-bin[5].txt
obj[27]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@cgi-bin[6].txt
obj[28]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@cgi-bin[7].txt
obj[29]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@cgi-bin[8].txt
obj[30]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@cgi-bin[9].txt
obj[31]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@clickbank[1].txt
obj[32]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@cs.sexcounter[2].txt
obj[33]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@doubleclick[2].txt
obj[34]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@ehg-bskyb.hitbox[2].txt
obj[35]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@ehg-ladbrokes.hitbox[2].txt
obj[36]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@estat[1].txt
obj[37]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@etype.adbureau[1].txt
obj[38]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@haynet.adbureau[1].txt
obj[39]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@hc2.humanclick[2].txt
obj[40]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@hg1.hitbox[1].txt
obj[41]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@hitbox[1].txt
obj[42]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@instadia[1].txt
obj[43]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@kliks[2].txt
obj[44]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@landing.domainsponsor[2].txt
obj[45]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@list[2].txt
obj[46]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@lscore.adbureau[2].txt
obj[47]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@mediaplex[1].txt
obj[48]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@metriweb[2].txt
obj[49]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@partners.webmasterplan[1].txt
obj[50]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@please[1].txt
obj[51]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@please[2].txt
obj[52]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@qksrv[2].txt
obj[53]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@realmedia[2].txt
obj[54]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@real[2].txt
obj[55]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@redeye.willhill[1].txt
obj[56]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@seeq[1].txt
obj[57]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@servedby.netshelter[2].txt
obj[58]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@server.iad.liveperson[1].txt
obj[59]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@stat.onestat[1].txt
obj[60]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@statse.webtrendslive[1].txt
obj[61]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@tickle[2].txt
obj[62]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@tribalfusion[1].txt
obj[63]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@tripod[1].txt
obj[64]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@weborama[2].txt
obj[65]=IECache Entry : C:\Documents and Settings\Kieran\Cookies\kieran@xml.bravenetmedianetwork[1].txt
obj[66]=IECache Entry : C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@clickbank[2].txt
obj[67]=IECache Entry : C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@etype.adbureau[2].txt
obj[68]=IECache Entry : C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@realmedia[1].txt
obj[69]=IECache Entry : C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@statcounter[1].txt
obj[70]=IECache Entry : C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@~~local~~[2].txt

ADWARE.DOLLARREVENUE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[77]=Regkey : software\microsoft\drsmartload2
obj[89]=File : C:\Documents and Settings\Kieran\Local Settings\Temporary Internet Files\Content.IE5\4N1ZQURX\keyboard25[1].exe
obj[92]=File : C:\Documents and Settings\Kieran\Local Settings\Temporary Internet Files\Content.IE5\GHIJKHMN\newname25[1].exe
obj[107]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030781.exe
obj[109]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030783.exe

COOLWEBSEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[78]=Regkey : software\microsoft\windows\currentversion\internet settings\zonemap\domains\i--search.com
obj[79]=Regkey : software\microsoft\downloadmanager
obj[80]=Regkey : software\microsoft\internet explorer\urlsearchhooks
obj[81]=RegValue : software\microsoft\internet explorer\main "Enable Browser Extensions"
obj[82]=RegValue : software\microsoft\internet explorer\main "Search Bar"
obj[83]=RegValue : software\microsoft\internet explorer\new windows "PopupMgr"
obj[84]=RegData : software\microsoft\internet explorer\main "Use Search Asst"
obj[91]=File : C:\Documents and Settings\Kieran\Local Settings\Temporary Internet Files\Content.IE5\8FT7EIVD\Installer[1].exe
obj[116]=File : C:\warebundle.exe
obj[124]=File : C:\WINDOWS\warebundle.exe

WIN32.TROJANCLICKER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[85]=RegData : software\microsoft\windows nt\currentversion\winlogon "Userinit"
obj[100]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030769.dll
obj[120]=File : C:\WINDOWS\system32\atmtd.dll._

CMDSERVICES
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[86]=File : C:\Documents and Settings\Kieran\Local Settings\Temp\cmdinst.exe
obj[88]=File : C:\Documents and Settings\Kieran\Local Settings\Temporary Internet Files\Content.IE5\4D8XQ7SP\installer[1].exe
obj[93]=File : C:\Documents and Settings\Kieran\Local Settings\Temporary Internet Files\Content.IE5\QH9IV2T0\MTE3NDI6ODoxNg[1].exe
obj[108]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030782.exe
obj[118]=File : C:\WINDOWS\MTE3NDI6ODoxNg.exe
obj[119]=File : C:\WINDOWS\S2llcmFu\command.exe

TARGETSAVER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[87]=File : C:\Documents and Settings\Kieran\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe

SURFSIDEKICKBHO
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[90]=File : C:\Documents and Settings\Kieran\Local Settings\Temporary Internet Files\Content.IE5\4N1ZQURX\SS1001[1].exe
obj[98]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030765.exe

WEBHANCER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[94]=File : C:\Documents and Settings\Kieran\Local Settings\Temporary Internet Files\Content.IE5\SLMRKHI3\WHCC2[1].exe
obj[101]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030772.exe
obj[102]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030773.exe
obj[103]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030774.exe
obj[104]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030775.dll
obj[105]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030776.dll
obj[117]=File : C:\WHCC2.exe

WIN32.TROJAN.DOWNLOADER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[95]=File : C:\Program Files\Movie Maker\wmm2ae.exe
obj[96]=File : C:\stub_113_4_0_4_0.exe
obj[97]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP333\A0030760.exe
obj[106]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030777.exe
obj[125]=File : \drsmartload422a.exe
obj[126]=File : \drsmartload45b.exe
obj[127]=File : \drsmartload46c.exe
obj[128]=File : \drsmartload849b.exe
obj[129]=File : C:\WINDOWS\drsmartload2.dat
obj[130]=File : c:\windows\system32\guard.tmp

VX2
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[99]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030767.dll
obj[114]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030790.dll
obj[121]=File : C:\WINDOWS\system32\cumpobj.dll
obj[122]=File : C:\WINDOWS\system32\cwl3dv2.dll
obj[123]=File : C:\WINDOWS\system32\k8no0i53e8.dll

ADWARE.YAZZLE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[110]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030784.exe
obj[111]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030785.exe
obj[115]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031915.exe

ISEARCH TOOLBAR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[112]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030788.dll

WIN32.TROJAN.DNSCHANGER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[113]=File : C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030789.exe

OTHER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[131]=File : C:\WINDOWS\prefetch\CMDINST.EXE-0D1DC9EE.pf
obj[132]=File : C:\WINDOWS\prefetch\WMM2AE.EXE-322F3994.pf
obj[133]=File : C:\WINDOWS\prefetch\STUB_113_4_0_4_0.EXE-32891155.pf
obj[134]=File : C:\WINDOWS\prefetch\WAREBUNDLE.EXE-0DB3117A.pf
obj[135]=File : C:\WINDOWS\prefetch\WAREBUNDLE.EXE-30CC14A8.pf
obj[136]=File : C:\WINDOWS\prefetch\WHCC2.EXE-29C4F9E2.pf
obj[137]=File : C:\WINDOWS\prefetch\MTE3NDI6ODOXNG.EXE-0C5660D8.pf
obj[138]=File : C:\WINDOWS\prefetch\MTE3NDI6ODOXNG.EXE-34CC5A1F.pf
obj[139]=File : C:\WINDOWS\prefetch\COMMAND.EXE-0666F74A.pf
obj[140]=File : C:\WINDOWS\prefetch\DRSMARTLOAD422A.EXE-150F14B3.pf
obj[141]=File : C:\WINDOWS\prefetch\DRSMARTLOAD45B.EXE-0E9D1982.pf
obj[142]=File : C:\WINDOWS\prefetch\DRSMARTLOAD46C.EXE-3478E67A.pf
obj[143]=File : C:\WINDOWS\prefetch\DRSMARTLOAD849B.EXE-336CFA8C.pf
kurd70
Regular Member
 
Posts: 26
Joined: June 26th, 2005, 9:34 am
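Reading a HijackThis log by eye is exactly what the helpers on this board do, and the log above contains several of the classic tells: an O4 RunServices entry (a Windows 9x-era key that XP does not process, so anything there is at minimum unexpected), a cmd.exe autostarting from inside the user's Application Data folder, a path containing a character HijackThis prints as "?", a Winlogon Notify subkey pointing at a random-named DLL, and a missing default URLSearchHook. The Python below is an added example, not code from HijackThis, from MalwareRemoval.com or from any poster; it applies those checks to lines copied from the posted log. The allow-list of Winlogon Notify subkeys present on a stock Windows XP SP2 install and the random-name heuristic are my own assumptions, not something the thread states.

```python
"""Triage a HijackThis v1.99 log for autostart entries worth a closer look.

Added example for this thread; not code from HijackThis, MalwareRemoval.com
or any poster. The XP SP2 Notify allow-list and the random-name heuristic
are the editor's assumptions.
"""
import re

# Sample input: lines copied from the posted log. The Global Startup, F2,
# WgaLogon and O23 lines belong to legitimate software and should pass.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\RunServices: [Windows Recylinder Check] xyyicxsnjb.exe
O4 - HKCU\..\Run: [Cepp] "C:\DOCUME~1\Kieran\APPLIC~1\SKS~1\cmd.exe" -vt yazr
O4 - HKCU\..\Run: [Tvp] C:\WINDOWS\system32\?ppPatch\spool32.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\g2jolc131f.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

VOWELS = set("aeiouy")
USER_PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "applic~1", "application data")
# Winlogon\Notify subkeys on a stock XP SP2 install (assumption; lower-cased).
XP_DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                     "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}


def longest_consonant_run(text):
    run = best = 0
    for ch in text.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(filename):
    """Heuristic: a long consonant run (xyyicxsnjb) or digits mixed into letters (g2jolc131f)."""
    stem = filename.rsplit(".", 1)[0]
    digits = sum(ch.isdigit() for ch in stem)
    letters = sum(ch.isalpha() for ch in stem)
    return longest_consonant_run(stem) >= 5 or (digits >= 4 and letters >= 2)


def first_executable(command):
    """Extract the program path from an O4 command line (quoted, or up to the first .exe)."""
    m = re.match(r'"([^"]+)"|(.*?\.exe)', command, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else command.strip()


def check_r3(line):
    if line.startswith("R3 - ") and "is missing" in line:
        return ["default URLSearchHook is gone; usually residue of a hijacker or its removal, worth restoring"]
    return []


def check_o4(line):
    m = re.match(r"O4 - (.+?): \[[^\]]*\] (.*)$", line)
    if not m:
        m = re.match(r"O4 - (Global Startup): .+? = (.*)$", line)
        if not m:
            return []
    hive, command = m.group(1), m.group(2)
    path = first_executable(command)
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if hive.endswith("RunServices"):
        reasons.append("RunServices is a Windows 9x key that XP does not process; entry is unexpected")
    if "\\" not in path:
        reasons.append("bare filename with no directory")
    if any(marker in path.lower() for marker in USER_PROFILE_MARKERS):
        reasons.append("autostart runs from the user profile")
    # HijackThis prints a character it cannot render as "?" (the ?ppPatch entry).
    if any(ord(ch) > 126 or ch == "?" for ch in path):
        reasons.append("unrenderable or non-ASCII character in path")
    if name.lower() in ("cmd.exe", "command.exe") and "\\system32\\" not in path.lower():
        reasons.append("shell binary name outside the system directory")
    if looks_random(name):
        reasons.append("random-looking filename")
    return reasons


def check_o20(line):
    m = re.match(r"O20 - Winlogon Notify: (\S+) - (.*)$", line)
    if not m:
        return []
    subkey, dll_path = m.group(1), m.group(2)
    reasons = []
    if subkey.lower() not in XP_DEFAULT_NOTIFY:
        reasons.append(f"Notify subkey '{subkey}' is not present on a stock XP SP2 install")
    if looks_random(dll_path.rsplit("\\", 1)[-1]):
        reasons.append("random-looking DLL name")
    return reasons


CHECKS = (check_r3, check_o4, check_o20)


def triage(log_text):
    """Return [(line, [reason, ...]), ...] for every line at least one check flags."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            reasons = check(line)
            if reasons:
                findings.append((line, reasons))
                break
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    -", reason)
```

Run against the sample it flags five lines (R3, the RunServices entry, Cepp, Tvp and the StillImage Notify entry) and leaves the Epson, SAGEM, WgaLogon and Norton lines alone. None of these heuristics is a verdict; they only order the lines a helper should look up first.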

Post by agrarianmonk » June 23rd, 2006, 7:13 pm

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear, since we have no way of knowing what has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to back up your information, reformat, and reinstall.

More information on Remote Access Trojans can be found here

I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.


If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can definitely help you clean your computer to the best of my abilities.

Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.

****************************

If you decide not to reformat at this time, please follow these instructions:


You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

If you receive, while running option #1, an error similar to:
"C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt
the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application."
...then please use option 5 or the web page link in the l2mfix folder to solve this error condition.
Then rerun option 1 to be sure it will run without errors.

IMPORTANT: Do NOT run option #2 OR any other options in the l2mfix folder until you are asked to do so!

********************************

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

********************************

In your next post, please include:
  • new hijackthis log
  • uninstall list
  • l2mfix log
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am
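The L2MFix find log requested above prints the Winlogon\Notify branch as a "Windows Registry Editor Version 5.00" export. In that format a legitimate DllName can appear as a hex(2) blob (REG_EXPAND_SZ stored as UTF-16LE and wrapped across lines with a trailing backslash), which looks far more alarming than the plain string a hijacker's subkey uses. The Python below is an added example, not code from L2MFix, from the thread or from this site: it parses such an export, decodes the three value forms that occur in it, and lists each Notify subkey with its DllName and whether the subkey name is one a stock Windows XP SP2 install carries (that allow-list is my assumption). The sample export is constructed to mirror the shape of the log posted later in this thread.

```python
"""Parse the Winlogon\\Notify section of a .reg (Registry Editor 5.00) export.

Added example; not code from L2MFix, Windows, or this thread. The list of
stock XP SP2 Notify subkeys is the editor's assumption.
"""
import re

# Constructed sample in the layout L2MFix prints: one subkey with a plain
# string DllName, one with a hex(2) DllName continued over two lines.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g2jolc131f.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Event"=dword:00000000
"""

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify".lower()
# Notify subkeys on a stock XP SP2 install (assumption; lower-cased).
XP_DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                     "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}


def join_continuations(text):
    """Merge lines ending in a backslash with the next line (how .reg wraps hex data)."""
    merged, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        merged.append(pending + line)
        pending = ""
    if pending:
        merged.append(pending)
    return merged


def decode_value(raw_value):
    """Decode a .reg right-hand side: quoted string, dword, or hex(2) (REG_EXPAND_SZ, UTF-16LE).

    Anything else (e.g. a bare hex: binary blob like WgaLogon's "Data") is returned as-is.
    """
    if raw_value.startswith('"') and raw_value.endswith('"'):
        return raw_value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw_value.startswith("dword:"):
        return int(raw_value[len("dword:"):], 16)
    m = re.match(r"hex\((\d+)\):(.*)$", raw_value)
    if m and m.group(1) == "2":
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw_value


def parse_notify(reg_text):
    """Return {subkey_name: {value_name: decoded_value}} for subkeys under Winlogon\\Notify."""
    subkeys, current = {}, None
    for line in join_continuations(reg_text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(NOTIFY_ROOT + "\\"):
                current = key[len(NOTIFY_ROOT) + 1:]
                subkeys[current] = {}
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        name, raw_value = line.split("=", 1)
        subkeys[current][name.strip('"')] = decode_value(raw_value)
    return subkeys


def review_notify(reg_text):
    """List (subkey, DllName, is_stock_xp_subkey) so the logon-time DLLs can be read at a glance."""
    rows = []
    for subkey, values in parse_notify(reg_text).items():
        rows.append((subkey, values.get("DllName", ""), subkey.lower() in XP_DEFAULT_NOTIFY))
    return rows


if __name__ == "__main__":
    for subkey, dll, stock in review_notify(SAMPLE_REG):
        print(f"{subkey:<12} {dll:<45} {'stock XP subkey' if stock else 'NOT a stock subkey'}")
```

On the sample this prints IPConfTSP pointing at g2jolc131f.dll and flagged as non-stock, and WgaLogon decoded from its hex(2) form to plain "WgaLogon.dll" and recognised as stock. The same decoder works on the other value types in the posted log; the long `"Data"=hex:` blob under WgaLogon\Settings is left untouched because it is opaque binary, not a string.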

Post by kurd70 » June 23rd, 2006, 7:44 pm

Hi

I would like to clean up the computer as much as possible. I do not wish to reformat at this time; no sensitive work.
I will change all passwords from a clean computer
I restarted the pc and got this message
RUNDLL
'An exception occured while trying to run C:\WINDOWS\system32\wtsdmod.dll'',DllGetVersion''

Reports below



L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g2jolc131f.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,2d,5c,90,e9,7b,ef,7d,40,99,92,ec,86,e2,51,ff,0c,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,a4,66,fc,98,b5,2e,3b,4f,\
6e,ff,8e,f6,5a,57,92,36,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,79,\
48,bf,f3,c0,07,04,bf,f3,eb,a4,7d,5b,57,0f,75,28,05,00,00,78,b5,9e,6d,99,b1,\
03,5b,14,4c,0c,48,3c,c4,80,e9,c8,55,6e,8c,b4,a2,0d,2e,20,33,77,6d,8f,b0,3e,\
50,47,bd,f1,9a,9c,c0,e5,a7,3e,d3,2f,58,7c,28,55,96,8d,21,77,f1,ae,9b,1e,9e,\
3b,0c,fd,94,95,52,f1,e4,9a,a2,f9,40,e3,75,bd,34,25,22,11,91,40,a1,2b,e4,cb,\
42,3c,45,8d,1b,02,de,90,ac,c7,a0,42,98,9b,bf,6f,14,50,c7,9e,f8,3d,29,e4,fc,\
f4,ee,36,61,ca,72,00,d8,c1,48,fe,03,f3,d0,e7,6c,78,66,d6,8c,2e,f8,e9,27,83,\
16,62,97,f1,dd,65,58,1f,93,32,9e,4d,28,4e,a8,72,c7,be,8d,03,c9,23,8f,38,a1,\
74,fd,e2,8a,a7,b3,74,56,bd,a8,83,b9,17,70,33,c4,f1,18,6d,26,c3,f6,c3,5d,ed,\
af,04,6c,71,d7,64,54,6d,7a,f1,30,0b,ee,f7,ea,25,82,e6,d6,3c,9c,a7,f1,24,e9,\
c5,f4,f6,b4,c9,e8,51,a1,fc,49,04,65,28,55,e4,e5,4e,0f,2c,11,5a,00,99,15,d2,\
ac,ff,96,1d,4e,e6,69,2a,da,d3,f4,3a,6e,5b,4d,2b,f3,63,64,3e,4d,d1,62,56,cf,\

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BD7F4B76-70FC-66E9-AB23-CAF46541634A}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{20082881-FC36-4E47-9A7A-644C95FF749F}"="IntelliPoint Wireless Control Panel Property Page"
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}"="IntelliPoint Wheel Control Panel Property Page"
"{653DCCC2-13DB-45B2-A389-427885776CFE}"="IntelliPoint Activities Control Panel Property Page"
"{124597D8-850A-41AE-849C-017A4FA99CA2}"="IntelliPoint Buttons Control Panel Property Page"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{B327765E-D724-4347-8B16-78AE18552FC3}"="NeroDigitalIconHandler"
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}"="NeroDigitalPropSheetHandler"
"{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}\InprocServer32]
@="C:\\WINDOWS\\system32\\wtsdmod.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Wed 10 May 2006 6:23:00 A.... 1,022,976 999.00 K
capicom.dll Mon 15 May 2006 18:24:34 A.... 466,944 456.00 K
cdfview.dll Wed 10 May 2006 6:23:00 A.... 151,040 147.50 K
danim.dll Wed 10 May 2006 6:23:00 A.... 1,054,208 1.00 M
dxtmsft.dll Wed 10 May 2006 6:23:00 A.... 357,888 349.50 K
dxtrans.dll Wed 10 May 2006 6:23:00 A.... 205,312 200.50 K
extmgr.dll Wed 10 May 2006 6:23:00 ..... 55,808 54.50 K
fpj803~1.dll Fri 23 Jun 2006 23:39:42 ..S.R 233,904 228.42 K
g2jolc~1.dll Fri 23 Jun 2006 23:34:12 ..S.R 233,904 228.42 K
hgpertrm.dll Mon 19 Jun 2006 0:20:18 ..S.R 235,910 230.38 K
hpl.dll Mon 19 Jun 2006 0:27:14 ..S.R 235,910 230.38 K
iepeers.dll Wed 10 May 2006 6:23:00 A.... 251,392 245.50 K
inseng.dll Wed 10 May 2006 6:23:00 A.... 96,256 94.00 K
jgdw400.dll Thu 1 Jun 2006 19:47:08 A.... 163,840 160.00 K
jgpl400.dll Thu 1 Jun 2006 19:47:08 A.... 27,648 27.00 K
jscript.dll Thu 18 May 2006 6:24:26 A.... 450,560 440.00 K
jsproxy.dll Wed 10 May 2006 6:23:00 A.... 16,384 16.00 K
legitc~1.dll Fri 2 Jun 2006 13:39:54 A.... 579,888 566.30 K
m0rm0a~1.dll Fri 23 Jun 2006 23:36:12 ..S.R 236,767 231.21 K
mshtml.dll Fri 19 May 2006 16:08:32 A.... 3,052,544 2.91 M
mshtmled.dll Wed 10 May 2006 6:23:02 A.... 448,512 438.00 K
msrating.dll Wed 10 May 2006 6:23:02 A.... 146,432 143.00 K
mstime.dll Wed 10 May 2006 6:23:02 A.... 532,480 520.00 K
n4n60e~1.dll Mon 19 Jun 2006 17:16:40 ..S.R 233,575 228.10 K
njrstr.dll Mon 19 Jun 2006 0:23:00 ..S.R 235,910 230.38 K
pngfilt.dll Wed 10 May 2006 6:23:02 A.... 39,424 38.50 K
rasmans.dll Sun 14 May 2006 9:44:08 A.... 181,248 177.00 K
shdocvw.dll Mon 29 May 2006 16:30:34 A.... 1,494,016 1.42 M
shlwapi.dll Wed 10 May 2006 6:23:02 A.... 474,112 463.00 K
spmsg.dll Thu 1 Jun 2006 22:18:32 ..... 14,048 13.72 K
urlmon.dll Wed 10 May 2006 6:23:02 A.... 613,888 599.50 K
uytheme.dll Mon 19 Jun 2006 0:24:48 ..S.R 235,910 230.38 K
wd2_32.dll Mon 19 Jun 2006 0:25:22 ..S.R 235,910 230.38 K
wgalogon.dll Fri 2 Jun 2006 13:39:46 A.... 402,736 393.30 K
wininet.dll Wed 10 May 2006 6:23:04 A.... 658,432 643.00 K
wmp.dll Mon 24 Apr 2006 15:40:00 ..... 4,730,880 4.51 M
wtsdmod.dll Sat 24 Jun 2006 0:30:24 ..S.R 233,904 228.42 K
wuauclt.dll Mon 19 Jun 2006 0:06:50 A.... 81,920 80.00 K
xpsp3res.dll Thu 11 May 2006 9:23:24 A.... 24,576 24.00 K

39 items found: 39 files (10 H/S), 0 directories.
Total of file sizes: 20,146,996 bytes 19.21 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is AC7E-9D3D

Directory of C:\WINDOWS\System32

24/06/2006 00:30 233,904 wtsdmod.dll
23/06/2006 23:39 233,904 fpj8031ue.dll
23/06/2006 23:36 236,767 m0rm0a91ed.dll
23/06/2006 23:34 233,904 g2jolc131f.dll
23/06/2006 23:32 <DIR> dllcache
19/06/2006 17:16 233,575 n4n60e5seh.dll
19/06/2006 00:27 235,910 HPL.DLL
19/06/2006 00:25 235,910 wd2_32.dll
19/06/2006 00:24 235,910 uytheme.dll
19/06/2006 00:22 235,910 njrstr.dll
19/06/2006 00:20 235,910 hgpertrm.dll
22/02/2002 20:15 <DIR> Microsoft
10/09/2001 10:33 7,168 Thumbs.db
11 File(s) 2,358,772 bytes
2 Dir(s) 7,915,749,376 bytes free



Ad-Aware SE Personal
Adobe Acrobat 4.0, 5.0
ArcSoft PhotoImpression 2000
ArcSoft VideoImpression 1.6
Armor Command
Askey CNR V.92 Modem
CCleaner (remove only)
Championship Manager 3
Civ II : Test Of Time
CM4
Command & Conquer Tiberian Sun
DivX
DivX Player
DivX Web Player
Dungeon Siege Demo
DVD Shrink 3.2
EPSON Printer Software
ewido security suite
FashionCam 21
FIFA 2000
GameSpy Arcade
Google Toolbar for Internet Explorer
Grand Theft Auto
Half-Life
Half-Life: Counter-Strike
Half-Life: Opposing Force
HijackThis 1.99.1
IndustrieGigant 2- Demo
InterVideo Installer
InterVideo WinDVD
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
Madden NFL (TM) 2001
Medal of Honor Allied Assault
Medal of Honor Allied Assault(tm) Breakthrough
Medal of Honor Allied Assault(tm) Spearhead
Microsoft AutoRoute 2002
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard - WE 2002
Microsoft Money
Microsoft Money System Pack
Microsoft Picture It! Photo 2002
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Morpheus 5.2 (remove only)
MSN Gaming Zone
MSN Messenger 7.5
Nero Suite
Next Generation Tennis 2002
Norton AntiVirus 2002
Norton WMI Update
NVIDIA Windows 2000/XP Display Drivers
PhotoFantasy 2000
PhotoMontage 2000
Quake III Arena
QuickTime
RealArcade
Rogue Spear
SAGEM F@st 800-840
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Shockwave
Sierra Utilities
Snowball Wars by OIN
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
Star Wars JK II Jedi Outcast Demo
Stealth Combat - Ultimate War - Demo
The Sum of All Fears Demo
Tom Clancy's Rainbow Six
Tom Clancy's Rainbow Six: Eagle Watch
Tony Hawk's Pro Skater 3® DEMO
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Urban Operations
Westwood Shared Internet Components
WildTangent GameChannel (remove only)
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WONswap

Logfile of HijackThis v1.99.1
Scan saved at 00:44:49, on 24/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\DOCUME~1\Kieran\APPLIC~1\SKS~1\cmd.exe
C:\WINDOWS\system32\?ppPatch\spool32.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Kieran\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\RunServices: [Windows Recylinder Check] xyyicxsnjb.exe
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S21B.tmp"
O4 - HKCU\..\Run: [Cepp] "C:\DOCUME~1\Kieran\APPLIC~1\SKS~1\cmd.exe" -vt yazr
O4 - HKCU\..\Run: [Tvp] C:\WINDOWS\system32\?ppPatch\spool32.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: DigiChatMaster Applet - http://albany.digi-net.com/DigiChat/Dig ... _1_0_1.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/c ... vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/c ... /xs2_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/c ... /jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct0_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/c ... dtt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/c ... lts0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/c ... /zs0_x.cab
O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/c ... gst0_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/c ... /ht0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... potb_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/c ... ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/c ... /wt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3090166312
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleo ... gleNav.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.c ... io4025.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... owdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC1884E0-FB62-409B-A4A4-1491EC7C7C8D}: NameServer = 212.74.114.129 212.74.112.66
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\g2jolc131f.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
kurd70
Regular Member
 
Posts: 26
Joined: June 26th, 2005, 9:34 am
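As an added example (not part of this thread and not code from the l2mfix tool), the following Python script parses the registry-export format shown in the log above: it collects every CLSID listed under Shell Extensions\Approved, flags the ones whose description is blank, and resolves each flagged CLSID to its InprocServer32 DLL from the "HKEY ROOT CLASSIDS" section. The sample input is constructed inline from a few of the entries in this log.

```python
"""Flag blank-named approved shell extensions in an l2mfix-style registry export.

A legitimate entry under Shell Extensions\Approved carries a readable
description; a blank one whose CLSID points at a DLL in system32 is the
pattern the helper is looking for in the log above.
"""
import re

# Constructed sample: a trimmed copy of the export format from the thread's log.
SAMPLE_LOG = r"""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{B327765E-D724-4347-8B16-78AE18552FC3}"="NeroDigitalIconHandler"
"{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}\InprocServer32]
@="C:\\WINDOWS\\system32\\wtsdmod.dll"
"ThreadingModel"="Apartment"
"""

APPROVED_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                r"\CurrentVersion\Shell Extensions\Approved")
KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Subkey]
VALUE_RE = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})"="(.*)"$')  # "{CLSID}"="desc"
DEFAULT_RE = re.compile(r'^@="(.*)"$')                   # @="default value"
INPROC_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.I)


def parse_export(text):
    """Return (approved, inproc): CLSID -> description, CLSID -> DLL path."""
    approved, inproc = {}, {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        if current_key is None:
            continue
        if current_key.lower() == APPROVED_KEY.lower():
            val = VALUE_RE.match(line)
            if val:
                approved[val.group(1).upper()] = val.group(2)
            continue
        inproc_key = INPROC_RE.match(current_key)
        if inproc_key:
            default = DEFAULT_RE.match(line)
            if default:
                # .reg files double every backslash; collapse them back.
                inproc[inproc_key.group(1).upper()] = default.group(1).replace("\\\\", "\\")
    return approved, inproc


def find_blank_extensions(text):
    """List approved shell extensions with an empty description and their DLL."""
    approved, inproc = parse_export(text)
    findings = []
    for clsid, description in approved.items():
        if description.strip():
            continue
        findings.append({"clsid": clsid, "dll": inproc.get(clsid)})
    return findings


if __name__ == "__main__":
    for hit in find_blank_extensions(SAMPLE_LOG):
        print(f"blank-named shell extension {hit['clsid']} -> {hit['dll']}")
```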

Unread postby agrarianmonk » June 23rd, 2006, 8:08 pm

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note: Once the PC has restarted, if a log does not appear or the icons didn't disappear, run the "second.bat" located inside the L2mfix folder.

********************************

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Snowball Wars by OIN

The following are optional; however, any time you are running any type of P2P application, you are FAR more prone to infection by malware. Your current infections are likely due to P2P use.

Morpheus 5.2 (remove only)

Please note any other programs that you don't recognize in that list in your next response.

********************************

In your next post, please include:
  • l2mfix log
  • new HijackThis log
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby kurd70 » June 23rd, 2006, 8:29 pm

I have removed Snowball Wars by OIN and Morpheus 5.2 (remove only) after running HijackThis.
There are no other programs that I do not recognise.

L2mfix 051206
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Killing 'smss.exe'
\SystemRoot\System32\smss.exe (388)
Killing 'winlogon.exe'
winlogon.exe (460)
Killing 'explorer.exe'
C:\WINDOWS\Explorer.EXE (284)
Killing 'rundll32.exe'
rundll32.exe "C:\WINDOWS\system32\guard.tmp",DllGetVersion (3004)
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\fpj8031ue.dll
Successfully Deleted: C:\WINDOWS\system32\fpj8031ue.dll
Deleting: C:\WINDOWS\system32\g2jolc131f.dll
Successfully Deleted: C:\WINDOWS\system32\g2jolc131f.dll
Deleting: C:\WINDOWS\system32\hgpertrm.dll
Successfully Deleted: C:\WINDOWS\system32\hgpertrm.dll
Deleting: C:\WINDOWS\system32\HPL.DLL
Successfully Deleted: C:\WINDOWS\system32\HPL.DLL
Deleting: C:\WINDOWS\system32\m0rm0a91ed.dll
Successfully Deleted: C:\WINDOWS\system32\m0rm0a91ed.dll
Deleting: C:\WINDOWS\system32\n4n60e5seh.dll
Successfully Deleted: C:\WINDOWS\system32\n4n60e5seh.dll
Deleting: C:\WINDOWS\system32\njrstr.dll
Successfully Deleted: C:\WINDOWS\system32\njrstr.dll
Deleting: C:\WINDOWS\system32\uytheme.dll
Successfully Deleted: C:\WINDOWS\system32\uytheme.dll
Deleting: C:\WINDOWS\system32\wd2_32.dll
Successfully Deleted: C:\WINDOWS\system32\wd2_32.dll
Deleting: C:\WINDOWS\system32\wtsdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wtsdmod.dll
Deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g2jolc131f.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,2d,5c,90,e9,7b,ef,7d,40,99,92,ec,86,e2,51,ff,0c,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,a4,66,fc,98,b5,2e,3b,4f,\
6e,ff,8e,f6,5a,57,92,36,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,79,\
48,bf,f3,c0,07,04,bf,f3,eb,a4,7d,5b,57,0f,75,28,05,00,00,78,b5,9e,6d,99,b1,\
03,5b,14,4c,0c,48,3c,c4,80,e9,c8,55,6e,8c,b4,a2,0d,2e,20,33,77,6d,8f,b0,3e,\
50,47,bd,f1,9a,9c,c0,e5,a7,3e,d3,2f,58,7c,28,55,96,8d,21,77,f1,ae,9b,1e,9e,\
3b,0c,fd,94,95,52,f1,e4,9a,a2,f9,40,e3,75,bd,34,25,22,11,91,40,a1,2b,e4,cb,\
42,3c,45,8d,1b,02,de,90,ac,c7,a0,42,98,9b,bf,6f,14,50,c7,9e,f8,3d,29,e4,fc,\
f4,ee,36,61,ca,72,00,d8,c1,48,fe,03,f3,d0,e7,6c,78,66,d6,8c,2e,f8,e9,27,83,\
16,62,97,f1,dd,65,58,1f,93,32,9e,4d,28,4e,a8,72,c7,be,8d,03,c9,23,8f,38,a1,\
74,fd,e2,8a,a7,b3,74,56,bd,a8,83,b9,17,70,33,c4,f1,18,6d,26,c3,f6,c3,5d,ed,\
af,04,6c,71,d7,64,54,6d,7a,f1,30,0b,ee,f7,ea,25,82,e6,d6,3c,9c,a7,f1,24,e9,\
c5,f4,f6,b4,c9,e8,51,a1,fc,49,04,65,28,55,e4,e5,4e,0f,2c,11,5a,00,99,15,d2,\
ac,ff,96,1d,4e,e6,69,2a,da,d3,f4,3a,6e,5b,4d,2b,f3,63,64,3e,4d,d1,62,56,cf,\
f1,eb,d7,e0,aa,6b,37,d6,64,4b,c7,9c,99,c0,61,93,06,a8,cb,01,df,bc,be,47,23,\
fc,c4,9d,22,2e,9b,98,91,52,34,24,cb,05,90,7c,d0,1b,d6,a3,bf,3f,89,f5,82,c3,\
31,3d,df,1d,17,00,79,c8,c7,60,93,77,95,89,39,a0,57,26,83,80,21,ed,a7,03,af,\
79,35,28,f0,67,08,a8,45,15,65,35,7b,d0,ad,ee,97,5c,b6,38,4e,29,3f,3f,ad,f3,\
81,e0,41,68,07,ee,77,e2,e0,5b,fe,53,7a,75,98,f1,0d,e4,fb,7e,74,58,6c,37,ce,\
eb,95,0a,1d,9a,b8,69,73,70,a2,3f,47,1c,5e,6b,ff,fa,b0,ab,95,22,16,d1,88,c6,\
99,d1,28,d2,12,ac,51,85,35,35,18,39,08,86,ea,95,5f,de,97,b6,ff,5e,e3,6a,1d,\
fb,3b,1d,46,7f,a8,46,9e,3b,84,44,78,da,63,73,55,15,59,6a,cc,e0,9f,8f,b0,9c,\
4a,75,55,3d,4b,22,05,44,9e,44,b1,c0,59,28,04,24,0a,8c,d9,fe,11,c9,79,76,1f,\
50,6e,87,f0,86,e5,11,f0,80,d0,5e,b4,b8,09,82,ea,1c,59,c5,50,2f,ef,57,e1,a4,\
4e,15,23,e2,df,4f,2a,a7,b8,2b,a3,c5,55,7f,22,2c,da,49,a7,52,ac,5d,1f,a9,80,\
8e,40,cb,18,2b,0a,da,36,a6,75,ae,3b,59,a8,ce,2b,43,ba,7e,ac,9e,fe,f2,b5,09,\
24,61,3d,43,79,1f,cc,9d,78,0f,de,74,a4,16,11,79,6f,1f,98,76,ad,8f,a9,2b,52,\
63,40,a3,b8,27,50,28,b1,ab,ec,89,b1,9c,bc,9f,7f,93,63,24,58,12,cd,eb,37,cf,\
fe,15,3e,77,b7,73,bf,dd,d0,e3,18,e1,49,88,f1,95,2a,fd,68,5c,8a,1f,49,62,a8,\
4e,9b,da,88,24,34,1b,0c,8c,79,53,4b,39,27,f7,c2,ed,fe,6c,e9,7a,95,c3,c3,bd,\
d4,26,8c,bd,4f,c7,9d,40,43,4a,3d,51,e9,34,a4,51,5f,e6,f7,13,0e,ea,18,df,49,\
10,31,ec,2b,85,27,53,5c,8e,88,3b,99,14,76,bd,69,80,8c,f5,18,36,9f,f3,54,f8,\
3a,94,a1,2a,b5,6b,29,24,93,50,cb,bc,7e,60,a8,29,4f,1c,5c,4c,f6,25,b8,80,a4,\
41,98,d5,83,b1,d2,1d,7d,aa,e3,39,e1,23,e0,0f,08,53,79,bb,8b,08,17,82,fd,c6,\
c2,cd,f9,71,6b,95,cc,29,d3,4b,a1,44,5b,86,3e,bd,1c,1c,a9,43,3a,fe,2b,d4,91,\
ac,71,fa,1a,97,25,56,e7,4c,85,5a,82,6d,06,ea,64,6b,13,ae,4c,7f,f7,61,66,11,\
89,f2,02,ab,97,e1,0d,f2,35,7f,77,1b,ab,09,5f,08,41,0c,2a,7a,97,63,1e,09,37,\
53,45,63,b7,ca,eb,63,a2,41,86,8b,de,04,74,26,3c,cb,eb,08,76,73,19,cc,52,9b,\
11,4c,86,dd,71,84,1c,4a,95,61,c8,d3,b2,e1,53,7e,fd,d9,3f,64,15,a8,23,e2,fa,\
70,3a,c1,33,50,65,0f,24,49,c3,c3,70,4f,ab,00,94,ff,31,f9,72,af,5e,c6,45,fa,\
84,be,6d,2e,50,23,0f,76,08,7c,b3,3c,70,b7,6c,90,9e,92,7a,90,c2,95,42,e4,4a,\
2b,95,f4,4c,da,1a,7d,2d,d4,a3,f2,4c,a6,60,cd,72,6d,1f,be,5f,20,01,9c,59,d0,\
4c,4a,96,1d,9b,eb,fe,fb,ff,5a,8f,d7,31,b7,d7,96,0e,35,3a,88,dc,4b,a4,ce,c9,\
73,26,56,b2,e3,46,d3,5c,eb,4b,f8,46,18,e4,43,7b,d9,bb,08,89,d0,5e,7f,5f,d1,\
d4,57,58,1b,e9,4e,51,93,d3,c4,ec,d0,84,46,67,79,39,0c,ed,15,f0,9b,27,95,a2,\
92,3e,ec,c2,eb,94,ca,f3,29,77,71,67,7a,dd,18,75,f6,ba,6f,f2,db,b1,45,a0,e2,\
ca,c4,a3,b3,44,9a,d4,e5,65,d4,2c,9c,6e,05,3c,ff,53,31,b4,f7,78,41,5f,b0,3e,\
f5,1b,db,28,a4,d0,9f,79,81,aa,87,40,84,0c,2a,f8,31,26,f6,83,1a,b3,1f,02,c7,\
2e,e7,32,83,37,dc,49,86,15,95,a4,7d,8a,26,6f,27,72,f7,10,19,d9,6d,63,48,05,\
e4,76,85,61,be,a1,96,95,0c,c2,f5,94,ff,d6,5a,4a,9c,3e,8a,47,f9,34,04,ac,75,\
e5,4b,66,c8,d1,8f,c3,6e,db,29,3c,68,86,b7,ae,da,13,95,7b,b9,1a,cd,05,04,29,\
f1,4e,3c,ae,7d,c3,ed,e8,17,93,06,b2,b6,74,ae,96,47,2e,44,2b,be,fe,67,a1,59,\
67,07,04,09,4e,0b,1c,43,59,df,f5,4a,f8,52,d2,6f,82,04,b5,4b,d4,72,ed,70,af,\
bf,57,94,34,93,83,7b,ef,81,3c,f9,4c,8e,58,2b,84,60,38,24,00,c8,c6,77,dc,d7,\
b7,91,8d,4e,29,c5,cc,c4,ec,56,26,14,68,c9,99,77,ff,05,34,bd,dd,ba,ad,17,01,\
3e,84,f7,cc,6a,e3,ba,26,91,b9,c4,80,96,ba,ed,47,10,9f,4d,ba,57,14,f3,4f,d3,\
a3,7a,6a,f7,7d,a7,62,67,ee,14,f5,76,11,49,14,00,00,00,ef,68,c2,1d,64,45,f6,\
73,cc,7e,ab,35,d5,e8,3e,fc,2e,90,67,fe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\fpj8031ue.dll
C:\WINDOWS\system32\g2jolc131f.dll
C:\WINDOWS\system32\hgpertrm.dll
C:\WINDOWS\system32\HPL.DLL
C:\WINDOWS\system32\m0rm0a91ed.dll
C:\WINDOWS\system32\n4n60e5seh.dll
C:\WINDOWS\system32\njrstr.dll
C:\WINDOWS\system32\uytheme.dll
C:\WINDOWS\system32\wd2_32.dll
C:\WINDOWS\system32\wtsdmod.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}\InprocServer32]
@="C:\\WINDOWS\\system32\\wtsdmod.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}"=-
[-HKEY_CLASSES_ROOT\CLSID\{FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/fpj8031ue.dll (164 bytes security) (deflated 4%)
adding: dlls/g2jolc131f.dll (164 bytes security) (deflated 4%)
adding: dlls/guard.tmp (164 bytes security) (deflated 4%)
adding: dlls/hgpertrm.dll (164 bytes security) (deflated 5%)
adding: dlls/HPL.DLL (164 bytes security) (deflated 5%)
adding: dlls/m0rm0a91ed.dll (164 bytes security) (deflated 5%)
adding: dlls/n4n60e5seh.dll (164 bytes security) (deflated 4%)
adding: dlls/njrstr.dll (164 bytes security) (deflated 5%)
adding: dlls/uytheme.dll (164 bytes security) (deflated 5%)
adding: dlls/wd2_32.dll (164 bytes security) (deflated 5%)
adding: dlls/wtsdmod.dll (164 bytes security) (deflated 4%)
adding: backregs/FA6486F3-BFE9-4E7F-BC9A-66FB3C8A74CB.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 72%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Logfile of HijackThis v1.99.1
Scan saved at 01:25:32, on 24/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\DOCUME~1\Kieran\APPLIC~1\SKS~1\cmd.exe
C:\WINDOWS\system32\?ppPatch\spool32.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kieran\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\RunServices: [Windows Recylinder Check] xyyicxsnjb.exe
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S21B.tmp"
O4 - HKCU\..\Run: [Cepp] "C:\DOCUME~1\Kieran\APPLIC~1\SKS~1\cmd.exe" -vt yazr
O4 - HKCU\..\Run: [Tvp] C:\WINDOWS\system32\?ppPatch\spool32.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: DigiChatMaster Applet - http://albany.digi-net.com/DigiChat/Dig ... _1_0_1.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/c ... vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/c ... /xs2_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/c ... /jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct0_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/c ... dtt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/c ... lts0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/c ... /zs0_x.cab
O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/c ... gst0_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/c ... /ht0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... potb_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/c ... ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/c ... /wt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3090166312
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleo ... gleNav.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.c ... io4025.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... owdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC1884E0-FB62-409B-A4A4-1491EC7C7C8D}: NameServer = 212.74.114.129 212.74.112.66
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\g2jolc131f.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
kurd70
Regular Member
 
Posts: 26
Joined: June 26th, 2005, 9:34 am
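The L2MFix log above prints the whole Winlogon\Notify key as a Regedit export, and the thing that singles out the Look2Me entry is visible in it: every package that ships with Windows stores its DllName as a bare file name (crypt32.dll, wlnotify.dll, WgaLogon.dll, often as hex(2) UTF-16), while IPConfTSP points at an absolute path in system32 with a random-looking name. The parser below is an added example, not part of L2MFix or the forum's instructions: it re-joins Regedit's backslash-continued lines, decodes hex(2) values, and audits each package against the allowlist taken from the thread's own export. The sample export is a constructed excerpt of the one quoted above.

```python
"""Audit a Regedit 5.00 export of the Winlogon\\Notify key, as L2MFix prints it.

Added example for this thread; my own code, not part of L2MFix, HijackThis or
the forum's instructions. SAMPLE_EXPORT is a constructed excerpt of the export
quoted in the thread.
"""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Packages in the thread's export that ship with Windows XP SP2 (WgaLogon comes
# with Windows Genuine Advantage). Everything else is worth a look.
KNOWN_NOTIFY_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<path>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>\d+)\))?:(?P<bytes>.*)$")

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"DllName"="C:\\WINDOWS\\system32\\g2jolc131f.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Impersonate"=dword:00000001
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00
'''


def _logical_lines(text):
    """Re-join lines that Regedit wrapped with a trailing backslash."""
    buf = ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        yield buf + stripped
        buf = ""
    if buf:
        yield buf


def _decode(data):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])   # REG_SZ, backslash-escaped
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(b, 16) for b in m["bytes"].split(",") if b)
        if m["type"] in ("1", "2", "7"):              # string types, stored UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw                                    # REG_BINARY and friends
    return data


def parse_notify_export(text):
    """Return {package: {value_name: value}} for the direct subkeys of Winlogon\\Notify."""
    packages, current = {}, None
    prefix = (NOTIFY_KEY + "\\").lower()
    for line in _logical_lines(text):
        km = KEY_RE.match(line)
        if km:
            current = None
            rest = km["path"][len(prefix):]
            # Keep only Notify\<package>; skip deletions and nested keys like WgaLogon\Settings.
            if not km["delete"] and km["path"].lower().startswith(prefix) and "\\" not in rest:
                current = rest
                packages[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            packages[current][vm["name"]] = _decode(vm["data"])
    return packages


def audit(packages):
    """Return (package, dll, reasons) for every Notify package that looks out of place."""
    findings = []
    for pkg, values in packages.items():
        # Value names are case-insensitive; the export mixes DllName and DLLName.
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        reasons = []
        if pkg.lower() not in KNOWN_NOTIFY_PACKAGES:
            reasons.append("package does not ship with Windows XP")
        if isinstance(dll, str) and ("\\" in dll or ":" in dll):
            reasons.append("DllName is an explicit path; the Windows packages use a bare file name")
        if reasons:
            findings.append((pkg, dll, reasons))
    return findings
```

`audit(parse_notify_export(SAMPLE_EXPORT))` reports only IPConfTSP, on both counts. Because the key survives the DLL's deletion, the same audit run after L2MFix still reports it, which matches the "(file missing)" O20 line in the new HijackThis log: the file is gone, the registration is not.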

Unread postby agrarianmonk » June 23rd, 2006, 8:34 pm

I notice you already have Ewido installed:
  • Open Ewido.
  • You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful").
  • Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido:
ewido manual updates

***************************************

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

***************************************

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
______________________________

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Please post:
  1. Ewido log
  2. panda log
  3. A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby kurd70 » June 25th, 2006, 3:40 am

Ewido below
Other reports to follow

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 02:25:38, 25/06/2006
+ Report-Checksum: 8B46A66B

+ Scan result:

HKU\S-1-5-21-1229272821-839522115-1240387651-1004\Software\DNS -> Adware.Shorty : Cleaned with backup
C:\Documents and Settings\Kieran\Application Data\Τаsks\cmd.exe -> Adware.ClickSpring : Cleaned with backup
C:\Documents and Settings\Kieran\Cookies\kieran@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\backup.zip/dlls/fpj8031ue.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\backup.zip/dlls/g2jolc131f.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\backup.zip/dlls/guard.tmp -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\backup.zip/dlls/hgpertrm.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\backup.zip/dlls/HPL.DLL -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\backup.zip/dlls/m0rm0a91ed.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\backup.zip/dlls/n4n60e5seh.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\backup.zip/dlls/njrstr.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\backup.zip/dlls/uytheme.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\backup.zip/dlls/wd2_32.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\backup.zip/dlls/wtsdmod.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\dlls\fpj8031ue.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\dlls\g2jolc131f.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\dlls\guard.tmp -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\dlls\hgpertrm.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\dlls\HPL.DLL -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\dlls\m0rm0a91ed.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\dlls\n4n60e5seh.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\dlls\njrstr.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\dlls\uytheme.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\dlls\wd2_32.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Desktop\l2mfix\dlls\wtsdmod.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Local Settings\Temp\!update.exe -> Adware.ClickSpring : Cleaned with backup
C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Kieran\Local Settings\Temp\iB.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Kieran\Local Settings\Temp\temp.fr8E21 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Kieran\Local Settings\Temp\temp.frB322 -> Adware.Look2Me : Cleaned with backup
C:\Program Files\DNS\cwebpage.dll -> Adware.Maxifiles : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gsda.dll -> Not-A-Virus.Downloader.Win32.SpyGame : Cleaned with backup
C:\WINDOWS\system32\wuauclt.dll -> Adware.PurityScan : Cleaned with backup


::Report End
kurd70
Regular Member
 
Posts: 26
Joined: June 26th, 2005, 9:34 am

Unread postby kurd70 » June 25th, 2006, 3:58 am

Should I click Disinfection on Panda?

Incident Status Location

Adware:Adware/PurityScan Not disinfected c:\windows\system32\?pppatch\spool32.exe
Adware:adware/ncase Not disinfected c:\temp\salm.log
Adware:adware/savenow Not disinfected c:\windows\system32\ap2nqrd4.dat
Adware:adware/sahagent Not disinfected c:\windows\system32\bqrufs5f.dat
Dialer:dialer.db Not disinfected c:\windows\downloaded program files\msa64chk.inf
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Kieran\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Adware:adware/exact.bargainbuddy Not disinfected c:\windows\msxct1.ini
Adware:adware/maxifiles Not disinfected c:\program files\common files\FreeProd1
Adware:adware/wupd Not disinfected c:\program files\Windows AdStatus
Adware:adware/cws Not disinfected C:\Documents and Settings\Kieran\Favorites\Fun & Games
Adware:adware/ist.sidefind Not disinfected Windows Registry
Adware:Adware/nCase Not disinfected C:\!Submit\4.exe
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@888[2].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@anm.co[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@cassava[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@errorsafe[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@realmedia[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@rn11[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Kieran\Local Settings\Temp\Cookies\kieran@www.errorsafe[2].txt
Logfile of HijackThis v1.99.1
Scan saved at 09:00:21, on 25/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\?ppPatch\spool32.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kieran\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\RunServices: [Windows Recylinder Check] xyyicxsnjb.exe
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S21B.tmp"
O4 - HKCU\..\Run: [Tvp] C:\WINDOWS\system32\?ppPatch\spool32.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: DigiChatMaster Applet - http://albany.digi-net.com/DigiChat/Dig ... _1_0_1.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/c ... vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/c ... /xs2_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/c ... /jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct0_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/c ... dtt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/c ... lts0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/c ... /zs0_x.cab
O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/c ... gst0_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/c ... /ht0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... potb_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/c ... ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/c ... /wt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3090166312
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleo ... gleNav.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.c ... io4025.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... owdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC1884E0-FB62-409B-A4A4-1491EC7C7C8D}: NameServer = 80.225.255.185 80.225.255.177
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\g2jolc131f.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
kurd70
Regular Member
 
Posts: 26
Joined: June 26th, 2005, 9:34 am

Unread postby kurd70 » June 25th, 2006, 7:50 am

I am starting to get the following error this morning when visiting websites

Internet explorer script error
file://C:\Documents and Settings\Kieran\Local Settings\Temp\NDr222.tmp.html
And then gives the option to continue running scripts on this page

I have Never had this before
kurd70
Regular Member
 
Posts: 26
Joined: June 26th, 2005, 9:34 am

Unread postby agrarianmonk » June 25th, 2006, 8:21 pm

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - Default URLSearchHook is missing
O4 - HKLM\..\RunServices: [Windows Recylinder Check] xyyicxsnjb.exe
O4 - HKCU\..\Run: [Tvp] C:\WINDOWS\system32\?ppPatch\spool32.exe
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\g2jolc131f.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot

Next, we need to Reveal Hidden Files

1. Click Start.
2. Open My Computer.
3. Select Tools menu
4. Click Folder Options.
5. Select the View Tab.
6. Select Show hidden files and folders in the Hidden files and folders section.
7. Uncheck Hide protected operating system files (recommended) option.
8. Uncheck the Hide file extensions for known file types option.
9. Click Yes.
10. Click OK.

***************************************

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

c:\temp\salm.log
c:\windows\system32\ap2nqrd4.dat
c:\windows\system32\bqrufs5f.dat
c:\windows\downloaded program files\msa64chk.inf
C:\Documents and Settings\Kieran\Local Settings\Temporary Internet Files\Ssk.log
c:\windows\keyboard1.dat
c:\windows\msxct1.ini
C:\!Submit\4.exe

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

c:\program files\common files\FreeProd1 << folder
c:\program files\Windows AdStatus << folder
c:\windows\system32\?pppatch\ << folder that looks like Apppatch and has the file spool32.exe in it

We need to do a search. Start | Search | For Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:

xyyicxsnjb.exe

If any of these files are found please delete them.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the "Scriptline to execute" field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.

    After that, Reboot.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
      Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases

    • Click OK
    • Now under select a target to scan:
        Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    In your next post, please include
    • new hijackthis log
    • kaspersky log


*You may need to use separate posts to ensure that the logs don't get cut off!

*also let me know how your computer is running at the moment and if any problems persist.
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am
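The four HijackThis entries picked for Fix Checked above share red flags that can be checked mechanically: an autostart entry whose command is a bare file name with no path, an autostart path containing a character the log could not print (shown as ?), a Winlogon Notify handler whose DLL no longer exists, and a missing default URLSearchHook. The script below is an added example, not part of this thread and not part of HijackThis; it encodes those heuristics and runs them over the relevant lines copied from the log above plus a few benign lines for contrast. The regular expressions and the choice of red flags are my own assumptions about the v1.99.1 log format.

```python
"""Heuristic triage of HijackThis 1.99 log lines (added example, not the tool's code)."""
import re
from typing import List, Tuple

# Lines copied from the log posted in the thread; the EPSON, WgaLogon and Norton
# lines are included as benign controls.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\RunServices: [Windows Recylinder Check] xyyicxsnjb.exe
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S21B.tmp"
O4 - HKCU\..\Run: [Tvp] C:\WINDOWS\system32\?ppPatch\spool32.exe
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\g2jolc131f.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# "R3 - ...", "O4 - ...", "O20 - ..." (assumed shape of a 1.99.1 entry)
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# "HKLM\..\RunServices: [Name] command line"
AUTOSTART_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# "Winlogon Notify: Name - path (file missing)"
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")


def executable_of(cmd: str) -> str:
    """Return the program part of an autostart command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may still contain spaces, so cut after the first module
    # extension rather than at the first space.
    m = re.match(r"^(.*?\.(?:exe|dll|cpl|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def unprintable(path: str) -> bool:
    """HijackThis prints characters it cannot render as '?', and a literal '?'
    is illegal in a Windows file name, so either way the path is suspect."""
    return "?" in path or any(ord(c) < 32 or ord(c) > 126 for c in path)


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (entry code, reason, original line) for every entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "R3" and "URLSearchHook is missing" in body:
            findings.append((code, "default URLSearchHook has been removed", line))
        elif code == "O4":
            a = AUTOSTART_RE.match(body)
            if a:
                exe = executable_of(a.group("cmd"))
                if "\\" not in exe:
                    findings.append((code, f"autostart runs bare file name {exe!r} with no path", line))
                elif unprintable(exe):
                    findings.append((code, f"autostart path contains an unprintable character: {exe!r}", line))
        elif code == "O20":
            n = NOTIFY_RE.match(body)
            if n and n.group("missing"):
                findings.append((code, f"Winlogon Notify {n.group('name')!r} points at a missing DLL", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code:4} {reason}\n     {line}")
```

Flagged entries are candidates for Fix Checked, not verdicts: the EPSON line passes because it carries a full path, and the WgaLogon entry passes because its DLL is present. A missing-file O20 entry is still worth fixing, because Winlogon will keep trying to load the DLL at every logon and a replacement dropped later would be loaded with SYSTEM privileges.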

Unread postby kurd70 » June 29th, 2006, 5:59 pm

Hi

Sorry for not getting back sooner. I only have access to this pc near the weekends

I have got as far as Kaspersky
I am having problems installing/downloading Kaspersky Online Scanner
When I try to I get the following

Failed to load Kaspersky Online Scanner ActiveX Control
You must have administrative rights on this computer;
you also must have the IE security settings to the medium level

I have administrative rights and have changed my security IE setting to medium level
Also when i try to download Kaspersky Online Scanner kavwebscan_unicode.cab
I get a warning from Norton AntiVirus telling me "the document C\Document and settings\Kieran\local Settings\Temporary Internet Files\Content.IE5\W5Y7CD23\kavwebscan-unicode(1).cab is still infected.
Do you want to delete this file?" and I have the option Yes or No.

If I click Yes or No
I get after a while

Failed to load Kaspersky Online Scanner ActiveX Control
You must have administrative rights on this computer;
you also must have the IE security settings to the medium level

I have done all before Kaspersky

Regarding
:\windows\system32\?pppatch\ << folder that looks like Apppatch and has the file spool32.exe
I could not see ?pppatch, but there is a folder called Apppatch which has the file spool32.exe in it, and this could not be deleted.

Please advise

I am still getting advertisements/adware popping up when browsing, but these are not as bad and as often as before.
kurd70
Regular Member
 
Posts: 26
Joined: June 26th, 2005, 9:34 am
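Two things in this exchange point the same way: the helper described the folder as one that "looks like Apppatch", and the user can see only one AppPatch in Explorer and cannot delete the spool32.exe inside it. My assumption (not stated on the page) is that the ? HijackThis printed in C:\WINDOWS\system32\?ppPatch is a character it could not render, so the adware's folder is named with a look-alike of AppPatch that Explorer displays almost identically, and that a folder Explorer refuses to delete may additionally use a name the normal Win32 path layer cannot address (trailing dot or space, or a reserved device name). The script below is an added example, not from the thread or from any of the tools mentioned; the directory listing is constructed, the confusables table is a small hand-picked subset, and SYSTEM_DIRS is an assumed list of folder names worth protecting.

```python
r"""Spotting directory names that impersonate a Windows system folder (added example)."""
import os
import unicodedata
from typing import Iterable, List, Tuple

# Constructed listing: the genuine folder, two look-alikes and a name with a trailing dot.
SAMPLE_LISTING = [
    "AppPatch",          # the real one
    "\u00c1ppPatch",     # Latin capital A with acute: renders almost like AppPatch
    "\u0410ppPatch",     # Cyrillic capital A: renders exactly like AppPatch
    "AppPatch.",         # trailing dot: only creatable/deletable through the \\?\ prefix
    "drivers",
    "spool",
]

# Assumption: a real tool would load the full Unicode confusables.txt; this subset
# maps common look-alike code points to their ASCII twin.
CONFUSABLES = {
    "\u0410": "A", "\u0430": "a",   # Cyrillic А а
    "\u0415": "E", "\u0435": "e",   # Cyrillic Е е
    "\u041e": "O", "\u043e": "o",   # Cyrillic О о
    "\u0420": "P", "\u0440": "p",   # Cyrillic Р р
    "\u0421": "C", "\u0441": "c",   # Cyrillic С с
    "\u0425": "X", "\u0445": "x",   # Cyrillic Х х
    "\u0406": "I", "\u0456": "i",   # Cyrillic І і
    "\u00a0": " ",                  # no-break space
}

RESERVED = {"CON", "PRN", "AUX", "NUL",
            *[f"COM{i}" for i in range(1, 10)], *[f"LPT{i}" for i in range(1, 10)]}

# Assumed set of system32 sub-folder names worth guarding against impersonation.
SYSTEM_DIRS = ["AppPatch", "drivers", "spool", "wbem", "config", "dllcache"]


def is_plain_ascii(name: str) -> bool:
    return all(32 <= ord(c) < 127 for c in name)


def skeleton(name: str) -> str:
    """Reduce a name to what it looks like: strip accents, map confusables, casefold.
    '\u00c1ppPatch' and '\u0410ppPatch' both become 'apppatch'."""
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):      # drop the acute from A + combining acute
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out).casefold()


def find_lookalikes(names: Iterable[str], system_dirs: Iterable[str] = SYSTEM_DIRS
                    ) -> List[Tuple[str, str, str]]:
    """Return (name, folder it mimics, offending code points) for every non-ASCII
    name whose visual skeleton collides with a protected folder name."""
    targets = {skeleton(d): d for d in system_dirs}
    hits = []
    for n in names:
        if is_plain_ascii(n):
            continue                       # case differences alone are the same folder on NTFS
        sk = skeleton(n)
        if sk in targets:
            bad = " ".join(f"U+{ord(c):04X}" for c in n if not (32 <= ord(c) < 127))
            hits.append((n, targets[sk], bad))
    return hits


def hard_to_delete(name: str) -> bool:
    r"""True when the normal Win32 path layer cannot address the name: trailing dot
    or space, or a reserved device name.  Such entries are created via the \\?\
    prefix and Explorer's delete fails on them; removing them needs the same
    prefix (e.g. rd /s "\\?\C:\WINDOWS\system32\AppPatch.")."""
    stem = name.split(".")[0].upper()
    return name.endswith((".", " ")) or stem in RESERVED


def scan(path: str, system_dirs: Iterable[str] = SYSTEM_DIRS):
    """Run both checks over a real directory, e.g. scan(r'C:\WINDOWS\system32')."""
    names = os.listdir(path)
    return find_lookalikes(names, system_dirs), [n for n in names if hard_to_delete(n)]


if __name__ == "__main__":
    for name, mimics, cps in find_lookalikes(SAMPLE_LISTING):
        print(f"{name!r} mimics {mimics!r} using {cps}")
    for name in SAMPLE_LISTING:
        if hard_to_delete(name):
            print(f"{name!r} needs the \\\\?\\ prefix to remove")
```

When the script reports a hit on a live machine, use the printed code points rather than the displayed name to address the folder (for example by pasting the exact name into a `dir /x` or `rd` command, or by removing it from a Windows PE or Linux boot environment where the name is just bytes), since typing "AppPatch" at a prompt will always resolve to the genuine folder.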

Unread postby kurd70 » June 29th, 2006, 6:42 pm

Sorry should have read
I am still getting plenty of advertisements/adware popping up when browsing; these are occurring regularly.
kurd70
Regular Member
 
Posts: 26
Joined: June 26th, 2005, 9:34 am

Unread postby kurd70 » June 29th, 2006, 6:51 pm

Finally got it downloaded!
Reports to follow
kurd70
Regular Member
 
Posts: 26
Joined: June 26th, 2005, 9:34 am

Unread postby kurd70 » June 29th, 2006, 8:45 pm

kaspersky log
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 30, 2006 1:50:00 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/06/2006
Kaspersky Anti-Virus database records: 203691
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 93137
Number of viruses found: 23
Number of infected objects: 86 / 0
Number of suspicious objects: 1
Duration of the scan process: 01:52:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-05082006-214508.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-06-29_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\Kieran\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kieran\Desktop\Unused Desktop Shortcuts\ccsetup120.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Kieran\Desktop\Unused Desktop Shortcuts\ccsetup120.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Kieran\Desktop\Unused Desktop Shortcuts\ccsetup120.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Kieran\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kieran\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kieran\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kieran\Local Settings\History\History.IE5\MSHist012006062920060630\index.dat Object is locked skipped
C:\Documents and Settings\Kieran\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kieran\ntuser.dat Object is locked skipped
C:\Documents and Settings\Kieran\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP333\A0030759.exe/data0004/data0006 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP333\A0030759.exe/data0004 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP333\A0030759.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP333\A0030759.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP333\A0030759.exe PE_Patch.UPX: infected - 2 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030766.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030766.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030766.exe CAB: infected - 2 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030778.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030778.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030778.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030778.exe PE_Patch.UPX: infected - 1 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030779.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP334\A0030780.exe Infected: Trojan-Downloader.Win32.Adload.bv skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP335\A0030795.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP337\A0030834.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP337\A0031834.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP337\A0031838.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP337\A0031840.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP337\A0031844.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP337\A0031848.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP339\A0031865.exe Infected: Trojan-Clicker.Win32.VB.ly skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP339\A0031867.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP339\A0031871.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP340\A0031873.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP340\A0031876.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP340\A0031878.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP340\A0031882.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP340\A0031910.exe Infected: Trojan.Win32.VB.abv skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031916.exe/data0004 Infected: Trojan-Downloader.MSIL.Agent.a skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031916.exe/data0010 Infected: Trojan.Win32.Zapchast.bl skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031916.exe/data0011/data0006 Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031916.exe/data0011 Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031916.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031917.exe Infected: Trojan.Win32.VB.abv skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031918.exe Infected: Trojan.Win32.Zapchast.bl skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031919.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031928.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031929.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031930.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031931.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031932.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031932.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031932.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031932.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031932.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031932.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031933.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031934.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031935.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031936.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031937.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP341\A0031938.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP342\A0031951.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP342\A0031959.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP342\snapshot\MFEX-45.DAT Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0031968.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0031974.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0031975.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0031976.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0031977.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0031978.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0031979.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0031980.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0031981.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032209.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032210.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032211.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032212.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032225.exe Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032226.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032227.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032228.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032229.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032230.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032231.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032232.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032233.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032234.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032235.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP343\A0032237.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP348\A0035401.exe Infected: Trojan-Dropper.Win32.PurityScan.m skipped
C:\System Volume Information\_restore{8AA3F290-B0DF-45AF-B5BA-E37EC51D29AF}\RP348\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\cache319\B_319_0_1_518500.htm Suspicious: Exploit.HTML.Mht skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wuauclt.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
kurd70
Regular Member
 
Posts: 26
Joined: June 26th, 2005, 9:34 am

Unread postby kurd70 » June 29th, 2006, 8:47 pm

Logfile of HijackThis v1.99.1
Scan saved at 01:52:26, on 30/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\DOCUME~1\Kieran\APPLIC~1\SKS~1\cmd.exe
C:\WINDOWS\system32\PPPATC~1\spool32.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Kieran\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S21B.tmp"
O4 - HKCU\..\Run: [Cepp] "C:\DOCUME~1\Kieran\APPLIC~1\SKS~1\cmd.exe" -vt ndrv
O4 - HKCU\..\Run: [Tvp] C:\WINDOWS\system32\PPPATC~1\spool32.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: DigiChatMaster Applet - http://albany.digi-net.com/DigiChat/Dig ... _1_0_1.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/c ... vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/c ... /xs2_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/c ... /jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct0_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/c ... dtt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/c ... lts0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/c ... /zs0_x.cab
O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/c ... gst0_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/c ... /ht0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... potb_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/c ... ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/c ... /wt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3090166312
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleo ... gleNav.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.c ... io4025.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... owdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC1884E0-FB62-409B-A4A4-1491EC7C7C8D}: NameServer = 212.74.114.129 212.74.112.66
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wuauclt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
kurd70
Regular Member
 
Posts: 26
Joined: June 26th, 2005, 9:34 am