
Registered · 7 Posts · Discussion Starter · #1
My PC has picked up something in the last few days and it's extremely annoying. I seem to be getting tons of spyware; one in particular is a voice message from friendsand.com that just comes out of nowhere, even if I am not on a site or anything. Also, when I click on IE my homepage gets hijacked. I've read the posts here on what programs to download and check for spyware, and I've done that, but I still can't get rid of it. Housecall said my PC was clean; Ad-Aware, CounterSpy, Microsoft AntiSpyware etc. picked up some spyware but it just keeps coming back. I've run HijackThis and the HijackThis Analyzer. Any help would be appreciated. Thanks

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:51:47 PM, on 10/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\security\FireDaemon.exe
C:\WINDOWS\security\winsecure.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106794149671
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\o848lihu1848.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: FireDaemon Service: winsecure (winsecure) - Sublime Solutions Pty Ltd - C:\WINDOWS\security\FireDaemon.exe


End of KRC HijackThis Analyzer Log.
====================================================================
Administrator · 4,870 Posts
Hi Lily, welcome to TSF

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If necessary, please ask any questions before proceeding with the procedures below.
_________________________________________________

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select #2 for Run Fix by typing 2 and then pressing Enter. Press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

**NOTE** Please run your new log in Normal Mode and NOT in Safe Mode as you did previously.
Registered · 7 Posts · Discussion Starter · #3
Hope I did this right.

L2Mfix 1.04a

Running From:
C:\Documents and Settings\shawna\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!


Logfile of HijackThis v1.99.1
Scan saved at 5:57:23 PM, on 11/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\security\FireDaemon.exe
C:\WINDOWS\security\winsecure.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106794149671
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\o884lilq18qe.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: FireDaemon Service: winsecure (winsecure) - Sublime Solutions Pty Ltd - C:\WINDOWS\security\FireDaemon.exe


I'm also getting error messages on reboot like this: An exception occured while trying to run C:windows/system32/weerrenu.dll",dllgetversion"

and Run32dll.exe please wait till program ends


Thanks for any help, if you can.
TSF Security Team, Emeritus · 6,962 Posts
Hi and Welcome to TSF

Before attacking an adware/spyware problem with HijackThis, make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the latest version (1.99.1) of HijackThis and that it's installed in its own folder on the root drive (C:\HJT).

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure System Restore is enabled by right-clicking on My Computer and going to Properties->System Restore; check the box for Turn OFF System Restore and make sure it's NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: FireDaemon Service: winsecure (winsecure)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one IF they are still listed (they shouldn't be but make sure)

C:\WINDOWS\security\FireDaemon.exe
C:\WINDOWS\security\winsecure.exe


Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\o884lilq18qe.dll
O23 - Service: FireDaemon Service: winsecure (winsecure) - Sublime Solutions Pty Ltd - C:\WINDOWS\security\FireDaemon.exe


Delete the following files/folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory. (If you can't find them, do a search for them; make sure you have searching of hidden files, folders, subdirectories etc. enabled if it applies to your OS.)

C:\WINDOWS\security\FireDaemon.exe
C:\WINDOWS\security\winsecure.exe
C:\windows\system32\weerrenu.dll
C:\WINDOWS\system32\o884lilq18qe.dll


Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back to normal windows...proceed below....

*Note* If you already have SpySweeper, make sure it's updated and that you set it up as I listed below.

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as follows:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow Spysweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log, and the Ewido log.
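As an added example (not a TSF tool and not part of this thread), the following Python script automates the two checks the helper made by eye on the HijackThis log: O20 Winlogon Notify entries pointing at DLLs with generated-looking names, and O23 services whose binary sits outside the folders services normally live in. The folder allow-list and the randomness thresholds are my assumptions; the sample lines are copied from the second log posted above.

```python
"""Triage helper for HijackThis 1.99.x log lines (added example, not a TSF tool).

Automates two checks the helper above made by eye:
  * O20 Winlogon Notify entries whose DLL has a generated-looking name
    (the Look2Me pattern in this thread: o848lihu1848.dll, o884lilq18qe.dll);
  * O23 services whose binary sits outside the folders services normally
    live in (here: C:\\WINDOWS\\security\\FireDaemon.exe).
Everything reported is a candidate for human review, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Generic "O23 - body" / "R1 - body" line shape used by HijackThis.
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$")
# The short service name in parentheses is optional ("Service: SAVScan - Symantec ...").
O23_RE = re.compile(
    r"^Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<vendor>.*?) - (?P<path>.+)$"
)

# Assumed allow-list of folders where installed services normally live
# (lower-case prefixes; the 8.3 short form is included because HJT prints it).
EXPECTED_SERVICE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\system\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)


@dataclass
class Finding:
    code: str      # HijackThis section, e.g. "O20"
    severity: str  # "high" or "medium" (assumed scale)
    reason: str
    line: str      # the original log line


def file_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\o884lilq18qe.dll' -> 'o884lilq18qe'."""
    name = path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def looks_random(stem: str) -> bool:
    """Heuristic for generated names: three or more letter/digit switches, or
    digits making up at least 30% of the stem. 'o884lilq18qe' -> True,
    'igfxsrvc' and 'ati2evxx' -> False (thresholds are assumptions)."""
    stem = stem.lower()
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    if letters == 0 or digits == 0:
        return False
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return switches >= 3 or digits / (letters + digits) >= 0.3


def in_expected_dir(path: str) -> bool:
    return path.strip('"').lower().startswith(EXPECTED_SERVICE_DIRS)


def triage(log_text: str) -> list[Finding]:
    """Return findings, in log order, for the O20 and O23 lines of an HJT log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # headers, "Running processes:" paths, blank lines
        code, body = m.group("code"), m.group("body")
        if code == "O20":
            e = O20_RE.match(body)
            if e and looks_random(file_stem(e.group("path"))):
                findings.append(Finding(code, "high",
                    f"Winlogon Notify DLL with generated-looking name: {e.group('path')}", line))
        elif code == "O23":
            e = O23_RE.match(body)
            if e is None:
                continue
            path = e.group("path")
            if not in_expected_dir(path):
                findings.append(Finding(code, "high",
                    f"service binary outside expected folders: {path}", line))
            elif looks_random(file_stem(path)):
                findings.append(Finding(code, "medium",
                    f"service binary with generated-looking name: {path}", line))
    return findings


# Excerpt of the second HijackThis log posted in this thread (post #3).
SAMPLE_LOG = r"""
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\o884lilq18qe.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: FireDaemon Service: winsecure (winsecure) - Sublime Solutions Pty Ltd - C:\WINDOWS\security\FireDaemon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.code}: {f.reason}")
```

Running it against the excerpt reports the CSCSettings DLL and the winsecure service and stays silent on the Intel and Symantec entries; HijackThis already hides the default Winlogon Notify subkeys, so any O20 line it prints is worth a look even when the name passes the heuristic.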
Registered · 7 Posts · Discussion Starter · #5
OK, I've done all the steps in the above post and here are my results. Thanks for all your help.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:35:32 PM, 11/7/2005
+ Report-Checksum: 462A501E

+ Scan result:

C:\Documents and Settings\shawna\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\shawna\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\shawna\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\shawna\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\shawna\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\shawna\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\shawna\Local Settings\Temp\Temporary Internet Files\Content.IE5\S1YFG5UN\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\WINDOWS\SYSTEM32\k2800clmefqa0.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\lvl2093oe.dll -> Spyware.Look2Me : Cleaned with backup


::Report End





02:59 PM: |··· Start of Session, Friday, October 28, 2005 ···|
02:59 PM: Spy Sweeper 3.2.0 (Build 147) started
02:59 PM: Updating spyware definitions
03:08 PM: Your spyware definitions have been updated.
07:04 PM: |··· End of Session, Friday, October 28, 2005 ···|
07:07 PM: |··· Start of Session, Friday, October 28, 2005 ···|
07:07 PM: Spy Sweeper 3.2.0 (Build 147) started
07:07 PM: Processing Startup Alerts
07:07 PM: Allowed Startup entry: iTouch
07:08 PM: Sweep initiated using definitions version 564
07:08 PM: Sweeping memory for active spyware.
07:08 PM: Memory sweep has completed. Elapsed time 00:00:09
07:08 PM: Registry sweep initiated.
07:09 PM: Found: 2 TargetSaver registry traces.
07:09 PM: Registry sweep completed. Elapsed time 00:00:23
07:09 PM: Full sweep on all local drives initiated.
07:09 PM: Now sweeping drive C:
07:10 PM: Found Cookie: About Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: HBMediaPro Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: specificclick.com Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Askmen Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Ask Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: Belnk Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Atwola Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: Banner Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Goclick Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: GoStats Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: Ccbill Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: About Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: 2o7.net Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: go.com Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Belnk Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: GoStats Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: go.com Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: About Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: About Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: screensavers.com Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: IC-live Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Kmpads Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: TouchClarity Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Nextag Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: DirectTrack Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: About Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Overture Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Qsrch Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: About Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: affiliatefuel.com Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: RC Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Adjuggler Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: TvGuide Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: TvGuide Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Servlet Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: starware.com Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: Dealtime Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: Uproar Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: BurstBeacon Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: ClickAds Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: Clickxchange Adware Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Redzip Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: screensavers.com Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Uproar Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][2].txt
07:10 PM: Found Cookie: UpSpiral Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: YieldManager Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Cookie: Ysbweb Cookie, version 1, c:\documents and settings\shawna\cookies\[email protected][1].txt
07:10 PM: Found Adware: IST YourSiteBar, version 1, c:\documents and settings\shawna\local settings\application data\sunbelt software\counterspy\quarantine\10cc1bd0-1fa5-41ea-bc56-bfb29b\617e8637-ad8d-4dac-b8e9-a40406
07:10 PM: Found Adware: IST SideFind, version 1, c:\documents and settings\shawna\local settings\application data\sunbelt software\counterspy\quarantine\ac696bbd-0a95-46e4-8a79-c09ea8\e7ea8329-f3d8-40dd-a785-6c6ee4
07:10 PM: Found Adware: IST Istbar, version 1, c:\documents and settings\shawna\local settings\temp\jfghjhhfgudk.exe
07:14 PM: Found Adware: IST Istbar, version 1, c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\6dydu7ir\istdownload[1].exe
07:14 PM: Found Adware: IST YourSiteBar, version 1, c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\6dydu7ir\yoursitebar[1].xml
07:14 PM: Found Adware: Surf Accuracy, version 1, c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\8zinvzm7\uninstaller.prod.24oct2005.exe[1].67ed8085ef4da0dd46732bc56aa91a66
07:14 PM: Found Adware: IST YourSiteBar, version 1, c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\8zinvzm7\ysbinstall_1003585[1].exe
07:14 PM: Found Adware: IST YourSiteBar, version 1, c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\8zinvzm7\ysb[1].dll
07:14 PM: Found Adware: IST Istbar, version 1, c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\gbew6n12\istsvc[1].exe
07:14 PM: Found Adware: TargetSaver, version 1, c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\gbew6n12\tsupdate[1].ini
07:14 PM: Found Adware: iSearch desktop search, version 1, c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\wxunop67\mte3ndi6odoxng[1].exe
07:14 PM: Found Adware: Surf Accuracy, version 1, c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\wxunop67\sacc[1].cfg
07:30 PM: Found Adware: Look2Me, version 1, c:\windows\system32\guard.tmp
07:31 PM: Found: 60 file traces.
07:31 PM: Full Sweep has completed. Elapsed time 00:23:22
54,040 files swept
62 spyware traces located
07:38 PM: Removal process initiated
07:38 PM: Quarantining: 2o7.net Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: About Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Adjuggler Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: affiliatefuel.com Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Ask Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Quarantining: Askmen Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Atwola Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Quarantining: Banner Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Belnk Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Quarantining: BurstBeacon Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Ccbill Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Clickxchange Adware Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Dealtime Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Quarantining: DirectTrack Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: go.com Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Goclick Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Quarantining: GoStats Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Quarantining: HBMediaPro Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Quarantining: IC-live Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Kmpads Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Quarantining: Overture Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Qsrch Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: RC Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Redzip Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: screensavers.com Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Servlet Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Quarantining: specificclick.com Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: TouchClarity Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: TvGuide Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Uproar Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Quarantining: UpSpiral Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: YieldManager Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: Ysbweb Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: starware.com Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Quarantining: ClickAds Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Quarantining: Nextag Cookie
07:38 PM: Cookie: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Quarantining: IST SideFind
07:38 PM: File: c:\documents and settings\shawna\local settings\application data\sunbelt software\counterspy\quarantine\ac696bbd-0a95-46e4-8a79-c09ea8\e7ea8329-f3d8-40dd-a785-6c6ee4
07:38 PM: Quarantining: TargetSaver
07:38 PM: Registry: HKEY_CURRENT_USER\software\tsl2
07:38 PM: Registry: HKEY_CURRENT_USER\software\tsl2||tsl2hwnd
07:38 PM: File: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\gbew6n12\tsupdate[1].ini
07:38 PM: Quarantining: iSearch desktop search
07:38 PM: File: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\wxunop67\mte3ndi6odoxng[1].exe
07:38 PM: Quarantining: Surf Accuracy
07:38 PM: File: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\wxunop67\sacc[1].cfg
07:38 PM: File: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\8zinvzm7\uninstaller.prod.24oct2005.exe[1].67ed8085ef4da0dd46732bc56aa91a66
07:38 PM: Quarantining: Look2Me
07:38 PM: File: c:\windows\system32\guard.tmp
07:38 PM: Quarantining: IST YourSiteBar
07:38 PM: File: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\6dydu7ir\yoursitebar[1].xml
07:38 PM: File: c:\documents and settings\shawna\local settings\application data\sunbelt software\counterspy\quarantine\10cc1bd0-1fa5-41ea-bc56-bfb29b\617e8637-ad8d-4dac-b8e9-a40406
07:38 PM: File: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\8zinvzm7\ysb[1].dll
07:38 PM: File: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\8zinvzm7\ysbinstall_1003585[1].exe
07:38 PM: Quarantining: IST Istbar
07:38 PM: File: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\gbew6n12\istsvc[1].exe
07:38 PM: File: c:\documents and settings\shawna\local settings\temp\jfghjhhfgudk.exe
07:38 PM: File: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\6dydu7ir\istdownload[1].exe
07:38 PM: Cleaning Traces
07:38 PM: Removing registry: HKEY_CURRENT_USER\software\tsl2|| (tsl2hwnd)
07:38 PM: Removing registry: HKEY_CURRENT_USER\software\tsl2
07:38 PM: Removing file: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\6dydu7ir\istdownload[1].exe
07:38 PM: Removing file: c:\documents and settings\shawna\local settings\temp\jfghjhhfgudk.exe
07:38 PM: Removing file: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\gbew6n12\istsvc[1].exe
07:38 PM: Removing file: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\8zinvzm7\ysbinstall_1003585[1].exe
07:38 PM: Removing file: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\8zinvzm7\ysb[1].dll
07:38 PM: Removing file: c:\documents and settings\shawna\local settings\application data\sunbelt software\counterspy\quarantine\10cc1bd0-1fa5-41ea-bc56-bfb29b\617e8637-ad8d-4dac-b8e9-a40406
07:38 PM: Removing file: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\6dydu7ir\yoursitebar[1].xml
07:38 PM: Removing file: c:\windows\system32\guard.tmp
07:38 PM: Removing from memory: c:\windows\system32\guard.tmp
07:38 PM: Removing file on reboot: c:\windows\system32\guard.tmp
07:38 PM: Removing file: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\8zinvzm7\uninstaller.prod.24oct2005.exe[1].67ed8085ef4da0dd46732bc56aa91a66
07:38 PM: Removing file: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\wxunop67\sacc[1].cfg
07:38 PM: Removing file: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\wxunop67\mte3ndi6odoxng[1].exe
07:38 PM: Removing file: c:\documents and settings\shawna\local settings\temporary internet files\content.ie5\gbew6n12\tsupdate[1].ini
07:38 PM: Removing file: c:\documents and settings\shawna\local settings\application data\sunbelt software\counterspy\quarantine\ac696bbd-0a95-46e4-8a79-c09ea8\e7ea8329-f3d8-40dd-a785-6c6ee4
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][2].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removing file: c:\documents and settings\shawna\cookies\[email protected][1].txt
07:38 PM: Removal process completed. Elapsed time 00:00:12
43 it
07:40 PM: |··· Start of Session, Friday, October 28, 2005 ···|
07:40 PM: Spy Sweeper 3.2.0 (Build 147) started
10:05 PM: Processing Internet Explorer Favorites Alerts
10:05 PM: Allowed IE Favorite: Welcome to Cashmere.ca
10:10 PM: Updating sp
03:07 AM: |··· Start of Session, Saturday, October 29, 2005 ···|
03:07 AM: Spy Sweeper 3.2.0 (Build 147) started
03:07 AM: Found: Memory-resident Spyware Look2Me, version 1
03:08 AM: Found: Memory-resident Spyware Look2Me, version 1
03:08 AM: Sweep initiated using definitions version 564
03:08 AM: Sweeping memory for active spyware.
03:08 AM: Found: Memory-resident Spyware Look2Me, version 1
03:08 AM: Memory sweep has completed. Elapsed time 00:00:01
03:08 AM: Registry sweep initiated.
03:08 AM: Found: 7 icannnews registry traces.
03:08 AM: Registry sweep completed. Elapsed time 00:00:06
03:08 AM: Found: 0 file traces.
03:08 AM: Full Sweep has completed. Elapsed time 00:00:22
0 files swept
8 spyware traces located
03:08 AM: Deletion from quarantine initiated
03:08 AM: Processing: 2o7.net Cookie
03:08 AM: Processing: About Cookie
03:08 AM: Processing: Adjuggler Cookie
03:08 AM: Processing: Ask Cookie
03:08 AM: Processing: Askmen Cookie
03:08 AM: Processing: Atwola Cookie
03:08 AM: Processing: Banner Cookie
03:08 AM: Processing: Belnk Cookie
03:08 AM: Processing: BurstBeacon Cookie
03:08 AM: Processing: Ccbill Cookie
03:08 AM: Processing: ClickAds Cookie
03:08 AM: Processing: Clickxchange Adware Cookie
03:08 AM: Processing: Dealtime Cookie
03:08 AM: Processing: DirectTrack Cookie
03:08 AM: Processing: GoStats Cookie
03:08 AM: Processing: Goclick Cookie
03:08 AM: Processing: HBMediaPro Cookie
03:08 AM: Processing: IC-live Cookie
03:08 AM: Processing: IST Istbar
03:08 AM: Processing: IST SideFind
03:08 AM: Processing: IST YourSiteBar
03:08 AM: Processing: Kmpads Cookie
03:08 AM: Processing: Look2Me
03:08 AM: Processing: Nextag Cookie
03:08 AM: Processing: Overture Cookie
03:08 AM: Processing: Qsrch Cookie
03:08 AM: Processing: RC Cookie
03:08 AM: Processing: Redzip Cookie
03:08 AM: Processing: Servlet Cookie
03:08 AM: Processing: Surf Accuracy
03:08 AM: Processing: TargetSaver
03:08 AM: Processing: TouchClarity Cookie
03:08 AM: Processing: TvGuide Cookie
03:08 AM: Processing: UpSpiral Cookie
03:08 AM: Processing: Uproar Cookie
03:08 AM: Processing: YieldManager Cookie
03:08 AM: Processing: Ysbweb Cookie
03:08 AM: Processing: affiliatefuel.com Cookie
03:08 AM: Processing: go.com Cookie
03:08 AM: Processing: iSearch desktop search
03:08 AM: Processing: screensavers.com Cookie
03:08 AM: Processing: specificclick.com Cookie
03:08 AM: Processing: starware.com Cookie
03:08 AM: Deletion from quarantine completed. Elapsed time 00:00:00
03:09 AM: Found: Memory-resident Spyware Look2Me, version 1
03:53 AM: |··· End of Session, Saturday, October 29, 2005 ···|
02:35 PM: |··· Start of Session, Saturday, October 29, 2005 ···|
02:35 PM: Spy Sweeper 3.2.0 (Build 147) started
03:05 PM: Sweep initiated using definitions version 564
03:05 PM: Sweeping memory for active spyware.
03:05 PM: Memory sweep has completed. Elapsed time 00:00:03
03:05 PM: Registry sweep initiated.
03:05 PM: Registry sweep completed. Elapsed time 00:00:17
03:05 PM: Full sweep on all local drives initiated.
03:05 PM: Now sweeping drive C:
03:07 PM: Found Adware: Look2Me, version 1, c:\documents and settings\shawna\local settings\application data\sunbelt software\counterspy\quarantine\9c2d23a7-2874-49a9-82b1-6a592d\f87444e6-aaa3-463f-b3fd-154561
03:29 PM: Found: 1 file traces.
03:29 PM: Full Sweep has completed. Elapsed time 00:24:19
54,765 files swept
1 spyware traces located
03:32 PM: Removal process initiated
03:32 PM: Quarantining: Look2Me
03:32 PM: File: c:\documents and settings\shawna\local settings\application data\sunbelt software\counterspy\quarantine\9c2d23a7-2874-49a9-82b1-6a592d\f87444e6-aaa3-463f-b3fd-154561
03:32 PM: Cleaning Traces
03:32 PM: Removing file: c:\documents and settings\shawna\local settings\application data\sunbelt software\counterspy\quarantine\9c2d23a7-2874-49a9-82b1-6a592d\f87444e6-aaa3-463f-b3fd-154561
03:32 PM: Removal process completed. Elapsed time 00:0
10:07 AM: |··· Start of Session, Sunday, October 30, 2005 ···|
10:07 AM: Spy Sweeper 3.2.0 (Build 147) started
05:28 PM: Processing Startup Alerts
05:28 PM: Allowed Startup entry: wextract_cleanup0
05:28 PM: Processing Internet Explorer Favorites Alerts
05:28 PM: Allowed IE Favorite: Tech Support Forum
05:29 PM: Processing Internet Explorer Favorites Alerts
05:
05:44 PM: |··· Start of Session, Monday, October 31, 2005 ···|
05:44 PM: Spy Sweeper 3.2.0 (Build 147) started
09:55 PM: Processing Internet Explorer Favorites Alerts
09:55 PM: Allowed IE Favorite: Tech Support Forum - Annoying friendsand.com message#post380830
12:06 AM: Processing Internet Explorer Favorites Alerts
12:06 AM: Allowed IE Favorite: Download TuneUp U
01:02 AM: |··· Start of Session, Thursday, November 03, 2005 ···|
01:02 AM: Spy Sweeper 3.2.0 (Build 147) started
01:03 A
02:53 PM: |··· Start of Session, Thursday, November 03, 2005 ···|
02:53 PM: Spy Sweeper 3.2.0 (Build 147) started
09:20 PM: Sweep initiated using definitions version 564
09:20 PM: Sweeping memory for active spyware.
09:20 PM: Memory sweep has completed. Elapsed time 00:00:06
09:20 PM: Registry sweep initiated.
09:20 PM: Registry sweep completed. Elapsed time 00:00:32
09:20 PM: Full sweep on all local drives initiated.
09:20 PM: Now sweeping drive C:
09:52 PM: Found: 0 file traces.
09:52 PM: Full Sweep has completed. Elapsed time 00:32:30
59,640 files swept
0 spyware traces l
10:06 PM: |··· Start of Session, Thursday, November 03, 2005 ···|
10:06 PM: Spy Sweeper 3.2.0 (Build 147) started
10:07 PM: Processing Internet Explorer Favorites Alerts
10:07 PM: Allowed IE Favorite: Renderotica - 3D Adult Erotic Art, Comics &
12:01 AM: |··· Start of Session, Friday, November 04, 2005 ···|
12:01 AM: Spy Sweeper 3.2.0 (Build 147) started
12:05 AM: Processing Internet Explorer Favorites Alerts
12:05 AM: Allowed IE Favorite: System Cleanup After Trojan-Worm Compromise
08:07 PM: |··· Start of Session, Friday, November 04, 2005 ···|
08:07 PM: Spy Sweeper 3.2.0 (Build 147) started
01:17 AM:
10:34 AM: |··· Start of Session, Saturday, November 05, 2005 ···|
10:34 AM: Spy Sweeper 3.2.0 (Build 147) started
11:09 AM: Your spyware definitions have been updated.
11:15 AM: Sweep initiated using definitions version 567
11:15 AM: Sweeping memory for active spyware.
11:15 AM: Memory sweep has completed. Elapsed time 00:00:02
11:15 AM: Registry sweep initiated.
11:15 AM: Registry sweep completed. Elapsed time 00:00:17
11:15 AM: Full sweep on all local drives initiated.
11:15 AM: Now sweeping drive C:
11:41 AM: Found: 0 file traces.
11:41 AM: Full Sweep has completed. Elapsed time 00:26:18
02:58 PM: |··· Start of Session, Sunday, November 06, 2005 ···|
02:58 PM: Spy Sweeper 3.2.0 (Build 147) started
08:46 PM: Processing Internet Explorer Favorites Alerts
08:46 PM: Allowed IE Favorite: Skype is free Internet telephony that just wo
07:47 PM: |··· Start of Session, Monday, November 07, 2005 ···|
07:47 PM: Spy Sweeper 3.2.0 (Build 147) started
07:50 PM: Sweep initiated using definitions version 567
07:50 PM: Sweeping memory for active spyware.
07:51 PM: Memory sweep has completed. Elapsed time 00:00:11
07:51 PM: Registry sweep initiated.
07:51 PM: Found: 7 Look2Me registry traces.
07:51 PM: Registry sweep completed. Elapsed time 00:00:25
07:51 PM: Full sweep on all local drives initiated.
07:51 PM: Now sweeping drive C:
08:08 PM: Found: 0 file traces.
08:08 PM: Full Sweep has completed. Elapsed time 00:17:51
41,049 files swept
7 spyware traces located
08:17 PM: Removal process initiated
08:17 PM: Quarantining: Look2Me
08:17 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup
08:17 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup||asynchronous
08:17 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup||dllname
08:17 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup||impersonate
08:17 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup||logon
08:17 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup||logoff
08:17 PM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup||shutdown
08:17 PM: Cleaning Traces
08:17 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup|| (shutdown)
08:17 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup|| (logon)
08:17 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup|| (logoff)
08:17 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup|| (impersonate)
08:17 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup|| (dllname)
08:17 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup|| (asynchronous)
08:17 PM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\setup
08:17 PM: Removal process completed. Elapsed time 00:00:02
1 items (7 traces) quarantined.
08:17 PM: Deletion from quarantine initiated
08:17 PM: Processing: Look2Me
08:17 PM: Deletion from quarantine completed. Elapsed time
08:20 PM: |··· Start of Session, Monday, November 07, 2005 ···|
08:20 PM: Spy Sweeper 3.2.0 (Build 147) started




Logfile of HijackThis v1.99.1
Scan saved at 8:25:01 PM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\HJT2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106794149671
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 

TSF Security Team, Emeritus · 6,962 Posts
Excellent...

Run Hijackthis and fix this entry...

O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\guard.tmp (file missing)

Then run the L2MFix again BUT this time select Option 1 for make log. It will do its thing and produce a log. Post that log along with the one below.

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
    • Click on see report. Then click Save report
Please post that log in your next reply.
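Triage logic for the kind of entry being fixed here, as an added example that is not code from the thread, HijackThis or L2MFix: it parses HijackThis O20 lines and the Winlogon\Notify section of an L2MFix-style .reg export (decoding hex(2) DllName values and their continuation lines), then flags any notification package whose DLL is missing, carries a non-.dll name such as .tmp, or is absent from a vetted baseline. The baseline and the sample inputs are constructed from the logs posted in this thread; the IPConfTSP registry block is made up for the demo.

```python
"""Winlogon\\Notify triage. Added example: not code from the thread, HijackThis or L2MFix."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed baseline: Notify DLLs the analyst has already vetted, taken from the
# benign subkeys listed in this thread's L2MFix log. Anything else gets reported.
TRUSTED_NOTIFY_DLLS = frozenset({
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "wzcdlg.dll", "igfxsrvc.dll",
})
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)( \(file missing\))?$")
KEY_RE = re.compile(r"^\[.*\\Winlogon\\Notify\\([^\]\\]+)\]$", re.IGNORECASE)
DLL_RE = re.compile(r'^"dllname"=(?:"([^"]*)"|hex\(2\):(.*))$', re.IGNORECASE)

@dataclass
class NotifyEntry:
    subkey: str                 # name under Winlogon\Notify, e.g. "IPConfTSP"
    dll: str                    # DllName as registered (full path or bare file name)
    file_missing: bool = False  # HijackThis appends "(file missing)" when the DLL is gone
    reasons: list[str] = field(default_factory=list)

def decode_hex2(payload: str) -> str:
    """Decode a .reg hex(2) (REG_EXPAND_SZ) value: comma-separated UTF-16LE bytes."""
    raw = bytes(int(b, 16) for b in payload.replace("\\", "").split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")

def parse_hjt_o20(line: str) -> NotifyEntry | None:
    """Parse one HijackThis 'O20 - Winlogon Notify' line; None if it is not one."""
    m = O20_RE.match(line.strip())
    if not m:
        return None
    return NotifyEntry(subkey=m.group(1), dll=m.group(2), file_missing=m.group(3) is not None)

def parse_reg_notify(text: str) -> list[NotifyEntry]:
    """Collect every Winlogon\\Notify\\<subkey> block and its DllName from a .reg export."""
    entries: list[NotifyEntry] = []
    current: NotifyEntry | None = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if key := KEY_RE.match(line):
            current = NotifyEntry(subkey=key.group(1), dll="")
            entries.append(current)
        elif current is not None and (val := DLL_RE.match(line)):
            if val.group(1) is not None:
                current.dll = val.group(1).replace("\\\\", "\\")  # .reg escapes backslashes
            else:
                payload = val.group(2)
                # .reg wraps long hex values; a trailing backslash means "continued below".
                while payload.rstrip().endswith("\\") and i + 1 < len(lines):
                    i += 1
                    payload = payload.rstrip()[:-1] + lines[i].strip()
                current.dll = decode_hex2(payload)
        i += 1
    return entries

def triage(entry: NotifyEntry) -> NotifyEntry:
    """Attach a reason for each property of the registration that warrants a closer look."""
    name = entry.dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if entry.file_missing:
        entry.reasons.append("registered DLL is absent from disk (deleted, or a stale key)")
    if not name.endswith(".dll"):
        entry.reasons.append(f"notification package uses a non-DLL name: {name!r}")
    if name not in TRUSTED_NOTIFY_DLLS:
        entry.reasons.append(f"{name!r} is not in the vetted baseline")
    return entry

def triage_report(hjt_lines: list[str], reg_text: str) -> list[NotifyEntry]:
    """Return only the entries, from either source, that drew at least one reason."""
    entries = [e for e in map(parse_hjt_o20, hjt_lines) if e is not None]
    entries += parse_reg_notify(reg_text)
    return [e for e in map(triage, entries) if e.reasons]

# Constructed sample input: the two O20 lines from the HijackThis log in this thread, and
# a .reg fragment in L2MFix's export format (the IPConfTSP block is made up for the demo).
HJT_LINES = [
    r"O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll",
    r"O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\guard.tmp (file missing)",
]
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"DllName"=hex(2):67,00,75,00,61,00,72,00,64,00,2e,00,74,00,6d,00,70,00,00,00
"""

if __name__ == "__main__":
    for hit in triage_report(HJT_LINES, REG_EXPORT):
        print(hit.subkey, hit.dll, hit.reasons)
```

Entries that pass all three checks are silent, so on a clean export the report is empty; a "(file missing)" hit with a non-DLL name, like the IPConfTSP line above, is the pattern worth chasing in the matching CLSID and file listings.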
 

Registered · 7 Posts · Discussion Starter · #7
I'm having trouble with the Panda Activescan. I've installed the ActiveX then when it goes to download the definitions, it just hangs and does nothing. I've rebooted and tried a few more times and got the same results. Can you suggest any other online scan?
 

TSF Security Team, Emeritus · 6,962 Posts
You bet.....

Perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Standard
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


If that won't work....

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log".

I then need you to repeat the same procedure above again... using the TrendMicro scan tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.
 

Registered · 7 Posts · Discussion Starter · #9
Here's the Kaspersky log. It didn't have a clean option that I saw, so I ran the TrendMicro twice like you asked and here's the results of both programs. Anything in there I should be worried about?

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, November 12, 2005 19:45:16
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 13/11/2005
Kaspersky Anti-Virus database records: 149802
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 42115
Number of viruses found: 4
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 2051 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0003400.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0003401.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0003401.exe Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0003403.exe Infected: Trojan-Downloader.Win32.VB.ri
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0003404.EXE/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0003404.EXE Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0003408.exe Infected: Trojan-Dropper.Win32.Fearless

Scan process completed.


Second TrendMicro Scan:

Started Scanning
Internet Cookies
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning
 

TSF Security Team, Emeritus · 6,962 Posts
Excellent.....

Where is the L2MFix log...using Option 1? Please run the tool...using that option and post its log along with a new HijackThis log.
 

Registered · 7 Posts · Discussion Starter · #11
Oops, sorry, forgot those.


L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A1FB9522-BE5B-0657-BD5E-7A85BD172077}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{B327765E-D724-4347-8B16-78AE18552FC3}"="NeroDigitalIconHandler"
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}"="NeroDigitalPropSheetHandler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{52B87208-9CCF-42C9-B88E-069281105805}"="Trojan Remover Shell Extension"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}"="IZArc DragDrop Menu"
"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"="IZArc Shell Context Menu"
"{A35A4544-A9B9-473E-B315-4CC742833B56}"=""
"{F7E7D124-B047-4701-AF4B-B479FFCF90C5}"=""
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}"="Multiscan"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A35A4544-A9B9-473E-B315-4CC742833B56}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A35A4544-A9B9-473E-B315-4CC742833B56}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A35A4544-A9B9-473E-B315-4CC742833B56}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A35A4544-A9B9-473E-B315-4CC742833B56}\InprocServer32]
@="C:\\WINDOWS\\system32\\MLGLIBNT.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F7E7D124-B047-4701-AF4B-B479FFCF90C5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F7E7D124-B047-4701-AF4B-B479FFCF90C5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F7E7D124-B047-4701-AF4B-B479FFCF90C5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F7E7D124-B047-4701-AF4B-B479FFCF90C5}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Fri Sep 2 2005 6:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 6:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 8:53:42p A.... 2,067,968 1.97 M
danim.dll Fri Sep 2 2005 6:52:04p A.... 1,053,696 1.00 M
dxtrans.dll Fri Sep 2 2005 6:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 6:52:04p A.... 55,808 54.50 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
iepeers.dll Fri Sep 2 2005 6:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 6:52:04p A.... 96,256 94.00 K
legitc~1.dll Mon Aug 29 2005 12:27:12p A.... 520,968 508.76 K
linkinfo.dll Wed Aug 31 2005 8:41:54p A.... 19,968 19.50 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 6:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 6:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 6:52:06p A.... 530,432 518.00 K
netman.dll Mon Aug 22 2005 1:29:46p A.... 197,632 193.00 K
pngfilt.dll Fri Sep 2 2005 6:52:06p A.... 39,424 38.50 K
quartz.dll Mon Aug 29 2005 10:54:26p A.... 1,287,168 1.23 M
rmoc3260.dll Wed Oct 19 2005 12:15:10a A.... 157,696 154.00 K
shdocvw.dll Fri Sep 2 2005 6:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 6:52:06p A.... 473,600 462.50 K
sirenacm.dll Wed Oct 12 2005 5:11:06p A.... 118,784 116.00 K
sys_dll.dll Sat Nov 12 2005 6:57:26p A.... 0 0.00 K
umpnpmgr.dll Mon Aug 22 2005 10:35:42p A.... 123,392 120.50 K
urlmon.dll Fri Sep 2 2005 6:52:06p A.... 608,768 594.50 K
vete.dll Mon Nov 7 2005 9:27:26p A.... 754,872 737.18 K
wininet.dll Fri Sep 2 2005 6:52:06p A.... 658,432 643.00 K
winsrv.dll Wed Aug 31 2005 8:41:54p A.... 291,840 285.00 K

29 items found: 29 files, 0 directories.
Total of file sizes: 24,508,864 bytes 23.37 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 20FE-8BFE

Directory of C:\WINDOWS\System32

11/10/2005 05:20 AM <DIR> DLLCACHE
08/16/2005 10:54 AM 848 KGyGaAvL.sys
01/21/2005 12:58 AM <DIR> Microsoft
1 File(s) 848 bytes
2 Dir(s) 64,211,988,480 bytes free



Logfile of HijackThis v1.99.1
Scan saved at 11:39:33 AM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106794149671
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
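A small triage script for logs like the one above, added here as an example; it is not part of the thread and not HijackThis code. It first rejoins entries that Notepad's Word Wrap split across lines (the formatting problem the helper points out below), then parses the O4/O9/O16/O18/O23 entries and flags the ones a reviewer looks at first: references to files that are missing, O4 entries that name a bare file without a path, and controls pulled from a remote URL. The sample lines are copied from the log above; the join-with-a-space heuristic, the function names and the flag wording are assumptions of this example.

```python
"""Triage helper for HijackThis-style logs.

Added example (not part of the thread and not HijackThis code). The
join-with-a-space heuristic for wrapped lines and the flag heuristics are
assumptions of this example.
"""
import re

# Constructed sample: lines copied from the log above, including two entries
# that Notepad's Word Wrap broke across a blank line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480

\Program\LDMConf.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section tag such as R1, F2, N1, O4, O23.
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d{1,2}) - (?P<body>.*)$")
O4_RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")


def rejoin_wrapped(text):
    """Undo Word Wrap: a non-empty line that does not start a new entry is the
    tail of the previous entry. Heuristic: if the break sits at a backslash the
    pieces are glued directly, otherwise the lost separator was a space."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line) or not entries:
            entries.append(line)
        elif entries[-1].endswith("\\") or line.startswith("\\"):
            entries[-1] += line
        else:
            entries[-1] += " " + line
    return entries


def parse_entry(line):
    """Split one entry into its section tag, body and the path/URL it points at."""
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"not a HijackThis entry: {line!r}")
    entry = {"type": m.group("type"), "body": m.group("body"),
             "name": None, "target": None}
    body = entry["body"]
    if entry["type"] == "O4":
        r = O4_RUN_RE.match(body) or O4_STARTUP_RE.match(body)
        if r:
            entry["name"] = r.group("name")
            entry["target"] = r.group("cmd")
    elif entry["type"] in ("O9", "O16", "O18", "O23"):
        # These sections end with " - <path or URL>", optionally "(file missing)".
        entry["target"] = body.rsplit(" - ", 1)[-1]
    return entry


def flag_entry(entry):
    """Heuristic review flags; they mark what to look at, not a verdict."""
    flags = []
    target = entry["target"] or ""
    if "(file missing)" in entry["body"]:
        flags.append("file missing: dangling reference, candidate for cleanup")
    if entry["type"] == "O4" and target and "\\" not in target:
        flags.append("bare filename: resolved through the search path, confirm which copy runs")
    if target.lower().startswith("http://"):
        flags.append("remote download source: confirm the host belongs to the vendor")
    return flags


def triage(text):
    """Rejoin, parse and flag a whole log; returns one dict per entry."""
    results = []
    for line in rejoin_wrapped(text):
        entry = parse_entry(line)
        entry["flags"] = flag_entry(entry)
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        if e["flags"]:
            print(e["type"], e["name"] or e["target"], "->", "; ".join(e["flags"]))
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; the flags are a reading aid for the person reviewing the log, and an unflagged entry is not thereby known to be clean.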
 

Premium Member · 14,311 Posts
Please read through the following instructions so you have a general idea of what to do.

Please make sure that Word Wrap is turned OFF in Notepad before you post your HijackThis log next time. As you can see, the formatting it creates (see the log you posted) makes it harder for us to read it.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A35A4544-A9B9-473E-B315-4CC742833B56}"=-
"{F7E7D124-B047-4701-AF4B-B479FFCF90C5}"=-

[-HKEY_CLASSES_ROOT\CLSID\{A35A4544-A9B9-473E-B315-4CC742833B56}]

[-HKEY_CLASSES_ROOT\CLSID\{F7E7D124-B047-4701-AF4B-B479FFCF90C5}]


Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


Download KillBox http://www.downloads.subratam.org/KillBox.zip Unzip it and run it now.

At the bottom right of the main screen, click on the arrow to the right of System Process
(The area is to the left of the yellow triangle.)
Select the following entry - rundll32.exe
Now click the yellow triangle to End Task.

Wait a few seconds, and check again for rundll32.exe, as it may reload!
If so, End Task once again.

Next, select Standard File Kill.

Highlight the entries below and press the Ctrl and the C key at the same time to copy them to the clipboard:

C:\WINDOWS\system32\MLGLIBNT.DLL
C:\WINDOWS\System32\guard.tmp


Click on the File menu of Pocket KillBox and select - Paste from Clipboard

In the Full Path of File to Delete box you should see the first entry.
Use the down arrow to see the rest of the files.

Make sure C:\Windows\System32\guard.tmp appears on the list.
If not, click on the arrow to the right of System Process.
Once again select the following entry - rundll32.exe
Click the yellow triangle to End Task.
(End Task on rundll32.exe until C:\WINDOWS\SYSTEM32\guard.tmp is on the list!)

Then, highlight the file entries once again and press the Ctrl and the C key at the same time to copy them to the clipboard.

Click on the File menu of Pocket KillBox and select - Paste from Clipboard

In the Full Path of File to Delete box you should see the first entry.
Once again, use the down arrow to see the rest of the files.

C:\Windows\System32\guard.tmp must appear on the list!!

Press the button with a red circle and a white X (Delete File button)
Click Yes at the confirmation message that files will be deleted on next reboot.
Click Yes at the request to reboot.

If the PendingFileRenameOperations error appears, then you must reboot.
Upon reboot, L2M file names may change.
In that case, exit out of KillBox.
Run L2MFix Option 1 and post its log in your reply along with a new HijackThis log.
>>Please wait for new instructions!!<<

If the PendingFileRenameOperations error does not appear, after guard.tmp is removed, for any file that refuses to delete, run KillBox using the Delete on Reboot option.

Restart and run a new L2MFix scan (option #1). Post the log here along with a new HijackThis log. Don't restart or shutdown at this time. Doing so will mean giving us new logs again since the filename will most likely change.
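Before merging a .reg file like the delete.reg in the instructions above, it is worth seeing exactly what it will do to the registry. The script below is an added example, not part of the thread and not a Microsoft tool: it parses the REGEDIT4 / "Windows Registry Editor Version 5.00" text format (key deletion with `[-KEY]`, value deletion with `"name"=-`, value assignment) and lists the resulting operations, calling out whole-key deletions separately because those are the ones to check against the registry backup the helper asks for. The sample is the delete.reg from the post; the operation names and function names are assumptions of this example.

```python
"""Dry-run reviewer for .reg files.

Added example (not part of the thread, not a Microsoft tool). It never touches
the registry; it only reports what regedit would do when the file is merged.
"""
import re

# Constructed sample: the delete.reg from the post above.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A35A4544-A9B9-473E-B315-4CC742833B56}"=-
"{F7E7D124-B047-4701-AF4B-B479FFCF90C5}"=-

[-HKEY_CLASSES_ROOT\CLSID\{A35A4544-A9B9-473E-B315-4CC742833B56}]

[-HKEY_CLASSES_ROOT\CLSID\{F7E7D124-B047-4701-AF4B-B479FFCF90C5}]
"""

HEADER_RE = re.compile(r"^(REGEDIT4|Windows Registry Editor Version 5\.00)$")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
# A value line is "name"=data or @=data; "-" as data deletes the value.
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')


def parse_reg(text):
    """Return (op, key, value_name, data) tuples in file order."""
    header = None
    current_key = None
    ops = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if header is None:
            if not HEADER_RE.match(line):
                raise ValueError(f"line {lineno}: first line must be the REGEDIT4 / 5.00 header")
            header = line
            continue
        km = KEY_RE.match(line)
        if km:
            if km.group("delete"):
                ops.append(("delete_key", km.group("key"), None, None))
                current_key = None          # values cannot follow a deleted key
            else:
                current_key = km.group("key")
                ops.append(("ensure_key", current_key, None, None))
            continue
        vm = VALUE_RE.match(line)
        if vm:
            if current_key is None:
                raise ValueError(f"line {lineno}: value outside a key section")
            name = vm.group("name")
            name = "(Default)" if name == "@" else name[1:-1]
            data = vm.group("data").strip()
            if data == "-":
                ops.append(("delete_value", current_key, name, None))
            else:
                if len(data) >= 2 and data[0] == data[-1] == '"':
                    data = data[1:-1]       # REG_SZ; dword:/hex: data is kept raw
                ops.append(("set_value", current_key, name, data))
            continue
        raise ValueError(f"line {lineno}: unrecognised line {raw!r}")
    return ops


def plan(text):
    """Human-readable list of what merging the file would do."""
    words = {"delete_key": "DELETE KEY", "ensure_key": "create/open key",
             "delete_value": "delete value", "set_value": "set value"}
    out = []
    for op, key, name, data in parse_reg(text):
        line = f"{words[op]:16} {key}"
        if name is not None:
            line += f" :: {name}"
        if data is not None:
            line += f" = {data!r}"
        out.append(line)
    return out


def destructive(text):
    """Whole-key deletions: the part to double-check against the backup."""
    return [key for op, key, _, _ in parse_reg(text) if op == "delete_key"]


if __name__ == "__main__":
    print("\n".join(plan(SAMPLE_REG)))
```

Running it on the sample shows three whole-key deletions (the Post Platform key, which is immediately recreated with only the SV1 value, and the two CLSID keys) plus two value removals from Shell Extensions\Approved, which is the whole effect of the fix and the list to compare against the exported backup if anything needs to be restored.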
 

Registered · 7 Posts · Discussion Starter · #13
At the bottom right of the main screen, click on the arrow to the right of System Process
(The area is to the left of the yellow triangle.)
Select the following entry - rundll32.exe
Now click the yellow triangle to End Task.

rundll32.exe is not in the dropdown box. Do I go to the next step or ?
 

TSF Security Manager, Emeritus · 42,836 Posts
Hi Lily,

Yes, just continue with greyknight17's instructions. If it's not in the drop down box, it's not running. :smile: When you continue, check again to make sure it's not in the drop-down box, then-- on with the rest of the instructions.
 