frank

Members
  • Content Count: 52
  • Rank: Full Member

About frank
  1. > Yes, Comcast came out a couple weeks ago and said everything was fine. I disabled my firewall and same problem. Yes, I have restarted both router and modem... any other ideas?
     > Maybe try connecting to the net w/o the router. I once had that problem and took the router out and my connection was fine. Could be the router.
     I would do that, but there are like 5 other computers needing the internet... hence the router.
  2. Yes, Comcast came out a couple weeks ago and said everything was fine. I disabled my firewall and same problem. Yes, I have restarted both router and modem... any other ideas?
  3. NEW OUTPUT LOG>>>>>>>>>>>>>.
     Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.
     Find.bat is running from: C:\Documents and Settings\Sean\My Documents\My Downloads\finditnt2000xp\Find It NT-2K-XP
     ------- System Files in System32 Directory -------
      Volume in drive C has no label.
      Volume Serial Number is 88DA-5EDA
      Directory of C:\WINDOWS\System32
     02/05/2006  10:56 AM    <DIR>          dllcache
     02/04/2006  03:56 AM    <DIR>          Microsoft
                    0 File(s)              0 bytes
                    2 Dir(s)  44,617,871,360 bytes free
     ------- Hidden Files in System32 Directory -------
      Volume in drive C has no label.
      Volume Serial Number is 88DA-5EDA
      Directory of C:\WINDOWS\System32
     02/05/2006  10:56 AM    <DIR>          dllcache
     02/04/2006  03:51 AM               749 cdplayer.exe.manifest
                    1 File(s)            749 bytes
                    1 Dir(s)  44,617,871,360 bytes free
     ------------ Files Named "Guard" ---------------
      Volume in drive C has no label.
      Volume Serial Number is 88DA-5EDA
      Directory of C:\WINDOWS\System32
     ------ Temp Files in System32 Directory ------
      Volume in drive C has no label.
      Volume Serial Number is 88DA-5EDA
      Directory of C:\WINDOWS\System32
     08/10/2004  06:00 AM             2,577 CONFIG.TMP
                    1 File(s)          2,577 bytes
                    0 Dir(s)  44,617,871,360 bytes free
     ------------------ User Agent ----------------
     REGEDIT4
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
     "SV1"=""
     ------------- Keys Under Notify -------------
     REGEDIT4
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
     "DLLName"="Ati2evxx.dll"
     "Asynchronous"=dword:00000000
     "Impersonate"=dword:00000001
     "Lock"="AtiLockEvent"
     "Logoff"="AtiLogoffEvent"
     "Logon"="AtiLogonEvent"
     "Disconnect"="AtiDisConnectEvent"
     "Reconnect"="AtiReConnectEvent"
     "Safe"=dword:00000000
     "Shutdown"="AtiShutdownEvent"
     "StartScreenSaver"="AtiStartScreenSaverEvent"
     "StartShell"="AtiStartShellEvent"
     "Startup"="AtiStartupEvent"
     "StopScreenSaver"="AtiStopScreenSaverEvent"
     "Unlock"="AtiUnLockEvent"
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
     "Asynchronous"=dword:00000000
     "Impersonate"=dword:00000000
     "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
     "Logoff"="ChainWlxLogoffEvent"
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
     "Asynchronous"=dword:00000000
     "Impersonate"=dword:00000000
     "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
     "Logoff"="CryptnetWlxLogoffEvent"
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
     "DLLName"="cscdll.dll"
     "Logon"="WinlogonLogonEvent"
     "Logoff"="WinlogonLogoffEvent"
     "ScreenSaver"="WinlogonScreenSaverEvent"
     "Startup"="WinlogonStartupEvent"
     "Shutdown"="WinlogonShutdownEvent"
     "StartShell"="WinlogonStartShellEvent"
     "Impersonate"=dword:00000000
     "Asynchronous"=dword:00000001
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]
     "DllName"=hex(2):68,70,70,72,69,6e,74,78,2e,64,6c,6c,00
     "Startup"="hpprintx"
     "Impersonate"=dword:00000001
     "Asynchronous"=dword:00000001
     "MaxWait"=dword:00000001
     "nk453id"="[20882906427633-NG-Sean]"
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
     "DLLName"="wlnotify.dll"
     "Logon"="SCardStartCertProp"
     "Logoff"="SCardStopCertProp"
     "Lock"="SCardSuspendCertProp"
     "Unlock"="SCardResumeCertProp"
     "Enabled"=dword:00000001
     "Impersonate"=dword:00000001
     "Asynchronous"=dword:00000001
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
     "Asynchronous"=dword:00000000
     "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
     "Impersonate"=dword:00000000
     "StartShell"="SchedStartShell"
     "Logoff"="SchedEventLogOff"
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
     "Logoff"="WLEventLogoff"
     "Impersonate"=dword:00000000
     "Asynchronous"=dword:00000001
     "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
     "DLLName"="WlNotify.dll"
     "Lock"="SensLockEvent"
     "Logon"="SensLogonEvent"
     "Logoff"="SensLogoffEvent"
     "Safe"=dword:00000001
     "MaxWait"=dword:00000258
     "StartScreenSaver"="SensStartScreenSaverEvent"
     "StopScreenSaver"="SensStopScreenSaverEvent"
     "Startup"="SensStartupEvent"
     "Shutdown"="SensShutdownEvent"
     "StartShell"="SensStartShellEvent"
     "PostShell"="SensPostShellEvent"
     "Disconnect"="SensDisconnectEvent"
     "Reconnect"="SensReconnectEvent"
     "Unlock"="SensUnlockEvent"
     "Impersonate"=dword:00000001
     "Asynchronous"=dword:00000001
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
     "Asynchronous"=dword:00000000
     "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
     "Impersonate"=dword:00000000
     "Logoff"="TSEventLogoff"
     "Logon"="TSEventLogon"
     "PostShell"="TSEventPostShell"
     "Shutdown"="TSEventShutdown"
     "StartShell"="TSEventStartShell"
     "Startup"="TSEventStartup"
     "MaxWait"=dword:00000258
     "Reconnect"="TSEventReconnect"
     "Disconnect"="TSEventDisconnect"
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
     "DLLName"="wlnotify.dll"
     "Logon"="RegisterTicketExpiredNotificationEvent"
     "Logoff"="UnregisterTicketExpiredNotificationEvent"
     "Impersonate"=dword:00000001
     "Asynchronous"=dword:00000001
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
     "Asynchronous"=dword:00000000
     "DllName"="WRLogonNTF.dll"
     "Impersonate"=dword:00000001
     "Lock"="WRLock"
     "StartScreenSaver"="WRStartScreenSaver"
     "StartShell"="WRStartShell"
     "Startup"="WRStartup"
     "StopScreenSaver"="WRStopScreenSaver"
     "Unlock"="WRUnlock"
     "Shutdown"="WRShutdown"
     "Logoff"="WRLogoff"
     "Logon"="WRLogon"
     ------------- Locate.com Results -------------
     C:\WINDOWS\SYSTEM32\
     cdplay~1.man  Sat Feb  4 2006   3:51:04a A..HR        749    0.73 K
     1 item found:  1 file, 0 directories.
        Total of file sizes: 749 bytes      0.73 K
     -------- Strings.exe Qoologic Results --------
     --------- Strings.exe Aspack Results ---------
     C:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPack
     C:\WINDOWS\system32\MRT.exe: (ASPack)
     C:\WINDOWS\system32\MRT.exe: (AsPack2k)
     C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)
     C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)
     C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)
     C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)
     C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)
     C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)
     C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)
     C:\WINDOWS\system32\MRT.exe: ASPack2000
     C:\WINDOWS\system32\MRT.exe: ASPack 1.61
     C:\WINDOWS\system32\MRT.exe: ASPack 1.084
     C:\WINDOWS\system32\MRT.exe: ASPack 1.083
     C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
     C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
     C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
     C:\WINDOWS\system32\MRT.exe: ASPack 1.02
     C:\WINDOWS\system32\MRT.exe: ASPACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\ntdll.dll: .aspack
     -------------- HKLM Run Key ----------------
     REGEDIT4
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SoundMan"="SOUNDMAN.EXE"
     "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
     "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
     "SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
     "gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
     "Installed"="1"
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
     "Installed"="1"
     "NoChange"="1"
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
     "Installed"="1"
  4. > They have been known to have overloaded servers and I don't know if it's still true, but they used to be known for attaching malware to their programs. Just go to the originator's site.
     OK, well, any web site I download from is slow as hell. Do you guys have any advice as to what to do?
  5. > Yeah, 4MB internet won't download 4MB/s on P2P. It will also slow down your internet while you download (not that I download P2P).
     Well, why would I think of even using P2P... lol, but when I'm downloading from like download.com for virus protection or anything it is like REALLY REALLY slow...
  6. Hey, I have decent browsing speeds (going from web page to web page), but when I go to download something it is like 23KB/s, which is horrible; I'm supposed to be getting 4Mb/s. I just got an RMA for the old router and I now have the new one and updated firmware, but it did not help. If you have any ideas that would be great!
  7. Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.
     Find.bat is running from: C:\Documents and Settings\Sean\My Documents\My Downloads\finditnt2000xp\Find It NT-2K-XP
     ------- System Files in System32 Directory -------
      Volume in drive C has no label.
      Volume Serial Number is 88DA-5EDA
      Directory of C:\WINDOWS\System32
     02/07/2006  10:51 PM           234,272 ivssuba.dll
     02/07/2006  10:51 PM           234,962 r0r60a9sed.dll
     02/07/2006  10:33 PM           234,272 kgdsf.dll
     02/07/2006  10:33 PM           234,272 ibdetect.dll
     02/05/2006  10:56 AM    <DIR>          dllcache
     02/04/2006  03:56 AM    <DIR>          Microsoft
                    4 File(s)        937,778 bytes
                    2 Dir(s)  45,149,118,464 bytes free
     ------- Hidden Files in System32 Directory -------
      Volume in drive C has no label.
      Volume Serial Number is 88DA-5EDA
      Directory of C:\WINDOWS\System32
     02/05/2006  10:56 AM    <DIR>          dllcache
     02/04/2006  03:51 AM               488 logonui.exe.manifest
     02/04/2006  03:51 AM               488 WindowsLogon.manifest
     02/04/2006  03:51 AM               749 nwc.cpl.manifest
     02/04/2006  03:51 AM               749 sapi.cpl.manifest
     02/04/2006  03:51 AM               749 ncpa.cpl.manifest
     02/04/2006  03:51 AM               749 wuaucpl.cpl.manifest
     02/04/2006  03:51 AM               749 cdplayer.exe.manifest
                    7 File(s)          4,721 bytes
                    1 Dir(s)  45,149,118,464 bytes free
     ------------ Files Named "Guard" ---------------
      Volume in drive C has no label.
      Volume Serial Number is 88DA-5EDA
      Directory of C:\WINDOWS\System32
     ------ Temp Files in System32 Directory ------
      Volume in drive C has no label.
      Volume Serial Number is 88DA-5EDA
      Directory of C:\WINDOWS\System32
     08/10/2004  06:00 AM             2,577 CONFIG.TMP
                    1 File(s)          2,577 bytes
                    0 Dir(s)  45,149,114,368 bytes free
     ------------------ User Agent ----------------
     REGEDIT4
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
     "SV1"=""
     ------------- Keys Under Notify -------------
     REGEDIT4
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
     "DLLName"="Ati2evxx.dll"
     "Asynchronous"=dword:00000000
     "Impersonate"=dword:00000001
     "Lock"="AtiLockEvent"
     "Logoff"="AtiLogoffEvent"
     "Logon"="AtiLogonEvent"
     "Disconnect"="AtiDisConnectEvent"
     "Reconnect"="AtiReConnectEvent"
     "Safe"=dword:00000000
     "Shutdown"="AtiShutdownEvent"
     "StartScreenSaver"="AtiStartScreenSaverEvent"
     "StartShell"="AtiStartShellEvent"
     "Startup"="AtiStartupEvent"
     "StopScreenSaver"="AtiStopScreenSaverEvent"
     "Unlock"="AtiUnLockEvent"
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
     "Asynchronous"=dword:00000000
     "Impersonate"=dword:00000000
     "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
     "Logoff"="ChainWlxLogoffEvent"
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
     "Asynchronous"=dword:00000000
     "Impersonate"=dword:00000000
     "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
     "Logoff"="CryptnetWlxLogoffEvent"
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
     "DLLName"="cscdll.dll"
     "Logon"="WinlogonLogonEvent"
     "Logoff"="WinlogonLogoffEvent"
     "ScreenSaver"="WinlogonScreenSaverEvent"
     "Startup"="WinlogonStartupEvent"
     "Shutdown"="WinlogonShutdownEvent"
     "StartShell"="WinlogonStartShellEvent"
     "Impersonate"=dword:00000000
     "Asynchronous"=dword:00000001
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
     "Asynchronous"=dword:00000000
     "DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"
     "Impersonate"=dword:00000000
     "Logon"="WinLogon"
     "Logoff"="WinLogoff"
     "Shutdown"="WinShutdown"
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]
     "DllName"=hex(2):68,70,70,72,69,6e,74,78,2e,64,6c,6c,00
     "Startup"="hpprintx"
     "Impersonate"=dword:00000001
     "Asynchronous"=dword:00000001
     "MaxWait"=dword:00000001
     "nk453id"="[20882906427633-NG-Sean]"
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
     "DLLName"="wlnotify.dll"
     "Logon"="SCardStartCertProp"
     "Logoff"="SCardStopCertProp"
     "Lock"="SCardSuspendCertProp"
     "Unlock"="SCardResumeCertProp"
     "Enabled"=dword:00000001
     "Impersonate"=dword:00000001
     "Asynchronous"=dword:00000001
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
     "Asynchronous"=dword:00000000
     "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
     "Impersonate"=dword:00000000
     "StartShell"="SchedStartShell"
     "Logoff"="SchedEventLogOff"
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
     "Logoff"="WLEventLogoff"
     "Impersonate"=dword:00000000
     "Asynchronous"=dword:00000001
     "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
     "DLLName"="WlNotify.dll"
     "Lock"="SensLockEvent"
     "Logon"="SensLogonEvent"
     "Logoff"="SensLogoffEvent"
     "Safe"=dword:00000001
     "MaxWait"=dword:00000258
     "StartScreenSaver"="SensStartScreenSaverEvent"
     "StopScreenSaver"="SensStopScreenSaverEvent"
     "Startup"="SensStartupEvent"
     "Shutdown"="SensShutdownEvent"
     "StartShell"="SensStartShellEvent"
     "PostShell"="SensPostShellEvent"
     "Disconnect"="SensDisconnectEvent"
     "Reconnect"="SensReconnectEvent"
     "Unlock"="SensUnlockEvent"
     "Impersonate"=dword:00000001
     "Asynchronous"=dword:00000001
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
     "Asynchronous"=dword:00000000
     "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
     "Impersonate"=dword:00000000
     "Logoff"="TSEventLogoff"
     "Logon"="TSEventLogon"
     "PostShell"="TSEventPostShell"
     "Shutdown"="TSEventShutdown"
     "StartShell"="TSEventStartShell"
     "Startup"="TSEventStartup"
     "MaxWait"=dword:00000258
     "Reconnect"="TSEventReconnect"
     "Disconnect"="TSEventDisconnect"
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
     "DLLName"="wlnotify.dll"
     "Logon"="RegisterTicketExpiredNotificationEvent"
     "Logoff"="UnregisterTicketExpiredNotificationEvent"
     "Impersonate"=dword:00000001
     "Asynchronous"=dword:00000001
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
     "Asynchronous"=dword:00000000
     "DllName"="WRLogonNTF.dll"
     "Impersonate"=dword:00000001
     "Lock"="WRLock"
     "StartScreenSaver"="WRStartScreenSaver"
     "StartShell"="WRStartShell"
     "Startup"="WRStartup"
     "StopScreenSaver"="WRStopScreenSaver"
     "Unlock"="WRUnlock"
     "Shutdown"="WRShutdown"
     "Logoff"="WRLogoff"
     "Logon"="WRLogon"
     ------------- Locate.com Results -------------
     C:\WINDOWS\SYSTEM32\
     cdplay~1.man  Sat Feb  4 2006   3:51:04a A..HR        749    0.73 K
     ibdetect.dll  Tue Feb  7 2006  10:33:12p ..S.R    234,272  228.78 K
     ivssuba.dll   Tue Feb  7 2006  10:51:40p ..S.R    234,272  228.78 K
     kgdsf.dll     Tue Feb  7 2006  10:33:20p ..S.R    234,272  228.78 K
     logonu~1.man  Sat Feb  4 2006   3:51:08a A..HR        488    0.48 K
     ncpacp~1.man  Sat Feb  4 2006   3:51:04a A..HR        749    0.73 K
     nwccpl~1.man  Sat Feb  4 2006   3:51:04a A..HR        749    0.73 K
     r0r60a~1.dll  Tue Feb  7 2006  10:51:40p ..S.R    234,962  229.45 K
     sapicp~1.man  Sat Feb  4 2006   3:51:04a A..HR        749    0.73 K
     window~1.man  Sat Feb  4 2006   3:51:08a A..HR        488    0.48 K
     wuaucp~1.man  Sat Feb  4 2006   3:51:04a A..HR        749    0.73 K
     11 items found:  11 files, 0 directories.
        Total of file sizes: 942,499 bytes    920.41 K
     -------- Strings.exe Qoologic Results --------
     --------- Strings.exe Aspack Results ---------
     C:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPack
     C:\WINDOWS\system32\MRT.exe: (ASPack)
     C:\WINDOWS\system32\MRT.exe: (AsPack2k)
     C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)
     C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)
     C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)
     C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)
     C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)
     C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)
     C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)
     C:\WINDOWS\system32\MRT.exe: ASPack2000
     C:\WINDOWS\system32\MRT.exe: ASPack 1.61
     C:\WINDOWS\system32\MRT.exe: ASPack 1.084
     C:\WINDOWS\system32\MRT.exe: ASPack 1.083
     C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
     C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
     C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
     C:\WINDOWS\system32\MRT.exe: ASPack 1.02
     C:\WINDOWS\system32\MRT.exe: ASPACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\MRT.exe: aspACK
     C:\WINDOWS\system32\ntdll.dll: .aspack
     -------------- HKLM Run Key ----------------
     REGEDIT4
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SoundMan"="SOUNDMAN.EXE"
     "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
     "6104308"="tskmgr.exe /ibpm"
     "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
     "SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
     "ASUS Probe"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe"
     "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
       65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
     "Installed"="1"
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
     "Installed"="1"
     "NoChange"="1"
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
     "Installed"="1"
  8. ********
     9:41 PM: | Start of Session, Thursday, February 09, 2006 |
     9:41 PM: Spy Sweeper started
     9:41 PM: Sweep initiated using definitions version 612
     9:42 PM: Starting Memory Sweep
     9:44 PM: Memory Sweep Complete, Elapsed Time: 00:01:58
     9:44 PM: Starting Registry Sweep
     9:44 PM: Found Adware: surfsidekick
     9:44 PM: HKLM\software\microsoft\windows nt\currentversion\windows\ || appinit_dlls (ID = 819064)
     9:44 PM: Found Trojan Horse: spamrelayer_alpiok
     9:44 PM: HKCR\clsid\{636821fc-6f5c-2f1b-b164-e67214f678e2}\ (3 subtraces) (ID = 942353)
     9:44 PM: HKLM\software\classes\clsid\{636821fc-6f5c-2f1b-b164-e67214f678e2}\ (3 subtraces) (ID = 942360)
     9:44 PM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || systray.exgl (ID = 942368)
     9:44 PM: Found Adware: cws_secure32.html hijack
     9:44 PM: HKLM\software\microsoft\internet explorer\main\ || start page (ID = 946025)
     9:44 PM: Found Adware: command
     9:44 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
     9:44 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
     9:44 PM: Found Adware: quicklink search toolbar
     9:44 PM: HKCR\permeation.permeater\ (3 subtraces) (ID = 1133968)
     9:44 PM: HKCR\permeation.permeater.1\ (3 subtraces) (ID = 1133972)
     9:44 PM: HKCR\permeation.trecker\ (3 subtraces) (ID = 1133976)
     9:44 PM: HKCR\permeation.trecker.1\ (3 subtraces) (ID = 1133980)
     9:44 PM: HKCR\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1133998)
     9:44 PM: HKCR\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134093)
     9:44 PM: HKLM\software\classes\permeation.permeater\ (3 subtraces) (ID = 1134157)
     9:44 PM: HKLM\software\classes\permeation.permeater.1\ (3 subtraces) (ID = 1134161)
     9:44 PM: HKLM\software\classes\permeation.trecker\ (3 subtraces) (ID = 1134165)
     9:44 PM: HKLM\software\classes\permeation.trecker.1\ (3 subtraces) (ID = 1134169)
     9:44 PM: HKLM\software\classes\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1134187)
     9:44 PM: HKLM\software\classes\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134251)
     9:44 PM: Found Adware: spysheriff
     9:44 PM: HKLM\software\microsoft\internet explorer\main\ || start page (ID = 1140862)
     9:44 PM: Found Trojan Horse: infected mushrooms
     9:44 PM: HKU\S-1-5-21-220523388-1220945662-725345543-1003\software\microsoft\windows\currentversion\run\ || windowsupdatent (ID = 1124765)
     9:44 PM: Registry Sweep Complete, Elapsed Time:00:00:08
     9:44 PM: Starting Cookie Sweep
     9:44 PM: Found Spy Cookie: atwola cookie
     9:44 PM: [email protected][1].txt (ID = 2255)
     9:44 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
     9:44 PM: Starting File Sweep
     9:44 PM: Found Trojan Horse: komforochka smtp relay
     9:44 PM: c:\windows\inet20010 (1 subtraces) (ID = -2147459835)
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005901.exe". Access is denied
     9:44 PM: c:\program files\jalmp (3 subtraces) (ID = -2147459072)
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005995.exe". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0009013.exe". Access is denied
     9:44 PM: a0009113.exe (ID = 202812)
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005836.exe". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005997.exe". Access is denied
     9:44 PM: a0005860.exe (ID = 238236)
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005876.exe". Access is denied
     9:44 PM: Found Trojan Horse: trojan-downloader-dh
     9:44 PM: a0005884.exe (ID = 208497)
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005896.exe". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0004786.exe". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp41\a0004390.exe". Access is denied
     9:44 PM: a0005953.exe (ID = 212830)
     9:44 PM: a0005952.exe (ID = 212831)
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005986.exe". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0004787.exe". Access is denied
     9:44 PM: Found Adware: targetsaver
     9:44 PM: class-barrel (ID = 78229)
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005984.dll". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006097.exe". Access is denied
     9:44 PM: a0009221.dll (ID = 239855)
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005811.exe". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005813.exe". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005815.exe". Access is denied
     9:44 PM: a0006053.exe (ID = 212830)
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0008053.exe". Access is denied
     9:44 PM: a0006052.exe (ID = 212831)
     9:44 PM: a0009115.exe (ID = 240726)
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0008054.exe". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005959.exe". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0008055.exe". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005885.exe". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006086.exe". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006084.dll". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006032.exe". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0008012.dll". Access is denied
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0004789.exe". Access is denied
     9:44 PM: a0009106.dll (ID = 220754)
     9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp36\a0003998.exe". Access is denied
     9:45 PM: a0005955.exe (ID = 212828)
     9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005883.dll". Access is denied
     9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005934.exe". Access is denied
     9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005998.exe". Access is denied
     9:45 PM: Found Adware: spysheriff fakealert
     9:45 PM: secure32.html (ID = 184319)
     9:45 PM: Found Adware: coolwebsearch (cws)
     9:45 PM: a0009107.exe (ID = 239915)
     9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005903.exe". Access is denied
     9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005902.exe". Access is denied
     9:45 PM: a0005947.exe (ID = 237448)
     9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005900.exe". Access is denied
     9:45 PM: Found Trojan Horse: trojan-backdoor-haxdoor
     9:45 PM: a0005895.sys (ID = 238244)
     9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005931.exe". Access is denied
     9:46 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006059.exe". Access is denied
     9:46 PM: vocabulary (ID = 78283)
     9:46 PM: a0006055.exe (ID = 212828)
     9:46 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005891.exe". Access is denied
     9:46 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005899.exe". Access is denied
     9:47 PM: a0005847.exe (ID = 237448)
     9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005834.exe". Access is denied
     9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005969.exe". Access is denied
     9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006098.exe". Access is denied
     9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006029.exe". Access is denied
     9:47 PM: a0006047.exe (ID = 237448)
     9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005869.exe". Access is denied
     9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005991.exe". Access is denied
     9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006091.exe". Access is denied
     9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005881.exe". Access is denied
     9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0006000.exe". Access is denied
     9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005897.dll". Access is denied
     9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005996.dll". Access is denied
     9:48 PM: Found Adware: wfgtech
     9:48 PM: a0009111.exe (ID = 203674)
     9:48 PM: Found Adware: ezula ilookup
     9:48 PM: a0004016.src (ID = 111060)
     9:48 PM: a0005985.exe (ID = 208497)
     9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006100.exe". Access is denied
     9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006095.exe". Access is denied
     9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006069.exe". Access is denied
     9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006096.dll". Access is denied
     9:48 PM: a0006085.exe (ID = 208497)
     9:49 PM: dh9013.exe (ID = 208497)
     9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005898.exe". Access is denied
     9:49 PM: a0005855.exe (ID = 212828)
     9:49 PM: a0005872.vbs (ID = 231442)
     9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005814.exe". Access is denied
     9:49 PM: a0006042.dll (ID = 189)
     9:49 PM: a0005973.exe (ID = 231443)
     9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005933.exe". Access is denied
     9:49 PM: secure32.html (ID = 184319)
     9:49 PM: a0005951.config (ID = 212361)
     9:49 PM: a0005944.exe (ID = 242377)
     9:49 PM: a0005948.dll (ID = 238167)
     9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006031.exe". Access is denied
     9:49 PM: a0005943.dll (ID = 189)
     9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0004799.exe". Access is denied
     9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0006002.exe". Access is denied
     9:50 PM: Found Adware: clkoptimizer
     9:50 PM: a0009110.exe (ID = 208542)
     9:50 PM: a0005848.dll (ID = 238167)
     9:50 PM: a0005949.cfg (ID = 208796)
     9:50 PM: a0006049.cfg (ID = 208796)
     9:50 PM: Found Adware: look2me
     9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0006001.exe". Access is denied
     9:50 PM: a0006017.dll (ID = 159)
     9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005999.exe". Access is denied
     9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005982.exe". Access is denied
     9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005859.exe". Access is denied
     9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006077.exe". Access is denied
     9:50 PM: a0009118.sys (ID = 238244)
     9:50 PM: a0005972.vbs (ID = 231442)
     9:50 PM: a0005851.config (ID = 212361)
     9:50 PM: a0005853.exe (ID = 212830)
     9:50 PM: a0005852.exe (ID = 212831)
     9:50 PM: a0005843.exe (ID = 242377)
     9:50 PM: a0005960.exe (ID = 238236)
     9:50 PM: a0006072.vbs (ID = 231442)
     9:50 PM: a0006073.exe (ID = 231443)
     9:50 PM: a0005849.cfg (ID = 208796)
     9:50 PM: a0006048.dll (ID = 238167)
     9:50 PM: a0006043.exe (ID = 242377)
     9:50 PM: Found Adware: elitebar
     9:50 PM: a0008076.dll (ID = 198437)
     9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp36\a0003995.exe". Access is denied
     9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005837.exe". Access is denied
     9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005812.exe". Access is denied
     9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006102.exe". Access is denied
     9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006101.exe". Access is denied
     9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005977.exe". Access is denied
     9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006099.exe". Access is denied
     9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006082.exe". Access is denied
     9:51 PM: a0006060.exe (ID = 238236)
     9:51 PM: a0006051.config (ID = 212361)
     9:52 PM: Found Adware: findthewebsiteyouneed hijacker
     9:52 PM: a0009125.exe (ID = 242088)
     9:52 PM: a0009230.exe (ID = 239916)
     9:52 PM: Found Adware: dollarrevenue
     9:52 PM: a0009109.exe (ID = 241756)
     9:52 PM: Found Trojan Horse: trojan-backdoor-us15info
     9:52 PM: a0009116.exe (ID = 239949)
     9:52 PM: a0009124.exe (ID = 241762)
     9:52 PM: a0004803.lnk (ID = 60599)
     9:52 PM: a0004804.lnk (ID = 60601)
     9:52 PM: a0004012.lnk (ID = 60599)
     9:52 PM: a0004013.lnk (ID = 60601)
     9:52 PM: a0005974.vbs (ID = 185675)
     9:52 PM: a0005873.vbs (ID = 185675)
     9:52 PM: a0005857.bat (ID = 212353)
     9:52 PM: a0005854.config (ID = 212358)
     9:52 PM: a0005957.bat (ID = 212353)
     9:52 PM: a0005954.config (ID = 212358)
     9:52 PM: a0006074.vbs (ID = 185675)
     9:52 PM: a0006057.bat (ID = 212353)
     9:52 PM: a0006054.config (ID = 212358)
     9:58 PM: Found System Monitor: potentially rootkit-masked files
     9:58 PM: sysbus32.sys (ID = 0)
     10:03 PM: Sweep Canceled
     10:04 PM: File Sweep Complete, Elapsed Time: 00:19:57
     10:04 PM: Traces Found: 183
     10:05 PM: Removal process initiated
     10:05 PM: Quarantining All Traces: clkoptimizer
     10:05 PM: Quarantining All Traces: elitebar
     10:05 PM: Quarantining All Traces: infected mushrooms
     10:05 PM: Quarantining All Traces: komforochka smtp relay
     10:05 PM: Quarantining All Traces: look2me
     10:05 PM: Quarantining All Traces: potentially rootkit-masked files
     10:05 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
10:05 PM: sysbus32.sys is in use. It will be removed on reboot. 10:05 PM: Quarantining All Traces: spamrelayer_alpiok 10:05 PM: Quarantining All Traces: spysheriff fakealert 10:05 PM: Quarantining All Traces: trojan-backdoor-haxdoor 10:05 PM: Quarantining All Traces: trojan-backdoor-us15info 10:05 PM: Quarantining All Traces: coolwebsearch (cws) 10:05 PM: Quarantining All Traces: dollarrevenue 10:05 PM: Quarantining All Traces: quicklink search toolbar 10:05 PM: Quarantining All Traces: spysheriff 10:05 PM: Quarantining All Traces: surfsidekick 10:05 PM: Quarantining All Traces: trojan-downloader-dh 10:05 PM: Quarantining All Traces: command 10:05 PM: Quarantining All Traces: cws_secure32.html hijack 10:05 PM: Quarantining All Traces: ezula ilookup 10:05 PM: Quarantining All Traces: findthewebsiteyouneed hijacker 10:05 PM: Quarantining All Traces: targetsaver 10:05 PM: Quarantining All Traces: wfgtech 10:05 PM: Quarantining All Traces: atwola cookie 10:06 PM: Removal process completed. Elapsed time 00:01:05 ******** 9:40 PM: | Start of Session, Thursday, February 09, 2006 | 9:40 PM: Spy Sweeper started 9:41 PM: Your spyware definitions have been updated. 
9:41 PM: | End of Session, Thursday, February 09, 2006 | HJT LOG________________________________ Logfile of HijackThis v1.99.1 Scan saved at 10:07:39 PM, on 2/9/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\ewido anti-malware\ewidoguard.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Kerio\Personal Firewall\persfw.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\mozilla.org\Mozilla\Mozilla.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wpabaln.exe C:\Program Files\Common Files\AOL\1139095246\ee\aolsoftware.exe c:\program files\common files\aol\1139095246\ee\aim6.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\Program Files\Windows Media Player\wmplayer.exe C:\WINDOWS\ALCFDRTM.EXE C:\Documents and Settings\Sean\My Documents\malware removal\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank R3 - Default URLSearchHook is missing O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [ASUS Probe] C:\Program 
Files\ASUS\Probe\AsusProb.exe O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156 O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [6104308] tskmgr.exe /ibpm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing) O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: Ati HotKey Poller - ATI 
Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
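The HJT logs in this thread are read for the same handful of tells every time: a Run entry launched by bare name (tskmgr.exe /ibpm), a rundll32 line loading a DLL with a made-up name (0oqw0ct0.dll), a Winlogon Notify package pointing at a missing or random-named DLL (hpprintx, r0r60a9sed.dll), a non-empty AppInit_DLLs, and a start page pointing at a local .html file. The script below applies those checks to HJT lines. It is an added example for this page, not code from the thread or from HijackThis; the baseline notify DLL set, the system-binary lookalike list, the default SSODL names and the digit threshold are my own assumptions, and the sample lines are copied from the log above.

```python
"""Triage pass over HijackThis 1.99 lines (R0, O4, O20, O21, O23).

Added example for this thread; not HijackThis code.  Baseline sets and
thresholds below are assumptions for a Windows XP SP2 box.
"""
import re

# Assumed: DLLs the default XP SP2 Winlogon notify packages load (bare names).
BASELINE_NOTIFY = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                   "wlnotify.dll", "sclgntfy.dll"}
# Core binaries that malware names itself after (tskmgr.exe, svwhost.exe).
SYSTEM_NAMES = {"taskmgr.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "explorer.exe", "smss.exe"}
# Assumed default shell service object names that an SSODL entry may imitate.
DEFAULT_SSODL = {"systray", "webcheck"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().strip('"').lower()


def looks_generated(name):
    """Stems like 0oqw0ct0 or r0r60a9sed mix several digits into letters."""
    return sum(c.isdigit() for c in name.rsplit(".", 1)[0]) >= 2


def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """System binary that `name` is exactly one edit away from, if any."""
    if name in SYSTEM_NAMES:
        return None
    return next((s for s in sorted(SYSTEM_NAMES) if edit_distance(name, s) == 1), None)


def split_command(cmd):
    """'exe args' where the exe may be a quoted path containing spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].split()
    parts = cmd.split()
    return (parts[0], parts[1:]) if parts else ("", [])


def check_line(line):
    """(severity, reason) for one HJT line, or None if nothing stands out."""
    line = line.strip()
    if line.startswith("R0 - ") and ",Start Page = " in line:
        target = line.split("= ", 1)[1]
        if re.match(r"^[a-z]:\\", target, re.I):
            return "suspicious", f"start page is a local file: {target}"
    m = re.match(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]*)\] (.*)$", line)
    if m:
        entry, (exe_path, args) = m.group(1), split_command(m.group(2))
        exe = basename(exe_path)
        if exe == "rundll32.exe" and args:
            dll = args[0].split(",")[0]          # "0oqw0ct0.dll,b" -> DLL part
            if "\\" not in dll or looks_generated(basename(dll)):
                return "suspicious", f"rundll32 loads {dll} by bare or generated name"
        twin = lookalike_of(exe)
        if twin:
            return "suspicious", f"{exe} is one character away from {twin}"
        if entry.isdigit():
            return "suspicious", f"numeric Run entry name [{entry}]"
        if exe_path and "\\" not in exe_path:
            return "review", f"{exe} is started by bare name via the search path"
        return None
    if line.startswith("O20 - AppInit_DLLs:"):
        return "suspicious", "AppInit_DLLs is set; every user-mode process loads it"
    m = re.match(r"^O20 - Winlogon Notify: (\S+) - (.*)$", line)
    if m:
        name, path = m.groups()
        dll = basename(path.replace("(file missing)", ""))
        if "(file missing)" in path:
            return "suspicious", f"notify package {name} points at missing {dll}"
        if looks_generated(dll):
            return "suspicious", f"notify package {name} loads generated name {dll}"
        if dll not in BASELINE_NOTIFY:
            return "review", f"notify package {name} loads non-default {dll}"
        return None
    m = re.match(r"^O21 - SSODL: (\S+) - \{[^}]+\} - (.*)$", line)
    if m:
        name, path = m.groups()
        dll = basename(path.replace("(file missing)", ""))
        fake = any(name.lower().startswith(d) and name.lower() != d for d in DEFAULT_SSODL)
        if "(file missing)" in path or fake or looks_generated(dll):
            return "suspicious", f"shell service object {name} -> {dll}"
        return "review", f"shell service object {name} -> {dll}"
    if line.startswith("O23 - Service:") and "Unknown owner" in line:
        return "review", "service without publisher: " + line.rsplit(" - ", 1)[1]
    return None


def triage(log_text):
    """All findings as (severity, reason, line) in log order."""
    out = []
    for line in log_text.splitlines():
        hit = check_line(line)
        if hit:
            out.append((hit[0], hit[1], line.strip()))
    return out


# Constructed sample: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\opmnjckd.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
"""

if __name__ == "__main__":
    for sev, why, src in triage(SAMPLE_LOG):
        print(f"{sev:10} {why}\n           {src}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. Only entries flagged "suspicious" are meant to be acted on; "review" items (a bare-name SOUNDMAN.EXE, Webroot's WRLogonNTF.dll, a service with no publisher string) are there because they need a publisher check, not because they are known bad.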
9.
L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes): 1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 928 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1024 'winlogon.exe'
Killing PID 1024 'winlogon.exe'
Killing PID 1024 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 320 'explorer.exe'
Killing PID 320 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!
First Pass Completed

Second Pass Scanning
Second pass Completed!

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]
"DllName"=hex(2):68,00,70,00,70,00,72,00,69,00,6e,00,74,00,78,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Startup"="hpprintx"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001
"nk453id"="[20882906427633-NG-Sean]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes): 0

Zipping up files for submission:
zip warning: name not matched: dlls\*.*
zip error: Nothing to do! (backup.zip)
  adding: backregs/AC3CA426-F420-45AE-89D9-0C2858D56B51.reg (164 bytes security) (deflated 70%)
  adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
  adding: backregs/shell.reg (164 bytes security) (deflated 74%)

HERE IS THE HJT LOG(NEW)-------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:32:18 PM, on 2/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Sean\My Documents\malware removal\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\opmnjckd.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
10.
Logfile of HijackThis v1.99.1
Scan saved at 10:31:56 PM, on 2/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wpabaln.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Documents and Settings\Sean\My Documents\malware removal\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\opmnjckd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
11.
L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes): 1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 928 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1024 'winlogon.exe'
Killing PID 1024 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1372 'explorer.exe'
Killing PID 1372 'explorer.exe'
Killing PID 1372 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!
First Pass Completed

Second Pass Scanning
Second pass Completed!

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]
"DllName"=hex(2):68,00,70,00,70,00,72,00,69,00,6e,00,74,00,78,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Startup"="hpprintx"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001
"nk453id"="[20882906427633-NG-Sean]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}\InprocServer32]
@="C:\\WINDOWS\\system32\\ivssuba.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AC3CA426-F420-45AE-89D9-0C2858D56B51}"=-

[-HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes): 0

Zipping up files for submission:
zip warning: name not matched: dlls\*.*
zip error: Nothing to do! (backup.zip)
  adding: backregs/AC3CA426-F420-45AE-89D9-0C2858D56B51.reg (212 bytes security) (deflated 70%)
  adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
  adding: backregs/shell.reg (164 bytes security) (deflated 74%)
  12. L2MFIX find log 010406
These are the registry keys present
********************************************************************************
** Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
  13. I turn on the computer and like 4 command prompts appear, an error message about 16-bit MS-DOS subsystem, and a rundll error saying error loading 0oqw0ct0.dll. Anything in here malware I can get rid of, or fix what is happening? (Or things I don't need.)

Logfile of HijackThis v1.99.1
Scan saved at 7:39:27 PM, on 2/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\inet20010\winlogon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1139095246\ee\AOLSoftware.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ntvdm.exe
c:\program files\common files\aol\1139095246\ee\aim6.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\Sean\My Documents\malware removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\winlogon.exe
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139095246\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [i downloaded pirated Software from P2P] C:\WINDOWS\system32\Battlefield2 .exe
O4 - HKLM\..\Run: [system service79] C:\WINDOWS\\\etb\\pokapoka79.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd5.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20010\winlogon.exe
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban5.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKCU\..\Run: [klop] C:\WINDOWS\25.tmp
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - HKCU\..\Run: [rkfu] C:\PROGRA~1\COMMON~1\rkfu\rkfum.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20010\winlogon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\opmnjckd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
  14. Is there anything here I can just turn off that I don't need?

Logfile of HijackThis v1.99.1
Scan saved at 2:22:03 PM, on 1/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Icons\Seticon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\a2personalsetup.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-HT9VS.tmp\is-5U28G.tmp
C:\Program Files\a2\a2upd.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [setIcon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0241d6dc377970...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130103273390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130695614437
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: RemoteShutDown Service (RemShutDownSvc) - Unknown owner - C:\WINNT\System32\remsdnsv.exe
  15. Hi, my computer will randomly just restart. Before this restart the hard drive will rev down, then back up, then down, and restart. If you have any idea why it would do this, help would be greatly appreciated. -Frank