TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Ikakun on May 06, 2005, 10:00:57 PM

Title: Coolwwwsearch & EffectiveBandToolbar
Post by: Ikakun on May 06, 2005, 10:00:57 PM
Hello, could you help me? I've searched on Google and found someone with the same problem but didn't quite understand the solution. My computer cannot create a restore point either.
This is the HijackThis log. I already used Spybot Search & Destroy; it finds the two registry entries infected but doesn't remove them. HijackThis doesn't work either, though it finds them too; Ad-Aware is also useless.
As you should know, my desktop is bugged; I have no control over it.
Please help me if you can.
By the way, how the hell do I start my computer in Safe Mode with Windows ME?
Thanks

Logfile of HijackThis v1.97.7
Scan saved at 23:54:18, on 6/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {9348B8AB-5206-41E5-B267-C3396D275B90} - C:\WINDOWS\SYSTEM\LFAP.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [msnmsgr] "C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE" /background
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
Title: Coolwwwsearch & EffectiveBandToolbar
Post by: guestolo on May 06, 2005, 11:41:56 PM
Have you already tried fixes with HijackThis?
If you have, can you open HijackThis >> Config >> Backups
and restore all backups.

Or, if you have entries disabled at startup with Msconfig, can you enable all startup entries.
Don't restart the computer when prompted.

Instead, I need you to do this:
Open HijackThis >> Config >> Open Misc Tools
Check for updates online
Download the latest version of HijackThis

Do a SCAN and save a log file. Save the log, then copy and paste the WHOLE contents of the log here. Don't try to fix anything yet; it is all important.
Title: Coolwwwsearch & EffectiveBandToolbar
Post by: Guest on May 07, 2005, 08:53:17 AM
OK, done all that, but some backups could not be restored; I don't know why, it displayed a message that the files could not be found.
Here is the log file with the latest version.

Logfile of HijackThis v1.99.1
Scan saved at 10:54:27, on 7/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATIUPDPL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SVCHOST.SCR
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARQUIVOS DE PROGRAMAS\WINAMP\WINAMP.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\UNZIPPED\HIJACKTHIS2\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.234.181.154:3128
O2 - BHO: (no name) - {E42775E1-9073-412F-9A04-C7D5115D9A79} - C:\WINDOWS\SYSTEM\LFAP.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\ARQUIVOS DE PROGRAMAS\SIDEFIND\SFBHO.DLL (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\ARQUIVOS DE PROGRAMAS\CXTPLS\CXTPLS.DLL (file missing)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL  (file missing)
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {011933AF-03ED-42D0-B14B-645FD4E0525B} - C:\WINDOWS\SYSTEM\LFAP.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\Run: [CARTAO] C:\WINDOWS\SYSTEM\svchost.scr
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\SYSTEM\svchost.scr
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [WinampAgent] "C:\ARQUIVOS DE PROGRAMAS\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [c4AA86ihR] C:\WINDOWS\SJJEOPJ.EXE
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC=CP.AMS /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [SAHBundle] C:\WINDOWS\TEMP\SHOP1004.EXE run
O4 - HKLM\..\Run: [ot4U36T] JSPCONFG.EXE
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [MOSearch] C:\ARQUIV~1\ARQUIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [msnmsgr] "C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ZAv8RWfmR] IUC0_QC.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKCU\..\RunServices: [msnmsgr] "C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\RunServices: [ZAv8RWfmR] IUC0_QC.EXE
O4 - HKCU\..\RunServices: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\RunServices: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\RunServices: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\RunServices: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Microsoft AntiSpyware helper - {505A910D-B85A-4B6D-A6AE-BF32BB8F10FF} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {505A910D-B85A-4B6D-A6AE-BF32BB8F10FF} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {505A910D-B85A-4B6D-A6AE-BF32BB8F10FF} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {505A910D-B85A-4B6D-A6AE-BF32BB8F10FF} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {329D10B1-1C70-11D6-B49A-0040C7A63343} (ChatWebX Control) - http://servers.centraldejogos.com.br/chatweb/ChatWeb.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/assets/activexplayer/SMALStreaming.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (CActiveInstaller Object) - http://download.uol.com.br/discadorUOL/light/UOLActiveInstall.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {F1835D04-7CCF-489E-8184-C08A1F682169} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/pt-BR/filesharingctrl.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/183c74a4f6b91f57c023/netzip/RdxIE601_it.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c18.cab
O18 - Filter: text/html - {4B5F3CEC-D20D-4C9B-83B4-F52E041866A8} - C:\WINDOWS\SYSTEM\LFAP.DLL
O18 - Filter: text/plain - {4B5F3CEC-D20D-4C9B-83B4-F52E041866A8} - C:\WINDOWS\SYSTEM\LFAP.DLL
Title: Coolwwwsearch & EffectiveBandToolbar
Post by: guestolo on May 07, 2005, 12:55:33 PM
Can you do the following, please.

==Download and save to Desktop
SpSeHjfix109.zip (http://www.derbilk.de/404.html)
from that link.
Unzip the contents, so you now have SpSeHjfix109.exe on your desktop.

Restart your computer into Safe Mode.
You can do this by tapping the F8 key as the system is restarting, right after the single POST beep.
Select Safe Mode.

==Run SpSeHjfix109.exe by clicking Start Disinfection.
It should reboot your computer.
If not, reboot anyway back to Normal mode.
Back in Windows: the tool will have created a log; could you copy and paste that log to a location such as My Documents, just so we don't overwrite it when we run the tool again.

Run
SpSeHjfix109.exe again

Access your Add/Remove Programs and remove, if found,
Security iGuard and ShopAtHome Select.
Restart your computer if anything was uninstalled.

Afterwards,
download and save to Desktop
FixAprop.exe (http://securityresponse.symantec.com/avcenter/FixAprop.exe)
from Symantec.

Run the tool and let it scan your drive and fix what it finds.
Restart your computer afterwards.

Back in Windows,
download and install the free version of Ad-Aware SE Personal 1.05 (ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe).
Ensure you have this version or the paid version.
Open Ad-Aware, click the "Check for updates now" link and Connect to download the latest updates.
Perform a full system scan.
When it's finished scanning,
either right-click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox,
then click on the Next button. Ad-Aware SE will now present you with a confirmation box asking whether or not you would like to remove the objects you have just selected. Press the "OK" button.

RESTART your computer to finish the cleaning process.
If you can't run Ad-Aware in Normal mode, can you restart into Safe Mode and run it
after you have checked for updates.

Back in Windows,

run another scan with HijackThis and post a fresh log.
Could you also post the logs from
SpSeHjfix109.exe.

We'll still have some work to do, but that should be a good start.
Title: Coolwwwsearch & EffectiveBandToolbar
Post by: Ikakun on May 07, 2005, 05:03:54 PM
OK, a few problems.
As I said, my computer doesn't start in Safe Mode; F8 does nothing. I know it sounds weird, but it doesn't work (Win ME).

Second, I ran SpSeHjfix109.exe two times and rebooted both times; here is the log of the last one:
(5/7/05 18:53:05) SPSeHjFix started v1.09
(5/7/05 18:53:05) OS: WinME  (4.90.73010104)
(5/7/05 18:53:05) Language: português
(5/7/05 18:53:37) Disinfect started
(5/7/05 18:53:37) Bad-Dll(IEP): (not found)
(5/7/05 18:53:37) Bad-Dll(IEP) in BHO: (not found)
(5/7/05 18:53:37) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\LFAP.DLL  
(5/7/05 18:53:37) Searchassistant Uninstaller - Keys Deleted
(5/7/05 18:53:37) UBF: 6
(5/7/05 18:53:37) UBB: 6
(5/7/05 18:53:37) FilterKey: HKCR\text/html (deleted)
(5/7/05 18:53:37) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5/7/05 18:53:37) FilterKey: HKCR\CLSID\{E859D392-B9BD-4757-A654-D987C90D6FE7} (deleted)
(5/7/05 18:53:37) FilterKey: HKCR\text/plain (deleted)
(5/7/05 18:53:37) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5/7/05 18:53:37) FilterKey: HKCR\CLSID\{E859D392-B9BD-4757-A654-D987C90D6FE7} (error while deleting)
(5/7/05 18:53:37) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70A37112-0FF7-40FF-8B4A-90BA3E373ED9} (deleted)
(5/7/05 18:53:37) BHO-Key: HKCR\CLSID\{70A37112-0FF7-40FF-8B4A-90BA3E373ED9} (deleted)
(5/7/05 18:53:37) UBR: 32
(5/7/05 18:53:37) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(5/7/05 18:53:37) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(5/7/05 18:53:37) Stealth-String not found:
(5/7/05 18:53:37) File added to delete: c:\windows\system\lfap.dll  
(5/7/05 18:53:37) File added to delete: c:\windows\system\lfap.dll
(5/7/05 18:53:37) File added to delete: c:\windows\temp\se.dll
(5/7/05 18:53:37) Reboot
(5/7/05 18:54:26) SPSeHjFix 2nd Step
(5/7/05 18:54:26) RunServicesOnce-Key: (edited)
(5/7/05 18:54:31) Cleaned

Though I couldn't use Safe Mode, I left only Explorer open, closing the rest in the task manager (Ctrl+Alt+Del).

Now I'm running FixAprop.exe and will continue.
In Add/Remove Programs I didn't find ShopAtHome, but I'm almost sure I have it here.
Security iGuard I could remove.
For now just these problems: no Safe Mode and no ShopAtHome found.
Title: Coolwwwsearch & EffectiveBandToolbar
Post by: guestolo on May 07, 2005, 05:44:54 PM
Just for future reference,
this is another way to start in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=2#_Section2).
We may still have to do that; the tool is better run that way.
Title: Coolwwwsearch & EffectiveBandToolbar
Post by: Ikakun on May 07, 2005, 08:16:42 PM
OK, thanks a lot for that one. I ran SpSeHjfix again in Safe Mode and I managed to remove ShopAtHome.
I also ran Ad-Aware SE; it found around 300 infected objects and removed or quarantined most of them, or all of them.
I also ran FixAprop; it found some entries and fixed them too.

Here is the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 22:15:55, on 7/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATIUPDPL.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\ARQUIVOS DE PROGRAMAS\MESSENGERPLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SVCHOST.SCR
C:\WINDOWS\SYSTEM\SVCHOST.SCR
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\XPSP2FW.EXE
C:\ARQUIVOS DE PROGRAMAS\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\PAYTIME.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\IUC0_QC.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WP.EXE
C:\WINDOWS\SYSTEM\PAYTIME.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS2\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.234.181.154:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL (disabled by BHODemon)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHELPER.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {C91703D2-FAFB-41B8-821A-7FFC70203755} - C:\WINDOWS\SYSTEM\LFAP.DLL
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\Run: [CARTAO] C:\WINDOWS\SYSTEM\svchost.scr
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\SYSTEM\svchost.scr
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [WinampAgent] "C:\ARQUIVOS DE PROGRAMAS\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [c4AA86ihR] C:\WINDOWS\SJJEOPJ.EXE
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKLM\..\Run: [Security iGuard] C:\ARQUIVOS DE PROGRAMAS\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\Run: [KAVPersonal50] C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [projselector] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [MOSearch] C:\ARQUIV~1\ARQUIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [kavsvc] C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ZAv8RWfmR] IUC0_QC.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {329D10B1-1C70-11D6-B49A-0040C7A63343} (ChatWebX Control) - http://servers.centraldejogos.com.br/chatweb/ChatWeb.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/assets/activexplayer/SMALStreaming.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (CActiveInstaller Object) - http://download.uol.com.br/discadorUOL/light/UOLActiveInstall.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {F1835D04-7CCF-489E-8184-C08A1F682169} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/pt-BR/filesharingctrl.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/183c74a4f6b91f57c023/netzip/RdxIE601_it.cab
O18 - Filter: text/html - {BEA153F8-CAEC-4220-B014-35EACFE7D30E} - C:\WINDOWS\SYSTEM\LFAP.DLL
O18 - Filter: text/plain - {BEA153F8-CAEC-4220-B014-35EACFE7D30E} - C:\WINDOWS\SYSTEM\LFAP.DLL

But I guess the main problem is still not solved: I still have no control over my desktop, the pop-ups, or the home page of my IE.
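Reading the three HijackThis logs in this thread against the SpSeHjFix log shows what an analyst triages in a log like this: IE pages pointed at a DLL resource (se.dll) or at a bare IP, a proxy forced on IE, an unnamed BHO and text/html and text/plain MIME filters both backed by LFAP.DLL, a Run key loading SE.DLL from TEMP through rundll32, ActiveX controls registered from local file:// CABs under placeholder CLSIDs, a .scr launched as a Run entry, and a \system32\ path on a Windows ME machine whose system files live in \WINDOWS\SYSTEM. Between the logs the LFAP.DLL BHO and filter entries come back under fresh CLSIDs, which is why fixing the registry entry by CLSID alone does not stick. The script below is an added example, not code from the thread or from HijackThis: it parses HJT-style lines, applies those heuristics, and reports components that survived a cleanup by re-registering under a new CLSID. The two sample logs are constructed, condensed from the first and last logs posted above, and the heuristics are this example's own, not an official rule set.

```python
"""Heuristic triage of HijackThis (HJT) log lines: flag the entry types the se.dll /
LFAP.DLL hijack in this thread abuses, and spot components that survive a cleanup by
re-registering under a new CLSID. Added example, not HijackThis or forum code."""
import re
from dataclasses import dataclass

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
PLACEHOLDER_GUID = re.compile(r"\{1{8}-1{4}-1{4}-1{4}-\d{12}\}")  # e.g. {11111111-1111-1111-1111-511111113457}

# Constructed samples, condensed from the first and last logs posted in the thread.
LOG_BEFORE = r"""Platform: Windows ME (Win9x 4.90.3000)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
O2 - BHO: (no name) - {9348B8AB-5206-41E5-B267-C3396D275B90} - C:\WINDOWS\SYSTEM\LFAP.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {4B5F3CEC-D20D-4C9B-83B4-F52E041866A8} - C:\WINDOWS\SYSTEM\LFAP.DLL
"""
LOG_AFTER = r"""Platform: Windows ME (Win9x 4.90.3000)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.234.181.154:3128
O2 - BHO: (no name) - {C91703D2-FAFB-41B8-821A-7FFC70203755} - C:\WINDOWS\SYSTEM\LFAP.DLL
O4 - HKLM\..\Run: [CARTAO] C:\WINDOWS\SYSTEM\svchost.scr
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O18 - Filter: text/html - {BEA153F8-CAEC-4220-B014-35EACFE7D30E} - C:\WINDOWS\SYSTEM\LFAP.DLL
"""

@dataclass(frozen=True)
class Entry:
    section: str  # R0/R1 IE pages, O2 BHOs, O4 Run keys, O15 zones, O16 DPF, O18 MIME filters
    body: str

def parse(log: str) -> list[Entry]:
    matches = (ENTRY_RE.match(line.strip()) for line in log.splitlines())
    return [Entry(m["sec"], m["body"]) for m in matches if m]

def is_win9x(log: str) -> bool:
    return re.search(r"^Platform: .*Win9x", log, re.M) is not None

def flag(e: Entry, win9x: bool) -> list[str]:
    """Reasons an entry deserves a look; an empty list means no heuristic matched."""
    low, why = e.body.lower(), []
    if e.section in ("R0", "R1"):
        if "res://" in low and ".dll" in low:
            why.append("IE page served out of a DLL resource")
        if BARE_IP_URL.search(e.body):
            why.append("IE page points at a bare IP address")
        if "proxyserver" in low:
            why.append("proxy forced on IE (traffic can be intercepted)")
    elif e.section == "O2" and "(no name)" in low:
        why.append("BHO with no registered name")
    elif e.section == "O4":
        if "rundll32" in low and "\\temp\\" in low:
            why.append("rundll32 loads a DLL from TEMP at logon")
        if re.search(r"\.scr\b", low):
            why.append("screensaver extension used as a Run entry")
        if win9x and "\\system32\\" in low:
            why.append("system32 path on Win9x, not a standard folder there")
    elif e.section == "O15":
        why.append("site added to the Trusted Zone")
    elif e.section == "O16":
        if "file://" in low:
            why.append("ActiveX control installed from a local CAB")
        if PLACEHOLDER_GUID.search(e.body):
            why.append("placeholder-looking CLSID")
    elif e.section == "O18" and re.search(r"filter: text/(html|plain)", low):
        why.append("MIME filter on text/html or text/plain rewrites every page")
    return why

def triage(log: str) -> dict[str, list[str]]:
    win9x = is_win9x(log)
    hits = ((f"{e.section} - {e.body}", flag(e, win9x)) for e in parse(log))
    return {line: why for line, why in hits if why}

def _components(log: str) -> dict[tuple[str, str], set[str]]:
    """(section, dll path) -> CLSIDs registered for it, for O2 BHOs and O18 filters."""
    table: dict[tuple[str, str], set[str]] = {}
    for e in parse(log):
        g = GUID_RE.search(e.body)
        if e.section in ("O2", "O18") and g:
            path = re.sub(r"\s*\([^)]*\)$", "", e.body.rsplit(" - ", 1)[-1]).strip().lower()
            if path:
                table.setdefault((e.section, path), set()).add(g.group().upper())
    return table

def rotated_guids(before: str, after: str) -> list[tuple[str, str, str, str]]:
    """Components in both logs whose CLSID changed: re-registered, not removed."""
    a, b = _components(before), _components(after)
    return sorted((sec, path, min(a[sec, path]), min(b[sec, path]))
                  for sec, path in a.keys() & b.keys() if not a[sec, path] & b[sec, path])

if __name__ == "__main__":
    for line, why in triage(LOG_AFTER).items():
        print(f"{line}\n    -> {'; '.join(why)}")
    for sec, path, old, new in rotated_guids(LOG_BEFORE, LOG_AFTER):
        print(f"{sec} {path}: CLSID {old} became {new}")
```

Run it directly and it prints the flagged lines of the post-cleanup sample followed by the two LFAP.DLL components (the O2 BHO and the O18 filter) that came back under new CLSIDs. That second list is the check worth keeping: when the same DLL reappears with a different CLSID after a fix, the file itself has to go, which is what SpSeHjFix's "File added to delete" step for lfap.dll and se.dll in the log above is doing.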
Title: Coolwwwsearch & EffectiveBandToolbar
Post by: guestolo on May 08, 2005, 04:30:50 PM
Still some work to do.
Can you do the following, please.
Have your computer set up to be ready to start into Safe Mode, but don't restart yet.

==Download and then install
Ewido Trojan Scanner (http://www.ewido.net/en/download/)

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK; we'll fix that later.
From the main Ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"),
close Ewido.

Print the rest of this out or save it to a Notepad file for reference.

Set Windows to show hidden files:
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck Hide extensions for known file types.
    * Click Yes to confirm.
    * Click OK.
    * Click Start, Programs, Accessories and open Windows Explorer.
    * Select a hard drive from the left-hand side of the Windows Explorer window.
    * Select View the entire contents of this drive.


Do another scan with HijackThis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.234.181.154:3128

O2 - BHO: (no name) - {C91703D2-FAFB-41B8-821A-7FFC70203755} - C:\WINDOWS\SYSTEM\LFAP.DLL
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\Run: [CARTAO] C:\WINDOWS\SYSTEM\svchost.scr
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\SYSTEM\svchost.scr

O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe

O4 - HKLM\..\Run: [c4AA86ihR] C:\WINDOWS\SJJEOPJ.EXE
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe
O4 - HKLM\..\Run: [Security iGuard] C:\ARQUIVOS DE PROGRAMAS\SECURITY IGUARD\SECURITY IGUARD.EXE

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe

O4 - HKLM\..\RunServices: [MOSearch] C:\ARQUIV~1\ARQUIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe

O4 - HKCU\..\Run: [ZAv8RWfmR] IUC0_QC.EXE

O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\SYSTEM\paytime.exe

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/183c74a4f6b91f...RdxIE601_it.cab
O18 - Filter: text/html - {BEA153F8-CAEC-4220-B014-35EACFE7D30E} - C:\WINDOWS\SYSTEM\LFAP.DLL
O18 - Filter: text/plain - {BEA153F8-CAEC-4220-B014-35EACFE7D30E} - C:\WINDOWS\SYSTEM\LFAP.DLL


After you have ticked the above entries, close all other open windows, including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

Restart the computer into safe mode.

Find and delete these files or folders, if found:
C:\WINDOWS\SYSTEM\SVCHOST.SCR <-file
C:\WINDOWS\SYSTEM32\XPSP2FW.EXE
C:\WINDOWS\SYSTEM\PAYTIME.EXE
C:\WINDOWS\SYSTEM\IUC0_QC.EXE
C:\WP.EXE
C:\wp.bmp
C:\bsw.exe
C:\bsw.bmp
C:\Windows\System\wldr.dll


In safe mode
==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run.
If Ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report.

Run SpSeHjfix109.exe again in SAFE MODE.
Let it restart your computer, or restart anyway.

Back in Windows
Post back a fresh HijackThis log and the report from Ewido.
Also post the latest log from SpSeHjfix109.
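The entries the helper ticks above amount to a manual triage of a HijackThis log: a search bar served from a res:// resource inside TEMP, start and local pages pointing at a bare IP address, a proxy server set, an unnamed BHO whose DLL is also registered as a text/html and text/plain MIME filter, Run entries launching an .scr named like a system process or a DLL from TEMP, a system32 path on a Win9x machine that has no such folder by default, a site added to the Trusted Zone, and ActiveX packages sourced from file:// paths. As an added example that is not part of this thread and not code from HijackThis, the following Python script parses lines in that log format and flags those same patterns. The sample log is constructed from entries quoted in the thread plus two constructed benign lines (a ScanRegistry entry and the MSN Checkers control) for contrast; the heuristics are this example's own, not rules HijackThis applies.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample modelled on the HijackThis 1.97 log format quoted in this
# thread. The hijacked values are the ones the thread shows; the ScanRegistry
# and Checkers lines are constructed benign entries for contrast.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows ME (Win9x 4.90.3000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.234.181.154:3128
O2 - BHO: (no name) - {C91703D2-FAFB-41B8-821A-7FFC70203755} - C:\WINDOWS\SYSTEM\LFAP.DLL
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\SYSTEM\svchost.scr
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O18 - Filter: text/html - {BEA153F8-CAEC-4220-B014-35EACFE7D30E} - C:\WINDOWS\SYSTEM\LFAP.DLL
"""

# Every HijackThis entry starts with a section tag (R0, R1, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def parse_log(text):
    """Return (platform, entries); entries are (section, body, full_line) tuples."""
    platform = ""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Platform:"):
            platform = line.split(":", 1)[1].strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body"), line))
    return platform, entries


def path_reasons(path, win9x):
    """Heuristics on a file path or command line taken from an O2/O4 entry."""
    p = path.lower()
    reasons = []
    if "\\temp\\" in p:
        reasons.append("code loaded from a TEMP directory")
    if win9x and "\\system32\\" in p:
        reasons.append("system32 path on a Win9x platform, which has no such folder by default")
    if "svchost" in p and p.endswith(".scr"):
        reasons.append("svchost name with a screensaver (.scr) extension")
    return reasons


def url_reasons(url):
    """Heuristics on a URL taken from an R0/R1/O16 entry."""
    u = url.strip().lower()
    reasons = []
    if u.startswith("res://") and "\\temp\\" in u:
        reasons.append("page served from a res:// resource inside TEMP")
    elif u.startswith("file://"):
        reasons.append("ActiveX package sourced from a local file:// path")
    else:
        host = urlparse(u).hostname or ""
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append("URL points at a bare IP address")
    return reasons


def analyze(text):
    """Return a Finding for every entry that trips at least one heuristic."""
    platform, entries = parse_log(text)
    win9x = "win9x" in platform.lower()
    findings = []
    for sec, body, line in entries:
        reasons = []
        if sec in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if key.endswith(",ProxyServer") and value:
                reasons.append("proxy server set; browser traffic can be redirected")
            reasons += url_reasons(value)
        elif sec == "O2":
            if "(no name)" in body:
                reasons.append("BHO without a name")
            reasons += path_reasons(body.rsplit(" - ", 1)[-1], win9x)
        elif sec == "O4":
            reasons += path_reasons(body.split("] ", 1)[-1], win9x)
        elif sec == "O15":
            reasons.append("site added to the Trusted Zone (weaker IE security settings)")
        elif sec == "O16":
            reasons += url_reasons(body.rsplit(" - ", 1)[-1])
        elif sec == "O18":
            reasons.append("MIME filter registered for text content; it sees every page")
        if reasons:
            findings.append(Finding(sec, line, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section}: {f.line}\n    " + "; ".join(f.reasons))
```

Run against the constructed sample, it flags ten of the twelve entries and leaves the ScanRegistry and Checkers lines alone. The platform header matters: the system32 rule only fires when the log says Win9x, because that path is perfectly normal on 2000/XP, which is the same distinction the original poster ran into with the SpSeHjfix tool.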
Title: Coolwwwsearch & EffectiveBandToolbar
Post by: Ikakun on May 08, 2005, 06:07:17 PM
This program is only for Windows 2k and XP; mine is ME.
Title: Coolwwwsearch & EffectiveBandToolbar
Post by: guestolo on May 08, 2005, 06:28:21 PM
Can you carry on with the rest of the instructions?
Sorry about that :rolleyes: