Post by: Catzmagee on May 17, 2005, 07:30:55 AM
I got a virus/worm of msn messenger last week, the file msdirectx.sys appeared in my userfile, my norton antivirus was disabled and wouldn't open along with task manager and msconfig, and my computer is running very slow and keeps freezing. i tried various things and the file then disappeared. i was advised to uninstall norton and download avast which i did and detected win32trojan/worm and removed that and task manager then ran and msconfig but the computer was still very slow and downloading freezes the computer. The task manager etc are back to not appearing in screen so i think i haven't gotten rid of it and i dont know what there is left to do.
/wink.gif\' class=\'bbc_emoticon\' alt=\';)\' /> /sad.gif\' class=\'bbc_emoticon\' alt=\':(\' /> Thanks Catherine
I ran avast again and it keeps picking up the win32 trojan-gen wand it says its located in c:\Windows\system32\msdirectx.sys
Post by: Catzmagee on May 17, 2005, 04:04:47 PM
Logfile of HijackThis v1.99.1
Scan saved at 13:13:11, on 17/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ (http://\"http://www.google.co.uk/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/ (http://\"http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html (http://\"http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ (http://\"http://www.google.co.uk/\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ (http://\"http://global.acer.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.12 go.com
O1 - Hosts: 69.50.166.13 astalavista.com
O1 - Hosts: 69.50.166.13 www.astalavista.com
O1 - Hosts: 69.50.166.13 astalavista.box.sk
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1474CE44-8057-4AE3-8F3E-ED37C7C63D8A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [MPS] C:\ACER\MPS.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: BT - {287E6E20-83C8-4B93-9D54-A2DECA6D0B98} - http://www.bt.com (http://\"http://www.bt.com\") (file missing) (HKCU)
O9 - Extra button: Homepage - {44C0A121-B77B-4532-AD14-97E78F05A586} - http://bt.yahoo.com (http://\"http://bt.yahoo.com\") (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/providers...yer/awswaxf.cab (http://\"http://courses.learndirect.co.uk/providers/electric_paper2000_v2/module01/aware_player/awswaxf.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab (http://\"http://www.makeoversolutions.com/save/makeover.cab\")
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab\")
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab (http://\"http://www.cult3d.com/download/cult.cab\")
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab (http://\"http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx (http://\"http://www.webshots.com/samplers/WSDownloader.ocx\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab (http://\"http://www.azebar.com/install/azesearch.cab\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab\")
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Knob Service (KNOBSERV) - Acer Inc. - c:\acer\KnobService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Post by: guestolo on May 17, 2005, 07:51:56 PM
Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then
Click OK
regedit /e C:\find.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe"
Then see if you can find this text file
Manually navigate too
C:\find.txt
If you find it can you copy and paste the contents back here
Additionally, Do the following
Go to Device Manager
(Right click My Computer > Hardware tab > device manager)
Select View from the menu
Under view, select *Show Hidden Devices*
Then go down to and expand (+)
*Non-Plug and Play Drivers*
Look for this entry:
msdirectx
Let me know if you find it
NEXT:
==Download RKFiles.zip from the link
http://skads.org/special/rkfiles.zip (http://\"http://skads.org/special/rkfiles.zip\")
UNZIP the contents to it's own folder
==Download this virus checker from eScan
Mwav.exe (http://\"ftp://ftp.microworldsystems.com/download/tools/mwav.exe\")
There's nothing to install, Save to your desktop
Double click to run eScan's Mwav scan
It will self extract
Before running you may want to disable Norton's autoprotect, so it won't get in the way
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
This may take awhile, let it finish
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL and the C" keys on your Keyboard to copy all found in the lower pane and Paste it back here
****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
After posting the log from escan's Mwav scan
Could you do the following
Ensure your in Safe mode
Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Open the folder you unzipped rkfiles.zip too
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt
Post the log back here
Post by: Catzmagee on May 18, 2005, 06:58:57 AM
here is the results from the scan, it said there were 18 virus's and around 300 errors.
My computer won't start in safe mode anymore and the internet has been disabled now saying there is network cable unplugged.
File C:\WINDOWS\System32\msconfig32.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\winjes.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\msconfig32.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\compqs.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\CATZ~1.SYL\MSDIRE~1.SYS infected by "Trojan.Win32.Rootkit.h" Virus! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\Install.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\msgrchkr.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\WinAdCtlX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\YSBactivex.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\DIMM.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\Install.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\WinAdCtlX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\cabmain.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\caleditatl.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\capires0404.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\capires0406.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\capires0407.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\capires0409.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\capires040a.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\capires040b.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\capires040c.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\capires0410.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\capires0413.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\capires0414.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\capires041d.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\capires0804.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\capires0816.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\catcheventatl.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\dbgout.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\dbgout_init.txt". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\ECSCM07Q.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\ecscmext.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\ecscmirc.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\ecscmskt.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\ecscmtpi.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\ecsmoddata.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\ecsnwext.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\ecsphext.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm.h". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm_util.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0404.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0406.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0407.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0408.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0409.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm040A.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm040b.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm040c.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0410.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0413.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0414.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0416.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm041d.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm041f.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0804.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0809.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm080a.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0816.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0c04.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epm0c0c.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\PhoneNameDB_object.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\pinpuk0404.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\pinpuk0406.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\pinpuk0407.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\pinpuk0409.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\pinpuk040a.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\pinpuk040b.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\pinpuk040c.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\pinpuk0410.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\pinpuk0413.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\pinpuk0414.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\pinpuk041d.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\pinpuk0804.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\pinpuk0816.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\setdbgout.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\setregsecurity.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\OCS\ObexHeaderServiceDll.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\OCS\ObexOperationDll.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Capability Manager\CapabilityManager.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Read Me.txt". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\registerCom.bat". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\YSBactivex.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\msgrchkr.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxwma.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00b71cfb-6864-4346-a978-c0a14556272c}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\msgrchkr.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00FAE562-DACA-11D6-AD30-0050DAD88A02}" refers to invalid object "C:\Program Files\Kodak\Kodak Easyshare Software\bin\Escom.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00FAE568-DACA-11D6-AD30-0050DAD88A02}" refers to invalid object "C:\Program Files\Kodak\Kodak Easyshare Software\bin\Escom.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{09101CAF-D527-11D6-AD30-0050DAD88A02}" refers to invalid object "C:\Program Files\Kodak\Kodak Easyshare Software\bin\Escom.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{09101CB7-D527-11D6-AD30-0050DAD88A02}" refers to invalid object "C:\Program Files\Kodak\Kodak Easyshare Software\bin\Escom.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{09101CBA-D527-11D6-AD30-0050DAD88A02}" refers to invalid object "C:\Program Files\Kodak\Kodak Easyshare Software\bin\Escom.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{09101CBE-D527-11D6-AD30-0050DAD88A02}" refers to invalid object "C:\Program Files\Kodak\Kodak Easyshare Software\bin\Escom.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0A346871-C8AA-4D8D-B665-4906C9BF371C}" refers to invalid object "C:\Program Files\AVSMedia\VideoConverter3\NCTVideoCompress.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0CCD58A4-02C4-44E6-9DA3-0D144CE8242D}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\MMS Home Studio\mmstimer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0dabacb1-1a16-4082-a610-3d0b3a2a94fc}" refers to invalid object "C:\Program Files\Winamp\Plugins\cddbuiwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0ECDED32-7998-11D4-9039-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{107AC600-8BEA-11D5-9149-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\anubisps.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1D66C29D-08ED-0BB8-8B72-265C69550A0F}" refers to invalid object "C:\Program Files\Microsoft Works\wkwpac.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1FD8D838-74A9-4DF8-936F-0D87ED49AD3C}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\frcom-7288971.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{234284E3-B3DC-40AF-BE6F-EE564A832C56}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\OCS\ObexHeaderServiceDll.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2A426D47-51C3-4A79-B064-95FD87DAB5D1}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\frcom-7288971.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2F42F2D4-AF4D-4508-AA49-B32BC29E8167}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\PhoneNameDB_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3251DC78-2D49-43FC-BE4C-A23AF22DB5C8}" refers to invalid object "C:\Program Files\Kodak\Kodak EasyShare software\AddIn\VistaRoadShow.cyx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{341EE246-3B05-4C23-B21A-17F2D4831FC0}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\frext-7288971.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{36773DF3-37FC-47B6-9F8F-CC4699917938}" refers to invalid object "E:\Acer\tools\LaunchRS.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3A091B81-8FAF-4B7D-85C7-7CB5D3FDD479}" refers to invalid object "C:\Program Files\Kodak\Kodak Easyshare Software\bin\Escom.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3E15374C-3069-11D4-8FD8-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{444600D0-9289-11D3-B305-006008559C91}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\phonebook_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{45137563-F598-4574-A987-A25867AB7068}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\bwclext.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4549BCA5-7D56-11D3-83F5-006008676AF8}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\phonebook_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4B4B40F0-C9DF-11D4-AA54-00104B49C4F0}" refers to invalid object "E:\R2ctlNS.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5268D8E3-481E-11D4-A1A8-000000000000}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\esirsock_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5268D9E3-481E-11D4-A1A8-765432100098}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\msmeirsock_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5268D9E3-481E-11D4-A1A8-987654321000}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\ms98irsock_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5357DDDC-2FAE-11D4-8FD7-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{56CFF462-F1CB-11D4-A983-0060977EFFD4}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\anubisutils.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5A88E0ED-42A3-11D4-8BFB-0060084C152B}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6100E360-BB4A-4025-95FB-69CA629E4180}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\vbfrext-7288971.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6701C9E9-3067-11D3-8164-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epoc_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{69C6BDB0-8162-11d3-81A5-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\cellphone_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{69E9B473-22E6-471D-8683-84BD1E4BECE1}" refers to invalid object "C:\Program Files\Winamp\Plugins\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6ED96182-85EE-11D3-B2F3-006008559C91}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\sms_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{743FF640-2E08-11D3-815C-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\status_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{762EA5BA-7289-11D4-9028-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{777AAC32-95B0-11D3-B307-006008559C91}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\sms_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7A3BAF1E-8E64-46ef-8684-6FCDC3BB881D}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\sms_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76603-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76617-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76627-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76637-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76647-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76657-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76667-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76677-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76687-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC766A7-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC766B7-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{870A393C-9440-11D4-9056-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{89F307EE-CF23-11D3-820B-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8DBFE843-D7DF-4cfc-B62C-05A6899139E2}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\BWTargetInf.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{90914AA1-0A85-407B-AA90-AD5BE725D805}" refers to invalid object "E:\Acer\tools\LaunchRS.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{90E882E1-F5C4-11d4-A986-0060977EFFD4}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\anubisutils.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A1842DD4-481C-11D4-A1A8-000000000000}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\msirsock_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A988112F-808C-11D3-81A4-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\db_objects.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB65CDD1-1F0E-11D3-8153-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\cellphone_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB7CDE7C-5FB0-46E5-A3F4-EF118FACE08B}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\BWfiles-7288971.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BE1793FA-E9E6-453E-9A70-E35DB6151254}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\OCS\ObexOperationDll.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}" refers to invalid object "C:\Program Files\Winamp\Plugins\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}" refers to invalid object "C:\Program Files\Winamp\Plugins\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C6F1797C-32F5-11D4-8FD9-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C6F17992-32F5-11D4-8FD9-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C9D4128F-64FB-11D3-817F-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\obex_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CAEF9D56-0816-4984-BE91-B1B2ED801BE5}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\BWCHelpr-7288971.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CB1CB9C8-B636-11D4-8277-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\obexsyncreq_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CF6067D7-D10C-4767-B04C-148E6EBB1574}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\BWfiles-7288971.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DED68E53-3B5B-418c-8F53-C32A4E5FE55F}" refers to invalid object "C:\Program Files\ScanSoft\OmniPageSE\OfficeAddin.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E63650CA-683C-495F-8FBF-122802B1713E}" refers to invalid object "C:\Program Files\Kodak\Kodak EasyShare software\AddIn\VistaRoadShow.cyx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EECB7D0B-38B4-4db7-BC92-0F71A9289DB3}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\sms_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}" refers to invalid object "C:\Program Files\Winamp\Plugins\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}" refers to invalid object "C:\Program Files\Winamp\Plugins\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMSServer.Server" refers to invalid object "{845FB959-4279-11D2-BF23-00805FBE84A6}". Action Taken: No Action Taken.
Entry "HKCR\WMSServer.Server.9" refers to invalid object "{845FB959-4279-11D2-BF23-00805FBE84A6}". Action Taken: No Action Taken.
Entry "HKCR\ZToolbar.activator" refers to invalid object "{FFF5092F-7172-4018-827B-FA5868FB0478}". Action Taken: No Action Taken.
Entry "HKCR\ZToolbar.activator.1" refers to invalid object "{FFF5092F-7172-4018-827B-FA5868FB0478}". Action Taken: No Action Taken.
Entry "HKCR\ZToolbar.ParamWr" refers to invalid object "{D7BF3304-138B-4DD5-86EE-491BB6A2286C}". Action Taken: No Action Taken.
Entry "HKCR\ZToolbar.ParamWr.1" refers to invalid object "{D7BF3304-138B-4DD5-86EE-491BB6A2286C}". Action Taken: No Action Taken.
Entry "HKCR\ZToolbar.StockBar" refers to invalid object "{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}". Action Taken: No Action Taken.
Entry "HKCR\ZToolbar.StockBar.1" refers to invalid object "{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}". Action Taken: No Action Taken.
File C:\WINDOWS\cpa.exe infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\processview.exe infected by "IM-Worm.Win32.Prex.d" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\cpa.exe infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindUpdates1.zip infected by "Password-protected-EXE" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP4\A0000094.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP4\A0000095.exe infected by "Backdoor.Win32.Agobot.abl" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP4\A0000111.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP4\A0000115.exe infected by "Trojan-Downloader.Win32.Small.aqt" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP9\A0002979.exe infected by "Trojan-Downloader.Win32.Small.xk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP9\A0002980.exe infected by "Trojan-Downloader.Win32.Small.xk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0012383.sys infected by "Trojan.Win32.Rootkit.h" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0012384.sys infected by "Trojan.Win32.Rootkit.h" Virus! Action Taken: No Action Taken.
Post by: guestolo on May 18, 2005, 08:58:41 AM
Post by: Catzmagee on May 18, 2005, 09:57:48 AM
C:\Documents and Settings\Catz\My Documents\Downloads\Catherine\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\t3odm.dll: UPX!
C:\WINDOWS\system32\ASPTV.EXE: UPX!
C:\WINDOWS\system32\ASPFM.EXE: UPX!
C:\WINDOWS\system32\t5rdv.dll: UPX!
C:\WINDOWS\system32\cpwiuy.dll: UPX!
C:\WINDOWS\system32\ecesq.dll: UPX!
C:\WINDOWS\system32\MACDec.dll: UPX!
C:\WINDOWS\system32\MonkeySource.ax: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
Post by: Catzmagee on May 18, 2005, 01:32:31 PM
thanks
Post by: Catzmagee on May 19, 2005, 08:32:37 AM
Post by: guestolo on May 19, 2005, 05:00:47 PM
If you can get back to me tonight, can you let me know if you can run an earlier version
of Hijackthis
Please download it from HERE (http://\"http://computercops.biz/zx/Merijn/hijackthis1982.zip\")
UNZIP it too a permanent folder and then run a scan and post a fresh log
If you can't get this version to run, could you do the following please
Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then
Click OK
regedit /e C:\find.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
Can you again do the following
Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then
Click OK
regedit /e C:\find2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
Then find these text files
C:\find.txt and C:\find2.txt
When you find them can you copy and paste the contents back here
Post by: Catzmagee on May 19, 2005, 07:44:24 PM
i tried safe mode again and i got it to run for hijack this so i got the new log:
Logfile of HijackThis v1.99.1
Scan saved at 01:34:58, on 20/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HJK\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/ (http://\"http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html (http://\"http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ (http://\"http://global.acer.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.12 go.com
O1 - Hosts: 69.50.166.13 astalavista.com
O1 - Hosts: 69.50.166.13 www.astalavista.com
O1 - Hosts: 69.50.166.13 astalavista.box.sk
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1474CE44-8057-4AE3-8F3E-ED37C7C63D8A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [MPS] C:\ACER\MPS.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [Compaq Jes Drivers] winjes.exe
O4 - HKLM\..\Run: [System] wumgrd32.exe
O4 - HKLM\..\RunServices: [Compaq Jes Drivers] winjes.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [System] wumgrd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Compaq Jes Drivers] winjes.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq Jes Drivers] winjes.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: BT - {287E6E20-83C8-4B93-9D54-A2DECA6D0B98} - http://www.bt.com (http://\"http://www.bt.com\") (file missing) (HKCU)
O9 - Extra button: Homepage - {44C0A121-B77B-4532-AD14-97E78F05A586} - http://bt.yahoo.com (http://\"http://bt.yahoo.com\") (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/providers...yer/awswaxf.cab (http://\"http://courses.learndirect.co.uk/providers/electric_paper2000_v2/module01/aware_player/awswaxf.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab (http://\"http://www.makeoversolutions.com/save/makeover.cab\")
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab\")
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab (http://\"http://www.cult3d.com/download/cult.cab\")
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab (http://\"http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx (http://\"http://www.webshots.com/samplers/WSDownloader.ocx\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab (http://\"http://www.azebar.com/install/azesearch.cab\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab\")
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Knob Service (KNOBSERV) - Acer Inc. - c:\acer\KnobService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
I can't get anything much to work when using the RUN, i cant locate find.txt but i did find find2.txt:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Compaq Jes Drivers"="winjes.exe"
"Compaq32 Service Drivers"="msconfig32.exe"
Sorry i haven't been able to do much to assist you, my computer seems to be getting worse by day.
thanks for your help its very much appreciated.
Post by: guestolo on May 19, 2005, 11:59:47 PM
travelling gear
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> I'll make sure I get you started on a fix tonight or I'll post first thing in the morning before I leave
and hope everything is well for you when I get back
Post by: guestolo on May 20, 2005, 12:03:06 PM
If you can't connect to the Internet, ensure you download msfix.zip and Killbox to one computer and transfer to the infected computer, as we will need them
Do the other download steps when you can connect again
==Download the Pocket Killbox (http://\"http://www.downloads.subratam.org/KillBox.zip\")
UNZIP it to a folder of your choice
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Give the link time to load or try it twice, it may be busy
Install for now, don't run a scan yet
==Download and then Install
Ewido Trojan Scanner (http://\"http://download.ewido.net/ewido-setup.exe\")
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido
==Download and UNZIP to desktop msfix.zip
So you now have msfix.reg extracted to the desktop
[attachment=235:attachment]
Please Print this out or save it too a Notepad file for reference
Disconnect from the Internet
In safe mode
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off
Run EWIDO and do a Full system scan, save the report afterwards
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Create a new folder on your desktop,
Right click an empty spot>>Select NEW>>FOLDER
Name it Backups
Open your C:\WINDOWS\system32 folder
Left click and DRAG these files into the Backups folder on your desktop
DON'T copy and paste them, we want to remove them from there location, but not delete them until we know there bad guys
t3odm.dll
ASPTV.EXE
ASPFM.EXE
t5rdv.dll
cpwiuy.dll
ecesq.dll
Also, delete msdirectx file again
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/ (http://\"http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html (http://\"http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html\")
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.12 go.com
O1 - Hosts: 69.50.166.13 astalavista.com
O1 - Hosts: 69.50.166.13 www.astalavista.com
O1 - Hosts: 69.50.166.13 astalavista.box.sk
O2 - BHO: (no name) - {1474CE44-8057-4AE3-8F3E-ED37C7C63D8A} - (no file)
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [Compaq Jes Drivers] winjes.exe
O4 - HKLM\..\Run: [System] wumgrd32.exe
O4 - HKLM\..\RunServices: [Compaq Jes Drivers] winjes.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [System] wumgrd32.exe
O4 - HKCU\..\Run: [Compaq Jes Drivers] winjes.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq Jes Drivers] winjes.exe
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab (http://\"http://www.azebar.com/install/azesearch.cab\")
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
==Double click on msfix.reg and allow to add or Merge to the registry
==Run Pocket KillBox
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
Then click the Delete file button
The Red Circle with the White X
For any files that won't delete, we'll need those in a bit
C:\WINDOWS\System32\msconfig32.exe
Continue to copy and paste the next path to the file below into killbox
Selecting Delete on Reboot afterwards
C:\WINDOWS\system32\winjes.exe
C:\WINDOWS\system32\compqs.exe
C:\WINDOWS\System32\wumgrd32.exe
c:\Windows\system32\msdirectx.sys
C:\WINDOWS\system32\tasker32.exe
C:\WINDOWS\system32\wininit16.exe
C:\DOCUME~1\CATZ~1.SYL\MSDIRE~1.SYS
C:\WINDOWS\Downloaded Program Files\WinAdCtlX.dll
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll
C:\WINDOWS\Downloaded Program Files\Install.dll
C:\WINDOWS\cpa.exe
C:\processview.exe
For any file that won't delete, again copy and paste that entry back into Killbox,
This time
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
When you've entered the last path to the file
Allow the computer to Reboot
or Restart the computer anyways
Back in Windows
Go back to
Device Manager
(Right click My Computer > Hardware tab > device manager)
Select View from the menu
Under view, select *Show Hidden Devices*
Then go down to and expand (+)
*Non-Plug and Play Drivers*
Look for this entry:
msdirectx
Disable it (Reboot if prompted)
Then Uninstall it
Reboot again
Back in Windows
==Download and Unzip to a folder Hoster.zip (http://\"http://www.funkytoad.com/download/hoster.zip\")
Open Hoster>>Click on "Restore Original Hosts"
OK it
I suggest that you do an Online Virus scan at Panda's
Save the report afterwards
http://www.pandasoftware.com/products/acti...n_principal.htm (http://\"http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm\")
After your done, could you please run another scan with Hijackthis and post a fresh log
Try and run one from Normal mode
Also include the report from Ewidos and the one from Panda's
Post by: Catzmagee on May 20, 2005, 05:54:28 PM
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 23:22:02, 20/05/2005
+ Report-Checksum: 6A5D678C
+ Date of database: 20/05/2005
+ Version of scan engine: v3.0
+ Duration: 34 min
+ Scanned Files: 85479
+ Speed: 41.65 Files/Second
+ Infected files: 14
+ Removed files: 14
+ Files put in quarantine: 14
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0018458.sys -> Trojan.Rootkit.h -> Cleaned with backup
C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0018459.sys -> Trojan.Rootkit.h -> Cleaned with backup
C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0018466.sys -> Trojan.Rootkit.h -> Cleaned with backup
C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0018467.sys -> Trojan.Rootkit.h -> Cleaned with backup
C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0018481.sys -> Trojan.Rootkit.h -> Cleaned with backup
C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0018482.sys -> Trojan.Rootkit.h -> Cleaned with backup
C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0019488.sys -> Trojan.Rootkit.h -> Cleaned with backup
C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0020487.sys -> Trojan.Rootkit.h -> Cleaned with backup
C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0020488.sys -> Trojan.Rootkit.h -> Cleaned with backup
C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0020499.sys -> Trojan.Rootkit.h -> Cleaned with backup
C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0021694.sys -> Trojan.Rootkit.h -> Cleaned with backup
C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0021695.exe -> Trojan.Pakes -> Cleaned with backup
C:\!Submit\MSDIRE~1.SYS -> Trojan.Rootkit.h -> Cleaned with backup
C:\!Submit\cpa.exe -> Trojan.Pakes -> Cleaned with backup
::Report End
And the new hijack this log:-
Logfile of HijackThis v1.98.2
Scan saved at 23:52:33, on 20/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\acer\KnobService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\YPCSER~1.EXE
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\acer\KnobMonitor.exe
C:\ACER\MPS.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ (http://\"http://global.acer.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [MPS] C:\ACER\MPS.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: BT - {287E6E20-83C8-4B93-9D54-A2DECA6D0B98} - http://www.bt.com (http://\"http://www.bt.com\") (file missing) (HKCU)
O9 - Extra button: Homepage - {44C0A121-B77B-4532-AD14-97E78F05A586} - http://bt.yahoo.com (http://\"http://bt.yahoo.com\") (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/providers...yer/awswaxf.cab (http://\"http://courses.learndirect.co.uk/providers/electric_paper2000_v2/module01/aware_player/awswaxf.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab (http://\"http://www.makeoversolutions.com/save/makeover.cab\")
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab\")
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab (http://\"http://www.cult3d.com/download/cult.cab\")
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab (http://\"http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx (http://\"http://www.webshots.com/samplers/WSDownloader.ocx\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{C319C1A1-B0A2-4E7E-89A9-25C970431204}: NameServer = 194.72.9.39 194.74.65.87
I was able to run it from normal mode, the virus seems to have gone everything seems to back to working. i didnt run panda because when i was half way through i got a virus alert up coming from the panda connection and i am very wary now. Thank you very much. You've been great.
Post by: guestolo on May 23, 2005, 01:55:16 AM
Quote
i didnt run panda because when i was half way through i got a virus alert up coming from the panda connection
Can you go back and finish the virus scan with Panda's please and then include the report
Allow Panda's to fix what it can
You may have to possibly temporarily disable Avast's protection so it won't interfere with the Panda scan
Also
When done, could you then update your version of Hijackthis to the latest and run another scan and post a fresh log
You can redownload Hijackthis 1.99.1 from my signature below
Post by: Predogz on May 25, 2005, 05:01:32 AM
Note that some of these programs did in fact find msdirectx.sys and remove it, but it kept reappearing anyways. What it was doing is spawning another file of a simular name called 'mspg.exe' that would recreate the file and put it on my start up programs almost as soon as it was removed.
What i had to do to remove it was boot in safemode, run msconfig utility, remove the secondary file from my Start up list. Then i rebooted in safemode.
I removed all instances of msdirectx from my C: drive. Then i checked windows/ prefetch and searched for any instances of the secondary file 'mspg' and deleted them. Then i searched for msdirectx in the registry, as well as the secondary file. and deleted all entries.
Then i rebooted and i was finally clean. I immediately updated windows, Mcafee, and all other security programs.
Note that niether my Mcafee or windows was up to date, which was completely foolish on my part. Also know that this worm would not even let me on the internet to use Symantec, Mcafee or the Windows sight with any browser i tried. Internet Explorer was totally hijacked by it, so much so that im afraid to use it again. One other thing worth noting is that it was preventing any firewall services from running on my computer by disabling and stopping the service called 'remote accessconnection manager'. When you try to restore the service it would just say 'access is denied'.
This bug was very frustrating and took me a week to figure out how to beat it. I'm currently in school for software development, and i am computer savy - to a point. But ill tell ya -this worm had me thinkin reinstall windows at the worst points of it. Its very much like a personal attack when i cant do what i want on it in my own home. I hope that this information can help you to help anyone else who may get this worm.
Good Luck All - Predogz
Post by: Catzmagee on May 29, 2005, 02:06:46 PM
sorry it's taken me ages to reply, kept having problems, i tried the panda virus scan again but when the screen came up to choose what i wanted to scan it kept saying there was an error, i used latest hijackthis and got the new log:-
Logfile of HijackThis v1.99.1
Scan saved at 19:23:33, on 29/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\acer\KnobService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\YPCSER~1.EXE
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\acer\KnobMonitor.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Techclinic Help\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ (http://\"http://global.acer.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [System32] crsvvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/providers...yer/awswaxf.cab (http://\"http://courses.learndirect.co.uk/providers/electric_paper2000_v2/module01/aware_player/awswaxf.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab (http://\"http://www.makeoversolutions.com/save/makeover.cab\")
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab\")
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab (http://\"http://www.cult3d.com/download/cult.cab\")
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab (http://\"http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx (http://\"http://www.webshots.com/samplers/WSDownloader.ocx\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab\")
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Knob Service (KNOBSERV) - Acer Inc. - c:\acer\KnobService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Post by: guestolo on May 29, 2005, 02:11:59 PM
Seems you just waited until you were reinfected to post back
Your log is no longer clean
Post by: guestolo on May 29, 2005, 03:32:14 PM
Thanks to CreteMon. for reminding me
Can you do the following please and see if it is any help
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Also, Can you check the following please to see if they are correct
Under the Security tab | Custom Level
Check ActiveX security settings:
Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled) or prompt
o Script ActiveX controls marked safe for scripting (Prompt)
Then try the scan at Panda's again, see if that is any help
Could you also do the following
Download: Registry Search Tool from this link
http://billsway.com/vbspage/ (http://\"http://billsway.com/vbspage/\")
Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run
In the open field copy and paste the below in bold then hit OK
msdirectx
Wait for the results and post them back here
Post by: Catzmagee on May 30, 2005, 11:55:57 AM
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> Incident Status Location
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\a95kfrhe.ini
Spyware:Spyware/YourSiteBar No disinfected Windows Registry
Virus:W32/Gaobot.FAI.worm Disinfected C:\WINDOWS\system32\TFTP2648
Virus:W32/Sdbot.CUU.worm Disinfected C:\WINDOWS\system32\systeminfos.exe
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\baur5s9q.dat
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\q10pvbrv.dat
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\ap9h4qmo.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\ritsacnk.dat
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\a95kfrhe.ini
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\ap2nqrd4.dat
Virus:W32/Gaobot.FCZ.worm Disinfected C:\WINDOWS\system32\msmsngr.exe
Adware:Adware/AzeSearch No disinfected C:\Program Files\HijackThis\backups\backup-20050520-214537-547.inf
And this is the report from registry search tool :-
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "msdirectx" 30/05/2005 17:53:55
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_MSDIRECTX]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_MSDIRECTX]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_MSDIRECTX]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_MSDIRECTX]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_MSDIRECTX]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\msdirectx]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\msdirectx]
"DisplayName"="msdirectx"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\msdirectx\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_MSDIRECTX]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_MSDIRECTX]
Thought i should send new hijack this log file: sorry if it isnt needed
Logfile of HijackThis v1.99.1
Scan saved at 17:55:14, on 30/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\acer\KnobService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\YPCSER~1.EXE
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\acer\KnobMonitor.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Techclinic Help\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ (http://\"http://global.acer.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ST5UNST Uninstaller.LNK = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/providers...yer/awswaxf.cab (http://\"http://courses.learndirect.co.uk/providers/electric_paper2000_v2/module01/aware_player/awswaxf.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab (http://\"http://www.makeoversolutions.com/save/makeover.cab\")
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab\")
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab (http://\"http://www.cult3d.com/download/cult.cab\")
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab (http://\"http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx (http://\"http://www.webshots.com/samplers/WSDownloader.ocx\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{C319C1A1-B0A2-4E7E-89A9-25C970431204}: NameServer = 194.72.9.39 194.74.65.87
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Knob Service (KNOBSERV) - Acer Inc. - c:\acer\KnobService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Thanx
Post by: Catzmagee on June 01, 2005, 02:17:19 PM
Post by: Catzmagee on June 03, 2005, 06:44:49 AM
Post by: trj on June 08, 2005, 09:57:35 AM
Please, Read this (http://\"http://www.thetechguide.com/forum/index.php?showtopic=14623\")
Post by: guestolo on June 08, 2005, 11:40:01 PM
I'm very sorry for the long delay
I've been busy and trying to catch up on all logs I missed and new ones
Can you let me know if you still need a hand
Post by: Catzmagee on June 14, 2005, 05:25:11 PM
Post by: guestolo on June 15, 2005, 07:41:41 PM
First of all, having more than one Anti-Virus software running on your computer can cause instability and conflicts
Can you decide which AV scanner your happiest with and unstall the others
NEXT:
Download and UNZIP to your desktop
Remove.zip, so you now have Remove.reg on your desktop
We'll need this later
[attachment=264:attachment]
Afterwards
I hope you still have Ewido installed
Could you open it please
click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido
Ensure windows is set to show hidden files and folders
Print this out or save too a Notepad file on the desktop
Reboot into safe mode
If you didn't already remove the files found bad by Panda's scan that couldn't be disinfected, manually search for them and delete them
Here are the ones from your last scan
C:\WINDOWS\system32\baur5s9q.dat
C:\WINDOWS\system32\q10pvbrv.dat
C:\WINDOWS\system32\ap9h4qmo.ini
C:\WINDOWS\system32\ritsacnk.dat
C:\WINDOWS\system32\a95kfrhe.ini
C:\WINDOWS\system32\ap2nqrd4.dat
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off
Run EWIDO and do a Full system scan, save the report afterwards
Double click on Repair.reg and allow to add or merge to the registry
Restart back to Normal mode
Again, could you open Hoster and Restore Original Hosts
Can I get you to supply a few logs please
Run another scan with Hijackthis and post a fresh log
Could you also post the new Report from Ewidos
Can I have you again
Run the Registry Search tool and enter this into the open field
Wait for the results and post them
msdirectx
Do the same for this entry
msconfig32.exe
and this one
wumgrd32.exe
I would also suggest you do another online virus scan at Panda's and post the report afterwards
I'm asking you to run Ewido and Panda's again, they would of both been updated
and new nasties may be found
Post by: Catzmagee on June 16, 2005, 08:02:54 AM
I ran ewido and there were no infected files found,
The rest of the logs are below
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "msdirectx" 16/06/2005 13:10:57
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_MSDIRECTX]
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "msconfig32.exe" 16/06/2005 13:12:08
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Lsa]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\S-1-5-21-354938242-3891418503-1059126332-1005\Software\Microsoft\OLE]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\S-1-5-21-354938242-3891418503-1059126332-1005\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"="msconfig32.exe"
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "wumgrd32.exe" 16/06/2005 13:12:59
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"System"="wumgrd32.exe"
[HKEY_USERS\S-1-5-21-354938242-3891418503-1059126332-1005\Software\Microsoft\OLE]
"System"="wumgrd32.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"System"="wumgrd32.exe"
Logfile of HijackThis v1.99.1
Scan saved at 13:14:04, on 16/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\acer\KnobService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\YPCSER~1.EXE
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\acer\KnobMonitor.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Techclinic Help\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html (http://\"http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/ (http://\"http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html (http://\"http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/ (http://\"http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://bt.yahoo.com (http://\"http://bt.yahoo.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ (http://\"http://global.acer.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: strings.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/providers...yer/awswaxf.cab (http://\"http://courses.learndirect.co.uk/providers/electric_paper2000_v2/module01/aware_player/awswaxf.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab (http://\"http://www.makeoversolutions.com/save/makeover.cab\")
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab (http://\"http://www.cult3d.com/download/cult.cab\")
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab (http://\"http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx (http://\"http://www.webshots.com/samplers/WSDownloader.ocx\")
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab (http://\"http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{C319C1A1-B0A2-4E7E-89A9-25C970431204}: NameServer = 194.72.9.39 194.74.65.87
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Knob Service (KNOBSERV) - Acer Inc. - c:\acer\KnobService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Panda Report
Incident Status Location
Adware:Adware/AzeSearch No disinfected C:\Program Files\HijackThis\backups\backup-20050520-214537-547.inf
Post by: guestolo on June 16, 2005, 03:57:08 PM
First start by creating a fresh Restore point
START>>All programs>>Accessories>>System Tools
System Restore
Click Create New Restore point>>Next
Name it and click Create
When that's done
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop, we'll need this later, don't run it yet
Code: [Select]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_MSDIRECTX]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"Compaq32 Service Drivers"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
"Compaq32 Service Drivers"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Lsa]
"Compaq32 Service Drivers"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Compaq32 Service Drivers"=-
"System"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq32 Service Drivers"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq32 Service Drivers"=-
[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"=-
[HKEY_USERS\S-1-5-21-354938242-3891418503-1059126332-1005\Software\Microsoft\OLE]
"Compaq32 Service Drivers"=-
"System"=-
[HKEY_USERS\S-1-5-21-354938242-3891418503-1059126332-1005\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"=-
[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Compaq32 Service Drivers"=-
"System"=-
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq32 Service Drivers"=-
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq32 Service Drivers"=-
[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"=- Download and Save to Desktop this uninstaller from Avast found here
http://www.avast.com/eng/avast_uninstall_util.html (http://\"http://www.avast.com/eng/avast_uninstall_util.html\")
Don't run it yet
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html (http://\"http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/ (http://\"http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html (http://\"http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/ (http://\"http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/\")
O4 - Global Startup: strings.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot into Safe mode
Double click on fix.reg and allow to add/or merge to the registry
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- avast! iAVS4 Control Service
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Do the same for these ones too if found
avast! Antivirus
avast! Mail Scanner
avast! Web Scanner
Run the Uninstall utility from Avast
Restart back to Normal mode afterwards
Can you run these through the registry search tool again
MSDIRECTX
If msdirectx is found again, can you do the following please
Download: Registrar Lite
http://www.resplendence.com/reglite (http://\"http://www.resplendence.com/reglite\")
Free link at the bottom of the page
Open Registrar Lite
Copy and paste the following line in bold into the top address bar of Registrar Lite and then hit GO
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_MSDIRECTX
Highlight LEGACY_MSDIRECTX on the left which shoud be a purple folder on the left
Right click on it and Delete it
If it won't delete
Right click on it and choose Properties
>>Permissions, >>Advanced button
Check the following
"Inherit from parent the permission entries that apply to child objects."
OK it and OK again
Then try and delete the key
Exit Registrar lite
Then run these through the registry search tool
Let me see the results if any, this is just for some cleanup
msconfig32.exe
winjes.exe
Also, post a fresh Hijackthis log
Let me know how everythings running
Post by: Catzmagee on June 17, 2005, 03:53:23 AM
Here is the new hijack this log.
Logfile of HijackThis v1.99.1
Scan saved at 09:51:19, on 17/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\acer\KnobService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\YPCSER~1.EXE
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\acer\KnobMonitor.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Techclinic Help\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ (http://\"http://global.acer.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/providers...yer/awswaxf.cab (http://\"http://courses.learndirect.co.uk/providers/electric_paper2000_v2/module01/aware_player/awswaxf.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab (http://\"http://www.makeoversolutions.com/save/makeover.cab\")
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab (http://\"http://www.cult3d.com/download/cult.cab\")
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab (http://\"http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx (http://\"http://www.webshots.com/samplers/WSDownloader.ocx\")
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab (http://\"http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{C319C1A1-B0A2-4E7E-89A9-25C970431204}: NameServer = 194.72.9.39 194.74.65.87
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Knob Service (KNOBSERV) - Acer Inc. - c:\acer\KnobService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "winjes.exe" 17/06/2005 09:50:41
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Lsa]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_USERS\S-1-5-21-354938242-3891418503-1059126332-1005\Software\Microsoft\OLE]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_USERS\S-1-5-21-354938242-3891418503-1059126332-1005\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq Jes Drivers"="winjes.exe"
[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq Jes Drivers"="winjes.exe"
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "msconfig32.exe" 17/06/2005 09:49:54
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Compaq32 Service Drivers"="msconfig32.exe"
Post by: guestolo on June 17, 2005, 01:35:45 PM
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
For the times you must use Internet Explorer
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
It's compatible with XP SP2 as well
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
After you have that done with
Can you do the following
Let's rid you of some entries in the registry and set some back to Windows defaults
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix2.reg
Save this file on the desktop
Code: [Select]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Compaq32 Service Drivers"=-
"Compaq Jes Drivers"=-
"EnableDCOM"="Y"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"Compaq Jes Drivers"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
"Compaq Jes Drivers"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Lsa]
"Compaq Jes Drivers"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq Jes Drivers"=-
"restrictanonymous"=dword:00000000
[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Compaq Jes Drivers"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq Jes Drivers"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq Jes Drivers"=-
[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq Jes Drivers"=-
[HKEY_USERS\S-1-5-21-354938242-3891418503-1059126332-1005\Software\Microsoft\OLE]
"Compaq Jes Drivers"=-
[HKEY_USERS\S-1-5-21-354938242-3891418503-1059126332-1005\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq Jes Drivers"=-
[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Compaq Jes Drivers"=-
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq Jes Drivers"=-
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq Jes Drivers"=-
[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq Jes Drivers"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002 Double click on fix2.reg and allow to add or Merge to the registry
Restart your computer
Can I have you download and UNZIP to your desktop
Search.zip, so you now have Search.bat extracted
Double click on Search.bat and a text file will open, can you copy and paste the contents back here please
Post by: Catzmagee on June 18, 2005, 09:54:48 AM
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Compaqs Service Drivers"="compqs.exe"
"msmsngr"="C:\\WINDOWS\\System32\\msmsngr.exe"
"Compaq Service Drivers"="systeminfos.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaqs Service Drivers"="compqs.exe"
"Compaq Service Drivers"="systeminfos.exe"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"
"Compaqs Service Drivers"="compqs.exe"
"Compaq Service Drivers"="systeminfos.exe"
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"LsaPid"=dword:0000022c
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"Compaqs Service Drivers"="compqs.exe"
"Compaq Service Drivers"="systeminfos.exe"
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:fa,1b,9d,3a,b0,da,a7,2e,e1,ab,51,c4,54,3b,b4,d3,62,65,36,34,63,\
38,37,31,00,00,00,00,01,00,00,00,c8,01,00,00,cc,01,00,00,34,ca,06,00,45,9d,\
bf,71,04,00,00,00,10,00,00,00,00,00,00,00,42,49,0c,65
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:2b,eb,9f,af,9b,19,46,83,f8
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:40,b3,73,df,5e,9b
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:cf,73,d6,4e,c8,a8,b9,f6,f8,1d,92,81,ad,25,f7,91
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:a4,16,d5,b8,26,65,c5,01
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,c6,58,87,b5,79,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,c6,58,87,b5,79,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,c6,58,87,b5,79,c4,01
"Type"=dword:00000031
Post by: guestolo on June 18, 2005, 11:47:13 PM
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> Can you create another fresh System Restore point
Afterwards
Download and UNZIP to desktop Fix3.zip
So you have Fix3.reg extracted
Double click on Fix3.reg and allow to merge to the Registry
[attachment=269:attachment]
Go here and
Download and UNZIP this free registry cleaner
RegSeeker 1.45
http://www.hoverdesk.net/freeware.htm (http://\"http://www.hoverdesk.net/freeware.htm\")
Open the RegSeeker Folder and double click on RegSeeker.exe
Click on
"Clean the Registry" on the left menu
Ensure there is a check in "Backup before Deletion" on the bottom left
Then click OK on the right
Let it finish scanning
When it's done
Click "Select All" Near the bottom
and then Right click in the Results pane and click
"Delete Selected Items"
Exit RegSeeker
Afterwards Restart your computer
Back in Windows run RegSeeker one more time
Post back one last hijackthis log and let me know how things are.....
Post by: Catzmagee on June 19, 2005, 06:32:02 AM
Here's the log for hijack this
Logfile of HijackThis v1.99.1
Scan saved at 12:26:19, on 19/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\acer\KnobService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\rsvp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\YPCSER~1.EXE
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\acer\KnobMonitor.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Techclinic Help\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ (http://\"http://global.acer.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/providers...yer/awswaxf.cab (http://\"http://courses.learndirect.co.uk/providers/electric_paper2000_v2/module01/aware_player/awswaxf.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab (http://\"http://www.makeoversolutions.com/save/makeover.cab\")
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab (http://\"http://www.cult3d.com/download/cult.cab\")
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab (http://\"http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx (http://\"http://www.webshots.com/samplers/WSDownloader.ocx\")
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab (http://\"http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{C319C1A1-B0A2-4E7E-89A9-25C970431204}: NameServer = 194.72.9.39 194.74.65.87
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Knob Service (KNOBSERV) - Acer Inc. - c:\acer\KnobService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Post by: Catzmagee on June 19, 2005, 12:26:05 PM
Just though I'd say that i've got the security centre started now.
Post by: guestolo on June 19, 2005, 02:01:50 PM
I suspect you reenabled Security Center in services.msc
Sound right?
If you still have Windows set to show hidden files and folders, you can go back and hide them again
I know I asked you to make a couple fresh restore points
But if your happy with the way everything is running, could you do the following please
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once back in Windows be sure to re-enable system restore
Also, I linked you too SpywareBlaster and IE-Spyad earlier
I would make sure you install those 2 utilities
Stay safe
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Post by: Catzmagee on June 19, 2005, 03:24:50 PM
Thanks for all your help! Greatly appreciated!
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
Post by: guestolo on June 19, 2005, 09:57:08 PM
I'll lock this topic Catz, as your problems appear resolved
If you need it reopened, please PM a Mod or the site Admin and supply a link to this thread
Take Care
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />