
Messages - soL309

1
Tech Clinic / Malware attack
« on: August 10, 2006, 01:02:18 AM »
Thanks so much, guest, you've been amazingly helpful!

2
Tech Clinic / Malware attack
« on: August 06, 2006, 02:16:02 AM »
I do not have an AV program; any help would be much appreciated!!

3
Tech Clinic / Malware attack
« on: August 02, 2006, 09:14:00 PM »
Sorry about the wait again! lol, here's the list:

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0
AOL Uninstaller (Choose which Products to Remove)
Ares 1.9.0
aTuner (remove only)
Call of Juarez SP Demo
CleanUp!
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Decal Converter
Dell ResourceCD
DivX
DivX Converter
DivX Player
Easy CD Creator 5 Basic
ewido anti-spyware 4.0
FEAR
GdiplusUpgrade
Google Toolbar for Internet Explorer
GTH(en)
Half-Life: Counter-Strike
HijackThis 1.99.1
HP Extended Capabilities 5.3
HP Imaging Device Functions 5.3
HP Photosmart Essential
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
IGN Download Manager 2.1.1
Intel® PRO Ethernet Adapter and Software
iPod for Windows 2006-03-23
iTunes
Java 2 Runtime Environment, SE v1.4.2_06
Lexmark X74-X75
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Logitech G-series Keyboard Software
Logon Loader 2.1.0
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Mozilla Firefox (1.5.0.5)
MSN Messenger 7.0
MSN Music Assistant
Norton WMI Update
NVIDIA Drivers
NYKO AirFlo Controller v0.1
Oblivion
PENTAX USB DISK Device
Personal License Update Wizard for Windows Media Player
Plaxo Toolbar for Outlook (with AIM Enhancements)
QuickTime
Rakion International
RealPlayer
Rhapsody Player Engine
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Shockwave
Softnyx Launcher
Sound Blaster Live! Value
Steam
Sygate Personal Firewall
TeamSpeak 2 RC2
TeamSpeak 2 Server RC2
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
URGE
Ventrilo Client
Viewpoint Media Player
VirtuallyJenna-2.017.002 (Cracked)
WinAce Archiver 2.0
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
Xfire (remove only)
XviD MPEG-4 Codec
Zhentarim Playback Pack 2005-04-25 (Remove Only)

4
Tech Clinic / Malware attack
« on: July 26, 2006, 09:13:14 PM »
I definitely did not save the logfile! I'm sorry :( What should I do?

5
Tech Clinic / Malware attack
« on: July 24, 2006, 06:42:12 PM »
Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, July 24, 2006 4:05:50 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R116 24.07.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):6 total references
CoolWebSearch(TAC index:10):9 total references
MRU List(TAC index:0):29 total references
Tracking Cookie(TAC index:3):17 total references
Win32.Trojan.Downloader(TAC index:10):5 total references
Zango(TAC index:6):31 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-24-2006 4:05:50 PM - Scan started. (Full System Scan)

 MRU List Object Recognized!
    Location:          : C:\Documents and Settings\Grem Fox\Application Data\microsoft\office\recent
    Description        : list of recently opened documents using microsoft office


 MRU List Object Recognized!
    Location:          : C:\Documents and Settings\Grem Fox\recent
    Description        : list of recently opened documents


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\google\navclient\1.1\history
    Description        : list of recently used search terms in the google toolbar


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct3d


 MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct3d


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct X


 MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct X


 MRU List Object Recognized!
    Location:          : software\microsoft\directdraw\mostrecentapplication
    Description        : most recent application to use microsoft directdraw


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\directinput\mostrecentapplication
    Description        : most recent application to use microsoft directinput


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\directinput\mostrecentapplication
    Description        : most recent application to use microsoft directinput


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\internet explorer
    Description        : last download directory used in microsoft internet explorer


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\internet explorer\typedurls
    Description        : list of recently entered addresses in microsoft internet explorer


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\mediaplayer\preferences
    Description        : last playlist index loaded in microsoft windows media player


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\mediaplayer\preferences
    Description        : last playlist loaded in microsoft windows media player


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\microsoft management console\recent file list
    Description        : list of recent snap-ins used in the microsoft management console


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
    Description        : list of recent documents saved by microsoft word


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\search assistant\acmru
    Description        : list of recent search terms used with the search assistant


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows\currentversion\applets\paint\recent file list
    Description        : list of files recently opened using microsoft paint


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows\currentversion\applets\regedit
    Description        : last key accessed using the microsoft registry editor


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored according to file extension


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows\currentversion\explorer\recentdocs
    Description        : list of recent documents opened


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows\currentversion\explorer\runmru
    Description        : mru list for items opened in start | run


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\nico mak computing\winzip\filemenu
    Description        : winzip recently used archives


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\realnetworks\realplayer\6.0\preferences
    Description        : list of recent skins in realplayer


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\realnetworks\realplayer\6.0\preferences
    Description        : list of recent clips in realplayer


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\realnetworks\realplayer\6.0\preferences
    Description        : last login time in realplayer


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\microsoft\windows media\wmsdk\general
    Description        : windows media sdk


 MRU List Object Recognized!
    Location:          : S-1-5-21-1547161642-1275210071-839522115-1004\software\winrar\dialogedithistory\extrpath
    Description        : winrar "extract-to" history


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
    FilePath           : \SystemRoot\System32\
    ProcessID          : 592
    ThreadCreationTime : 7-24-2006 6:58:23 PM
    BasePriority       : Normal


#:2 [csrss.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ProcessID          : 640
    ThreadCreationTime : 7-24-2006 6:58:27 PM
    BasePriority       : Normal


#:3 [winlogon.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ProcessID          : 664
    ThreadCreationTime : 7-24-2006 6:58:28 PM
    BasePriority       : High


#:4 [services.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 708
    ThreadCreationTime : 7-24-2006 6:58:32 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName       : services.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : services.exe

#:5 [lsass.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 720
    ThreadCreationTime : 7-24-2006 6:58:32 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName       : lsass.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : lsass.exe

#:6 [svchost.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 892
    ThreadCreationTime : 7-24-2006 6:58:33 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:7 [svchost.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 976
    ThreadCreationTime : 7-24-2006 6:58:33 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:8 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1076
    ThreadCreationTime : 7-24-2006 6:58:33 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:9 [smc.exe]
    FilePath           : E:\Program Files\Sygate\SPF\
    ProcessID          : 1248
    ThreadCreationTime : 7-24-2006 6:58:34 PM
    BasePriority       : Normal
    FileVersion        : 5.6.00.2808
    ProductVersion     : 5.6.00.2808
    ProductName        : Sygate® Security Agent and Personal Firewall
    CompanyName        : Sygate Technologies, Inc.
    FileDescription    : Sygate Agent Firewall
    InternalName       : Smc
    LegalCopyright     : Copyright ©  1999 - 2004 Sygate Technologies, Inc. All rights reserved.
    OriginalFilename   : Smc.EXE

#:10 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1272
    ThreadCreationTime : 7-24-2006 6:58:37 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:11 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1356
    ThreadCreationTime : 7-24-2006 6:58:38 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:12 [lexbces.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1496
    ThreadCreationTime : 7-24-2006 6:58:38 PM
    BasePriority       : Normal
    FileVersion        : 7.4
    ProductVersion     : 7.4
    ProductName        : MarkVision for Windows (32 bit)
    CompanyName        : Lexmark International, Inc.
    FileDescription    : LexBce Service
    InternalName       : LexBce Service
    LegalCopyright     : © 1993 - 2002 Lexmark International, Inc.
    OriginalFilename   : LexBceS.exe

#:13 [spoolsv.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1520
    ThreadCreationTime : 7-24-2006 6:58:38 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
    ProductVersion     : 5.1.2600.2696
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName       : spoolsv.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : spoolsv.exe

#:14 [lexpps.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1532
    ThreadCreationTime : 7-24-2006 6:58:38 PM
    BasePriority       : Normal
    FileVersion        : 7.4
    ProductVersion     : 7.4
    ProductName        : MarkVision for Windows (32 bit)
    CompanyName        : Lexmark International, Inc.
    FileDescription    : LEXPPS.EXE
    InternalName       : LEXPPS
    LegalCopyright     : © 1993 - 2002 Lexmark International, Inc.
    OriginalFilename   : LEXPPS.EXE
    Comments           : MarkVision for Windows '95 New P2P Server  (32-bit)

#:15 [devldr32.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1848
    ThreadCreationTime : 7-24-2006 6:58:41 PM
    BasePriority       : Normal
    FileVersion        : 1, 0, 0, 22
    ProductVersion     : 1, 0, 0, 22
    ProductName        : Creative Ring3 NT Inteface
    CompanyName        : Creative Technology Ltd.
    FileDescription    : DevLdr32
    InternalName       : DevLdr
    LegalCopyright     : Copyright © 1997-2001 Creative Technology Ltd.
    OriginalFilename   : DevLdr32.exe

#:16 [explorer.exe]
    FilePath           : C:\WINDOWS\
    ProcessID          : 1904
    ThreadCreationTime : 7-24-2006 6:58:41 PM
    BasePriority       : Normal
    FileVersion        : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 6.00.2900.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : EXPLORER.EXE

#:17 [hpwuschd2.exe]
    FilePath           : C:\Program Files\HP\HP Software Update\
    ProcessID          : 148
    ThreadCreationTime : 7-24-2006 6:58:42 PM
    BasePriority       : Normal
    FileVersion        : 53.0.13.000
    ProductVersion     : 053.000.013.000
    ProductName        : hp digital imaging - hp all-in-one series
    CompanyName        : Hewlett-Packard Co.
    FileDescription    : Hewlett-Packard Product Assistant
    InternalName       : hpwuSchd2
    LegalCopyright     : Copyright © Hewlett-Packard Co. 1995-2004
    OriginalFilename   : hpwuSchd2.exe
    Comments           : Hewlett-Packard Product Assistant

#:18 [aolsoftware.exe]
    FilePath           : C:\Program Files\Common Files\AOL\1128695648\ee\
    ProcessID          : 168
    ThreadCreationTime : 7-24-2006 6:58:42 PM
    BasePriority       : Normal
    FileVersion        : 1.4.16.3
    ProductVersion     : 1.4.16.3
    ProductName        : AOL Service Libraries
    CompanyName        : America Online, Inc.
    FileDescription    : AOL
    InternalName       : AOLSoftware
    LegalCopyright     : © 2006 America Online, Inc.
    OriginalFilename   : AOLSoftware.exe

#:19 [lgdcore.exe]
    FilePath           : C:\Program Files\Logitech\G-series Software\
    ProcessID          : 176
    ThreadCreationTime : 7-24-2006 6:58:42 PM
    BasePriority       : Normal
    FileVersion        : 1.00.402
    ProductVersion     : 1.00.402
    ProductName        : G-series Software
    CompanyName        : Logitech Inc.
    FileDescription    : Logitech G-series Profiler
    InternalName       : LGDCore
    LegalCopyright     : © 2004-2005 Logitech.  All rights reserved.
    LegalTrademarks    : Logitech, the Logitech logo, and other Logitech marks are owned by Logitech and may be registered.  All other trademarks are the property of their respective owners.
    OriginalFilename   : LGDCore.exe
    Comments           : Created by Interactive Entertainment.

#:20 [lcdmon.exe]
    FilePath           : C:\Program Files\Logitech\G-series Software\
    ProcessID          : 164
    ThreadCreationTime : 7-24-2006 6:58:42 PM
    BasePriority       : Normal
    FileVersion        : 1.00.402
    ProductVersion     : 1.00.402
    ProductName        : G-series Software
    CompanyName        : Logitech Inc.
    FileDescription    : Logitech G-series LCD Monitor
    InternalName       : LCDMon
    LegalCopyright     : © 2004-2005 Logitech.  All rights reserved.
    LegalTrademarks    : Logitech, the Logitech logo, and other Logitech marks are owned by Logitech and may be registered.  All other trademarks are the property of their respective owners.
    OriginalFilename   : LCDMon.exe
    Comments           : Created by Interactive Entertainment.

#:21 [realsched.exe]
    FilePath           : C:\Program Files\Common Files\Real\Update_OB\
    ProcessID          : 184
    ThreadCreationTime : 7-24-2006 6:58:43 PM
    BasePriority       : Normal
    FileVersion        : 0.1.0.3510
    ProductVersion     : 0.1.0.3510
    ProductName        : RealPlayer (32-bit)
    CompanyName        : RealNetworks, Inc.
    FileDescription    : RealNetworks Scheduler
    InternalName       : schedapp
    LegalCopyright     : Copyright © RealNetworks, Inc. 1995-2004
    LegalTrademarks    : RealAudio(tm) is a trademark of RealNetworks, Inc.
    OriginalFilename   : realsched.exe

#:22 [ituneshelper.exe]
    FilePath           : E:\Program Files\iTunes\
    ProcessID          : 212
    ThreadCreationTime : 7-24-2006 6:58:43 PM
    BasePriority       : Normal
    FileVersion        : 6.0.4.2
    ProductVersion     : 6.0.4.2
    ProductName        : iTunes
    CompanyName        : Apple Computer, Inc.
    FileDescription    : iTunesHelper Module
    InternalName       : iTunesHelper
    LegalCopyright     : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
    OriginalFilename   : iTunesHelper.exe

#:23 [ares.exe]
    FilePath           : C:\Program Files\Ares\
    ProcessID          : 224
    ThreadCreationTime : 7-24-2006 6:58:43 PM
    BasePriority       : Normal
    FileVersion        : 1.9.2.3011
    ProductVersion     : 1.9
    ProductName        : Ares for windows
    CompanyName        : Ares Development Group
    FileDescription    : Ares
    InternalName       : Ares
    OriginalFilename   : ARES.EXE
    Comments           : http://aresgalaxy.sourceforge.net

#:24 [lcdclock.exe]
    FilePath           : C:\Program Files\Logitech\G-series Software\Applets\
    ProcessID          : 284
    ThreadCreationTime : 7-24-2006 6:58:44 PM
    BasePriority       : Normal
    FileVersion        : 1.00.402
    ProductVersion     : 1.00.402
    ProductName        : G-series Software
    CompanyName        : Logitech Inc.
    FileDescription    : Logitech G-series LCD Clock
    InternalName       : LCDClock
    LegalCopyright     : © 2004-2005 Logitech.  All rights reserved.
    LegalTrademarks    : Logitech, the Logitech logo, and other Logitech marks are owned by Logitech and may be registered.  All other trademarks are the property of their respective owners.
    OriginalFilename   : LCDClock.exe
    Comments           : Created by Interactive Entertainment.

#:25 [lcdmedia.exe]
    FilePath           : C:\Program Files\Logitech\G-series Software\Applets\
    ProcessID          : 304
    ThreadCreationTime : 7-24-2006 6:58:44 PM
    BasePriority       : Normal
    FileVersion        : 1.00.402
    ProductVersion     : 1.00.402
    ProductName        : G-series Software
    CompanyName        : Logitech Inc.
    FileDescription    : Logitech G-series Media Display
    InternalName       : LCDMedia
    LegalCopyright     : © 2004-2005 Logitech.  All rights reserved.
    LegalTrademarks    : Logitech, the Logitech logo, and other Logitech marks are owned by Logitech and may be registered.  All other trademarks are the property of their respective owners.
    OriginalFilename   : LCDMedia.exe
    Comments           : Created by Interactive Entertainment.

#:26 [cisvc.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 988
    ThreadCreationTime : 7-24-2006 6:58:47 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Content Index service
    InternalName       : cisvc.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : cisvc.exe

#:27 [ctsvccda.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1036
    ThreadCreationTime : 7-24-2006 6:58:47 PM
    BasePriority       : Normal
    FileVersion        : 1.0.1.0
    ProductVersion     : 1.0.0.0
    ProductName        : Creative Service for CDROM Access
    CompanyName        : Creative Technology Ltd
    FileDescription    : Creative Service for CDROM Access
    InternalName       : CTsvcCDAEXE
    LegalCopyright     : Copyright © Creative Technology Ltd., 1999. All rights reserved.
    OriginalFilename   : CTsvcCDA.EXE

#:28 [guard.exe]
    FilePath           : C:\Program Files\ewido anti-spyware 4.0\
    ProcessID          : 1072
    ThreadCreationTime : 7-24-2006 6:58:50 PM
    BasePriority       : Normal
    FileVersion        : 4, 0, 0, 172
    ProductVersion     : 4, 0, 0, 172
    ProductName        : ewido anti-spyware
    CompanyName        : Anti-Malware Development a.s.
    FileDescription    : ewido anti-spyware guard
    InternalName       : ewido anti-spywareguard
    LegalCopyright     : Copyright © 2005 Anti-Malware Development a.s.
    OriginalFilename   : guard.exe

#:29 [nprotect.exe]
    FilePath           : C:\Program Files\Norton AntiVirus\AdvTools\
    ProcessID          : 1208
    ThreadCreationTime : 7-24-2006 6:58:51 PM
    BasePriority       : Normal
    FileVersion        : 16.00.0.22
    ProductVersion     : 16.00.0.22
    ProductName        : Norton Utilities
    CompanyName        : Symantec Corporation
    FileDescription    : Norton Protection Status
    InternalName       : NPROTECT
    LegalCopyright     : Copyright © 2003 Symantec Corporation
    LegalTrademarks    : Norton Utilities
    OriginalFilename   : NPROTECT.EXE

#:30 [nvsvc32.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1280
    ThreadCreationTime : 7-24-2006 6:58:51 PM
    BasePriority       : Normal
    FileVersion        : 6.14.10.7610
    ProductVersion     : 6.14.10.7610
    ProductName        : NVIDIA Driver Helper Service, Version 76.10
    CompanyName        : NVIDIA Corporation
    FileDescription    : NVIDIA Driver Helper Service, Version 76.10
    InternalName       : NVSVC
    LegalCopyright     : © NVIDIA Corporation. All rights reserved.
    OriginalFilename   : nvsvc32.exe

#:31 [hpzipm12.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1336
    ThreadCreationTime : 7-24-2006 6:58:51 PM
    BasePriority       : Normal
    FileVersion        : 9, 0, 0, 0
    ProductVersion     : 9, 0, 0, 0
    ProductName        : HP PML
    CompanyName        : HP
    FileDescription    : PML Driver
    InternalName       : PmlDrv
    LegalCopyright     : Copyright © 1998, 1999 Hewlett-Packard Company
    OriginalFilename   : PmlDrv.exe

#:32 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1676
    ThreadCreationTime : 7-24-2006 6:58:54 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:33 [wdfmgr.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1796
    ThreadCreationTime : 7-24-2006 6:58:54 PM
    BasePriority       : Normal
    FileVersion        : 5.2.3790.1230 built by: dnsrv(bld4act)
    ProductVersion     : 5.2.3790.1230
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows User Mode Driver Manager
    InternalName       : WdfMgr
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : WdfMgr.exe

#:34 [mspmspsv.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1944
    ThreadCreationTime : 7-24-2006 6:58:54 PM
    BasePriority       : Normal
    FileVersion        : 7.00.00.1954
    ProductVersion     : 7.00.00.1954
    ProductName        : Microsoft ® DRM
    CompanyName        : Microsoft Corporation
    FileDescription    : WMDM PMSP Service
    InternalName       : MSPMSPSV.EXE
    LegalCopyright     : Copyright © Microsoft Corp. 1981-2000
    OriginalFilename   : MSPMSPSV.EXE

#:35 [ipodservice.exe]
    FilePath           : E:\Program Files\iPod\bin\
    ProcessID          : 2216
    ThreadCreationTime : 7-24-2006 6:58:56 PM
    BasePriority       : Normal
    FileVersion        : 6.0.4.2
    ProductVersion     : 6.0.4.2
    ProductName        : iTunes
    CompanyName        : Apple Computer, Inc.
    FileDescription    : iPodService Module
    InternalName       : iPodService
    LegalCopyright     : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
    OriginalFilename   : iPodService.exe

#:36 [wmiprvse.exe]
    FilePath           : C:\WINDOWS\System32\wbem\
    ProcessID          : 2344
    ThreadCreationTime : 7-24-2006 6:58:57 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : WMI
    InternalName       : Wmiprvse.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : Wmiprvse.exe

#:37 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 3472
    ThreadCreationTime : 7-24-2006 6:59:03 PM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:38 [cidaemon.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 3408
    ThreadCreationTime : 7-24-2006 7:06:01 PM
    BasePriority       : Idle
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Indexing Service filter daemon
    InternalName       : cidaemon.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : cidaemon.exe

#:39 [aim6.exe]
    FilePath           : c:\program files\common files\aol\1128695648\ee\
    ProcessID          : 2764
    ThreadCreationTime : 7-24-2006 8:01:25 PM
    BasePriority       : Normal
    FileVersion        : 1.4.9.1
    ProductVersion     : 1.4.9.1
    ProductName        : AOL Service Libraries
    CompanyName        : America Online, Inc.
    FileDescription    : AIM
    InternalName       : AOLSoftware
    LegalCopyright     : © 2005 America Online, Inc.
    OriginalFilename   : AOLSoftware.exe

#:40 [firefox.exe]
    FilePath           : C:\Program Files\Mozilla Firefox\
    ProcessID          : 3184
    ThreadCreationTime : 7-24-2006 11:03:32 PM
    BasePriority       : Normal


#:41 [ad-aware.exe]
    FilePath           : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID          : 1156
    ThreadCreationTime : 7-24-2006 11:04:18 PM
    BasePriority       : Normal
    FileVersion        : 6.2.0.236
    ProductVersion     : SE 106
    ProductName        : Lavasoft Ad-Aware SE
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-Aware SE Core application
    InternalName       : Ad-Aware.exe
    LegalCopyright     : Copyright © Lavasoft AB Sweden
    OriginalFilename   : Ad-Aware.exe
    Comments           : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 29


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 180Solutions Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}

 180Solutions Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}

 180Solutions Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{2b0eceac-f597-4858-a542-d966b49055b9}

 180Solutions Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{ddea2e1d-8555-45e5-af09-ec9aa4ea27ad}

 180Solutions Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{f1f1e775-1b21-454d-8d38-7c16519969e5}

 180Solutions Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : typelib\{5b6689b5-c2d4-4dc7-bfd1-24ac17e5fcda}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{6c092742-10fe-4db2-988d-fc71948de70c}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{7fa8976f-d00c-4e98-8729-a66569233fb5}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : typelib\{8be3faba-7468-4851-b97c-0750af2b908e}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : zangohook.sabho

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : zangohook.sabho.1

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{51cf80dc-a309-4735-bb11-ef18bf4e3ad9}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{f31a5d11-bf0b-4a4e-90af-274f2090aaa6}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{a16650a9-b065-40ec-bbd1-f8d370d17fb1}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{bdddf1a5-51a9-4f51-b38d-4cd0ad831b31}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{e43dfaa6-8c16-4519-b022-8792408505a4}

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : last_conn_l

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : we

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : cdata

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : TimeOffset

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : recent_shown

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : key_int_high

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : key_int_low

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : geourl_current_version

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : geourl_last_full_version

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : actionurl_current_version

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : actionurl_last_full_version

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : keyword_current_version

 Zango Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-1547161642-1275210071-839522115-1004\software\zango
    Value              : keyword_last_full_version

 CoolWebSearch Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            : "{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
    Value              : {3F143C3A-1457-6CCA-03A7-7AA23B61E40F}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 31
Objects found so far: 60


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 60


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem [email protected][1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1
    Value              : Cookie:grem [email protected]/
    Expires            : 7-16-2006 12:48:40 PM
    LastSync           : Hits:1
    UseCount           : 0
    Hits               : 1

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem [email protected][1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1
    Value              : Cookie:grem [email protected]/
    Expires            : 12-30-2037 9:00:00 AM
    LastSync           : Hits:1
    UseCount           : 0
    Hits               : 1

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@live365[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:51
    Value              : Cookie:grem [email protected]/
    Expires            : 7-21-2011 1:52:42 AM
    LastSync           : Hits:51
    UseCount           : 0
    Hits               : 51

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@fastclick[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:2
    Value              : Cookie:grem [email protected]/
    Expires            : 7-15-2008 11:44:32 AM
    LastSync           : Hits:2
    UseCount           : 0
    Hits               : 2

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@atdmt[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:13
    Value              : Cookie:grem [email protected]/
    Expires            : 7-16-2011 5:00:00 PM
    LastSync           : Hits:13
    UseCount           : 0
    Hits               : 13

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem [email protected][2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:4
    Value              : Cookie:grem [email protected]/
    Expires            : 12-31-2009 5:00:00 PM
    LastSync           : Hits:4
    UseCount           : 0
    Hits               : 4

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@realmedia[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1
    Value              : Cookie:grem [email protected]/
    Expires            : 7-14-2007 10:36:50 AM
    LastSync           : Hits:1
    UseCount           : 0
    Hits               : 1

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@2o7[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:329
    Value              : Cookie:grem [email protected]/
    Expires            : 7-23-2011 3:32:26 PM
    LastSync           : Hits:329
    UseCount           : 0
    Hits               : 329

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@doubleclick[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:50
    Value              : Cookie:grem [email protected]/
    Expires            : 7-15-2009 5:30:12 PM
    LastSync           : Hits:50
    UseCount           : 0
    Hits               : 50

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@advertising[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1022
    Value              : Cookie:grem [email protected]/
    Expires            : 7-23-2011 3:32:30 PM
    LastSync           : Hits:1022
    UseCount           : 0
    Hits               : 1022

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@zedo[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:17
    Value              : Cookie:grem [email protected]/
    Expires            : 7-17-2016 1:39:34 AM
    LastSync           : Hits:17
    UseCount           : 0
    Hits               : 17

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@hitbox[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:2
    Value              : Cookie:grem [email protected]/
    Expires            : 7-14-2007 10:37:44 AM
    LastSync           : Hits:2
    UseCount           : 0
    Hits               : 2

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem [email protected][1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1
    Value              : Cookie:grem [email protected]/
    Expires            : 7-14-2007 10:37:44 AM
    LastSync           : Hits:1
    UseCount           : 0
    Hits               : 1

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@mediaplex[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:8
    Value              : Cookie:grem [email protected]/
    Expires            : 6-21-2009 5:00:00 PM
    LastSync           : Hits:8
    UseCount           : 0
    Hits               : 8

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@questionmarket[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:13
    Value              : Cookie:grem [email protected]/
    Expires            : 9-3-2006 4:15:04 PM
    LastSync           : Hits:13
    UseCount           : 0
    Hits               : 13

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@serving-sys[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:4
    Value              : Cookie:grem [email protected]/
    Expires            : 12-31-2037 3:00:00 PM
    LastSync           : Hits:4
    UseCount           : 0
    Hits               : 4

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : grem fox@casalemedia[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:9
    Value              : Cookie:grem [email protected]/
    Expires            : 7-7-2007 1:58:16 PM
    LastSync           : Hits:9
    UseCount           : 0
    Hits               : 9

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 17
Objects found so far: 77



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 Zango Object Recognized!
    Type               : File
    Data               : A0224308.exe
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Grem Fox\DoctorWeb\Quarantine\
    FileVersion        : 8, 0, 63, 0
    ProductVersion     : 8, 0, 63, 0
    ProductName        : Zango
    CompanyName        : 180solutions, Inc.
    FileDescription    : Zango
    LegalCopyright     : Copyright © 2005, 180solutions Inc.


 Zango Object Recognized!
    Type               : File
    Data               : A0224309.dll
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Grem Fox\DoctorWeb\Quarantine\
    FileVersion        : 8.5.63.0
    ProductVersion     : 8.5.63.0
    ProductName        : Zango
    CompanyName        : 180solutions, Inc.
    FileDescription    : Zango
    InternalName       : ClientHook
    LegalCopyright     : Copyright © 2005, 180solutions Inc.
    OriginalFilename   : ClientHook.dll


 Zango Object Recognized!
    Type               : File
    Data               : A0225303.exe
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Grem Fox\DoctorWeb\Quarantine\
    FileVersion        : 8, 0, 63, 0
    ProductVersion     : 8, 0, 63, 0
    ProductName        : Zango
    CompanyName        : 180solutions, Inc.
    FileDescription    : Zango
    LegalCopyright     : Copyright © 2005, 180solutions Inc.


 Zango Object Recognized!
    Type               : File
    Data               : A0225454.dll
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Object             : C:\Documents and Settings\Grem Fox\DoctorWeb\Quarantine\
    FileVersion        : 8.5.63.0
    ProductVersion     : 8.5.63.0
    ProductName        : Zango
    CompanyName        : 180solutions, Inc.
    FileDescription    : Zango
    InternalName       : ClientHook
    LegalCopyright     : Copyright © 2005, 180solutions Inc.
    OriginalFilename   : ClientHook.dll


 Win32.Trojan.Downloader Object Recognized!
    Type               : File
    Data               : A0225409.dll
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Object             : C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 82


Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 82


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
33 entries scanned.
New critical objects:0
Objects found so far: 82




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : lmgr180.wmdrmax

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clientax.zangoclientax

 Zango Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 6
    Category           : Data Miner
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clientax.zangoclientax.1

 CoolWebSearch Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{3f143c3a-1457-6cca-03a7-7aa23b61e40f}\inprocserver32

 CoolWebSearch Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : clsid\{3f143c3a-1457-6cca-03a7-7aa23b61e40f}\inprocserver32
    Value              : ThreadingModel

 CoolWebSearch Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\downloadmanager

 CoolWebSearch Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\internet explorer\urlsearchhooks

 CoolWebSearch Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : system\currentcontrolset\enum\root\legacy_zesoft

 CoolWebSearch Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : software\microsoft\internet explorer\main
    Value              : Use Custom Search URL

 CoolWebSearch Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : software\microsoft\internet explorer\main
    Value              : Enable Browser Extensions

 CoolWebSearch Object Recognized!
    Type               : RegValue
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : software\microsoft\internet explorer\media
    Value              : GUID

 Win32.Trojan.Downloader Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object             : software\microsoft\windows\currentversion\policies\activedesktop

 Win32.Trojan.Downloader Object Recognized!
    Type               : File
    Data               : winsub.xml
    TAC Rating         : 10
    Category           : Malware
    Comment            :
    Object             : C:\WINDOWS\system32\



 Win32.Trojan.Downloader Object Recognized!
    Type               : File
    Dat

6
Tech Clinic / Malware attack
« on: July 24, 2006, 06:05:10 PM »
Hey there, sorry that took so long; I've been at my new job, 11-hour days, 6 days a week, it's a killer! I'll get the scan back to you when it's finished! ^^

7
Tech Clinic / Malware attack
« on: July 20, 2006, 01:57:11 AM »
Well, I HAD Ad-Aware, but every time I used it, it would freeze, so I don't know what that was about; could've been because of all that virus junk on my computer. I don't have Spybot 1.4 or any anti-virus stuff. I'm such a LOSER. You're a LIFE saver, guestolo, you have no clue!

8
Tech Clinic / Malware attack
« on: July 18, 2006, 02:30:43 PM »
Here goes! :)

Logfile of HijackThis v1.99.1
Scan saved at 12:27:51 PM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
c:\program files\common files\aol\1128695648\ee\aim6.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Documents and Settings\Grem Fox\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Find.bat

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:000002d0
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"AtiDisplayDrv"="atidrvxx.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
  54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
  00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:7b,9c,25,f9,11,b8,8b,aa,f8,d8,4c,93,37,b9,38,c3,33,63,31,64,35,\
  65,63,31,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
  5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,d7,35,af,34

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:1f,63,0d,b6,c8,9a,58,75,34

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:27,e0,d7,12,1e,48

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:4e,73,56,c7,ec,db,1f,64,72,7e,d7,7c,89,51,20,0c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:3c,00,34,cc,dd,b0,c4,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01
"Type"=dword:00000031

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
  00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
  5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
  5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00
"AtiDisplayDrv"="atidrvxx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:000002d0
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
  54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
  00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:7b,9c,25,f9,11,b8,8b,aa,f8,d8,4c,93,37,b9,38,c3,33,63,31,64,35,\
  65,63,31,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
  5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,d7,35,af,34

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:1f,63,0d,b6,c8,9a,58,75,34

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:27,e0,d7,12,1e,48

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:4e,73,56,c7,ec,db,1f,64,72,7e,d7,7c,89,51,20,0c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:3c,00,34,cc,dd,b0,c4,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01
"Type"=dword:00000031

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
  00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
  5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
  5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

9
Tech Clinic / Malware attack
« on: July 17, 2006, 03:51:18 AM »
Yes, that was all for the Dr.Web CureIt, and the Find.bat turned up this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:000002d0
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"AtiDisplayDrv"="atidrvxx.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
  54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
  00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:7b,9c,25,f9,11,b8,8b,aa,f8,d8,4c,93,37,b9,38,c3,33,63,31,64,35,\
  65,63,31,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
  5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,d7,35,af,34

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:1f,63,0d,b6,c8,9a,58,75,34

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:27,e0,d7,12,1e,48

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:4e,73,56,c7,ec,db,1f,64,72,7e,d7,7c,89,51,20,0c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:3c,00,34,cc,dd,b0,c4,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01
"Type"=dword:00000031

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
  00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
  5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
  5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00
"AtiDisplayDrv"="atidrvxx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

10
Tech Clinic / Malware attack
« on: July 16, 2006, 11:16:31 PM »
Alright, I did all of that, woohoo! It's getting much better. Here's the HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:06 PM, on 7/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
c:\program files\common files\aol\1128695648\ee\aim6.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Grem Fox\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [d037c73c.exe] C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
O4 - HKCU\..\Run: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKCU\..\RunServices: [AtiDisplayDrv] atidrvxx.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And the Dr.Web CureIt report:

d037c73c.exe;C:\!KillBox;Trojan.DownLoader.based;Deleted.;
A0216129.EXE;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1259;Adware.Aws;Incurable.Moved.;
A0221083.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1282;Trojan.PWS.Snap;Deleted.;
A0221084.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1282;Trojan.PWS.Snap;Deleted.;
A0221085.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1282;Trojan.PWS.Snap;Deleted.;
A0221086.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1282;Trojan.PWS.Snap;Deleted.;
A0221176.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1284;Trojan.DownLoader.based;Deleted.;
A0221185.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1284;Trojan.DownLoader.based;Deleted.;
A0222194.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1284;Trojan.DownLoader.based;Deleted.;
A0223212.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1284;Trojan.DownLoader.based;Deleted.;
A0224241.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1284;Trojan.DownLoader.based;Deleted.;
A0224308.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Adware.Zango;Incurable.Moved.;
A0224309.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Adware.Zango;Incurable.Moved.;
A0224315.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.10917;Deleted.;
A0225302.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.PWS.Alanchum;Deleted.;
A0225303.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Adware.Zango;Incurable.Moved.;
A0225305.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Proxy.991;Deleted.;
A0225312.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.10595;Deleted.;
A0225316.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.based;Deleted.;
A0225336.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225376.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.PWS.Snap;Deleted.;
A0225377.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.based;Deleted.;
A0225378.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Proxy.986;Deleted.;
A0225379.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Proxy.986;Deleted.;
A0225381.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;BackDoor.Dsrv;Deleted.;
A0225382.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.6332;Deleted.;
A0225388.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.9540;Deleted.;
A0225390.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.9540;Deleted.;
A0225391.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.9540;Deleted.;
A0225392.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.10841;Deleted.;
A0225393.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.10842;Deleted.;
A0225398.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.PWS.Alanchum;Deleted.;
A0225399.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.EmailSpy;Deleted.;
A0225400.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Proxy.899;Deleted.;
A0225401.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;BackDoor.Uragan;Deleted.;
A0225402.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.10593;Deleted.;
A0225403.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.9502;Deleted.;
A0225405.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.8077;Deleted.;
A0225406.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Galapoper;Deleted.;
A0225407.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.9540;Deleted.;
A0225415.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.PWS.Snap;Deleted.;
A0225416.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.PWS.Snap;Deleted.;
A0225417.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.PWS.Snap;Deleted.;
A0225419.DLL;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Click.519;Deleted.;
A0225420.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225421.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225422.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225423.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225424.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225425.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225426.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225427.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225428.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225429.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225430.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225431.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225432.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225433.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225434.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225435.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225436.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225437.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225438.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225439.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225440.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225441.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225442.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225443.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225444.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225445.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225446.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225447.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225448.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225449.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Dialer.Silent;Deleted.;
A0225451.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.10649;Deleted.;
A0225452.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.9540;Deleted.;
A0225453.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Adware.Zango;Incurable.Moved.;
A0225454.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Adware.Zango;Incurable.Moved.;
A0225472.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.based;Deleted.;
A0225521.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.based;Deleted.;
A0225881.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1286;Trojan.DownLoader.based;Deleted.;
A0225883.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1286;Trojan.DownLoader.based;Deleted.;
A0225893.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1286;Trojan.DownLoader.based;Deleted.;
UWA6P_0001_N822M1605NetInstaller.exe;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.10346;Deleted.;
UWA6P_0001_N822M1605NetInstaller.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.1;Trojan.DownLoader.10346;Deleted.;
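
The scan log above is a semicolon-separated record per detection (file name; folder; detection name; action). The following script is an added example, not part of the thread and not a Dr.Web tool: it parses that layout (the field order is inferred from the posted lines, an assumption rather than Dr.Web documentation), separates hits inside System Restore snapshots (the `System Volume Information\_restore{...}\RPnnnn` folders) from hits on live files, groups them by family and by action, and lists what was quarantined ("Incurable.Moved.") rather than deleted. `SAMPLE_LOG` is a subset of the lines posted above.

```python
"""Summarise a Dr.Web CureIt-style scan log of name;folder;threat;action; records.

Added example (editor's code, not the poster's and not a Dr.Web feature).
Field layout is assumed from the posted log lines.
"""
import re
from collections import Counter

# Constructed sample: a subset of the detection lines pasted in the post above.
SAMPLE_LOG = r"""
A0224309.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Adware.Zango;Incurable.Moved.;
A0224315.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.DownLoader.10917;Deleted.;
A0225381.dll;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;BackDoor.Dsrv;Deleted.;
A0225420.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Trojan.Spambot;Deleted.;
A0225449.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1285;Dialer.Silent;Deleted.;
A0225881.exe;C:\System Volume Information\_restore{2539DEEC-17EA-432D-A89F-6EDB317F1372}\RP1286;Trojan.DownLoader.based;Deleted.;
UWA6P_0001_N822M1605NetInstaller.exe;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.10346;Deleted.;
UWA6P_0001_N822M1605NetInstaller.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.1;Trojan.DownLoader.10346;Deleted.;
"""

# System Restore keeps snapshot copies under _restore{GUID}\RPnnnn; capture the RP number.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)$", re.I)


def parse(log_text):
    """Turn the semicolon records into dicts; skip anything that is not a 4-field record."""
    records = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        fields = raw.rstrip(";").split(";")
        if len(fields) != 4:
            continue
        name, folder, threat, action = fields
        m = RESTORE_RE.search(folder)
        records.append({
            "name": name,
            "folder": folder,
            "threat": threat,
            "action": action.rstrip("."),                # "Deleted." -> "Deleted"
            "family": ".".join(threat.split(".")[:2]),   # Trojan.DownLoader.10917 -> Trojan.DownLoader
            "restore_point": int(m.group(1)) if m else None,
        })
    return records


def summarise(records):
    """Counts that answer: what is live, what sits in restore points, what is still on disk."""
    in_rp = [r for r in records if r["restore_point"] is not None]
    return {
        "total": len(records),
        "live": len(records) - len(in_rp),
        "in_restore_points": len(in_rp),
        "restore_points": sorted({r["restore_point"] for r in in_rp}),
        "by_family": Counter(r["family"] for r in records),
        "by_action": Counter(r["action"] for r in records),
        # Quarantined ("Incurable.Moved") files still exist, just relocated.
        "not_deleted": [r["name"] for r in records if r["action"] != "Deleted"],
        "live_folders": sorted({r["folder"] for r in records if r["restore_point"] is None}),
    }


if __name__ == "__main__":
    s = summarise(parse(SAMPLE_LOG))
    print(f"{s['total']} detections: {s['live']} live, {s['in_restore_points']} in restore points {s['restore_points']}")
    for fam, n in s["by_family"].most_common():
        print(f"  {n:3d}  {fam}")
    print("actions:", dict(s["by_action"]))
    print("quarantined, not deleted:", s["not_deleted"])
    if s["in_restore_points"]:
        print("note: restore points RP%s hold infected copies; a System Restore would bring them back"
              % "/".join(map(str, s["restore_points"])))
```

Run on the full log it makes two things obvious at a glance: almost every hit lives in RP1285/RP1286, i.e. snapshot copies that System Restore would reinstate, and the Zango entries were moved to quarantine rather than removed.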

11
Tech Clinic / Malware attack
« on: July 16, 2006, 07:39:46 PM »
I just put the programs in my Shared Documents and that seemed to work. Anyway, I followed your steps to the T and here are the reports (before I give you the reports, though, I should show you that there was one thing that could not be deleted via KillBox, which is: C:\WINDOWS\system32\ntos.exe).

Also, I have no control over my desktop wallpaper; when I go into Properties to change it, it is completely frozen.
And my Task Manager is still disabled, saying "Task Manager has been disabled by your Administrator".



Logfile of HijackThis v1.99.1
Scan saved at 5:30:48 PM, on 7/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
E:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1128695648\ee\aim6.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Grem Fox\Desktop\hijackthis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [d037c73c.exe] C:\WINDOWS\system32\d037c73c.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [d037c73c.exe] C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKCU\..\RunServices: [AtiDisplayDrv] atidrvxx.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




Ewido Scan Report

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at:   5:11:10 PM 7/16/2006

 + Scan result:   



C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
E:\Program Files\BearShare\BearShareZangoInstaller.exe/clientax.dll -> Adware.180Solutions : Error during cleaning.
HKLM\SOFTWARE\Classes\CLSID\{56F1D444-11BF-4879-A12B-79CF0177F038} -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller.1 -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56F1D444-11BF-4879-A12B-79CF0177F038} -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTbarISTbar -> Adware.HotBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll -> Adware.Zango : Cleaned with backup (quarantined).
C:\Program Files\Zango\zangohook.dll -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent.1 -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent\CLSID -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ClientAX.RequiredComponent\CurVer -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zango -> Adware.Zango : Cleaned with backup (quarantined).
HKLM\SOFTWARE\zango -> Adware.Zango : Cleaned with backup (quarantined).
C:\!KillBox\2236_27.dll -> Backdoor.Agent.adr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwaani.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwatoo.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwbiqp.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwbqlx.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwdofx.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwecdp.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvweqvk.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwfctb.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwgfgn.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwguqx.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwhwga.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwidqj.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwjdtu.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwlaxy.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwlplr.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwmmib.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwnpsn.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwnqeq.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwpesn.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwqjwr.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwqqqd.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwtiuk.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwupaa.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwuqmt.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwvick.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwvnrs.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwvtuv.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxvwxivf.exe -> Backdoor.SdBot.ate : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_0001_N85M0906NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UERS_0001_N85M0906NetInstaller.exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pmkhg.exe -> Downloader.ConHook.ac : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nеtdde.exe -> Downloader.PurityScan.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\testtestt.exe -> Downloader.Small.cyb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\D0CE0C16B1.DLL -> Hijacker.Agent.dh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N822M1605NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Ignored.
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N822M1605NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Ignored.
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D09M0706NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Ignored.
C:\Program Files\hix\scripts\IPLookup\portscan.exe -> Not-A-Virus.NetTool.Win32.Scan.12 : Ignored.
C:\!KillBox\lk.dll -> Proxy.Agent.df : Cleaned with backup (quarantined).
C:\!KillBox\_zskwrkni05chjdrhf`ugibhzuh.exe -> Proxy.Agent.km : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ipod.raw.exe -> Proxy.Lager.aq : Cleaned with backup (quarantined).
[240] C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll -> Trojan.Agent.oh : Error during cleaning.
C:\WINDOWS\system32\maxd641.exe -> Trojan.Dialer.pw : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D10M2905NetInstaller.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D10M2905NetInstaller.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00006.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00008.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.dll -> Trojan.Sinowal.af : Cleaned with backup (quarantined).
C:\!KillBox\ibm00007.exe -> Trojan.Sinowal.v : Cleaned with backup (quarantined).


::Report end




Rapport.txt

SmitFraudFix v2.72

Scan done at 14:11:19.93, Sun 07/16/2006
Run from C:\Documents and Settings\All Users\Documents\SmitfraudFix0
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2236}\InProcServer32]
@="C:\WINDOWS\system32\2236_27.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2236}\InProcServer32]
@="C:\WINDOWS\system32\2236_27.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="OLE Automation Module"

[HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\system32\mscdaux.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\system32\mscdaux.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"="DCOM Server 2238"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}\InProcServer32]
@="C:\WINDOWS\system32\dxvwcmxf.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}\InProcServer32]
@="C:\WINDOWS\system32\dxvwcmxf.exe"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\2236_27.dll -> Missing File

C:\WINDOWS\system32\2236_27.dll -> Missing File

C:\WINDOWS\system32\lk.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\desktop.html Deleted
C:\WINDOWS\xpupdate.exe Deleted
C:\WINDOWS\system32\dlh9jkdq?.exe Deleted
C:\WINDOWS\system32\kernels8.exe Deleted
C:\WINDOWS\system32\qvxgamet?.exe Deleted
C:\WINDOWS\system32\taskdir.dll Deleted
C:\WINDOWS\system32\taskdir~.exe Deleted
C:\WINDOWS\system32\TheMatrixHasYou.exe Deleted
C:\WINDOWS\system32\vxgame?.exe Deleted
C:\WINDOWS\system32\vxgamet?.exe Deleted
C:\WINDOWS\system32\zlbw.dll Deleted
C:\Program Files\BraveSentry\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2236}\InProcServer32]
@="C:\WINDOWS\system32\2236_27.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2236}\InProcServer32]
@="C:\WINDOWS\system32\2236_27.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="OLE Automation Module"

[HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\system32\mscdaux.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\system32\mscdaux.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"="DCOM Server 2238"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}\InProcServer32]
@="C:\WINDOWS\system32\dxvwcmxf.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}\InProcServer32]
@="C:\WINDOWS\system32\dxvwcmxf.exe"



»»»»»»»»»»»»»»»»»»»»»»»» End
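
The HijackThis log in this post still shows the persistence the poster describes: the F2 line chains C:\WINDOWS\system32\ntos.exe behind Userinit.exe (the file KillBox could not remove), an O20 Winlogon Notify DLL loads from All Users\Documents, an O21 SSODL entry points at an .exe, and there are O4 Run entries with generated names and a RunServices entry. The script below is an added example, not part of the thread and not a HijackThis feature: it parses the one-line-per-entry HJT format and applies triage heuristics for exactly those patterns. `SAMPLE_LOG` is copied from the poster's two logs (the Shell= line from the 7/15 log has its long run of padding spaces shortened); the heuristics and severities are the editor's assumptions, not advice the forum helper gave.

```python
"""Triage heuristics for a HijackThis 1.99.1 log.

Added example (editor's code, not the poster's and not a HijackThis feature).
Heuristics and severities are assumptions chosen to match the patterns in the
posted logs; they are not a complete detector.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section severity reasons line")
_LEVEL = {"info": 0, "medium": 1, "high": 2}

# Constructed sample: lines copied from the poster's HJT logs (Shell= padding shortened).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe      "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [d037c73c.exe] C:\WINDOWS\system32\d037c73c.exe
O4 - HKCU\..\Run: [d037c73c.exe] C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKCU\..\RunServices: [AtiDisplayDrv] atidrvxx.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\system32\dxvwcmxf.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE    = re.compile(r"^([A-Z]\d+) - (.*)$")
SHELL_RE    = re.compile(r"Shell=(.*)$", re.I)
USERINIT_RE = re.compile(r"UserInit=(.*)$", re.I)
RUN_RE      = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
NOTIFY_RE   = re.compile(r"^Winlogon Notify: \S+ - (.*)$")
SSODL_RE    = re.compile(r"^SSODL: .*? - \{[0-9A-Fa-f-]{36}\} - (.*)$")
EXE_RE      = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr))"?(?:[\s,]|$)', re.I)   # first program in a command
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)
HEXNAME_RE  = re.compile(r"^[0-9a-f]{8}(\.exe)?$", re.I)                        # d037c73c.exe-style names
PROFILE_RE  = re.compile(r"\\(Local Settings\\(Application Data|Temp)|All Users\\Documents)\\", re.I)


def triage_line(line):
    """Return a Finding for one HJT entry, or None when no heuristic fires."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sect, body = m.groups()
    reasons, worst = [], "info"

    def flag(sev, why):
        nonlocal worst
        reasons.append(why)
        if _LEVEL[sev] > _LEVEL[worst]:
            worst = sev

    if sect == "F2":                      # system.ini Shell= / UserInit= (run at logon by winlogon)
        sh = SHELL_RE.search(body)
        if sh and sh.group(1).strip().lower() != "explorer.exe":
            flag("high", "Shell= is not plain explorer.exe: " + re.sub(r"\s+", " ", sh.group(1).strip()))
        um = USERINIT_RE.search(body)
        if um:
            items = [p.strip() for p in um.group(1).split(",") if p.strip()]
            extra = [p for p in items if not p.lower().endswith("\\userinit.exe")]
            if extra:
                flag("high", "UserInit chains extra program(s) at every logon: " + ", ".join(extra))
    elif sect == "O4":                    # Run / RunOnce / RunServices autostarts
        rm = RUN_RE.match(body)
        if rm:
            _hive, key, name, cmd = rm.groups()
            em = EXE_RE.match(cmd.strip())
            exe = em.group(1) if em else cmd.strip()
            if key.lower().startswith("runservices"):
                flag("high", "RunServices is ignored by Windows XP; entries there are a malware footprint")
            if "\\" not in exe and exe.lower() != "rundll32.exe":
                flag("medium", "bare file name, resolved through the search path: " + exe)
            if HEXNAME_RE.match(name) or not name.isascii() or "`" in name:
                flag("medium", "generated-looking value name: " + name)
            if PROFILE_RE.search(exe):
                flag("medium", "autostart from a user-writable profile folder: " + exe)
    elif sect == "O20":                   # Winlogon Notify DLLs load into winlogon.exe as SYSTEM
        nm = NOTIFY_RE.match(body)
        if nm and not SYSTEM32_RE.match(nm.group(1)):
            flag("high", "Winlogon Notify DLL outside system32: " + nm.group(1))
    elif sect == "O21":                   # ShellServiceObjectDelayLoad: in-proc COM objects in Explorer
        sm = SSODL_RE.match(body)
        if sm and sm.group(1).lower().endswith(".exe"):
            flag("high", "SSODL in-process server registered as an .exe, not a .dll: " + sm.group(1))
    if "(file missing)" in body:
        flag("info", "registered component whose file is gone (orphaned entry)")
    return Finding(sect, worst, reasons, line.strip()) if reasons else None


def triage(log_text):
    """All findings for a whole log, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.line[:70]}")
        for why in f.reasons:
            print("          -", why)
```

Note what the heuristics do not catch: the `[taskdir] C:\WINDOWS\system32\taskdir.exe` entry looks like any other Run value, and only the SmitFraudFix and Dr.Web signature hits above identify it. Shape-based triage narrows the list; it does not replace a scanner.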

12
Tech Clinic / Malware attack
« on: July 16, 2006, 03:53:41 PM »
I have a small problem, guestolo: when I boot it in Safe Mode, none of the programs that you told me to download appear. I try to do Search and Run for them, i.e. Run: killbox.exe, but nothing comes up. Do you know why this is, or how I can fix it so the programs show in Safe Mode?

13
Tech Clinic / Malware attack
« on: July 16, 2006, 01:24:16 AM »
Here ya go :)

Logfile of HijackThis v1.99.1
Scan saved at 10:20:11 PM, on 7/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\d037c73c.exe
C:\WINDOWS\system32\dxvwcmxf.exe
C:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
c:\program files\common files\aol\1128695648\ee\aim6.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Grem Fox\Desktop\hijackthis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe                                                                                                    "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: (no name) - {980d2642-10c3-4184-9cd3-862328ec3fe1} - C:\WINDOWS\system32\aut029.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [d037c73c.exe] C:\WINDOWS\system32\d037c73c.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\system32\dxvwcmxf.exe
O4 - HKLM\..\Run: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKLM\..\RunServices: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [d037c73c.exe] C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
O4 - HKCU\..\RunServices: [AtiDisplayDrv] atidrvxx.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: aut029 - C:\WINDOWS\SYSTEM32\aut029.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\system32\dxvwcmxf.exe
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll
O21 - SSODL: LeXnm - {9CFF98C3-3655-3269-E61E-D5F69815CF33} - C:\WINDOWS\system32\lk.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\system32\dxvwcmxf.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

14
Tech Clinic / Malware attack
« on: July 16, 2006, 12:25:57 AM »
Hi there everyone, I've been searching the internet for a while and finally found a post about a similar problem I've encountered. I don't know much about this thing except that the screen turns black and on the bottom right hand corner it says "Your Computer is in Danger! Windows Security Center has detected spyware/adware infection! It is strongly recommended to use special antispyware tools to prevent data loss." Also there is a red dot with an x in it in the bottom right hand corner. I managed to find and delete that problem so that's not a problem that I know of anymore. I desperately need help as this program is destroying my computer, any help would be greatly appreciated! I scanned my computer with HijackThis and came up with this:

Logfile of HijackThis v1.99.1
Scan saved at 10:20:11 PM, on 7/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\d037c73c.exe
C:\WINDOWS\system32\dxvwcmxf.exe
C:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
c:\program files\common files\aol\1128695648\ee\aim6.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Grem Fox\Desktop\hijackthis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: (no name) - {980d2642-10c3-4184-9cd3-862328ec3fe1} - C:\WINDOWS\system32\aut029.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128695648\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [d037c73c.exe] C:\WINDOWS\system32\d037c73c.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\system32\dxvwcmxf.exe
O4 - HKLM\..\Run: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKLM\..\RunServices: [ÿ_zskhuzhbigu`fhrdjhc50inkrwksz_] c:\windows\system32\_zskwrkni05chjdrhf`ugibhzuh.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [d037c73c.exe] C:\Documents and Settings\Grem Fox\Local Settings\Application Data\d037c73c.exe
O4 - HKCU\..\RunServices: [AtiDisplayDrv] atidrvxx.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: aut029 - C:\WINDOWS\SYSTEM32\aut029.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\system32\dxvwcmxf.exe
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll
O21 - SSODL: LeXnm - {9CFF98C3-3655-3269-E61E-D5F69815CF33} - C:\WINDOWS\system32\lk.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\system32\dxvwcmxf.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

15
Tech Clinic / Malware Attack
« on: July 15, 2006, 06:01:03 AM »
Hi there, I am having the same problem as desmondang. I really need your help, and was wondering if anyone could help me; any help would be seriously appreciated. If you can help me I'll send you all and any information you need such as the hijack checklist and whatever else you would need me to do. I really need this thing off my computer, it's driving me crazy!

Again any help would be really appreciated, thank you for your time.

- soL
