E2Give, Command Service


This topic is locked. 6 replies to this topic.

#1 dawoodone (Full Member, 32 posts)

Posted 09 March 2006 - 03:44 AM

HOLD THE FORT! It seems that MAYBE the problem has been solved! Please look at my HijackThis log because I still think that there is something a little dodgy. (There was a delay between doing all of the following and the problem "disappearing"!?) BUT, Ad-Aware finds NOTHING now; Spybot still finds "Command Service" (but no popup troubles for a while).

- The problem is the usual malware problem: popup windows opening at will; various Ad-Aware and Spybot (both updated) checks seem to reveal the problem but cannot get rid of it. Spybot shows "Command Service" and "E2Give" (and various other recurring Hotkeys), and Ad-Aware shows the malicious dll (in the system32 folder), but that "mutates" at my attempts to remove it with those programs (plus, no removal after restarts), and the same problem with HijackThis. Have used CWShredder . . .
-- UPDATE! I searched intensively on your site for an entry that looked like basically the same problem/s; downloaded Ewido Suite and AproposFix and followed the guidelines in Safe Mode, and then I used the fix.reg suggestion as follows:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\fyksqgkx]
[-HKEY_CLASSES_ROOT\CLSID\{a9472d95-2357-44dc-a4a6-e313f559108d}]

Still the problem/s persist. Here is my LATEST HijackThis log, AFTER I "removed (fixed)" all suspicious entries!
Thanks for the help.

Logfile of HijackThis v1.99.1
Scan saved at 02:24:14, on 12/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Paula\Configurações locais\Temporary Internet Files\Content.IE5\SXU749YF\ie6setup[1].exe
C:\DOCUME~1\Paula\CONFIG~1\Temp\IXP000.TMP\ie6wzd.exe
C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINNT\system32\WISPTIS.EXE
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paula\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Paula\CONFIG~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [BrandClearStubs] RUNDLL32 IEDKCS32.DLL,BrandCleanInstallStubs >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
O4 - HKLM\..\RunOnce: [Regsister WScript] wscript -regserver
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD7E9B85-89D3-4A65-824A-281D1F52588C}: NameServer = 200.222.0.34 200.202.193.75
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\g6040gdqe60e0.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Edited by dawoodone, 12 March 2006 - 01:07 AM.


#2 nasdaq (Global Moderator, 49,081 posts)

Posted 13 March 2006 - 09:07 AM

Hello dawoodone, welcome to SWI.

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Some time ago you tried to install Internet Explorer Ver. 6, but it was not installed correctly.
How long ago was it?

For now just stop these processes from running.

ie6wzd.exe is the installation program for I.E., which has not been installed but is running as a process.
C:\DOCUME~1\Paula\CONFIG~1\Temp\IXP000.TMP\ie6wzd.exe
First Stop the process.
Go to: Control Panel - Add / Remove Programs
Click on "Add/Remove Windows Components" on the left
UNcheck "ie6wzd.exe"
Click "NEXT"
Click "Finish"
Reboot

Repeat the same for ie6setup[1].exe
C:\Documents and Settings\Paula\Configurações locais\Temporary Internet Files\Content.IE5\SXU749YF\ie6setup[1].exe

When the infection is gone you can install, not before.
  • Close all open Explorer windows and browsers
  • Run HijackThis
  • Click on the Scan button and when complete
  • Put a check beside all of the items listed below
  • Click on the "Fix Checked" button
  • When complete and all files removed, close the application.
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Paula\CONFIG~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [BrandClearStubs] RUNDLL32 IEDKCS32.DLL,BrandCleanInstallStubs >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
O4 - HKLM\..\RunOnce: [Regsister WScript] wscript -regserver
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\g6040gdqe60e0.dll (file missing)
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe (file missing)


Restart the computer to reset the registry.

From what you are telling us, and what I see in your log, you have a Look2Me infection.

Download this tool L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe" or
"C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose Close to terminate the application.", then please use Option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.


Include a fresh HijackThis log for review.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
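The entries nasdaq singles out above share three traits that a helper checks by eye: the target file is gone ("file missing"), it lives under a temp or browser-cache folder, or it hangs off a RunOnce key. The script below, added here as an illustration and not part of HijackThis, L2MFix or this thread, applies those rules to a HijackThis 1.99 log offline. The sample lines are a constructed excerpt of the log in post #1, and the rule names and thresholds are this example's own, not HijackThis's.

```python
"""Offline triage of a HijackThis 1.99 log: flag entries whose target file is
missing, sits in a temp/browser-cache folder, is a RunOnce key, or is a service
with no vendor. Added example for this thread, not HijackThis or L2MFix code."""
import re

# Constructed sample: lines taken from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Paula\CONFIG~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [Regsister WScript] wscript -regserver
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\g6040gdqe60e0.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe (file missing)
"""

# A HijackThis entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
# Folders where a legitimately installed autostart or service rarely lives.
TEMP_HINTS = ("\\TEMP\\", "\\TEMPORARY INTERNET FILES\\", "\\CONTENT.IE5\\")


def parse_entries(log_text):
    """Yield (section, body) for every O/R line in the log; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return [(section, reason, body)] for entries worth a second look.

    Rules, in the order a helper applies them by hand:
      file missing  - the key survives but its target is gone (orphan, or a
                      payload that has already renamed itself)
      temp location - autostart or service target under a temp/cache folder
      RunOnce       - one-shot keys are how half-finished installers and
                      droppers re-arm themselves on the next boot
      unknown owner - a service binary with no vendor string
    """
    findings = []
    for section, body in parse_entries(log_text):
        upper = body.upper()
        if "(FILE MISSING)" in upper:
            findings.append((section, "file missing", body))
        elif any(hint in upper for hint in TEMP_HINTS):
            findings.append((section, "temp location", body))
        elif section == "O4" and "\\RUNONCE:" in upper:
            findings.append((section, "RunOnce", body))
        elif section == "O23" and "UNKNOWN OWNER" in upper:
            findings.append((section, "unknown owner", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:14} {body}")
```

Run against the sample, the four lines nasdaq told the poster to fix come out flagged and the two AVG lines stay silent. The rules are deliberately loose: a flagged entry is a candidate for review, not proof of infection, which is why the thread still asks for a fresh log after every pass.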

#3 dawoodone (Full Member, 32 posts)

Posted 15 March 2006 - 03:19 AM

Thanks Nasdaq,

Sorry, but I must have been downloading IE6 when I made that HijackThis log and posted it, because there is no sign of it on my system anymore! (And I successfully installed IE6, without any problem.) I have tried checking/removing the HijackThis entry:
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe (file missing)
but it just keeps returning.
All the other problematic entries are gone!
I will list that l2mfix log and my latest HijackThis log. HOWEVER, a LATEST problem occurred after/during the download/running of that l2mfix program: MY TRASHCAN DISAPPEARED AND THE FOLDER TO FIND FILES, FOLDERS, etc., HAS ALSO DISAPPEARED, and I fear what else!!
Help please (a new set of problems).

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D5CD1ED9-728C-20FA-65D7-87FEE09FEE3F}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Folha de propriedades de arquivo de multimídia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gerenciamento de scanner ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Página de segurança NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Página de propriedades do arquivo de documento OLE"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensões do Shell para compartilhamento"
"{41E300E0-78B6-11ce-849B-444553540000}"="Extensão do 'Painel de controle' PlusPack"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extensão do 'Painel de controle' para adaptador de vídeo"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extensão do 'Painel de controle' para monitor de vídeo"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extensão do 'Painel de controle' para panorâmica de vídeo"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Página de segurança DS"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Manipulador de dados de recorte do shell"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Extensão de cópia de disco"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensões do shell para objetos Microsoft Windows Network"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Gerenciamento de monitor ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Gerenciamento de impressora ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensões do shell para compactação de arquivos"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Extensão do shell de impressora na Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu de contexto de criptografia"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Porta-arquivos"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Extensão de ícone do HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Perfil ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Página de segurança de impressoras"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensões do Shell para compartilhamento"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensões de interpretador de comando para o Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extensão PKO de criptografia"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extensão do sinal de criptografia"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Conexões dial-up e de rede"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Serviço de histórico de URLs da Microsoft"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Histórico"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tarefas agendadas"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Pasta 'Favoritos' do shell"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="Meu computador"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Pasta 'Porta-arquivos'"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Atalho de pasta"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Volume montado"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="Extensão de página de propriedade do arquivo"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="Página de tipos de arquivo"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="Captura de tipos de arquivo MIME"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Serviço 'Copiar para' da Microsoft"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Serviço 'Mover para' da Microsoft"
"{13709620-C279-11CE-A49E-444553540000}"="Serviço de automatização do shell"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Exibição da pasta de automatização do shell"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Menu 'Iniciar'"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Serviço 'Enviar para' da Microsoft"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Serviço 'Novo objeto' da Microsoft"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Manipulador do menu de contexto 'Abrir como'"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Extensões HTML do painel de controle 'Vídeo'"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Extensão da página de propriedade de opções de pasta"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Auxiliador de arrastar e largar do Shell"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Adicionar item de criptografia aos menus de contexto no Explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barra de ferramentas do Microsoft Internet Explorer"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Status do download"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Pasta 'Menu do Shell'"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Faixa de menu"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Menu do shell de rastreamento"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Local do menu"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Barra da área de menus"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Pasta do shell aumentada"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Pasta do shell aumentada 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Faixa de pesquisa"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Pesquisa no painel"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Pesquisa na Web"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilitário de opções de árvore do Registro"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="E&ndereço"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Caixa de edição de endereço"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Preenchimento automático da Microsoft"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Imagem em miniatura"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Lista de preenchimento automático MRU"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lista de preenchimento automático de histórico da Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Lista de preenchimento automático de pastas do Shell da Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Recipiente de lista de preenchimento automático múltiplo da Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu de site de faixa do Shell"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistência ao usuário"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Configurações de pasta globais"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Pasta cache de ActiveX"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Pasta de inscrições"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Miniaturas"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="Extrator de miniaturas HTML"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Extrator de miniaturas de filtros gráficos do Office"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Identificador de informações de resumo de miniaturas (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="Delegante de interface de miniaturas de arquivos LNK"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Gerenciador de aplicativos do shell"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Enumerador de aplicativos instalado"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Menu de arquivos off-line"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Opções de pastas de arquivos off-line"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Pasta de arquivos off-line"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Pastas da Web"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{F0EA5019-236B-41B2-83D2-A191FDF4C5EB}"=""
"{4C8B40CC-B9AD-4457-96EF-328BCFF7F4DD}"=""
"{F1B84F7F-DA4D-4366-9B67-4C1CE8AA39A0}"=""
"{08EFAE49-8344-4738-8F99-C87C6A6B02A3}"=""
"{96B5CE4C-FB64-4D16-B696-1D4AD5692735}"=""
"{AD0972A8-2E89-4917-9321-3C1F532B37C1}"=""
"{C729DCC0-6F5D-483B-BFC9-A845D9BD2787}"=""
"{F9B318EE-55AE-46AE-B0FF-471BFDF8B132}"=""
"{BAFD1613-3E40-4DBC-929F-B06E868FE6B7}"=""
"{1A141565-AED3-489D-A247-7140332C4CD3}"=""
"{DE0E5089-AF99-450B-B3CB-7DCAE891E56E}"=""
"{D23283B9-1CFB-432E-BACF-6A209BF1D9B9}"=""
"{9098BB9A-9F9A-479E-979C-FE0879FDF292}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Faixa de mídia"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Lista personalizada MRU preenchida automaticamente"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Acessível"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barra Popup de controle"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analisador da barra de endereços"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Faixa do Explorer"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Arquivo de canal"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Atalho para o canal"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Objeto manipulador de canais"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F0EA5019-236B-41B2-83D2-A191FDF4C5EB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F0EA5019-236B-41B2-83D2-A191FDF4C5EB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F0EA5019-236B-41B2-83D2-A191FDF4C5EB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F0EA5019-236B-41B2-83D2-A191FDF4C5EB}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4C8B40CC-B9AD-4457-96EF-328BCFF7F4DD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C8B40CC-B9AD-4457-96EF-328BCFF7F4DD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C8B40CC-B9AD-4457-96EF-328BCFF7F4DD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C8B40CC-B9AD-4457-96EF-328BCFF7F4DD}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F1B84F7F-DA4D-4366-9B67-4C1CE8AA39A0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1B84F7F-DA4D-4366-9B67-4C1CE8AA39A0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1B84F7F-DA4D-4366-9B67-4C1CE8AA39A0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1B84F7F-DA4D-4366-9B67-4C1CE8AA39A0}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{08EFAE49-8344-4738-8F99-C87C6A6B02A3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{08EFAE49-8344-4738-8F99-C87C6A6B02A3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{08EFAE49-8344-4738-8F99-C87C6A6B02A3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{08EFAE49-8344-4738-8F99-C87C6A6B02A3}\InprocServer32]
@="C:\\WINNT\\system32\\situpdll.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{96B5CE4C-FB64-4D16-B696-1D4AD5692735}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{96B5CE4C-FB64-4D16-B696-1D4AD5692735}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{96B5CE4C-FB64-4D16-B696-1D4AD5692735}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{96B5CE4C-FB64-4D16-B696-1D4AD5692735}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C729DCC0-6F5D-483B-BFC9-A845D9BD2787}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C729DCC0-6F5D-483B-BFC9-A845D9BD2787}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C729DCC0-6F5D-483B-BFC9-A845D9BD2787}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C729DCC0-6F5D-483B-BFC9-A845D9BD2787}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F9B318EE-55AE-46AE-B0FF-471BFDF8B132}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F9B318EE-55AE-46AE-B0FF-471BFDF8B132}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F9B318EE-55AE-46AE-B0FF-471BFDF8B132}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F9B318EE-55AE-46AE-B0FF-471BFDF8B132}\InprocServer32]
@="C:\\WINNT\\system32\\oxe2disp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BAFD1613-3E40-4DBC-929F-B06E868FE6B7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BAFD1613-3E40-4DBC-929F-B06E868FE6B7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BAFD1613-3E40-4DBC-929F-B06E868FE6B7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BAFD1613-3E40-4DBC-929F-B06E868FE6B7}\InprocServer32]
@="C:\\WINNT\\system32\\mlxdm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1A141565-AED3-489D-A247-7140332C4CD3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A141565-AED3-489D-A247-7140332C4CD3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A141565-AED3-489D-A247-7140332C4CD3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A141565-AED3-489D-A247-7140332C4CD3}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DE0E5089-AF99-450B-B3CB-7DCAE891E56E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE0E5089-AF99-450B-B3CB-7DCAE891E56E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE0E5089-AF99-450B-B3CB-7DCAE891E56E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE0E5089-AF99-450B-B3CB-7DCAE891E56E}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D23283B9-1CFB-432E-BACF-6A209BF1D9B9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D23283B9-1CFB-432E-BACF-6A209BF1D9B9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D23283B9-1CFB-432E-BACF-6A209BF1D9B9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D23283B9-1CFB-432E-BACF-6A209BF1D9B9}\InprocServer32]
@="C:\\WINNT\\system32\\ogeacc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9098BB9A-9F9A-479E-979C-FE0879FDF292}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9098BB9A-9F9A-479E-979C-FE0879FDF292}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9098BB9A-9F9A-479E-979C-FE0879FDF292}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9098BB9A-9F9A-479E-979C-FE0879FDF292}\InprocServer32]
@="C:\\WINNT\\system32\\mbxoci.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
vsdata.dll Sun 19 Feb 2006 18:26:20 A.... 83.720 81,76 K
vsinit.dll Sun 19 Feb 2006 18:26:32 A.... 141.064 137,76 K
vsmonapi.dll Sun 19 Feb 2006 18:26:42 A.... 104.208 101,77 K
vspubapi.dll Sun 19 Feb 2006 18:26:46 A.... 227.088 221,77 K
vsregexp.dll Sun 19 Feb 2006 18:26:50 A.... 71.440 69,77 K
vsutil.dll Sun 19 Feb 2006 18:27:02 A.... 382.728 373,76 K
vsxml.dll Sun 19 Feb 2006 18:27:10 A.... 100.104 97,76 K
zlcomm.dll Sun 19 Feb 2006 18:27:32 A.... 79.624 77,76 K
zlcommdb.dll Sun 19 Feb 2006 18:27:36 A.... 71.440 69,77 K

9 items found: 9 files, 0 directories.
Total of file sizes: 1.261.416 bytes 1,20 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 4817-E59B

Directory of C:\WINNT\System32

12/03/2006 00:43 <DIR> dllcache
0 file(s) 0 bytes
1 dir(s) 5.399.412.736 bytes free

Logfile of HijackThis v1.99.1
Scan saved at 05:08:21, on 15/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\OS2SRV.EXE
C:\WINNT\system32\os2ss.exe
C:\Documents and Settings\Paula\Meus documentos\Davibrinde\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD7E9B85-89D3-4A65-824A-281D1F52588C}: NameServer = 200.222.0.34 200.202.193.75
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Edited by dawoodone, 15 March 2006 - 03:25 AM.


#4 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 15 March 2006 - 10:09 AM

Sorry, but I must have been downloading ie6 when I made that hijackthis log and posted it, because there is no sign of it on my system anymore! (And I successfully installed ie6, without any problem). I have tried checking/ removing the hijackthis entry:


Your first log clearly indicates that you were running I.E. 5 when you submitted the log.

MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000) <-- 1st Log.

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) <-- Now.

I would like to know when you did the upgrade.
Were all the programs, Windows, and security software disabled when you did?

HOWEVER LATEST problem (occurred after/during the download/running of that l2mfix program - MY TRASHCAN DISAPPEARED AND THE FOLDER TO FIND FILES, FOLDERS, etc., HAS ALSO DISAPPEARED, and I fear what else!!


To my knowledge and experience the download and running of l2mfix never caused any of the problems you have enumerated.
If you were installing I.E. 6 while downloading or running the fix that may be the cause.

First let us deal with the removal of the Look2Me infection. That infection may have been the cause of your current problem.

Close all programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double click the second.bat file to continue with the fix.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#5 dawoodone

dawoodone

    Member

  • Full Member
  • Pip
  • 32 posts

Posted 25 March 2006 - 05:01 PM

L2mfix 032106
Creating Account.
Comando concluído com êxito.
Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINNT\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 156 'smss.exe'
Killing PID 156 'smss.exe'
Error 0x5 : Acesso negado.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 176 'winlogon.exe'
Killing PID 176 'winlogon.exe'
Error 0x5 : Acesso negado.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 908 'explorer.exe'
Killing PID 908 'explorer.exe'
Error 0x5 : Acesso negado.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F0EA5019-236B-41B2-83D2-A191FDF4C5EB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F0EA5019-236B-41B2-83D2-A191FDF4C5EB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F0EA5019-236B-41B2-83D2-A191FDF4C5EB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F0EA5019-236B-41B2-83D2-A191FDF4C5EB}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4C8B40CC-B9AD-4457-96EF-328BCFF7F4DD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C8B40CC-B9AD-4457-96EF-328BCFF7F4DD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C8B40CC-B9AD-4457-96EF-328BCFF7F4DD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C8B40CC-B9AD-4457-96EF-328BCFF7F4DD}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F1B84F7F-DA4D-4366-9B67-4C1CE8AA39A0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1B84F7F-DA4D-4366-9B67-4C1CE8AA39A0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1B84F7F-DA4D-4366-9B67-4C1CE8AA39A0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1B84F7F-DA4D-4366-9B67-4C1CE8AA39A0}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{08EFAE49-8344-4738-8F99-C87C6A6B02A3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{08EFAE49-8344-4738-8F99-C87C6A6B02A3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{08EFAE49-8344-4738-8F99-C87C6A6B02A3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{08EFAE49-8344-4738-8F99-C87C6A6B02A3}\InprocServer32]
@="C:\\WINNT\\system32\\situpdll.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{96B5CE4C-FB64-4D16-B696-1D4AD5692735}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{96B5CE4C-FB64-4D16-B696-1D4AD5692735}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{96B5CE4C-FB64-4D16-B696-1D4AD5692735}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{96B5CE4C-FB64-4D16-B696-1D4AD5692735}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C729DCC0-6F5D-483B-BFC9-A845D9BD2787}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C729DCC0-6F5D-483B-BFC9-A845D9BD2787}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C729DCC0-6F5D-483B-BFC9-A845D9BD2787}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C729DCC0-6F5D-483B-BFC9-A845D9BD2787}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F9B318EE-55AE-46AE-B0FF-471BFDF8B132}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F9B318EE-55AE-46AE-B0FF-471BFDF8B132}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F9B318EE-55AE-46AE-B0FF-471BFDF8B132}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F9B318EE-55AE-46AE-B0FF-471BFDF8B132}\InprocServer32]
@="C:\\WINNT\\system32\\oxe2disp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BAFD1613-3E40-4DBC-929F-B06E868FE6B7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BAFD1613-3E40-4DBC-929F-B06E868FE6B7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BAFD1613-3E40-4DBC-929F-B06E868FE6B7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BAFD1613-3E40-4DBC-929F-B06E868FE6B7}\InprocServer32]
@="C:\\WINNT\\system32\\mlxdm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1A141565-AED3-489D-A247-7140332C4CD3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A141565-AED3-489D-A247-7140332C4CD3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A141565-AED3-489D-A247-7140332C4CD3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A141565-AED3-489D-A247-7140332C4CD3}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DE0E5089-AF99-450B-B3CB-7DCAE891E56E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE0E5089-AF99-450B-B3CB-7DCAE891E56E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE0E5089-AF99-450B-B3CB-7DCAE891E56E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE0E5089-AF99-450B-B3CB-7DCAE891E56E}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D23283B9-1CFB-432E-BACF-6A209BF1D9B9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D23283B9-1CFB-432E-BACF-6A209BF1D9B9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D23283B9-1CFB-432E-BACF-6A209BF1D9B9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D23283B9-1CFB-432E-BACF-6A209BF1D9B9}\InprocServer32]
@="C:\\WINNT\\system32\\ogeacc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9098BB9A-9F9A-479E-979C-FE0879FDF292}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9098BB9A-9F9A-479E-979C-FE0879FDF292}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9098BB9A-9F9A-479E-979C-FE0879FDF292}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9098BB9A-9F9A-479E-979C-FE0879FDF292}\InprocServer32]
@="C:\\WINNT\\system32\\mbxoci.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F0EA5019-236B-41B2-83D2-A191FDF4C5EB}"=-
"{4C8B40CC-B9AD-4457-96EF-328BCFF7F4DD}"=-
"{F1B84F7F-DA4D-4366-9B67-4C1CE8AA39A0}"=-
"{08EFAE49-8344-4738-8F99-C87C6A6B02A3}"=-
"{96B5CE4C-FB64-4D16-B696-1D4AD5692735}"=-
"{AD0972A8-2E89-4917-9321-3C1F532B37C1}"=-
"{C729DCC0-6F5D-483B-BFC9-A845D9BD2787}"=-
"{F9B318EE-55AE-46AE-B0FF-471BFDF8B132}"=-
"{BAFD1613-3E40-4DBC-929F-B06E868FE6B7}"=-
"{1A141565-AED3-489D-A247-7140332C4CD3}"=-
"{DE0E5089-AF99-450B-B3CB-7DCAE891E56E}"=-
"{D23283B9-1CFB-432E-BACF-6A209BF1D9B9}"=-
"{9098BB9A-9F9A-479E-979C-FE0879FDF292}"=-
[-HKEY_CLASSES_ROOT\CLSID\{F0EA5019-236B-41B2-83D2-A191FDF4C5EB}]
[-HKEY_CLASSES_ROOT\CLSID\{4C8B40CC-B9AD-4457-96EF-328BCFF7F4DD}]
[-HKEY_CLASSES_ROOT\CLSID\{F1B84F7F-DA4D-4366-9B67-4C1CE8AA39A0}]
[-HKEY_CLASSES_ROOT\CLSID\{08EFAE49-8344-4738-8F99-C87C6A6B02A3}]
[-HKEY_CLASSES_ROOT\CLSID\{96B5CE4C-FB64-4D16-B696-1D4AD5692735}]
[-HKEY_CLASSES_ROOT\CLSID\{AD0972A8-2E89-4917-9321-3C1F532B37C1}]
[-HKEY_CLASSES_ROOT\CLSID\{C729DCC0-6F5D-483B-BFC9-A845D9BD2787}]
[-HKEY_CLASSES_ROOT\CLSID\{F9B318EE-55AE-46AE-B0FF-471BFDF8B132}]
[-HKEY_CLASSES_ROOT\CLSID\{BAFD1613-3E40-4DBC-929F-B06E868FE6B7}]
[-HKEY_CLASSES_ROOT\CLSID\{1A141565-AED3-489D-A247-7140332C4CD3}]
[-HKEY_CLASSES_ROOT\CLSID\{DE0E5089-AF99-450B-B3CB-7DCAE891E56E}]
[-HKEY_CLASSES_ROOT\CLSID\{D23283B9-1CFB-432E-BACF-6A209BF1D9B9}]
[-HKEY_CLASSES_ROOT\CLSID\{9098BB9A-9F9A-479E-979C-FE0879FDF292}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/08EFAE49-8344-4738-8F99-C87C6A6B02A3.reg (164 bytes security) (deflated 70%)
adding: backregs/1A141565-AED3-489D-A247-7140332C4CD3.reg (164 bytes security) (deflated 70%)
adding: backregs/4C8B40CC-B9AD-4457-96EF-328BCFF7F4DD.reg (164 bytes security) (deflated 71%)
adding: backregs/9098BB9A-9F9A-479E-979C-FE0879FDF292.reg (164 bytes security) (deflated 70%)
adding: backregs/96B5CE4C-FB64-4D16-B696-1D4AD5692735.reg (164 bytes security) (deflated 70%)
adding: backregs/BAFD1613-3E40-4DBC-929F-B06E868FE6B7.reg (164 bytes security) (deflated 70%)
adding: backregs/C729DCC0-6F5D-483B-BFC9-A845D9BD2787.reg (164 bytes security) (deflated 70%)
adding: backregs/D23283B9-1CFB-432E-BACF-6A209BF1D9B9.reg (164 bytes security) (deflated 70%)
adding: backregs/DE0E5089-AF99-450B-B3CB-7DCAE891E56E.reg (164 bytes security) (deflated 70%)
adding: backregs/F0EA5019-236B-41B2-83D2-A191FDF4C5EB.reg (164 bytes security) (deflated 70%)
adding: backregs/F1B84F7F-DA4D-4366-9B67-4C1CE8AA39A0.reg (164 bytes security) (deflated 71%)
adding: backregs/F9B318EE-55AE-46AE-B0FF-471BFDF8B132.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (152 bytes security) (deflated 85%)
adding: backregs/shell.reg (152 bytes security) (deflated 74%)


Logfile of HijackThis v1.99.1
Scan saved at 05:40:42, on 22/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Documents and Settings\Paula\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#6 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 26 March 2006 - 07:54 AM

Nice work, the log is clean.

Special attention is required to remove this empty string in the registry.

O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe (file missing)

Please disable Command Service as follows:
  • Go to Start-> Run and type Services.msc then click OK.
  • Click the Extended tab at the bottom.
  • Scroll down until you find the NetDDE Server.
  • Click once on NetDDE Server to highlight it.
  • Click Stop this service in the left pane.
  • Right-Click on NetDDE Server and choose Properties.
  • Select the General tab.
  • Click the down-arrow on the right-hand side of the Start-up Type box.
  • From the drop-down menu, choose Disabled.
  • Click Apply, then click OK.
Please delete Command Service as follows:
  • Please run HijackThis and click Config -> Misc Tools -> Delete an NT service.
  • In the Delete window, type NetDDEsrv and press OK.
  • OK any prompts, close HijackThis.
Stay clean.

How did I get infected in the first place?

You usually get infected because your security settings are too low.

Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:

1.) Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others (which are amongst the most notorious), come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

2.) Go to Internet Explorer > Tools > Windows Update > Product Updates, and install ALL High-Priority Security Updates listed.
If you're running Windows XP, that of course includes the Service Pack 2! If you suspect your computer is infected with Malware of any type, we advise you to not install SP2 if you don't already have it. You can post a HijackThis log on our Forums to get free Expert help cleaning your machine. Once you are sure you have a clean system, it is highly recommended to install SP2 to help prevent against future infections.

It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

3.) Open Internet Explorer and go to Internet Options > Security > Internet, then press "Default Level", then OK.
  • Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option > Security.

So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an activex control, it is running an executable program. It's no different from doubleclicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

4.) Install Javacool's SpywareBlaster

It will protect you from most spy/foistware in its database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer)
Press "Enable All Protection", and you're done.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer.
Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.

5.) Let's also not forget that Spybot Search & Destroy has the Immunize feature which works roughly the same way. Another feature within Spybot is the TeaTimer option. This option immediately detects known malicious processes wanting to start and terminates them. TeaTimer also detects when something wants to change some critical registry keys and gives you an option to allow them or not.

6.) Microsoft now offers their own free malicious software blocking tool, Windows Defender. (Not compatible with Windows 98 and ME.)

7.) Another excellent program by Javacool we recommend is SpywareGuard.
It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

8.) IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

*It is important to note that all of the above programs/files can be run simultaneously on your system. They will work together in layers, so to speak, to help protect your computer. However, the following suggestions are designed to only run one of each. It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other.*

9.) It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Three good ones that are freeware to boot are ZoneAlarm, Kerio and Sygate.

10.) An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.

11.) Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests.
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.

Happy safe computing!!
nasdaq

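As an added example (not part of this thread and not HijackThis' own code): a small Python triage of the O23 service lines from the log above. It flags the orphaned NetDDEsrv registration whose binary is missing, flags services with no recorded publisher for manual review, and derives the short service name that the "Delete an NT service" step asks for; the sc.exe equivalents at the end are an assumption for readers who prefer the command line over Services.msc.

```python
"""Triage the O23 (NT service) lines of a HijackThis 1.99.1 log.

Services whose binary is missing are orphaned registrations (the NetDDEsrv
case above); services with "Unknown owner" carry no publisher and should be
confirmed by hand.  Sample lines below are copied from the log in this thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shape of an O23 line as HijackThis prints it:
#   O23 - Service: <display name> [(<short name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    display: str
    short: Optional[str]   # None when HijackThis prints no short (key) name
    owner: str
    path: str
    file_missing: bool

    @property
    def name_for_deletion(self) -> str:
        # "Delete an NT service" and sc.exe want the short key name;
        # fall back to the display name when none was printed.
        return self.short or self.display


def parse_o23(lines) -> List[ServiceEntry]:
    """Keep only O23 lines and split them into their fields."""
    entries = []
    for line in lines:
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(
                display=m["display"], short=m["short"], owner=m["owner"],
                path=m["path"], file_missing=m["missing"] is not None))
    return entries


def triage(lines) -> List[Tuple[str, ServiceEntry, str]]:
    """Return (severity, entry, reason) for every service worth a second look."""
    findings = []
    for e in parse_o23(lines):
        if e.file_missing:
            findings.append(("high", e,
                             "binary missing: orphaned registration, disable and delete"))
        elif e.owner == "Unknown owner":
            findings.append(("review", e,
                             "no publisher recorded: confirm the binary is expected"))
    return findings


def services_to_delete(lines) -> List[str]:
    """Short names to feed to HijackThis' 'Delete an NT service' dialog."""
    return [e.name_for_deletion for sev, e, _ in triage(lines) if sev == "high"]


def sc_commands(short_name: str) -> List[str]:
    # Command-line equivalent of the Services.msc / HijackThis steps (assumption:
    # sc.exe is present; built into XP and later, Resource Kit on Windows 2000).
    return [f"sc stop {short_name}",
            f"sc config {short_name} start= disabled",
            f"sc delete {short_name}"]


# Constructed sample: the O23 block from the log above plus one non-O23 line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for sev, e, why in triage(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {e.display} ({e.name_for_deletion}): {why}")
    for name in services_to_delete(SAMPLE_LOG.splitlines()):
        print("\n".join(sc_commands(name)))
```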

#7 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 09 April 2006 - 08:44 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq




