hjt log and a related problem

I ran Ad-Aware SE and it showed that I had a trojan (don't recall the name), so I deleted everything with Ad-Aware SE ONLY, and after doing so I cannot get online at all: no AIM, no IE, etc. I have a connection, but there are still traces of the trojan left that I don't feel comfortable removing myself without being told to do so, because it is contained in the System32 and Windows folders. Also, I keep getting IPWINS in Add or Remove Programs, as well as a few others that keep pop-ups running strong. Anyways, here's the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 6:57:28 PM, on 4/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\psquery\psquery.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\{3C1CEC14-0958-1033-1202-030512200001}\Update.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Denver Hall\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
O2 - BHO: Web Assistant - {04DCB78C-AB45-83AD-A86A-6DFB90277939} - C:\Program Files\psquery\psquery.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C1CE~1\Bar888.dll (file missing)
O2 - BHO: (no name) - {CD7805EE-9779-CF8B-7FE5-B39EFA3505C9} - C:\WINDOWS\System32\sdak.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C1CE~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [{3C1CEC14-0958-1033-1202-030512200001}] "C:\Program Files\Common Files\{3C1CEC14-0958-1033-1202-030512200001}\Update.exe" te-110-12-0000213
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm492YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\uvjksod.dll (file missing)
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UmljayBIYWxs\command.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Denver Hall\ie_updater.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
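As an added illustration (not code from the thread or from HijackThis), here is a small Python triage script that parses entries in the HijackThis log format shown above and flags the patterns the helpers act on: repeated O10 entries naming one unknown Winsock LSP DLL, O2/O21/O23 entries whose file is missing or whose owner is unknown, an O4 autorun living in a GUID-named folder, and a running process whose name is one character away from svchost.exe. The function and constant names are my own; SAMPLE_LOG is a constructed excerpt of entries copied from the posted log.

```python
"""HijackThis log triage: an added example, not code from the thread or from HijackThis.
Parses the 'Rn - ' / 'Onn - ' entries of a HijackThis v1.99-style log and flags the
patterns the helpers in the thread act on. SAMPLE_LOG is a constructed excerpt."""
import re
from collections import Counter
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<code>[RONF]\d{1,2}) - (?P<body>.*)$")
# A GUID-named folder inside a path, e.g. ...\Common Files\{3C1CEC14-...}\Update.exe
GUID_DIR_RE = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}\\")
# Core Windows binaries whose names malware likes to imitate (svchost.exe -> svchosts.exe).
CORE_PROCESSES = ("svchost.exe", "smss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "spoolsv.exe", "explorer.exe")


@dataclass
class Finding:
    code: str    # HijackThis section (O10, O23, ...) or PROC for the process list
    reason: str
    detail: str


def parse_entries(log_text):
    """Return (section code, body) for every 'Rn - ...' / 'Onn - ...' line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def running_processes(log_text):
    """Return the paths listed under 'Running processes:'."""
    procs, in_list = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_list = True
        elif in_list:
            if not line or ENTRY_RE.match(line):
                break
            procs.append(line)
    return procs


def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text):
    """Return the findings a helper would call out before writing a fix script."""
    findings, entries = [], parse_entries(log_text)
    # HijackThis prints one O10 line per Winsock catalog entry, so a hijacked LSP
    # chain shows the same unknown DLL over and over, as in the posted log.
    lsp = Counter(body.split(":", 1)[1].strip().lower()
                  for code, body in entries if code == "O10")
    for dll, n in lsp.items():
        findings.append(Finding("O10", f"unknown Winsock LSP module in {n} catalog entries", dll))
    for code, body in entries:
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(code, "entry points at a file that no longer exists", body))
        if code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, "service with no identifiable vendor", body))
        if code == "O4" and GUID_DIR_RE.search(body):
            findings.append(Finding(code, "autorun binary living in a GUID-named folder", body))
    for proc in running_processes(log_text):
        name = proc.rsplit("\\", 1)[-1].lower()
        for known in CORE_PROCESSES:
            if name != known and levenshtein(name, known) == 1:
                findings.append(Finding("PROC", f"process name one edit away from {known}", proc))
    return findings


# Constructed excerpt: entries copied from the log in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchosts.exe
C:\Program Files\psquery\psquery.exe

O2 - BHO: (no name) - {CD7805EE-9779-CF8B-7FE5-B39EFA3505C9} - C:\WINDOWS\System32\sdak.dll (file missing)
O4 - HKLM\..\Run: [{3C1CEC14-0958-1033-1202-030512200001}] "C:\Program Files\Common Files\{3C1CEC14-0958-1033-1202-030512200001}\Update.exe" te-110-12-0000213
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lzxsllacvja.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\uvjksod.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UmljayBIYWxs\command.exe (file missing)
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Denver Hall\ie_updater.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}: {f.detail}")
```

On the full log from the post the O10 finding reports the same DLL in 47 catalog entries; the script only reads the log and changes nothing on the machine.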
Re: hjt log and a related problem

What are these, and why so many?
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\System32\svchost.exe

This one keeps coming back, and sometimes won't allow me to delete it because it says it's in use (with all other windows closed except for the Common Files folder):
C:\Program Files\Common Files\{3C1CEC14-0958-1033-1202-030512200001}\Update.exe
Re: hjt log and a related problem

Download SDFix and save it to your desktop. Please then reboot your computer in Safe Mode by doing the following:
Re: hjt log and a related problem

SDFix: Version 1.79
Run by Denver Hall - Sun 04/22/2007 - 13:14:26.81
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
COM+ Messages
Microsoft IEUpdater22
Runtime

ImagePath:
"C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213
C:\Documents and Settings\Denver Hall\ie_updater.exe /start
\??\C:\WINDOWS\System32\drivers\runtime.sys

COM+ Messages - Deleted
Microsoft IEUpdater22 - Deleted
Runtime - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:
No Trojan Files Found...

Removing Temp Files

ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:
Remaining Services:
------------------
Rootkit PE386 Active, Use a Rootkit scanner !

Remaining Files:
---------------
Checking For Files with Hidden Attributes:
C:\Program Files\??stem\c?rss.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP176\A0090209.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP176\A0090210.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP180\A0094257.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP195\A0109303.exe

Finished
Re: hjt log and a related problem

To me it seems like nothing was done. I have an internet connection but I still can't get online on that computer. The only thing that has changed is that before, when I tried using something that required the InstallShield Wizard or w/e, it said my computer didn't have enough memory, and now it works as it should. On the status bar it says "detecting proxy settings", then it tries to load the page and the status bar displays "Downloading from site: res://C:\Windows\System32\shdoclc.dll/dnserror.htm". After displaying that, it says that it cannot find the server. When I try to enter another website, a window pops up that says "Internet Explorer could not open the search page"; it doesn't matter what website it is. Also, AIM will not connect to the internet, and as I said, my task bar as well as Internet Connections is showing that I am connected to the internet.
Re: hjt log and a related problem

Download Rustbfix from one of these locations:
http://www.uploads.ejvindh.net/rustbfix.exe
http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe
...and save it to your desktop. Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
Re: hjt log and a related problem

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\byuwarbf

*******************

Script file located at: \??\C:\bguofwvw.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

*************************
Rustock.b-fix -- By ejvindh
*************************
Sun 04/22/2007 17:40:01.25

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 80888
Total size: 80888 bytes.
Attempting to remove ADS...
system32: deleted 80888 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************************* End of Logfile ********************************
Re: hjt log and a related problem

Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, April 22, 2007 8:11:19 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R163 26.03.2007

References detected during the scan:
Adware.MyToolbar(TAC index:3):2 total references
Adware.Yazzle(TAC index:7):4 total references
CmdServices(TAC index:4):13 total references
Hacktool.Netmon(TAC index:3):1 total references
MRU List(TAC index:0):14 total references
PurityScan(TAC index:6):1 total references
Softomate Toolbar(TAC index:9):38 total references
Targetsaver(TAC index:8):1 total references
WebHancer(TAC index:9):1 total references
Win32.Trojan.Downloader(TAC index:10):4 total references
Win32.Trojan.MatrixHasYou(TAC index:10):3 total references
Win32.TrojanDownloader.Adload(TAC index:10):3 total references
Win32.TrojanDownloader.Agent(TAC index:10):2 total references

4-22-2007 8:11:19 PM - Scan started. (Full System Scan)

8:20:20 PM Scan Complete

Summary Of This Scan
Total scanning time:00:09:00.203
Objects scanned:144594
Objects identified:73
Objects ignored:0
New critical objects:73
Re: hjt log and a related problem

Can you please do the following.

===============

Before we begin, let's move HiJackThis to its own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders, and with HiJackThis in its current location we'd lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later. Also move the "Backups" folder, for HiJackThis, if present.

===============

Go to Add/Remove programs and uninstall the following, if present:

MyWebSearch

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Next, open a command prompt by:
1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).
- Now, locate and 'stop' the following services, if present:

COM+ Messages owner ... (C:\WINDOWS\System32\svchosts.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

===============

Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
- Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\System32\svchosts.exe
C:\Program Files\Common Files\{3C1CEC14-0958-1033-1202-030512200001}\Update.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Download LSPFix and unzip to your desktop, then run it. Now, we need to:
1. check (tick) "I know what I'm doing".
2. click on (highlight) each occurrence of the following, one at a time:

lzxsllacvja.dll

3. then click ">>", moving each one, individually, to the 'Remove' pane.
4. (double-check, and make sure that only the above files are in the 'Remove' pane.)
5. click "Finish >>"

===============

Scan with HijackThis and then place a check next to all the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: Web Assistant - {04DCB78C-AB45-83AD-A86A-6DFB90277939} - C:\Program Files\psquery\psquery.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C1CE~1\Bar888.dll (file missing)
O2 - BHO: (no name) - {CD7805EE-9779-CF8B-7FE5-B39EFA3505C9} - C:\WINDOWS\System32\sdak.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C1CE~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [{3C1CEC14-0958-1033-1202-030512200001}] "C:\Program Files\Common Files\{3C1CEC14-0958-1033-1202-030512200001}\Update.exe" te-110-12-0000213
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm492YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\uvjksod.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UmljayBIYWxs\command.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Denver Hall\ie_updater.exe

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

folders...
C:\Program Files\Common Files\{3C1CEC14-0958-1033-1202-030512200001}
C:\Program Files\psquery

files...
C:\WINDOWS\System32\svchosts.exe
c:\windows\system32\lzxsllacvja.dll
C:\Documents and Settings\Denver Hall\ie_updater.exe

- Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
- Reboot.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files: Download, install and keep updated, SpywareBlaster.
If you've installed it for the first time:
1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.
- Note: Remember to regularly check for updates.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
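The reply above picks its "fix checked" entries by the same structural tells each time: a registry entry whose target is gone ("(file missing)" / "(no file)"), an O23 service with no registered owner, an executable launched from a user profile or from a GUID-named folder, and a file name one letter away from a real system binary (svchosts.exe next to svchost.exe). As an added example that is not part of this thread, the Python below applies those checks to a handful of lines copied from the posted HijackThis log plus one constructed benign O4 entry; the heuristics, the `Finding` type and the function names are mine, not HijackThis features.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Entries copied from the HijackThis log quoted in this thread, plus one
# constructed benign O4 entry (the last line) so a clean entry is exercised too.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: Web Assistant - {04DCB78C-AB45-83AD-A86A-6DFB90277939} - C:\Program Files\psquery\psquery.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C1CE~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [{3C1CEC14-0958-1033-1202-030512200001}] "C:\Program Files\Common Files\{3C1CEC14-0958-1033-1202-030512200001}\Update.exe" te-110-12-0000213
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\uvjksod.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Denver Hall\ie_updater.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example Vendor\exampletray.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .exe/.dll; stops before any trailing arguments.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.I)
USER_PROFILE_RE = re.compile(r"\\Documents and Settings\\", re.I)
# A folder whose name is a GUID, in long or 8.3 form (e.g. {3C1CE~1).
GUID_DIR_RE = re.compile(r"\\\{[0-9A-F\-~]+\}?\\", re.I)
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "explorer.exe", "csrss.exe", "smss.exe", "spoolsv.exe")


@dataclass
class Finding:
    code: str                 # HijackThis section code, e.g. O23
    raw: str                  # the log line as written
    path: str = ""            # file path extracted from the entry, if any
    reasons: List[str] = field(default_factory=list)


def one_edit_away(a: str, b: str) -> bool:
    """True if a becomes b with exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Skip the differing position (in both strings if same length) and compare the rest.
    return a[i + (len(a) == len(b)):] == b[i + 1:]


def classify(line: str) -> Finding:
    """Apply the structural tells a log reader looks for to one entry."""
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"not a HijackThis entry: {line!r}")
    code, body = m.group("code"), m.group("body")
    f = Finding(code=code, raw=line)
    pm = PATH_RE.search(body)
    f.path = pm.group(0) if pm else ""
    if "(file missing)" in body or "(no file)" in body:
        f.reasons.append("orphaned: registry points at a file HijackThis could not find")
    if code == "O23" and "Unknown owner" in body:
        f.reasons.append("service with no registered owner")
    if USER_PROFILE_RE.search(f.path):
        f.reasons.append("executable lives in a user profile, not Program Files or Windows")
    if GUID_DIR_RE.search(f.path):
        f.reasons.append("program folder named by a GUID")
    name = f.path.rsplit("\\", 1)[-1].lower()
    for sysbin in SYSTEM_BINARIES:
        if one_edit_away(name, sysbin):
            f.reasons.append(f"file name is one edit away from {sysbin}")
    return f


def triage(log_text: str) -> List[Finding]:
    """Classify every R*/O* entry in a log; other lines (headers, blanks) are skipped."""
    return [classify(ln.strip()) for ln in log_text.splitlines() if ENTRY_RE.match(ln.strip())]


def suspicious(log_text: str) -> List[Finding]:
    """Only the entries that tripped at least one heuristic."""
    return [f for f in triage(log_text) if f.reasons]


def summary(log_text: str) -> Dict[str, int]:
    """Count of flagged entries per section code."""
    counts: Dict[str, int] = {}
    for f in suspicious(log_text):
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f.raw)
        for r in f.reasons:
            print("   ->", r)
    print(summary(SAMPLE_LOG))
```

Run on the sample, the script flags six of the nine entries, and the "COM+ Messages" service trips three checks at once (orphaned target, unknown owner, name one edit from svchost.exe). Two entries the helper also ticked pass untouched: the dell4me start-page hijack and the psquery.dll BHO. Those are only recognisable by knowing the name or URL, which is why a structural pass like this narrows a log but does not replace looking each remaining entry up.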
©2003 - 2009 DaniWeb® LLC