hijackers that won't go away and much more
charlieuk
I have this laptop to play with; a friend brought it to me for the usual reasons: slow running, loads of pop-ups and couldn't get to the usual web pages. Ran Ad-Aware SE several times now, going into DOS to clear nasty DLLs, then on the last SE scan a possible new kind of infection was noted, sooooo here's the log


Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, July 27, 2006 8:13:01 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R116 24.07.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 Possible New Malware 0(TAC index:3):2 total references
Adware.Look2Me(TAC index:7):3 total references
MRU List(TAC index:0):2 total references
Possible Browser Hijack attempt(TAC index:3):6 total references
Tracking Cookie(TAC index:3):4 total references
WinAntiVirusPro(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-27-2006 8:13:01 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-2320958936-995690780-1244716356-1006\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 456
ThreadCreationTime : 7-27-2006 7:05:25 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 544
ThreadCreationTime : 7-27-2006 7:05:37 PM
BasePriority : High


Adware.Look2Me Object Recognized!
Type : Process
Data : mv20l9fm1.dll
TAC Rating : 7
Category : Adware
Comment : iieshare.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Adware.Look2Me Object found in memory(C:\WINDOWS\system32\mv20l9fm1.dll)


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 588
ThreadCreationTime : 7-27-2006 7:05:40 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 600
ThreadCreationTime : 7-27-2006 7:05:40 PM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 784
ThreadCreationTime : 7-27-2006 7:05:45 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 856
ThreadCreationTime : 7-27-2006 7:05:45 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1372
ThreadCreationTime : 7-27-2006 7:05:51 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:8 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1480
ThreadCreationTime : 7-27-2006 7:05:58 PM
BasePriority : Normal


#:9 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1592
ThreadCreationTime : 7-27-2006 7:05:59 PM
BasePriority : Normal
FileVersion : 2.2.0.577
ProductVersion : 2.2.0.577
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:10 [defwatch.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 1612
ThreadCreationTime : 7-27-2006 7:05:59 PM
BasePriority : Normal
FileVersion : 9.0.0.338
ProductVersion : 9.0.0.338
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright 1998 - 2004 Symantec Corporation. All rights reserved.
OriginalFilename : DefWatch.exe

#:11 [guard.exe]
FilePath : C:\Program Files\ewido anti-spyware 4.0\
ProcessID : 1648
ThreadCreationTime : 7-27-2006 7:06:00 PM
BasePriority : Normal
FileVersion : 4, 0, 0, 172
ProductVersion : 4, 0, 0, 172
ProductName : ewido anti-spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : ewido anti-spyware guard
InternalName : ewido anti-spywareguard
LegalCopyright : Copyright © 2005 Anti-Malware Development a.s.
OriginalFilename : guard.exe

#:12 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 1680
ThreadCreationTime : 7-27-2006 7:06:03 PM
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright © Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1812
ThreadCreationTime : 7-27-2006 7:06:07 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:14 [rtvscan.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 1900
ThreadCreationTime : 7-27-2006 7:06:10 PM
BasePriority : Normal
FileVersion : 9.0.0.338
ProductVersion : 9.0.0.338
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.

#:15 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 364
ThreadCreationTime : 7-27-2006 7:06:29 PM
BasePriority : Normal
FileVersion : 2.2.0.577
ProductVersion : 2.2.0.577
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:16 [vptray.exe]
FilePath : C:\PROGRA~1\SYMANT~1\
ProcessID : 376
ThreadCreationTime : 7-27-2006 7:06:30 PM
BasePriority : Normal
FileVersion : 9.0.0.338
ProductVersion : 9.0.0.338
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.

#:17 [apoint.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 388
ThreadCreationTime : 7-27-2006 7:06:30 PM
BasePriority : Normal
FileVersion : 5.5.5.109
ProductVersion : 5.5.5.109
ProductName : Alps Pointing-device Driver
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
LegalCopyright : Copyright © 1999-2001 Alps Electric Co., Ltd.
OriginalFilename : Apoint.exe

#:18 [atiptaxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 412
ThreadCreationTime : 7-27-2006 7:06:31 PM
BasePriority : Normal
FileVersion : 6.13.2518
ProductVersion : 6.13.2518
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright © 1998-2001 ATI Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:19 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_06\bin\
ProcessID : 420
ThreadCreationTime : 7-27-2006 7:06:32 PM
BasePriority : Normal


#:20 [apntex.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 520
ThreadCreationTime : 7-27-2006 7:06:34 PM
BasePriority : Normal
FileVersion : 5.0.1.13
ProductVersion : 5.0.1.13
ProductName : Alps Pointing-device Driver for Windows NT/2000
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for Windows NT/2000
InternalName : Alps Pointing-device Driver for Windows NT/2000
LegalCopyright : Copyright © 1998-2001 Alps Electric Co., Ltd.
OriginalFilename : ApntEx.exe

#:21 [ewido.exe]
FilePath : C:\Program Files\ewido anti-spyware 4.0\
ProcessID : 920
ThreadCreationTime : 7-27-2006 7:06:47 PM
BasePriority : Normal
FileVersion : 4, 0, 0, 172
ProductVersion : 4, 0, 0, 172
ProductName : ewido anti-spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : ewido anti-spyware
InternalName : ewido anti-spyware
LegalCopyright : Copyright © 2005 Anti-Malware Development a.s.
OriginalFilename : ewido.exe

#:22 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 904
ThreadCreationTime : 7-27-2006 7:06:47 PM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:23 [mspmspsv.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1080
ThreadCreationTime : 7-27-2006 7:06:53 PM
BasePriority : Normal
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:24 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1112
ThreadCreationTime : 7-27-2006 7:06:57 PM
BasePriority : Normal
FileVersion : 2.2.0.577
ProductVersion : 2.2.0.577
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:25 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2592
ThreadCreationTime : 7-27-2006 7:07:59 PM
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:26 [wpabaln.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2820
ThreadCreationTime : 7-27-2006 7:08:20 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows WPA Balloon Reminder
InternalName : WPABALN.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WPABALN.EXE

#:27 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2040
ThreadCreationTime : 7-27-2006 7:10:13 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

Adware.Look2Me Object Recognized!
Type : Process
Data : guard.tmp
TAC Rating : 7
Category : Adware
Comment : iieshare.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Adware.Look2Me Object found in memory(C:\WINDOWS\system32\guard.tmp)

"C:\WINDOWS\system32\rundll32.exe"Process terminated successfully

#:28 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 488
ThreadCreationTime : 7-27-2006 7:10:22 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

0 Possible New Malware 0 Object Recognized!
Type : Process
Data : guard.tmp
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\WINDOWS\system32\



#:29 [ycommon.exe]
FilePath : C:\PROGRA~1\YAHOO!\browser\
ProcessID : 2940
ThreadCreationTime : 7-27-2006 7:11:45 PM
BasePriority : Normal
FileVersion : 2005, 2, 23, 1
ProductVersion : 3, 0, 0, 0
ProductName : YCommon Exe Module
CompanyName : Yahoo!, Inc.
FileDescription : YCommon Exe Module
InternalName : YCommonExe
LegalCopyright : Copyright 2003-2005 Yahoo! Inc.
OriginalFilename : YCommon.EXE

#:30 [ybrwicon.exe]
FilePath : C:\Program Files\Yahoo!\browser\
ProcessID : 2932
ThreadCreationTime : 7-27-2006 7:11:46 PM
BasePriority : Normal
FileVersion : 2003, 12, 9, 1
ProductVersion : 1, 0, 0, 1
ProductName : Yahoo!, Inc. YBrwIcon
CompanyName : Yahoo!, Inc.
FileDescription : YBrwIcon
InternalName : YBrwIcon
LegalCopyright : Copyright © 2003
OriginalFilename : YBrwIcon.exe

#:31 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3688
ThreadCreationTime : 7-27-2006 7:12:34 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinAntiVirusPro Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 6


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : S-1-5-21-2320958936-995690780-1244716356-1006\Software\Microsoft\Internet Explorer\MainStart Page.findthewebsiteyouneed.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://www.findthewebsiteyouneed.com"
TAC Rating : 10
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-2320958936-995690780-1244716356-1006\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "http://www.findthewebsiteyouneed.com"
Possible Browser Hijack attempt : S-1-5-21-2320958936-995690780-1244716356-1006\Software\Microsoft\Internet Explorer\MainDefault_Search_URL.findthewebsiteyouneed.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://searchbar.findthewebsiteyouneed.com"
TAC Rating : 10
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-2320958936-995690780-1244716356-1006\Software\Microsoft\Internet Explorer\Main
Value : Default_Search_URL
Data : "http://searchbar.findthewebsiteyouneed.com"

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 8

WinAntiVirusPro Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : dyanne holland@www.globaladvertisingservices[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:dyanne holland@www.globaladvertisingservices.info/
Expires : 8-10-2006 7:45:28 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : dyanne holland@edge.ru4[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:dyanne holland@edge.ru4.com/
Expires : 7-19-2036 8:08:34 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : dyanne holland@adtech[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:dyanne holland@adtech.de/
Expires : 7-24-2016 7:46:20 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : dyanne holland@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:dyanne holland@doubleclick.net/
Expires : 7-26-2009 7:51:32 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 13



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

0 Possible New Malware 0 Object Recognized!
Type : File
Data : __delete_on_reboot__g_u_a_r_d_._t_m_p_
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\WINDOWS\system32\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 14



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : REMOVE SPYWARE.url
TAC Rating : 0
Category : Misc
Comment : Problematic URL discovered: http://hop.clickbank.net/?adm0531/swnuker06&pg=7
Object : C:\Documents and Settings\Dyanne Holland\Desktop\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Online Dating.url
TAC Rating : 0
Category : Misc
Comment : Problematic URL discovered: http://www.zestyfind.com/cgi-bin/search.cgi?keywords=dating
Object : C:\Documents and Settings\Dyanne Holland\Desktop\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Cheap Holiday Travel.url
TAC Rating : 0
Category : Misc
Comment : Problematic URL discovered: http://www.zestyfind.com/cgi-bin/search.cgi?keywords=travel
Object : C:\Documents and Settings\Dyanne Holland\Desktop\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Free Online Music.url
TAC Rating : 0
Category : Misc
Comment : Problematic URL discovered: http://www.zestyfind.com/cgi-bin/search.cgi?keywords=music
Object : C:\Documents and Settings\Dyanne Holland\Desktop\




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Adware.Look2Me Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon\notify

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 19

8:24:25 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:11:23.703
Objects scanned:135138
Objects identified:14
Objects ignored:0
New critical objects:14
LS CalamityJane
Hello Charlie,

This is your 7th new topic in two months. Are you running a repair service? We're here to support our users but this is beginning to sap our resources with so many help requests. What is going on?
charlieuk
QUOTE(LS CalamityJane @ Jul 28 2006, 01:56 AM) *
Hello Charlie,

This is your 7th new topic in two months. Are you running a repair service? We're here to support our users but this is beginning to sap our resources with so many help requests. What is going on?


Soz Calamity, I like to help my non-technical friends and I enjoy the challenge. I don't wish to be a burden and I don't charge for helping. If you want me to stop I will; however, only 2 of the issues I have posted recently have been for other ppl, all the rest have been for myself.
LS CalamityJane
No problem, you can see why I'd be wondering. Thanks for letting me know.

This one has a whole bundle of some really hard to remove nasties.

Have you used the vx2 plugin on this one?
http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml

If not, please do that and run AAW again using the vx2 cleaner (directions & download are on that page I linked above). Reboot after cleaning, and scan a second time to remove the critical objects found. It may take 2 or more runs with Ad-Aware (with a reboot in between cleanings) to clean up everything.
Also, have you run an online AV scan on this PC? Looks like it needs it. Use both of these free online scanners. ETrust for viruses and the Ewido is good for finding trojans.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)
It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.

Ewido free online scanner
http://www.ewido.net/en/onlinescan/

Then if problems remain, post the latest Ad-Aware scan log and a HijackThis log here in this thread for review. Please save the reports from the online scanners to post as well, so we can see what may have been found.
charlieuk
Calamity, tnx for understanding... I do too, and tnx for the advice. As I'm not so tired and peed off with it now, I will give you the full history and situation to date. As I said earlier, I had run SE several times in normal and safe mode and had to boot into DOS to clear some of the DLLs. After one of these, when I re-booted and went back on line, one of these malicious processes re-installed itself, and after another I completely lost Windows Explorer and had to run a repair install to get it back. I also ran Ewido, smitrem, ATF, and SmitFraud; I had to burn these off my machine and run them on the laptop because it won't download any legitimate files. I tried to run the Panda online scan and as soon as it started to download IE just stopped working, although Task Manager said it was still running, but after giving it 1/2 an hour with no movement on an 8mb connection I gave up. Finally this morning, while replying to your 1st post, the machine just re-booted; as of yet I have not tried going back on line with it. This is the nastiest infection I have seen yet and I don't wanna see it again.

again TY hun
LS CalamityJane
A bundle like this can sometimes render a PC unusable and unrepairable; it is almost easier to back up any clean important data and reformat/reinstall the OS. Once infected with these types of malware, it can be very difficult if not impossible to remove. Prevention is really the key!

Try this tool, it should help with eliminating the Look2me pest and repair some of the registry damage done by that one.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

Also, if you can get a HijackThis log off of it I can analyze for other difficult pests that may be causing problems. You might be dealing with the very nasty Alcra/Alcan trojan that downloads a boatload of malware onto the system. I have a tool for that.
charlieuk
Ran the Ewido online scan and the L2M deleter; when I re-booted I could not access My Computer or Windows Explorer. Also made the mistake of not putting in an e-mail addy for the Ewido report, but I have got the L2M report though, and the HijackThis report.



Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 7/29/2006 13:04:47

Infected! C:\WINDOWS\system32\lvn6095se.dll
Infected! C:\WINDOWS\system32\l60ulgd9160.dll
Infected! C:\WINDOWS\system32\n84s0ih7e84.dll
Infected! C:\WINDOWS\system32\Akfv2.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\l60ulgd9160.dll
C:\WINDOWS\system32\l60ulgd9160.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n84s0ih7e84.dll
C:\WINDOWS\system32\n84s0ih7e84.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\Akfv2.dll
C:\WINDOWS\system32\Akfv2.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{388349E8-CDD1-4811-8213-168491BDAADA}"
HKCR\Clsid\{388349E8-CDD1-4811-8213-168491BDAADA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{12C73B5C-F9A7-4260-AB44-9DC3CD01EA7C}"
HKCR\Clsid\{12C73B5C-F9A7-4260-AB44-9DC3CD01EA7C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F7F8B641-748F-4A65-A8F5-E6FEAF20BC56}"
HKCR\Clsid\{F7F8B641-748F-4A65-A8F5-E6FEAF20BC56}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


will post the HijackThis report in the proper place
charlieuk
topic description same as from SE post, well nearly


Logfile of HijackThis v1.99.1
Scan saved at 7:44:53 PM, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Dyanne Holland\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [P2P Networking9] C:\WINDOWS\System32\P2P Networking\P2P Networking9.exe /AUTOSTART
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [P2P Networking3] C:\WINDOWS\System32\P2P Networking\P2P Networking3.exe /AUTOSTART
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://mppv2flash3.valueactive.com/Bet365/FlashAX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
LS CalamityJane
It's much harder to have two topics going on the same problem. I'm going to merge the HijackThis post into this one and let's keep it here.
LS CalamityJane
Open HijackThis and do a *system scan only*

When it finishes place a checkmark next to these entries then press the *fix checked* button

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s

O4 - HKLM\..\Run: [P2P Networking9] C:\WINDOWS\System32\P2P Networking\P2P Networking9.exe /AUTOSTART

O4 - HKLM\..\Run: [P2P Networking3] C:\WINDOWS\System32\P2P Networking\P2P Networking3.exe /AUTOSTART

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab

Go to the control panel and locate the following. If found, highlight each one and press *remove*. Do them one at a time if more than one.

P2P Networking

Subsequently remove this folder:
C:\WINDOWS\System32\P2P Networking


Is the PC still having a problem?
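A parser for the HijackThis log format that the procedure above works from, added here as an example; it is not the thread's own code and not part of HijackThis. It splits each line into its section code and fields (the O4 Run value name and command, the O16 CLSID and download URL, the R1 key and data), selects the entries a helper marked by a distinctive substring, and derives the parent folder of each flagged O4 executable, which is the manual step that follows a "fix checked" because HijackThis only removes the registry value, not the files. The sample lines are constructed from the log earlier in the thread; the function names and the marker substrings are this example's own.

```python
"""Parse HijackThis-style log lines and derive the follow-up cleanup steps:
which Run values a helper marked, and which folders their executables sit in.
Added example for this thread; not code from HijackThis or from the forum."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    section: str                     # HijackThis section code, e.g. "O4", "O16"
    raw: str                         # the original log line
    fields: dict = field(default_factory=dict)


# One regex per section this example understands; other sections are kept
# as generic entries with no parsed fields.
_PATTERNS = {
    "R1": re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>[^=]*) = (?P<data>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<command>.*)$"),
    "O16": re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$"),
}

# Unquoted commands may contain spaces ("...\P2P Networking9.exe /AUTOSTART"),
# so prefer a quoted path and otherwise take everything up to a known extension.
_EXE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|vbs|cpl|dll|bat))(?:\s|$)', re.I)

# Constructed sample, modelled on the log posted above in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [P2P Networking9] C:\WINDOWS\System32\P2P Networking\P2P Networking9.exe /AUTOSTART
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


def parse_log(text: str) -> list:
    """Turn log text into Entry records, one per non-empty line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        pattern = _PATTERNS.get(section)
        match = pattern.match(line) if pattern else None
        entries.append(Entry(section, line, match.groupdict() if match else {}))
    return entries


def command_path(command: str) -> Optional[str]:
    """Extract the executable path from an O4 command, quoted or not."""
    m = _EXE.match(command)
    return (m.group("q") or m.group("u")) if m else None


def select_entries(entries: list, marked: list) -> list:
    """Entries a helper asked to 'fix checked', identified by distinctive substrings."""
    return [e for e in entries if any(m.lower() in e.raw.lower() for m in marked)]


def folders_to_review(entries: list) -> set:
    """Parent folders of the executables behind flagged O4 entries.
    Fixing an O4 line removes only the Run value; the files remain on disk."""
    folders = set()
    for e in entries:
        if e.section == "O4":
            path = command_path(e.fields.get("command", ""))
            if path:
                folders.add(ntpath.dirname(path))
    return folders


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    # Substrings a helper would use to mark the entries in the post above.
    flagged = select_entries(parsed, ["SearchURL", "P2P Networking", "drivecleaner.com"])
    for e in flagged:
        print("fix checked:", e.raw)
    for folder in sorted(folders_to_review(flagged)):
        print("then remove folder:", folder)
```

Running it prints the three lines the helper listed for "fix checked" and then the one folder to delete afterwards, C:\WINDOWS\System32\P2P Networking, derived from the O4 command rather than typed by hand.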
charlieuk
OK calamity,

Ran Hijack, removed as instructed; 'my computer', 'windows explorer' and 'Internet explorer' still unavailable unless I run adaware se then click on lavasoft link, then IE loads.

Re-booted in DOS but did not find P2P.exe; did find the following:

P2P networking version 123.cpl
P2PGASVC.DLL
P2PSVC.DLL
P2PNETSH.DLL
P2P.DLL

At this time I have not removed them.

soz to be such a pain
charlieuk
Ooops, also did the necessary in control panel
charlieuk
Hehehe, I've cured it. I had 1 piece of software I hadn't run, and although through all the scans there was no reference to it, I ran VundoFix; there were about 16 instances in system32 and when they were cleared everything was fine.

Let's hope that it's all finished now.

Tnx ever so much for your help hun :-*
LS CalamityJane
QUOTE(charlieuk @ Jul 30 2006, 06:00 AM) *
OK calamity,

Ran Hijack, removed as instructed; 'my computer', 'windows explorer' and 'Internet explorer' still unavailable unless I run adaware se then click on lavasoft link, then IE loads.

Re-booted in DOS but did not find P2P.exe; did find the following:

P2P networking version 123.cpl
P2PGASVC.DLL
P2PSVC.DLL
P2PNETSH.DLL
P2P.DLL

At this time I have not removed them.

soz to be such a pain

Right-click on a blank area of the desktop display
Choose Properties
Choose Desktop tab
Press the Customize Desktop button
Put a checkmark in the My Computer and Internet Explorer boxes (and any others you want there)

Also, C:\WINDOWS\System32\P2P Networking <--that is a folder (directory) not a file. If it is not found, it may have been removed already using the uninstaller.