I'm Infected With SPYWARE!

Sir_Itchlot

OMG! It's in my computer too but I don't understand a thing you said
Sorry, maybe it's because I am not using my canned speech.

Glad to see I'm not the only one with WinFixer problems. Mine happened AFTER I installed Firefox (read it on a post someplace that it was better than IE). I've removed that, I think, and am using IE now but WinFixer keeps butting in.

Also, Ad-Aware never picked it up and Spybot does only sometimes. I'm also running Norton which did zip.

Well, the files are usually different for each Vundo (usually random). Post a HJT log and I'll see if anyone replies; if not, I'll kill Vundo first.

Also! I needed to download an "XP Home Files" thing, which overwrote some files in my system32. I hope that's okay...

Which files? Some variants of CWS delete some Windows files (I got the files on a disk). I'll have a look at the log; having a bit of a problem with this computer.

P.S. Change your title; it's not very nice. Anyone can reply if they want. Some people might even notice things I didn't.

Longest L2M log I've seen...

Do this first to see what else needs to be done.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note: Once the PC has restarted, if a log does not appear or the icons didn't disappear, run the "second.bat" located inside the L2mfix folder.

Thanks for trying to help me, techs.

Sir - not to worry, I didn't try to copy what Colt told you to do because I know my limitations here. I'm clueless. :?

Colt - I'd send you my HJT log, but don't know what it is or how to do it. I just wandered into this forum to see if WinFixer was a problem for others and to maybe get a quick fix. Thanks for the offer though. :)

I downloaded Xoftspy last night and that seems to have fixed it, as well as other stuff that snuck in. It cost, but at least it's fixed. I hope. :D

L2MFix Log:

L2mfix Beta 121605
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 540 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 628 'winlogon.exe'
Killing PID 628 'winlogon.exe'
Killing PID 628 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1636 'explorer.exe'
Killing PID 1636 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Granting SeDebugPrivilege to Administrateurs ... failed (GetAccountSid(Administrateurs)=1332
Granting SeDebugPrivilege to AdministratÃÆÃâÃâ÷rer ... failed (GetAccountSid(AdministratÃÆÃâÃâ÷rer)=1332
Granting SeDebugPrivilege to Administradores ... failed (GetAccountSid(Administradores)=1332
Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332
Granting SeDebugPrivilege to Administratoren ... failed (GetAccountSid(Administratoren)=1332

Scanning First Pass. Please Wait!
First Pass Completed

Second Pass Scanning
Second pass Completed!
moving: C:\WINDOWS\system32\guard.tmp
Successfully Moved: C:\WINDOWS\system32\guard.tmp

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljji]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\mljji.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
adding: dlls/guard.tmp (124 bytes security) (deflated 3%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Also! Before the reboot (after the L2MFix), it said to fix missing file O20 in HJT... Just in case you miss that, thought I'd let you know.
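The Winlogon\Notify export in the log above is the part worth reading by hand: every subkey names a DLL that winlogon.exe loads at boot and calls on logon/logoff events, which is how a Vundo/L2M package such as mljji survives reboots. The Python script below is an added example, not part of the thread and not a feature of L2MFix or HijackThis. It parses a "Windows Registry Editor Version 5.00" export of that key, decodes the hex(2) REG_EXPAND_SZ DllName values, and reports a package as suspicious when its DllName is an absolute path (stock packages use a bare filename resolved from system32, exactly the difference between mljji and the other entries) or for review when the DLL is not on an allowlist. The allowlist of stock XP notification DLLs and the abridged sample export are the author's constructions from the log above.

```python
"""Flag non-stock Winlogon notification packages in a .reg export.

Added example for this thread; not part of L2MFix or HijackThis.
"""
import re

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: DLL basenames of the notification packages a stock XP SP2 install
# registers itself. Anything else is reported for review; an absolute path is
# reported as suspicious because stock packages use a bare filename.
STOCK_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

# Constructed sample: an abridged copy of the export in the L2MFix log above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljji]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\mljji.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="TSEventLogoff"
'''

# "name"=value or @=value; the name may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_hex2(payload):
    """hex(2) is REG_EXPAND_SZ: comma-separated UTF-16LE bytes, NUL-terminated."""
    raw = bytes(int(b, 16) for b in payload.replace("\\", "").split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def unescape(s):
    """Undo .reg string escaping (\\\\ for a backslash, \\" for a quote)."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_notify_export(text):
    """Return {package_name: {value_name: value}} for each Notify subkey in the export."""
    packages, current, pending = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if pending:                                   # continuation of a hex(2) value
            name, payload = pending
            payload += line.rstrip("\\")
            pending = (name, payload) if line.endswith("\\") else None
            if pending is None:
                packages[current][name] = decode_hex2(payload)
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(NOTIFY_ROOT.lower() + "\\"):
                current = key[len(NOTIFY_ROOT) + 1:]  # the package name
                packages[current] = {}
            else:
                current = None                        # the Notify root itself, or unrelated
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        value = m.group(2)
        if value.startswith("hex(2):"):
            payload = value[len("hex(2):"):]
            if payload.endswith("\\"):                # value continues on the next line
                pending = (name, payload.rstrip("\\"))
            else:
                packages[current][name] = decode_hex2(payload)
        elif value.startswith("dword:"):
            packages[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            packages[current][name] = unescape(value[1:-1])
        else:
            packages[current][name] = value
    return packages


def assess(packages):
    """Map package name -> 'suspicious' | 'review' for packages that merit a look."""
    verdicts = {}
    for pkg, values in packages.items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None or "\\" in dll:
            verdicts[pkg] = "suspicious"      # no DLL, or an absolute path: the Vundo/L2M pattern
        elif dll.lower() not in STOCK_DLLS:
            verdicts[pkg] = "review"          # e.g. a graphics-driver helper like igfxsrvc.dll
    return verdicts


if __name__ == "__main__":
    pkgs = parse_notify_export(SAMPLE_REG)
    for pkg, verdict in assess(pkgs).items():
        dll = next(v for k, v in pkgs[pkg].items() if k.lower() == "dllname")
        print(f"{verdict:10} {pkg:14} {dll}")
```

On a live machine the same export comes from `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`; feed that file to `parse_notify_export` instead of the sample. A "review" verdict is not a detection, only a prompt to confirm the DLL belongs to an installed driver or product.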

This isn't really good for my health; it's almost 1am here...

Using HJT (I'll make it more detailed in the morning):

  • Download HijackThis 1.99.1 from http://www.merijn.org to its own folder.
  • Extract it and run it. DON'T FIX ANYTHING.
  • Click "Save log" when the scan has finished. Notepad will open.
  • Copy and paste the log and post it on the forum. Wait for someone to give you a fix for it.

Look at the stickies for a better tutorial (sorry to sound rude; I want to sleep).

===================

I downloaded Xoftspy last night and that seems to have fixed it, as well as other stuff that snuck in. It cost, but at least it's fixed. I hope.
Mate (if you don't mind me calling you that), you are making it worse for yourself. Uninstall Xoftspy. It's a rogue antispyware program (fake).

====================

Sir - I'll take a look at it in the morning. Also the missing O20 is basically Vundo (I am being lazy).

Go offline, open HJT and fix these (the Vundo entries):

O2 - BHO: (no name) - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - (no file)
O20 - Winlogon Notify: mljji - C:\WINDOWS\system32\mljji.dll (file missing)

FYI, the VX2/L2M file is guard.tmp. I'll get you a tool to delete it on reboot. (There are a few more (should be anyway) so wait till I post in the morning.)

Go offline, open HJT and fix these (the Vundo entries):

O2 - BHO: (no name) - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - (no file)
O20 - Winlogon Notify: mljji - C:\WINDOWS\system32\mljji.dll (file missing)

Done.

...Which programs can I delete now? I feel uneasy with them, i.e. vundofix, l2mfix...

Sir - do what you just did to each of your accounts (shouldn't need to, but just in case; no need to post a log).

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note: Once the PC has restarted, if a log does not appear or the icons didn't disappear, run the "second.bat" located inside the L2mfix folder.

After that please post a new HJT log. L2M/VX2 should now be gone from all accounts.

Which programs can I delete now? I feel uneasy with them, i.e. vundofix, l2mfix
I'll get you to delete them at the end (remind me). They should be OK as long as you don't go around running them (this includes keeping your sister away from your computer).

asta - no, I am not joking.

Sir - do what you just did to each of your accounts (shouldn't need to, but just in case; no need to post a log).
Done... well, none of them had either of the files.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.
L2MFIX LOG - Also, it still told me to fix the missing O20 in HJT... But it's not there in any of the accounts.

L2mfix Beta 121605
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 544 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 632 'winlogon.exe'
Killing PID 632 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 2000 'explorer.exe'
Killing PID 2000 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Granting SeDebugPrivilege to Administrateurs ... failed (GetAccountSid(Administrateurs)=1332
Granting SeDebugPrivilege to AdministratÃÆÃâÃâ÷rer ... failed (GetAccountSid(AdministratÃÆÃâÃâ÷rer)=1332
Granting SeDebugPrivilege to Administradores ... failed (GetAccountSid(Administradores)=1332
Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332
Granting SeDebugPrivilege to Administratoren ... failed (GetAccountSid(Administratoren)=1332

Scanning First Pass. Please Wait!
First Pass Completed

Second Pass Scanning
Second pass Completed!

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
adding: dlls/guard.tmp (124 bytes security) (deflated 3%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

HJT LOG - I Noticed there's a few new files since the last time..

 

 

 

 

 

 

 

Logfile of HijackThis v1.99.1

 

 

 

Scan saved at 3:55:47 PM, on 22/12/2005

 

 

 

Platform: Windows XP SP2 (WinNT 5.01.2600)

 

 

 

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

 

 

 

 

 

 

Running processes:

 

 

 

C:\WINDOWS\System32\smss[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\winlogon[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\services[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\lsass[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\svchost[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\System32\svchost[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\spoolsv[Caution: ExecutableFile]

 

 

 

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: ExecutableFile]

 

 

 

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\System32\svchost[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\Explorer[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\System32\hkcmd[Caution: ExecutableFile]

 

 

 

C:\Program Files\CyberLink\PowerDVD\DVDLauncher[Caution: ExecutableFile]

 

 

 

C:\Program Files\Java\j2re1.4.2_03\bin\jusched[Caution: ExecutableFile]

 

 

 

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile]

 

 

 

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile]

 

 

 

C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB[Caution: ExecutableFile]

 

 

 

C:\Program Files\MSN Messenger\msnmsgr[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\wuauclt[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\System32\svchost[Caution: ExecutableFile]

 

 

 

C:\Documents and Settings\Mitch\Desktop\Spyware Removal Programs\HijackThis[Caution: ExecutableFile]

 

 

 

 

 

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

 

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant ... gn=wdz0605

 

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com

 

 

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca

 

 

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

 

 

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assistant ... gn=wdz0605

 

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s

 

 

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;

 

 

 

R3 - Default URLSearchHook is missing

 

 

 

O1 - Hosts: 69.20.16.183 auto.search.msn.com

 

 

 

O1 - Hosts: 69.20.16.183 search.netscape.com

 

 

 

O1 - Hosts: 69.20.16.183 ieautosearch

 

 

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

 

 

 

O2 - BHO: (no name) - {06a34ccb-f185-40c4-b367-15f01a0d7996} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)

 

 

 

O2 - BHO: (no name) - {19ca005a-8716-4e8d-b232-70451fe73635} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)

 

 

 

O2 - BHO: (no name) - {2393728b-6ffd-45b7-89a5-9f9b490d000e} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)

 

 

 

O2 - BHO: (no name) - {49c5f9e3-63fc-4ced-a16c-77bea61396f5} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)

 

 

 

O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - C:\WINDOWS\system32\hlwin.dll

 

 

 

O2 - BHO: (no name) - {91e6dc04-6d5c-404f-8699-c1a5d73b2090} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)

 

 

 

O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)

 

 

 

O2 - BHO: (no name) - {e16b8728-c829-40bf-8aa8-c1bb2e387fcb} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)

 

 

 

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

 

 

 

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher[Caution: ExecutableFile]"

 

 

 

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService[Caution: ExecutableFile]"

 

 

 

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile] /STARTUP

 

 

 

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution: ExecutableFile]" -atboottime

 

 

 

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB[Caution: ExecutableFile]
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr[Caution: ExecutableFile]" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile] (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile] (file missing)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... 0.0.15.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares ... cracks.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - C:\WINDOWS\system32\hlwin.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: ExecutableFile]
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: ExecutableFile]
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc[Caution: ExecutableFile]


yeah, me too. lol. least most of the junk is out of your system.

go offline and fix these (you can leave the Accoona ones if you have set them):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant ... gn=wdz0605
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assistant ... gn=wdz0605
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca <- did you set this? if not, fix it.
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {06a34ccb-f185-40c4-b367-15f01a0d7996} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)
O2 - BHO: (no name) - {19ca005a-8716-4e8d-b232-70451fe73635} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)
O2 - BHO: (no name) - {2393728b-6ffd-45b7-89a5-9f9b490d000e} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)
O2 - BHO: (no name) - {49c5f9e3-63fc-4ced-a16c-77bea61396f5} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)
O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - C:\WINDOWS\system32\hlwin.dll
O2 - BHO: (no name) - {91e6dc04-6d5c-404f-8699-c1a5d73b2090} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O2 - BHO: (no name) - {e16b8728-c829-40bf-8aa8-c1bb2e387fcb} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... 0.0.15.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares ... cracks.cab
O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - C:\WINDOWS\system32\hlwin.dll

then reboot your computer into safe mode.

find and delete these files/folders (if you have any problems deleting some of these, tell me):

C:\WINDOWS\system32\gdbrdwsw.dll
C:\WINDOWS\system32\hlwin.dll
C:\Program Files\Accoona

reboot into normal mode.

Right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it, like on the desktop.

right click on it and select Install.

post a new HJT log.


go offline and fix these

Done.

then reboot your computer into safe mode.

find and delete these files/folders (if you have any problems deleting some of these, tell me):

C:\WINDOWS\system32\gdbrdwsw.dll
C:\WINDOWS\system32\hlwin.dll
C:\Program Files\Accoona

Err.. I couldn't find any of them. I looked in the folders manually, and tried to "Search" for them. I'm not going to do the next step yet..


C:\WINDOWS\system32\gdbrdwsw.dll
C:\WINDOWS\system32\hlwin.dll
C:\Program Files\Accoona

Err.. I couldn't find any of them. I looked in the folders manually, and tried to "Search" for them. I'm not going to do the next step yet..

O2 - BHO: (no name) - {91e6dc04-6d5c-404f-8699-c1a5d73b2090} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)

you aren't going to find them, as stated by your HJT log; just remove the entries referencing them :)
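As an added example (this is not code posted in the thread, and it is not part of HijackThis or any of the tools mentioned), the script below applies the same checks the helper applied by eye to the log above: O1 hosts-file lines that pin a search or update hostname to a fixed IP, an O15 Trusted Zone addition, O16 ActiveX downloads from hosts outside an assumed allowlist, an O18 text/html filter together with any O2 BHO that loads the same DLL, a missing default URLSearchHook, and every entry marked "(file missing)". The last rule is the point of the final reply: those DLLs are already gone from disk, so the fix is to remove the registry entries that still reference them, which is why searching the folders found nothing. The sample log is a constructed excerpt of entries quoted earlier in the thread (URLs kept as the forum truncated them), and the DPF allowlist is an assumption for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of HijackThis entries copied from the log in this
# thread. The forum truncated the long URLs with " ... ", and they are kept that way.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {06a34ccb-f185-40c4-b367-15f01a0d7996} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing)
O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - C:\WINDOWS\system32\hlwin.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares ... cracks.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - C:\WINDOWS\system32\hlwin.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe))", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Assumption for the example: hosts the user recognises as legitimate sources of
# ActiveX controls. Anything else in an O16 line gets flagged for a look.
DPF_ALLOWLIST = {"messenger.zone.msn.com", "messenger.msn.com"}


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section, e.g. "O2"
    reason: str  # why the entry deserves attention
    line: str    # the log line as written


def _path(body: str) -> str:
    """First Windows file path in an entry, lower-cased for comparison."""
    m = PATH_RE.search(body)
    return m.group(1).lower() if m else ""


def _host(body: str) -> str:
    """Host part of the first http(s) URL in an entry, or '' if none."""
    m = HOST_RE.search(body)
    return m.group(1).lower() if m else ""


def triage(log_text: str, dpf_allowlist=DPF_ALLOWLIST) -> list[Finding]:
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body"), raw.strip()))

    # First pass: a DLL registered as a MIME filter (O18) sits in the path of every
    # page IE renders; a BHO (O2) loading the same DLL belongs to the same package.
    filter_dlls = {_path(b) for k, b, _ in entries if k == "O18" and b.startswith("Filter:")}

    findings = []
    for kind, body, line in entries:
        reason = None
        if "(file missing)" in body:
            reason = "orphaned entry: the DLL is already gone, only the registry reference remains"
        elif kind == "O1":
            reason = "hosts-file redirection: a search/update hostname is pinned to a fixed IP"
        elif kind == "O2" and _path(body) in filter_dlls:
            reason = "BHO loads the same DLL as a text/html filter (O18)"
        elif kind == "O15":
            reason = "site added to the IE Trusted Zone, which relaxes security for that host"
        elif kind == "O16" and _host(body) not in dpf_allowlist:
            reason = f"ActiveX download from unrecognised host {_host(body)}"
        elif kind == "O18" and body.startswith("Filter:"):
            reason = "MIME filter DLL inserted into IE's rendering path"
        elif kind == "R3" and "is missing" in body:
            reason = "default URLSearchHook missing, typically left behind by a search hijacker"
        if reason:
            findings.append(Finding(kind, reason, line))
    return findings


def orphaned_paths(findings: list[Finding]) -> list[str]:
    """Paths that will not be found on disk: remove the entry, not the file."""
    return sorted({_path(f.line) for f in findings if f.reason.startswith("orphaned")})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:4} {f.reason}\n     {f.line}")
    print("not on disk:", orphaned_paths(results))
```

The rules are deliberately simple string checks so each one can be read against the log line that triggered it; they are a first pass for a human, not a verdict. Entries that are not flagged (the Accoona R0/R1 search settings, for instance) are exactly the ones the helper left to the user's judgement.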
