Infected system
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
darren62
I think I've been infected. I had SpySheriff and WinHound 2 days ago. Then I went to download Spybot - Search & Destroy to scan my computer. Since the day I scanned and deleted SpySheriff and WinHound (by uninstalling them through Add/Remove Programs, so I don't know whether I removed them completely), each time I reboot the computer I get an error message that kernel64 is missing and that Windows Explorer is not working properly.

My HijackThis log :

Logfile of HijackThis v1.99.1
Scan saved at 3:18:41 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\inet20001\winlogon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\darren\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [Windows Services] service32.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKLM\..\RunServices: [Windows Services] service32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows Services] service32.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\RunServices: [Windows Services] service32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O15 - Trusted Zone: http://*.gunbound.net
O15 - Trusted Zone: http://*.nprotect.net
O15 - Trusted Zone: http://*.softnyx.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121153143218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130976709265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Need help please, thanks.
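As an added example (my own code, not something posted in this thread and not part of HijackThis), the following Python script applies a few defender-side heuristics to lines taken from the log above: a `Shell=` value that chains a second program onto Explorer, a `win.ini run=` autostart, core system binary names running from a directory other than their normal one, bare filenames resolved through the search path, executables in the drive root or in an unexpected subdirectory of the Windows directory, an unrecognised Winlogon Notify DLL, and the same file registered in more than one autostart location. The table of expected directories and the Winlogon Notify allowlist are assumptions made for illustration, not rules of any tool.

```python
"""Triage of HijackThis-style autostart entries (added example, not from the forum)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\inet20001\winlogon.exe
C:\WINDOWS\System32\svchost.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [Windows Services] service32.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKLM\..\RunServices: [Windows Services] service32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Assumptions for this example: where core XP binaries normally live, which
# Windows subdirectories are expected to hold executables, and which Winlogon
# Notify DLLs we treat as known-good (igfxsrvc.dll is the Intel graphics one).
CORE_BINARIES = {
    "smss.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}
KNOWN_WINDOWS_SUBDIRS = {"system32", "system", "servicepackfiles"}
KNOWN_NOTIFY_DLLS = {"igfxsrvc.dll"}


@dataclass
class Finding:
    rule: str
    line: str


def extract_executable(command: str) -> str:
    """Pull the program path out of an O4 command, quoted or not, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|dll|scr|pif))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def classify_path(path: str) -> List[str]:
    """Heuristic reasons a launch path deserves a closer look (empty list = nothing odd)."""
    low = path.lower()
    if "\\" not in low:
        return ["bare filename: resolved through the search path, so any copy with that name wins"]
    reasons = []
    directory, _, name = low.rpartition("\\")
    expected = CORE_BINARIES.get(name)
    if expected is not None and directory != expected:
        reasons.append(f"core system name '{name}' running outside {expected}")
    if directory == "c:":
        reasons.append("executable in the drive root")
    m = re.match(r"c:\\windows\\([^\\]+)", directory)
    if m and m.group(1) not in KNOWN_WINDOWS_SUBDIRS:
        reasons.append(f"unexpected Windows subdirectory '{m.group(1)}'")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run every heuristic over a HijackThis-style log and return the review list."""
    findings: List[Finding] = []
    autostart_count: Dict[str, int] = {}  # lower-cased path -> autostart entries naming it

    def note_autostart(path: str) -> None:
        key = path.lower()
        autostart_count[key] = autostart_count.get(key, 0) + 1

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^[a-z]:\\", line, re.I):  # a line from the "Running processes" block
            for why in classify_path(line):
                findings.append(Finding(f"process: {why}", line))
        elif line.startswith("F2 - ") and "Shell=" in line:
            programs = line.split("Shell=", 1)[1].split()
            for p in (p for p in programs if p.lower() != "explorer.exe"):
                findings.append(Finding("F2: extra program chained onto the Explorer shell", line))
                note_autostart(p)
        elif line.startswith("F3 - ") and "run=" in line:
            findings.append(Finding("F3: win.ini run= autostart (legacy, rarely used by legitimate software)", line))
            note_autostart(extract_executable(line.split("run=", 1)[1]))
        elif line.startswith("O4 - "):
            m = re.search(r"\]\s*(.+)$", line)  # Global Startup .lnk lines have no [name]; skip them
            if not m:
                continue
            exe = extract_executable(m.group(1))
            note_autostart(exe)
            for why in classify_path(exe):
                findings.append(Finding(f"O4: {why}", line))
        elif line.startswith("O20 - Winlogon Notify:"):
            dll = line.rpartition(" - ")[2].strip().lower().rpartition("\\")[2]
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("O20: unrecognised Winlogon Notify DLL (loads inside winlogon.exe)", line))

    for path, n in autostart_count.items():
        if n >= 2:
            findings.append(Finding(f"persistence: registered in {n} autostart locations", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

The output is a review list, not a verdict: `SOUNDMAN.EXE` is flagged as a bare filename even though it is the Realtek sound manager that the responder leaves alone, and `kernels64.exe` sits in system32 under a plausible name, so no path heuristic catches it; it only surfaces through the `Shell=` rule and through being registered in two autostart locations. That correlation across entry types is the part worth keeping when reading a log like this one by hand.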
Bobbi Flekman
Hi darren62,

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C:, or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
darren62
Um... I clicked the Panda ActiveScan shortcut and I'm brought back to the web. I clicked on Local Disk to scan but nothing happens.
Bobbi Flekman
Weird.... Can you try this link: http://www.pandasoftware.com/activescan/ac...17490&Idpais=63

Do you use Internet Explorer at the Panda site?
darren62
OK, this is weird. Either my browser is not IE 0.5 and above, or something is wrong. I tried downloading IE 0.6 but they (Microsoft) said I have a newer version than IE 0.6.
Bobbi Flekman
From your logs I would say you are at Internet Explorer 6, fully updated and all.
QUOTE
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

How are the ActiveX settings in Internet Explorer?
darren62
Well, it's working. When I first entered the site (Panda ActiveScan), I was required to download an ActiveX program for the Panda ActiveScan site. I've downloaded it and tried clicking on Local Disk again; it still doesn't work. The only problem I have so far is the occasional Windows Explorer error.
Bobbi Flekman
Good that it works. Can you still post the logs I asked for?
darren62
Sorry for the late reply. I couldn't get the Panda ActiveScan to work. But here are the rest of the logs that you requested ^_^


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 01/04/2006
The current time is: 15:36:24.64

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key

WinHound.com key present!



Running WinHound.com fix!



WinHound.com key was successfully removed! :)

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~

svcp.csv
oleext32.dll
intell32.exe
oleext.dll
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

uninstIU.exe
desktop.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 736 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)






Logfile of HijackThis v1.99.1
Scan saved at 3:13:57 AM, on 1/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\e-Games\RAN_Online(en)\RANLauncher(en).exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\darren\My Documents\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Windows Services] service32.exe
O4 - HKLM\..\RunServices: [Windows Services] service32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Services] service32.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Windows Services] service32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O15 - Trusted Zone: http://*.gunbound.net
O15 - Trusted Zone: http://*.nprotect.net
O15 - Trusted Zone: http://*.softnyx.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121153143218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130976709265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:49:01 PM, 1/4/2006
+ Report-Checksum: 262AF488

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{31EE3286-D785-4E3F-95FC-51D00FDABC01} -> Downloader.Delf.aeo : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\bhoreg\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2038945071-495446925-488748980-1005\Software\Microsoft\Internet Explorer\Keywords -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2038945071-495446925-488748980-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2038945071-495446925-488748980-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-2038945071-495446925-488748980-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} -> Spyware.Azsearch : Cleaned with backup
HKU\S-1-5-21-2038945071-495446925-488748980-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned with backup
HKU\S-1-5-21-2038945071-495446925-488748980-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFF5092F-7172-4018-827B-FA5868FB0478} -> Spyware.ZToolbar : Cleaned with backup
[204] C:\WINDOWS\system32\browsela.dll -> Downloader.Delf.aeo : Cleaned with backup
[1836] C:\WINDOWS\system32\browsela.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\WINDOWS\system32\browsela.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\WINDOWS\system32\msvcrl.dll -> Dropper.Agent.afj : Cleaned with backup
C:\WINDOWS\system32\sachostp.exe -> Dropper.Agent.afj : Cleaned with backup
C:\WINDOWS\system32\sachostw.exe -> Dropper.Agent.afj : Cleaned with backup
C:\WINDOWS\system32\sachostc.exe -> Dropper.Agent.afj : Cleaned with backup
C:\WINDOWS\system32\mspostsp.exe -> Trojan.Inject.i : Cleaned with backup
C:\WINDOWS\system32\sachosts.exe -> Dropper.Agent.afj : Cleaned with backup
C:\WINDOWS\system32\AdCache -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_171900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_172100.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_172200.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_172300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_173200.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_187300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_187400.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_206900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153300.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_206900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153300.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153400.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153500.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153600.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_217400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_313200.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_346600.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_346900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_382400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153500.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_153600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_313200.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_346600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_346900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_282500.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_282500.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_113700.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_2_382400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_229200.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_230700.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_230900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_231200.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_113700.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_2_171900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_2_172100.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_3_172200.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_3_172300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_3_173200.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_382400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_207400.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_207400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_436300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_436500.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_436700.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_436800.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_436900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_160800.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_160900.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_161000.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_438300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_438500.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_438600.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_160800.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_160900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_161000.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_438300.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_438500.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_438600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_228300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_138300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_138300.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_436100.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_149700.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_149700.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_273100.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_273100.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_120800.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_128600.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_130800.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_158700.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_166900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_220000.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_220100.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_436100.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_436300.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_436500.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_220000.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_220100.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_436700.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_436800.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_4_436900.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_221500.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_297200.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_314300.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_359400.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_221500.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_297200.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_314300.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_220000.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_220100.swf -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_295400.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_4_396600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_220000.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_220100.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_1_130800.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_445800.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_445900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_453800.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_815900.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_815600.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_0_0_446000.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_2_0_814200.htm -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_448600.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\AdCache\B_434_1_0_448500.gif -> Adware.Cydoor : Cleaned with backup
C:\WINDOWS\system32\paradise.raw.exe -> Proxy.Lager.f : Cleaned with backup
C:\WINDOWS\system32\msupdate32.dll -> Backdoor.Delf.ald : Cleaned with backup
C:\WINDOWS\alt.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\WINDOWS\sachostx.exe -> Worm.Locksky.q : Cleaned with backup
C:\WINDOWS\adsldpbf.dll -> Downloader.Delf.lh : Cleaned with backup
C:\WINDOWS\inet20001\services.exe -> Downloader.CWS.r : Cleaned with backup
C:\WINDOWS\inet20001\winlogon.exe -> Downloader.CWS.r : Cleaned with backup
C:\WINDOWS\inet20001\3.00.13.dll -> Spyware.Ihbo : Cleaned with backup
C:\WINDOWS\inet20001\mm4.exe.bak -> Proxy.Delf.an : Cleaned with backup
C:\WINDOWS\inet20001\mm4.exe -> Proxy.Delf.an : Cleaned with backup
C:\WINDOWS\inet20001\alg.exe.bak -> Worm.Delf.i : Cleaned with backup
C:\WINDOWS\inet20001\alg.exe -> Worm.Delf.i : Cleaned with backup
C:\WINDOWS\g41429093.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\Documents and Settings\darren\Local Settings\Temporary Internet Files\Content.IE5\XFQARHHX\xp_0031[1].exe -> Worm.Locksky.q : Cleaned with backup
C:\Documents and Settings\darren\Cookies\darren@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\darren\Cookies\darren@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\darren\Cookies\darren@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\darren\temp.bak -> Worm.Locksky.q : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0000010.exe -> Adware.PSGuard : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0000012.dll -> Adware.PSGuard : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0000019.exe -> Proxy.Delf.an : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0000020.exe -> Worm.Delf.i : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001019.exe -> Proxy.Delf.an : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001020.exe -> Worm.Delf.i : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001028.exe -> Proxy.Delf.an : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001029.exe -> Worm.Delf.i : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001037.exe -> Downloader.Small.vu : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001038.dll -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{0DC391BE-28C7-4A2A-AE41-463EA2D85ADA}\RP1\A0001039.exe -> Trojan.Small.ev : Cleaned with backup
C:\boot.inx -> Downloader.FakeAntiSpyware : Cleaned with backup


::Report End




That's all. Thanks for all your help ^_^. Is there still anything wrong with my computer other than the Windows Explorer error O_O?
Bobbi Flekman
Hi darren62,

We're not out of the woods yet... You have a CoolWebSearch infection. Please download CoolWebShredder from http://www.trendmicro.com/cwshredder/
Extract CWShredder to its own folder. Restart in Safe Mode (How do I Safe Boot my computer?) and run the program.

Be sure all open windows are closed. Click the "Fix ->" button.

Make sure you let it fix all CWS Remnants.

Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile c:\windelf.txt, along with a new HijackThis log.
darren62
Logfile of HijackThis v1.99.1
Scan saved at 8:52:01 AM, on 1/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\darren\My Documents\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Windows Services] service32.exe
O4 - HKLM\..\RunServices: [Windows Services] service32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Services] service32.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Windows Services] service32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O15 - Trusted Zone: http://*.gunbound.net
O15 - Trusted Zone: http://*.nprotect.net
O15 - Trusted Zone: http://*.softnyx.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121153143218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130976709265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
adsldpbf.dll
alt.exe

File(s) found in system32 folder
--------------------------------
browsela.dll

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{31EE3286-D785-4E3F-95FC-51D00FDABC01} REG_SZ Master Browseui

Notify key
----------
subkey browsela is present!



The logs you need. Any other problems besides the Windows Explorer problem I'm still having?
Bobbi Flekman
Hi darren62,

Was that the complete log from the Delfkiller? It seems to be missing something...

You might want to save this page on your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Windows Services] service32.exe
O4 - HKLM\..\RunServices: [Windows Services] service32.exe
O4 - HKCU\..\Run: [Windows Services] service32.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\RunServices: [Windows Services] service32.exe

O15 - Trusted Zone: http://*.gunbound.net
O15 - Trusted Zone: http://*.nprotect.net
O15 - Trusted Zone: http://*.softnyx.net

O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end of the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\sysldr32.exe
C:\WINDOWS\system32\sywsvcs.exe
C:\WINDOWS\system32\service32.exe
C:\WINDOWS\system32\browsela.dll
C:\WINDOWS\system32\msupdate32.dll

Restart your computer and post a new log in this thread.

I don't want to address the problem with Explorer as long as the log is not clean. It might have come thanks to the malware on your system...
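The entries Bobbi picks out of the log above can be pulled out mechanically. The following Python parser is an added example, not code from this thread or from HijackThis: it reads lines in the HijackThis v1.99.1 format posted here, splits each O4, O15 and O20 line into its fields, and attaches review flags for the structural oddities the fix list relies on (a "(file missing)" marker, a Run value with a bare filename, an executable sitting directly in C:\WINDOWS, a Winlogon Notify DLL outside a vetted set, any Trusted Zone entry). The sample log and the vetted-DLL set are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a subset of lines in the HijackThis v1.99.1 log format
# as posted in this thread, mixing entries the helper listed for fixing with
# entries that were left alone. Global Startup and other sections are skipped.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Windows Services] service32.exe
O4 - HKLM\..\RunServices: [Windows Services] service32.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O15 - Trusted Zone: http://*.gunbound.net
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
"""

# Assumption: Winlogon Notify DLLs an analyst has already vetted on this
# machine (the Intel graphics notify package the helper left in place).
KNOWN_NOTIFY_DLLS = {"igfxsrvc.dll"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
# First path-looking token: either quoted, or everything up to the first
# executable extension (HijackThis prints unquoted paths containing spaces).
PATH_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|$)', re.I)


@dataclass
class Entry:
    section: str          # O4, O15 or O20
    name: str             # Run value name, Notify subkey or zone pattern
    target: str           # path as printed, without the "(file missing)" marker
    file_missing: bool
    flags: List[str] = field(default_factory=list)


def split_target(raw: str):
    """Return (path, file_missing) from the text after a HijackThis entry name."""
    raw = raw.strip()
    missing = raw.endswith("(file missing)")
    if missing:
        raw = raw[: -len("(file missing)")].strip()
    m = PATH_RE.match(raw)
    path = (m.group(1) or m.group(2)) if m else raw
    return path, missing


def parse(log_text: str) -> List[Entry]:
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            path, missing = split_target(m.group(4))
            entries.append(Entry("O4", m.group(3), path, missing))
        elif m := O20_RE.match(line):
            path, missing = split_target(m.group(2))
            entries.append(Entry("O20", m.group(1), path, missing))
        elif m := O15_RE.match(line):
            entries.append(Entry("O15", m.group(1), m.group(1), False))
    return entries


def review(entries: List[Entry]) -> List[Entry]:
    """Attach review flags; a flag is a reason to look, not a verdict."""
    for e in entries:
        if e.file_missing:
            e.flags.append("file missing")      # dead autostart, still worth removing
        if e.section == "O4":
            directory, _, _ = e.target.rpartition("\\")
            if not directory:
                e.flags.append("bare filename")  # found via PATH search; some legit tray apps do this too
            elif directory.upper() == r"C:\WINDOWS":
                e.flags.append("windows root")   # executables dropped directly into %WINDIR%
        elif e.section == "O20":
            dll = e.target.rpartition("\\")[2].lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                # Notify DLLs load inside winlogon.exe, which is why such a
                # file stays locked ("being used by another program") while
                # the system is up.
                e.flags.append("unvetted winlogon notify DLL")
        elif e.section == "O15":
            e.flags.append("trusted zone")      # sites given IE's relaxed security settings
    return entries


def flagged_names(log_text: str) -> dict:
    """Map entry name -> flags for every entry that drew at least one flag."""
    return {e.name: e.flags for e in review(parse(log_text)) if e.flags}


if __name__ == "__main__":
    for name, flags in flagged_names(SAMPLE_LOG).items():
        print(f"{name:28} {', '.join(flags)}")
```

Note that the aupd entry draws no flag: nothing about its path is unusual, and only the unfamiliar name sywsvcs.exe gives it away, which is the part that still needs a human reading the log.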
darren62
I wasn't able to find the rest of the files to delete. I found

C:\WINDOWS\system32\browsela.dll

But I wasn't able to delete it. It says that the file is being used by another program and I can't move it either.
Bobbi Flekman
Hi darren62,

Did you run the delfkill program? Browsela is part of Win.Delf, and that should have taken care of it.

Can you run it again, and post the complete c:\windelf.txt file.
darren62
************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
adsldpbf.dll
alt.exe

File(s) found in system32 folder
--------------------------------
browsela.dll

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{31EE3286-D785-4E3F-95FC-51D00FDABC01} REG_SZ Master Browseui

Notify key
----------
subkey browsela is present!



AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------
browsela.dll

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{31EE3286-D785-4E3F-95FC-51D00FDABC01} REG_SZ Master Browseui

Notify key
----------
subkey browsela is present!
darren62
Sorry if it's messy, but I think it's all the same.
Bobbi Flekman
Hi darren62,


grrrrr..... It doesn't really want to go, does it!

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

QUOTE
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\browsela]
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Click on "Delete on Reboot", in the "Full Path of File to Delete" box, enter C:\Windows\system32\browsela.dll and click on the button with the white cross in a red circle. You will get a question "File will be Deleted on Next Reboot, Process & Reboot now?", answer "Yes". Let Killbox do its work.

Afterwards please post a new log from HijackThis.
darren62
Logfile of HijackThis v1.99.1
Scan saved at 12:31:06 AM, on 1/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\alt.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\darren\My Documents\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121153143218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130976709265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Bobbi Flekman
Did you do my instructions? Did you get any error messages?
darren62
Yeah, I did exactly as you said. But I had to restart it on my own. LOL, I just received the Windows Explorer message again.
Bobbi Flekman
I meant error messages during the execution of my instructions. This would get rid of it, the only way it cannot is if you did not completely follow instructions, or if there were error messages during fixing...
darren62
Yeah, I did exactly as you said. Well, I tried it again and I get this error that the file has been deleted already.

The log:

Pocket Killbox version 2.0.0.588
Running on Windows XP as darren(Administrator)
was started @ Friday, January 13, 2006, 12:26 AM

# 1 [Delete on Reboot]
Path = C:\Windows\system32\browsela.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 12:27:43 AM
Killbox Closed(Exit) @ 12:28:13 AM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as darren(Administrator)
was started @ Sunday, January 15, 2006, 12:40 PM

# 1 [Delete on Reboot]
Path = C:\Windows\system32\browsela.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 12:41:02 PM
# 2 [Delete on Reboot]
Path = C:\Windows\system32\browsela.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 12:41:23 PM
Killbox Closed(Exit) @ 12:41:25 PM
__________________________________________________


Well, I found browsella.dll inside the same folder as the log, called !Killerbox, in my C drive.
Bobbi Flekman
Hi darren62,

QUOTE
Yea.. I did exactly as you said.. Well, I tried it again and I get this error that the file has been deleted already.
Is that file gone from the Windows\System32 folder?

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked". Restart your computer and post a new log in this thread.
darren62
Logfile of HijackThis v1.99.1
Scan saved at 4:50:43 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\alt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\darren\My Documents\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121153143218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130976709265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


This is weird. I've deleted that browsella 3 times, yet each time it still reappears.
Bobbi Flekman
Hey Darren,

let's try something else. Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.

CODE
rem List every copy of browsela.dll on drive C, hidden files included (/a), searching all subfolders (/s)
dir C:\browsela.dll /a /s > files.txt
notepad files.txt


Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

Download RegDACL, and extract it.

Launch Notepad, and copy/paste the box below into a new text file. Save it as FixReg.bat and save it in the same folder as where you extracted RegDACL.

CODE
rem Each RegDACL call goes on one line; the key path contains a space, so it is quoted.
rem Output is written to regdacl.txt so there is a file to post.
RegDACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\browsela" /L > regdacl.txt
RegDACL "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\browsela" /E >> regdacl.txt
notepad regdacl.txt


Locate FixReg.bat in that folder and double-click on it.
darren62
Volume in drive C has no label.
Volume Serial Number is 2629-16F0

Directory of C:\WINDOWS\system32

01/01/2006 11:15 PM 67,104 browsela.dll
1 File(s) 67,104 bytes

Directory of C:\!KillBox

01/01/2006 11:15 PM 67,104 browsela.dll
1 File(s) 67,104 bytes
Bobbi Flekman
Hi Darren,

I still need the output from RegDACL.

Launch Notepad, and copy/paste the box below into a new text file. Save it as getright.bat and save it on your Desktop.

CODE
cacls C:\WINDOWS\system32\browsela.dll > output.txt
notepad output.txt


Locate getright.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.
darren62
The Cacls command can be run only on disk drives that use the NTFS file system.


So am I supposed to use the RegDACL now?
Bobbi Flekman
QUOTE (darren62 @ Jan 19 2006, 04:04 AM)
The Cacls command can be run only on disk drives that use the NTFS file system.


So am I supposed to use the RegDACL now?
Ah! So.... the file system is FAT. That's one thing that is good to know. At least I know that file permissions will not hold us back. Can you still run RegDACL?

I also spoke with the creator of the Delf killer. He said that in the case of browsela.dll you will have to boot manually. So can you run Delfkill again and reboot manually where it says so?
darren62
Um, so I should run RegDACL first? Then Defkiller? Do I need to post any logs?
Bobbi Flekman
Hi darren62,

QUOTE
Um, so I should run RegDACL first? Then Defkiller? Do I need to post any logs?
You can run them both. They don't have any impact on each other. If you follow the instructions I posted earlier, you will get a file with the output from RegDACL, and WinDelfKiller will produce a log of its own. If you can post those two, including a new HijackThis log, we can go on.

I have also heard that there's a new version of The Delfkiller, so you might want to download the new version from http://users.telenet.be/marcvn/tools/win32delfkil.exe. From what I heard, the reboot problems have been handled.
darren62
Logfile of HijackThis v1.99.1
Scan saved at 11:29:40 PM, on 1/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\darren\My Documents\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121153143218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130976709265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
adsldpbf.dll
alt.exe

File(s) found in system32 folder
--------------------------------
browsela.dll

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{31EE3286-D785-4E3F-95FC-51D00FDABC01} REG_SZ Master Browseui

Notify key
----------
subkey browsela is present!



AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon

Notify key
----------



I couldn't find the log file for RegDACL, where could it be?

Edit - Am I supposed to use RegDACL or FixReg inside the RegTools folder?
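The comparison the helper makes by eye between the 1/16 and 1/20 HijackThis logs above, as an added Python example (not code from HijackThis, the forum, or any tool in this thread): it parses the "Oxx - ..." finding lines, reports which findings disappeared between two scans, and flags the two entry types this thread turned on, Winlogon Notify DLLs and BHOs registered without a class name. The KNOWN_NOTIFY allowlist and the flagging heuristics are this example's own assumptions, and the sample logs are constructed excerpts of the two logs in the thread.

```python
"""Compare two HijackThis logs (before/after a fix) and flag the entry types
this thread revolves around: O20 Winlogon Notify DLLs and O2 BHOs registered
without a class name.  Added example; not HijackThis or forum code."""
from __future__ import annotations
import re

# Every HijackThis finding is "<section> - <body>", e.g.
# "O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")

# Winlogon Notify packages the helper left alone in this thread.  Assumption:
# a reviewer's own allowlist, not anything HijackThis ships.
KNOWN_NOTIFY = {"igfxcui"}

# Constructed excerpts of darren62's 1/16 and 1/20 logs (real lines, trimmed).
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:50:43 PM, on 1/16/2006
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""
AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:29:40 PM, on 1/20/2006
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""


def parse_hjt(log: str) -> dict[str, set[str]]:
    """Group findings by section code; header lines do not match and are skipped."""
    entries: dict[str, set[str]] = {}
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m["sec"], set()).add(m["body"])
    return entries


def diff_logs(before: str, after: str) -> tuple[set[str], set[str]]:
    """Return (removed, added) finding lines.  A finding whose display name
    changed between scans (NAV Helper vs CNavExtBho Class) lands on both sides,
    so the lists are read, not just counted."""
    def flat(log: str) -> set[str]:
        return {f"{s} - {b}" for s, bodies in parse_hjt(log).items() for b in bodies}
    b, a = flat(before), flat(after)
    return b - a, a - b


def flag_entries(log: str) -> list[str]:
    """Findings a reviewer reads first, sorted."""
    flagged: list[str] = []
    entries = parse_hjt(log)
    for body in entries.get("O20", ()):
        # "Winlogon Notify: <subkey> - <dll>": winlogon.exe loads the DLL at
        # startup, so anything outside the allowlist is reviewed (browsela here).
        m = re.match(r"Winlogon Notify: (\S+) - (.+)$", body)
        if m and m.group(1) not in KNOWN_NOTIFY:
            flagged.append(f"O20 - {body}")
    for body in entries.get("O2", ()):
        # "BHO: <name> - {CLSID} - <dll>": vendors register a readable class
        # name; a BHO whose name is its own DLL path (adsldpbf.dll) did not.
        name = body.split(" - ")[0].removeprefix("BHO: ")
        if re.match(r"^[A-Za-z]:\\", name):
            flagged.append(f"O2 - {body}")
    return sorted(flagged)


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed by the fix:", *sorted(removed), sep="\n  ")
    print("new since the fix:", *sorted(added), sep="\n  ")
    print("flagged in the earlier log:", *flag_entries(BEFORE), sep="\n  ")
```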
Bobbi Flekman
Hi darren62,

QUOTE
I couldn't find the log file for RegDACL, where could it be?

Edit - Am I supposed to use RegDACL or FixReg inside the RegTools folder?
There's no need for it anymore :) This log looks clean! If you want you can delete the downloaded tools.

This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall, for example Sygate Personal Firewall or Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads, and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways; they are not only usually useless, but also often have malware in them....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts. If you are running Windows XP, get updated to SP-2.

Please post back if you are still having any problems....
darren62
Thanks Bobbi ^_^
Invision Power Board © 2001-2009 Invision Power Services, Inc.