#2
Administrator
Join Date: Apr 2005
Location: London
Age: 26
Posts: 9,147
__________________
What did one snowman say to the other? Can you smell carrot? The fight is won or lost far away from witnesses - behind the lines, in the gym, and out there on the road, long before I dance under those lights. How you do anything is how you do everything!
#4
Administrator
Join Date: Apr 2005
Location: London
Age: 26
Posts: 9,147
Well, what programs are telling you that you have infections? The only freeware programs you should be relying on are the ones in that list. Try posting your HijackThis log.
Hijackthis Logs
#6
New Member
Join Date: Oct 2005
Posts: 7
Hey daredare11
Try also doing an online scan here and posting the report on the forum.
[FOR HIJACKTHIS]
1. Download HijackThis here: Download Hijackthis
2. Make a permanent folder for HijackThis. Name it Hijackthis.
3. Run HijackThis -> Do a system scan and save logfile.
4. Post your log here. I or someone else will look at it.
Last edited by Yusuke; 10-17-2005 at 07:41 PM.
#7
New Member
Join Date: Aug 2005
Posts: 23
Logfile of HijackThis v1.99.1
Scan saved at 2:55:13 PM, on 10/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Derek\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp82F8.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: TimeSync.lnk = C:\Program Files\eOn\TimeSync\TimeSync.exe
O4 - Global Startup: Ufmt32.lnk = C:\Program Files\eOn\Unformatted Reports\Ufmt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.playfirst.com/play/game/l...jolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\q126181.dll (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
#9
New Member
Join Date: Oct 2005
Posts: 7
I'm sorry, I went to dinner.
Can you send me the complete report of the scan? When the scan is finished, click on SEE REPORT and SAVE REPORT. Save it, copy the report and paste it here.
__________________________________________________
You must download this software before proceeding:
Microsoft AntiSpyware Beta <<- only if you have Windows XP or Windows 2000
Spybot Search & Destroy
Ad-Aware SE
RegSeeker
CCleaner
SpywareBlaster
CWShredder
__________________________________________________
Enabling Show All Files
This procedure allows you to access hidden malware files using Windows Explorer.
• On Windows NT
1. Open Windows Explorer. Right-click Start then click Explore.
2. On the View menu, click Options or Folder Options.
3. Click the View tab.
4. Select Show all files, then click OK.
• On Windows 2000 and XP
1. Open Windows Explorer. Right-click Start then click Explore.
2. On the Tools menu, click Folder Options.
3. Click the View tab.
4. Select Show hidden files and folders, then click OK.
5. Uncheck the Hide protected operating system files check box (if found).
6. Click Yes when prompted.
7. Uncheck the Hide file extensions for known file types check box.
8. Click OK.
__________________________________________________
How to disable System Restore
The following procedure disables the System Restore feature:
For Windows ME
1. Right-click the My Computer icon on the Desktop and click Properties.
2. Click the Performance tab.
3. Click the File System button.
4. Click the Troubleshooting tab.
5. Select Disable System Restore.
6. Click Apply > Close > Close.
7. When prompted to restart, click Yes.
8. Press F8 while the system restarts.
9. Choose Safe Mode, then hit the Enter key.
10. After your system has restarted, continue with the scan/clean process. Files under the _Restore folder can now be deleted.
11. Re-enable System Restore by clearing Disable System Restore and restarting your system normally.
For Windows XP
1. Log on as Administrator.
2. Right-click the My Computer icon on the desktop and click Properties.
3. Click the System Restore tab.
4. Select Turn off System Restore.
5. Click Apply > Yes > OK.
6. Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
7. Re-enable System Restore by clearing Turn off System Restore.
__________________________________________________
Restarting in Safe Mode
• On Windows NT (VGA mode)
1. Click Start > Settings > Control Panel.
2. Double-click the System icon.
3. Click the Startup/Shutdown tab.
4. Set the Show List field to 10 seconds and click OK to save this change.
5. Shut down and restart your computer.
6. Select VGA mode from the startup menu.
• On Windows 2000
1. Restart your computer.
2. Press the F8 key when you see the Starting Windows bar at the bottom of the screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu, then press Enter.
• On Windows XP
1. Restart your computer.
2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu, then press Enter.
__________________________________________________
1. Start HijackThis and click on "Do a system scan only".
2. Tick the following lines and click on "Fix checked":
__________________________________________________
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\intmonp.exe
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp82F8.tmp
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.playfirst.com/play/game/...mjolauncher.cab
O20 - Winlogon Notify: style32 - C:\WINDOWS\q126181.dll (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O4 - Global Startup: Ufmt32.lnk = C:\Program Files\eOn\Unformatted Reports\Ufmt32.exe
__________________________________________________
Open Task Manager (CTRL+ALT+DEL) and terminate these processes:
popuper.exe
shnlog.exe
intmon.exe
intmonp.exe
msmsgs.exe
__________________________________________________
Deleting Malware Files
1. Start/Find
2. In the Named input box, type:
popuper.exe
shnlog.exe
intmon.exe
intmonp.exe
msmsgs.exe
3. Select the file, then press Delete.
__________________________________________________
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
4. In the right pane, delete the following value:
Rundll64 c:\windows\rundll64.exe
5. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
6. In the right pane, delete the following values:
Windows Update C:\WINDOWS\Start Menu\Programs\Windows Update\file###.###.exe
Regedit C:\windows\regedit.exe
7. Navigate to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
8. In the right pane, delete the following values:
Windows c:\windows\windows.exe
MSMSGS c:\msmsgs.exe
9. Navigate to the following keys and restore their default values:
NOTE: The default value in these cases refers to what program you have set up to open files of these types when you double-click these files. This will vary according to which programs you have installed on your computer. The worm changes these values so that the worm will run when you attempt to run any of these file types. Unless you know what each value should be, it may be easier to reinstall the software that you normally use to open each type of file.
HKEY_CLASSES_ROOT\mp3file\shell\open\command
HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command
HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command
HKEY_CLASSES_ROOT\mp3file\shell\play\command
HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command
HKEY_CLASSES_ROOT\JSFile\Shell\Open2\Command
HKEY_CLASSES_ROOT\txtfile\shell\open\command
10. Click Registry, and click Exit.
Last edited by Yusuke; 10-17-2005 at 08:51 PM.
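The log in post #7 and the "fix checked" list in post #9 are the kind of thing a helper works through by eye: a process running from the Windows directory that no Run key explains, a BHO loaded from a .tmp file under an all-F placeholder CLSID, msmsgs.exe appearing both in Program Files\Messenger and in System32, a Winlogon Notify DLL sitting outside System32. The script below is an added example for this thread, not part of the forum posts and not HijackThis's own logic: it parses an HJT 1.99-style log into its process list and R/O entries and applies those heuristics plus an "orphaned entry" check. The heuristics, the CORE process set and the assumption that %WinDir% is C:\WINDOWS are the author's own choices, and the embedded sample is an excerpt of the log above, trimmed to the lines the checks need.

```python
"""Triage a HijackThis 1.99 log: split it into running processes and R/O
entries, then flag what matches a few persistence/masquerading heuristics.
Added example for this thread, not HijackThis's own logic; the heuristics are
the author's assumptions and yield candidates for a human, not verdicts."""
import ntpath
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "category subject reason")

# Excerpt of the log posted above, trimmed to the lines the heuristics need.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\explorer.exe

O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp82F8.tmp
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\q126181.dll (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
# Drive-letter path up to a binary extension; stops before " /flags" and "(file missing)".
WINPATH = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|]+\\)*[^\\/:*?"<>|]+?\.(?:exe|dll|ocx|tmp|cab)\b', re.I)
BARE_NAME = re.compile(r"\b[\w.\-]+\.(?:exe|dll|ocx)\b", re.I)   # e.g. "[BCMSMMSG] BCMSMMSG.exe"

# Core NT processes never carry an O4 entry; anything else running from the Windows
# directory needs an O4 (autostart) or O23 (service) entry to explain it (assumption).
CORE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
        "svchost.exe", "spoolsv.exe", "explorer.exe", "fxssvc.exe"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}   # assumed %WinDir%


def parse(log_text):
    """Return (running_processes, [(kind, text), ...]) from HJT log text."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:                       # the block ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1).upper(), m.group(2)))
    return processes, entries


def target_path(text):
    """Best-effort path (or bare file name) that an entry launches or loads."""
    m = WINPATH.search(text) or BARE_NAME.search(text)
    return m.group(0) if m else None


def triage(processes, entries):
    findings, started = [], set()          # started: basenames with an O4/O23 entry
    dirs_by_name = defaultdict(set)        # basename -> directories it is launched from
    for kind, text in entries:
        path = target_path(text)
        base = ntpath.basename(path).lower() if path else ""
        folder = ntpath.dirname(path).lower() if path else ""
        reasons = []
        if kind in ("O4", "O23") and base:
            started.add(base)
            dirs_by_name[base].add(folder)
        if kind == "O2" and (base.endswith(".tmp") or "{FFFFFFFF-" in text.upper()):
            reasons.append("BHO loaded from a .tmp file or placeholder CLSID")
        if kind == "O20" and folder != r"c:\windows\system32":
            reasons.append("Winlogon Notify DLL outside System32")
        if "(file missing)" in text or "(no file)" in text:
            reasons.append("orphaned entry, target file absent")
        if reasons:
            findings.append(Finding(kind, text, "; ".join(reasons)))
    for base, folders in dirs_by_name.items():   # e.g. msmsgs.exe launched from two places
        if len(folders) > 1:
            findings.append(Finding("O4", base, f"same file name launched from {len(folders)} directories"))
    for proc in processes:
        base = ntpath.basename(proc).lower()
        if base not in CORE and base not in started and ntpath.dirname(proc).lower() in WINDOWS_DIRS:
            findings.append(Finding("process", proc, "runs from the Windows directory with no O4/O23 entry"))
    return findings


if __name__ == "__main__":
    for f in triage(*parse(SAMPLE_LOG)):
        print(f"[{f.category}] {f.subject}\n    -> {f.reason}")
```

Run against the excerpt it surfaces the same items the helper ticked (popuper.exe, shnlog.exe, intmon.exe, intmonp.exe, the hp82F8.tmp BHO, the System32 copy of msmsgs.exe, the style32 Winlogon Notify entry, the orphaned toolbar) and one false positive: bcmwltry.exe, which has no O4 entry of its own because, on the assumption that it belongs to the Broadcom wireless utility whose WLTRYSVC service appears at O23, it is started by that service. That is exactly why the output is a list of candidates for a human to check against a known-file reference rather than a list to delete; the process check in particular only looks at the two Windows directories, so a full run against the whole log should be paired with the O16/O9 review the helper did by hand.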