asd.cpy.cll keeps coming back!!!

Discussion in 'adware, spyware & hijack cleaning' started by adamsapl, Apr 29, 2004.

Thread Status:
Not open for further replies.
  1. adamsapl

    adamsapl Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    2
    I know I've got some sort of spyware/hijack going on...

    the file c:\windows\syste32\asd.cpy.dll keeps on coming back, no matter what I do. I ran startuplist.exe and got the following:


    StartupList report, 4/29/2004, 3:10:48 AM
    StartupList version: 1.52
    Started from : C:\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using verbose mode
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\Fast.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe
    C:\StartupList.exe

    This lists all processes running in memory, which are all active
    programs and some non-exe system components.

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    These are Windows NT/2000/XP specific startup locations. They
    execute when the user logs on to his workstation.

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

    This lists programs that run Registry keys marked by Windows as
    'Autostart key'. To the left are values that are used to clarify what
    program they belong to, to the right the program file that is started.

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\AutoCADScript\shell\open\command

    (Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

    This Registry value determines how Windows runs files (in this case
    .SCR files). If this file is executable, it should read "%1" %*.
    ("%1" /S for screensavers, .SCR files.) If it needs to be opened
    with some other program, it should read program.exe "%1" %*.
    File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR.
    File types that are not executable are types like .DOC, .LNK, .BMP,
    .JPEG, .SHS, .VBS, .HTA etc.

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

    Programs listed here are components of the Windows Setup that were
    only ran when Windows started for the first time. To prevent them
    from running multiple times, Windows checks for a key with the same
    name at the HKCU root. If it's not found, the component at the HKLM
    root is ran, and a matching key is created at the HKCU root so the
    component is not ran again next time. Most entries involve either
    RUNDLL.EXE or RUNDLL32.EXE, so a suspicious key is not hard to find.

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=hplun.dll

    These two entries in WIN.INI are leftover from Windows 3.x, which
    used them as values denoting programs that should be started up
    with Windows. Since Windows 95 and higher uses the Registry to
    store locations of autostart folders, these two entries in WIN.INI
    are redundant, and are rarely used.

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\SHARKV~1.SCR
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    The Shell key from SYSTEM.INI tells Windows what file handles
    the Windows shell, i.e. creates the taskbar, desktop icons etc. If
    programs are added to this line, they are all ran at startup.
    The SCRNSAVE.EXE line tells Windows what is the default screensaver
    file. This is also a leftover from Windows 3.x and should not be used.
    (Since Windows 95 and higher stores this setting in the Registry.)
    The 'drivers' line loads non-standard DLLs or programs.

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    Due to a bug in Windows 9x, it mistakenly uses C:\Explorer.exe and
    other instances (if present) when searching for Explorer.exe.
    Explorer.exe should only exists in the Windows folder.
    Windows NT is vulnerable to this as well, but only if the
    'Shell' Registry value from the previous section
    is just 'Explorer.exe' instead of the full path.
    Additionally, presence of \WINDOWS\Explorer\Explorer.exe indicates
    infection with the W32@Trojan.Dlder virus.

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: *Registry value not found*
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    Some file extensions are always hidden, like .lnk (shortcut) and
    .pif (shortcut to MS-DOS program). The Life_Stages virus was a .shs
    (Shell Scrap) file that had the extension hidden by default. This can
    be a security risk when a virus with a double-extension filename is
    on the loose, since the extension can be hidden even when 'Don't show
    extensions for known filetypes' is turned off.
    The shortcut overlay acts as a reminder that the file is just a shortcut.
    If the shortcut overlay is removed, the difference between a file and
    a shortcut is invisible.

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Norton SystemWorks One Button Checkup.job
    Symantec Drmc.job
    Symantec NetDetect.job

    The Windows Task Scheduler can run programs at a certain time,
    automatically. Though very unlikely, this can be exploited by
    making a job that runs a virus or trojan.

    --------------------------------------------------

    Enumerating Download Program Files:

    [ICSScannerLight Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ICSScannerLight.dll
    CODEBASE = http://download.zonelabs.com/bin/free/cm/ICSCM.cab

    The items in Download Program Files are programs you downloaded and
    automatically installed themselves in MSIE. Most of these are Java
    classes Media Player codecs and the likes. Some items are only
    visible from the Registry and may not show up in the folder.

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
    Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    InteractiveLogon: C:\WINDOWS\System32\Fast.exe -service (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    LicCtrl Service: C:\WINDOWS\runservice.exe (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
    Message Queuing: C:\WINDOWS\System32\mqsvc.exe (autostart)
    Message Queuing Triggers: C:\WINDOWS\System32\mqtgsvc.exe (autostart)
    Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe" (autostart)
    NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    Password: %SystemRoot%\System32\PwdServ.exe (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    SAVScan: C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe (autostart)
    ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Speed Disk service: C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
    symlcbrd: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys (autostart)
    SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (autostart)
    TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)
    Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)


    Windows NT4/2000/XP launches several dozen of 'services' when
    your system starts that range in importance from system-
    critical (like RPCSS) to redundant (Remote Registry Editor),
    or even dangerous (Universal Plug & Play). Though very little
    malicious programs use this type of startup, it is included here
    for completeness.
    Windows 9x/ME launches system-critical files in a similar way
    at system startup, but unlike Windows NT services, the Windows 9x
    VxD services are all important, and much less in number. Practically
    the only non-Microsoft programs starting from here are software firewalls.

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    CDBurn: *Registry key not found*

    This Registry key lists several system components are loaded at
    system startup. Not much is known about this key since it is
    virtually undocumented and only used by programs like the Volume
    Control, IE Webcheck and Power Management icons. However, a
    virus/trojan in the form of a DLL can also load from this key.
    The Hitcap trojan is an example of this.

    --------------------------------------------------
    End of report, 16,558 bytes
    Report generated in 0.172 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    any help with this would be greatly appreciated
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  3. adamsapl

    adamsapl Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    2
    Hijack this log

    Thanks for the help, logging into my local account is fast like it used to be, and no more asd.cpy.dll error anymore.

    I downloaded and ran the kill2me program, it successfully removed what it set out to.

    I then ran pest patrol, and it showed a few cookies, nothing serious.

    Followed by running Ad-Aware and it showed clean system.

    The following is my Hijack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:07:38 PM, on 4/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\Fast.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\explorer.exe
    C:\hij\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = nov
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
    O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Control Pad (HKLM)
    O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-40971 (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-205 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-40970 (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-40971 (HKCU)
    O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-205 (HKCU)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\rma_resource.dll,-40970 (HKCU)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Re: Hijack this log

    Hi adamsapl,

    Good job. :cool:

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 ieautosearch

    And read https://www.wilderssecurity.com/showthread.php?t=27971 for some tips to stay out of trouble.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.