"Only The Best" Spyware on my Computer

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by weirdocreep, Jun 17, 2004.

  1. weirdocreep

    weirdocreep Private E-2

    Basically, I'm having the same problem as everybody else. I send you the information so you can tell me what to do. WinShow and iefeatsl are not shown in Control Panel. I've already read the other posts, and tried some of the solutions you offered, but they were not successful... so... unless you help me, I'm burning my computer! Please help me (Computers are really expensive here in Argentina!).

    Logfile of HijackThis v1.97.7
    Scan saved at 10:09:50 p.m., on 17/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
    C:\Archivos de programa\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
    C:\Archivos de programa\No-IP\DUC20.exe
    C:\Archivos de programa\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\ORL\VNC\WinVNC.exe
    C:\WINDOWS\system32\sdkxg.exe
    C:\Archivos de programa\Macromedia\Flash Communication Server MX\FlashCom.exe
    C:\WINDOWS\system32\sysvx32.exe
    C:\ARCHIV~1\GENIUS~1\GNETMOUS.EXE
    C:\Archivos de programa\Microsoft Hardware\Keyboard\type32.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
    C:\Archivos de programa\Messenger\msmsgs.exe
    C:\Archivos de programa\Outlook Express\msimn.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\DOCUME~1\Gustavo_\CONFIG~1\Temp\Rar$EX00.453\HijackThis.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {B02D3C44-5088-4292-8040-CB902C2FAA78} - C:\WINDOWS\systn32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [WinVNC] "C:\Archivos de programa\ORL\VNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [sysvx32.exe] C:\WINDOWS\system32\sysvx32.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [mouseElf] C:\ARCHIV~1\GENIUS~1\GNETMOUS.EXE
    O4 - HKLM\..\Run: [IntelliType] "C:\Archivos de programa\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\ARCHIV~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\RunOnce: [crvs32.exe] C:\WINDOWS\system32\crvs32.exe
    O4 - HKLM\..\RunOnce: [netgq.exe] C:\WINDOWS\netgq.exe
    O4 - HKLM\..\RunOnce: [iewh32.exe] C:\WINDOWS\system32\iewh32.exe
    O4 - HKLM\..\RunOnce: [appbj32.exe] C:\WINDOWS\appbj32.exe
    O4 - HKLM\..\RunOnce: [adduo.exe] C:\WINDOWS\system32\adduo.exe
    O4 - HKLM\..\RunOnce: [mfcbm32.exe] C:\WINDOWS\mfcbm32.exe
    O4 - HKLM\..\RunOnce: [d3ip.exe] C:\WINDOWS\d3ip.exe
    O4 - HKLM\..\RunOnce: [mfcng.exe] C:\WINDOWS\system32\mfcng.exe
    O4 - HKLM\..\RunOnce: [ntpa.exe] C:\WINDOWS\system32\ntpa.exe
    O4 - HKLM\..\RunOnce: [atlmw32.exe] C:\WINDOWS\atlmw32.exe
    O4 - HKLM\..\RunOnce: [mfcua32.exe] C:\WINDOWS\system32\mfcua32.exe
    O4 - HKLM\..\RunOnce: [appxl32.exe] C:\WINDOWS\appxl32.exe
    O4 - HKLM\..\RunOnce: [sdkzh32.exe] C:\WINDOWS\sdkzh32.exe
    O4 - HKLM\..\RunOnce: [ipkq.exe] C:\WINDOWS\ipkq.exe
    O4 - HKLM\..\RunOnce: [crcj32.exe] C:\WINDOWS\system32\crcj32.exe
    O4 - HKLM\..\RunOnce: [crfw.exe] C:\WINDOWS\system32\crfw.exe
    O4 - HKLM\..\RunOnce: [mfcgl.exe] C:\WINDOWS\mfcgl.exe
    O4 - HKLM\..\RunOnce: [d3de32.exe] C:\WINDOWS\system32\d3de32.exe
    O4 - HKLM\..\RunOnce: [msvl32.exe] C:\WINDOWS\system32\msvl32.exe
    O4 - HKLM\..\RunOnce: [ieyz.exe] C:\WINDOWS\ieyz.exe
    O4 - Startup: PalNetaware.lnk = C:\Archivos de programa\Paltalk\pnetaware.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2DBEFB64-B6C4-4A2C-BE6A-16FF065B99C6} (cuadruple Class) - http://www.dialerzona.com/cuadruple.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
    O16 - DPF: {498A0AC2-A3AC-11D4-80A9-0050DA680987} (HearMe (Firewall) Voice Control) - http://www.englishtown.com/EtownResources/HearMe/hmvcfe.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7705BB09-BA19-11D4-ACD9-0050BAD92FE4} (EFSpeech Control) - http://lips.englishtown.com/efsr/EFSpeech.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37994.8547685185
    O16 - DPF: {A03B089C-4C55-11D4-A2F5-009027F1533D} (EFRecorder Control) - http://www.englishtown.com/schoolcontent4/shared/VoiceRecorder/EFVoiceRecorder.cab
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centra.englishtown.com/main/Install/en/US/CentraDownloader.cab
    O16 - DPF: {B397C5F7-629D-4BE7-855F-576C7929C151} (cont.ablb) - http://www.rentasgcba.gov.ar/abl_pat/distribuc/cont.CAB
    O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.talkingcommunities.com/client3/ivsetup3.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4351/mcfscan.cab
    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab


    --==***@@@ FIND-ALL' VERSION MODIFIED -6/14 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--
    17/06/2004
    10:15 p.m.
    System Info:
    Microsoft Windows XP [Version 5.1.2600]
    C: "" (7891:B51D) - FS:NTFS clusters:4k
    Total: 40 007 729 152 [37G] - Free: 31 576 559 616 [29G]

    *IE version and Service packs:
    6.0.2800.1106 C:\Archivos de programa\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS\system32\notepad.exe
    5.1.2600.0 C:\WINDOWS\notepad.exe
    *Media Player version :
    8.0.0.4490 C:\Archivos de programa\Windows Media Player\wmplayer.exe
    ! REG.EXE VERSION 2.0
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q330994;Q824145;Q832894;Q837009;Q831167;
    Locked or 'Suspect' file(s) found...
    These may be other files that Dllfix doesn't target.
    If no file is listed then Dllfix may not help.
    In this case please post the contents of Windows.txt so the appinit
    entry can be checked. You will find it in the dllfix folder after findall completes.
    Scanning for main Hijacker:
    Dllfix must have the Hijacker files in system32 to fix properly.
    If there are no protocol keys text/html and text/plain
    then dllfix may not work. This fix targets this type of Hijack Entry
    that keeps recurring with different filenames.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    = res://C:\WINDOWS\System32\xxxxxx.dll/sp.html (obfuscated)
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B02D3C44-5088-4292-8040-CB902C2FAA78}]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"
    REGEDIT4
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    ! REG.EXE VERSION 2.0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    *Security settings for 'Windows' key:

    If error than registry may need to be restored from option 4.
    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!
    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Usuarios
    (IO) ALLOW Read BUILTIN\Usuarios
    (NI) ALLOW Read BUILTIN\Usuarios avanzados
    (IO) ALLOW Read BUILTIN\Usuarios avanzados
    (NI) ALLOW Full access BUILTIN\Administradores
    (IO) ALLOW Full access BUILTIN\Administradores
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administradores
    (IO) ALLOW Full access CREATOR OWNER
    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Usuarios
    Read BUILTIN\Usuarios avanzados
    Full access BUILTIN\Administradores
    Full access NT AUTHORITY\SYSTEM
     
  2. weirdocreep

    weirdocreep Private E-2

    I forgot to mention that this is the Homepage: res://bmpxy.dll/index.html#96676
    Thank you very much! Salutes!
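Added triage script for the log above. This is not code from the original posts, from HijackThis or from Dllfix; it parses HijackThis-format lines and flags the three indicator types that stand out in this thread: randomly named executables dropped straight into C:\WINDOWS or system32 and launched from Run/RunOnce, a "(no name)" BHO loaded from those same folders (systn32.dll), and a start page pointing at a res:// resource inside a DLL. The sample input is an excerpt of the posted log; the R0 line is constructed from the homepage given in the follow-up post. The name-shape regex, the allowlist and the "Windows folder" path rule are assumptions chosen to fit this log, not HijackThis's own logic. Because the findall output notes that the hijack "keeps recurring with different filenames", the script matches the shape of the names rather than a fixed list.

```python
"""Flag CoolWebSearch-style hijack indicators in a HijackThis log.

Added example for this thread, not part of HijackThis or the original posts.
Heuristics (assumptions drawn from the log above): randomly named executables
directly in %WINDIR% or system32 started from Run/RunOnce, a nameless BHO
loaded from those folders, and a start/search page served from a res:// DLL.
"""
import re
from dataclasses import dataclass

# Excerpt of the log posted above; the R0 line is constructed from the
# homepage given in the follow-up post, written in HijackThis's own format.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bmpxy.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B02D3C44-5088-4292-8040-CB902C2FAA78} - C:\WINDOWS\systn32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Archivos de programa\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [sysvx32.exe] C:\WINDOWS\system32\sysvx32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [crvs32.exe] C:\WINDOWS\system32\crvs32.exe
O4 - HKLM\..\RunOnce: [netgq.exe] C:\WINDOWS\netgq.exe
O4 - HKLM\..\RunOnce: [ieyz.exe] C:\WINDOWS\ieyz.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O4_BODY = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_BODY = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
# A file sitting directly in %WINDIR% or %WINDIR%\system32 (no deeper subfolder).
WIN_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\(?:system32\\)?(?P<file>[^\\]+)$", re.IGNORECASE)
# The dropper's naming shape seen in the log: a few letters, optional "32", ".exe".
RANDOM_EXE = re.compile(r"^[a-z]{2,6}(?:32)?\.exe$", re.IGNORECASE)
# Legitimate binaries sharing that shape in those folders (assumed allowlist; extend as needed).
KNOWN_GOOD = {"nwiz.exe", "ctfmon.exe", "rundll32.exe"}


@dataclass
class Finding:
    section: str
    target: str
    reason: str


def first_token(cmd: str) -> str:
    """Return the executable part of a Run value; quoted paths may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def scan(text: str) -> list[Finding]:
    """Walk the log once and collect every line matching one of the three rules."""
    findings = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1") and "= res://" in body:
            findings.append(Finding(section, body.split("= ", 1)[1],
                                    "IE start/search page served from a res:// DLL resource"))
        elif section == "O2":
            b = O2_BODY.match(body)
            if b and b.group("name") == "(no name)" and WIN_ROOT.match(b.group("path")):
                findings.append(Finding(section, b.group("path"),
                                        "nameless BHO loaded from the Windows folder"))
        elif section == "O4":
            b = O4_BODY.match(body)
            if not b:
                continue  # Startup-folder .lnk lines have no [name] and are skipped
            exe = first_token(b.group("cmd"))
            w = WIN_ROOT.match(exe)
            if w and RANDOM_EXE.match(w.group("file")) and w.group("file").lower() not in KNOWN_GOOD:
                findings.append(Finding(section, exe,
                                        f"randomly named executable in Windows folder ({b.group('key')})"))
    return findings


def files_to_remove(findings: list[Finding]) -> list[str]:
    """Unique on-disk targets the findings point at, as a manual cleanup checklist."""
    return sorted({f.target for f in findings if "\\" in f.target})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.section}: {f.target}  <- {f.reason}")
```

Run against the excerpt it flags the res:// start page, systn32.dll, sysvx32.exe and the three RunOnce droppers, and leaves WinVNC, nwiz and the NvCpl rundll32 entry alone. Treat the output as a list to review by hand, not to delete blindly: the allowlist is deliberately short, and a legitimate tool installed into the Windows folder with a short name would be flagged too.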
     
  3. jnick

    jnick Private E-2

    Check out a couple of threads down, the 3-page one. Read my response.

    Jnick
     
