Help battling Malware

Outsider

New member
Like many people, it seems, I also have command service problems. According to SpyBot, I had a couple of trojans and viruses, like "command service, Look2Me and others" (I mean all those were removed with Spybot, Spy Sweeper, ewido, Panda Antivirus and HijackThis).
I'm pretty sure most of the problems are gone. I ran HijackThis and I'll post the log.
After I ran Look2Me-Destroyer I'm having one slight problem. I'm not sure if it is related or not, but lately I can change everything on my desktop (like delete shortcuts, add program icons, change wallpaper, etc.), but when I boot the machine the next time, all the things I removed (program icons and shortcuts) appear again. I don't have a problem changing the wallpaper or removing some icons, but with some I do. For example, I removed the program BHODemon2, but every time I reboot the machine I get a message saying there is an error with BHODemon.lnk, and all the shortcuts I had deleted appear again. I've removed Panda Titanium 2006 (because I had problems during the installation) but the files are still on my C: drive. It seems that the computer is not saving my personal settings when I log out, and it started when I ran Look2Me-Destroyer, despite the fact that I had a lot of malware. Is it a malware problem, or is it more likely something else wrong with the computer? It's not too much of a bother, but it would be good if it can be fixed. Any ideas?
 
My HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:56:45, on 29/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\VRCCfgService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
C:\WINNT\system32\IIS\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\PROT_SRV.EXE
C:\WINNT\system32\pagents.exe
C:\WINNT\system32\PSTARTSR.EXE
c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\AGRSMMSG.exe
C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Pointsec\P95tray.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ESOE\ECC.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ESOE\EDMS\ECP.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hewlett-Packard\eWorkplace\eWLaunch.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
F2 - REG:system.ini: UserInit=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINNT\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LidPolicy] C:\Program Files\Hewlett-Packard\LidSwitch Policy\PwrSchem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Check for Pal Update.lnk = C:\Program Files\RDC\Dial-up Client\PALUpdate.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: eWorkplace Control Center.lnk = C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe
O4 - Global Startup: Monitor de conexão de telefone.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab
O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javaconnect/JavaConnect.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.ericsson.se/qp2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143827140223
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - https://host3.centra.com/SiteRoots/main/Install/CentraDownloader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINNT\system32\btxppanel.dll
O20 - Winlogon Notify: WinEvents - C:\WINNT\SYSTEM32\WinEvents.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: eWorkplace Inventory (Inventory) - Hewlett-Packard Sverige AB - C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
O23 - Service: eWorkplace Log (LogSvc) - TODO: <Company name> - C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Microsoft Security Center - Unknown owner - C:\WINNT\system32\IIS\svchost.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINNT\system32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINNT\system32\PSTARTSR.EXE
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: eWorkplace Scheduler (Scheduler) - Hewlett-Packard Sverige AB - C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Access Client Configuration Support (VRCCfgService) - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Access Client (VRCService) - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
 
I'll be happy to look this over for you. Could you please post a fresh HijackThis log so I can see where you are at this point?

In addition, I'd like to see an additional report. Open HijackThis and, instead of Scan, choose *Open Misc. Tools Section*.

From there, choose *Open Uninstall Manager*. Wait while it builds the list. When done, press the *Save List* button. Copy the contents of that report along with the new HijackThis scan log :)
 
My new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 16:15:16, on 7/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\VRCCfgService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
C:\WINNT\system32\IIS\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\PROT_SRV.EXE
C:\WINNT\system32\pagents.exe
C:\WINNT\system32\PSTARTSR.EXE
c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\AGRSMMSG.exe
C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Pointsec\P95tray.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Babylon\Babylon.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
F2 - REG:system.ini: UserInit=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINNT\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LidPolicy] C:\Program Files\Hewlett-Packard\LidSwitch Policy\PwrSchem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Check for Pal Update.lnk = C:\Program Files\RDC\Dial-up Client\PALUpdate.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: eWorkplace Control Center.lnk = C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe
O4 - Global Startup: Monitor de conexão de telefone.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Documentum Content Transfer 5.2.5 SP - http://esealmw066:8080/r8a10/wdk/contentXfer/ContentXfer.cab
O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javaconnect/JavaConnect.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143827140223
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - https://host3.centra.com/SiteRoots/main/Install/CentraDownloader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINNT\system32\btxppanel.dll
O20 - Winlogon Notify: WinEvents - C:\WINNT\SYSTEM32\WinEvents.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: eWorkplace Inventory (Inventory) - Hewlett-Packard Sverige AB - C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
O23 - Service: eWorkplace Log (LogSvc) - TODO: <Company name> - C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Microsoft Security Center - Unknown owner - C:\WINNT\system32\IIS\svchost.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINNT\system32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINNT\system32\PSTARTSR.EXE
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: eWorkplace Scheduler (Scheduler) - Hewlett-Packard Sverige AB - C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Access Client Configuration Support (VRCCfgService) - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Access Client (VRCService) - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
 
Now the Uninstall List

ACDSee
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
Adobe Acrobat 7.0.3 and Reader 7.0.3 Update
Agere Systems AC'97 Modem
ATI Display Driver
ATI MOBILITY RADEON 9600 Video Driver
Authorware Web Player
Babylon
Bluetooth by hp
Bluetooth Fix
Canon Camera TWAIN Driver 6.0
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
CentraOne
Chipset Software Installation Utility
Data Access Objects (DAO) 3.5
Dial-Up Client 4.1 for RACOM
DirectX 9 Hotfix - KB839643
Ericsson Fonts
ESOE2000 General Update
ESOE2000ClientUpdate
ewido anti-malware
Google Earth
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix Q296861 (QCHAIN)
Hotfix Q814078
Hotfix Q818043
Hotfix Q820888
Hotfix Q822831
Hotfix Q823353
Hotfix Q824105
Hotfix Q828028
Hotfix Q828741
Hotfix Q829558
Hotfix Q831167
Hotfix Q832353
Hotfix Q832414
Hotfix Q835732
Hotfix Q837001
Hotfix Q839643
Hotfix Q839645
Hotfix Q839654
Hotfix Q840315
Hotfix Q841872
Hotfix Q841873
Hotfix Q842526
HP BIOS Utility
HP Diagnostics for Windows
HP Driver Pack
HP Notebook LidSwitch Policy
IE5 Registration
Intel SpeedStep technology Applet 3.00 B4
Internet Explorer Q903235
InterVideo WinDVD
IRPF2004 - Declaração de Ajuste Anual
IRPF2005 - Declaração de Ajuste Anual
IRPF2006 - Declaração de Ajuste Anual
Kaspersky On-line Scanner
Kazaa Lite Resurrection 0.0.7.6 F
KB244474
KB824151
KB832483
KB833989
KB840987
KB841356
KB841533
KB883939
KB890046
KB890859
KB892944
KB893086
KB893756
KB894320
KB896358
KB896422
KB896423
KB896424
KB896688
KB896727
KB897715
KB898060
KB899587
KB899588
KB899589
KB900725
KB901017
KB901214
KB902400
KB903235
KB904706
KB905414
KB905495
KB905749
KB905915
KB908519
KB908523
KB911564
KB911565
KB912919
Macromedia Flash Player 8
MapInfo Professional 5.0
MapInfo Professional 6.5
MCOM3g V1.0.2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft DirectX 9.0
Microsoft Netmeeting
Microsoft Office Professional Edition 2003
Microsoft Streets and Trips 2005
Microsoft VGX Q833989
Monitor Drivers for Compaq 9500, HP L1730 and HP L1702
MSN Messenger 7.0
Multi-Calendar Viewer
NC 8000 Bios V F.17
Office 2000 Hotfix 021211
Office 2000 Hotfix 030226
Office Animation Runtime
Pointsec
Quick Launch Buttons 5.10 A2
RACOM via Internet Client
Receitanet 2006
Saída Definitiva do País 2005
Sametime Java Client
Security Update for Windows 2000 (KB904706)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
SEMC DSS SyncStation Driver
Shockwave and Flash Plug-In
Skype 2.0
SmartForce Player
Sony Ericsson PC Suite 3.2.0
Spybot - Search & Destroy 1.3
SteelRay Project Viewer
Sygate Security Agent 4.1
Symantec AntiVirus Client Special Non-Admin Install
Synaptics Pointing Device Driver
Update Rollup 1 for Windows 2000 SP4
VNC Agent - ESOE Edition
Windows 2000 Hotfix - KB839654
Windows 2000 Hotfix - KB883939
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB890923
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB898060
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix (SP5) Q818043
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Codecs
Windows Media Player system update (9 Series)
WinRAR archiver
Winzip 8.1
WS_FTP Pro 7
ZSMC USB PC Camera
 
Got 'em :)

I'm reviewing these now. It takes a few minutes to go over them and come back with a response.
 
Your Spybot is outdated - you need to uninstall it and download and install Spybot v. 1.4
http://www.spybot.info/en/download/index.html

A couple of suspicious-looking files I can't identify; I would like you to get them checked out here:

Virus Total
http://www.virustotal.com/

(Use the browse button to select the files, using the paths below, and submit them)

C:\WINNT\SYSTEM32\WinEvents.dll

C:\WINNT\system32\IIS\svchost.exe (Note the unusual location: it is the svchost.exe located in a folder named IIS. Don't confuse it with the legitimate svchost, located directly in the System32 folder.)

Wait while VirusTotal scans the file. It will present a report at the end. Please copy and paste all of the report into notepad and repeat for the second file. Please post the results of both back here.
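The point in the post above, that a file carrying a core Windows name such as svchost.exe belongs in one specific directory and is worth a second look anywhere else, can be checked mechanically over a HijackThis log instead of by eye. The script below is an added example written for this thread, not a tool from the thread or from HijackThis; it goes a little beyond the single svchost.exe case by checking a short list of core binaries, and it also pulls out the two other things a helper scans for in these logs: O2/O20 entries whose file is gone, and O23 services with no recorded vendor. It assumes a default Windows 2000 install in C:\WINNT (the platform shown in the logs); SYSTEM_ROOT, CORE_BINARIES and the sample log lines are assumptions or constructed from lines quoted in the thread.

```python
import ntpath
import re

# Assumption: a default Windows 2000 install in C:\WINNT, the platform the
# thread's logs report. Change this for a different system root.
SYSTEM_ROOT = r"C:\WINNT"

# Core Windows binaries and the subdirectory of SYSTEM_ROOT each ships in
# (assumed list). Only these names are checked; a same-named file running
# from anywhere else is flagged for review.
CORE_BINARIES = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "explorer.exe": "",          # lives directly in the system root
}


def expected_dir(name):
    """Normalised (lower-case, backslash) directory a core binary should run from."""
    sub = CORE_BINARIES[name]
    path = ntpath.join(SYSTEM_ROOT, sub) if sub else SYSTEM_ROOT
    return ntpath.normcase(path)


def parse_running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            paths.append(line)
    return paths


def misplaced_core_binaries(paths):
    """Paths whose file name is a core binary but whose directory is not the expected one."""
    hits = []
    for path in paths:
        name = ntpath.basename(path).lower()
        if name in CORE_BINARIES and ntpath.normcase(ntpath.dirname(path)) != expected_dir(name):
            hits.append(path)
    return hits


def dangling_entries(log_text):
    """O2 (BHO) and O20 (Winlogon Notify) entries pointing at a file that is no longer on disk."""
    return [line.strip() for line in log_text.splitlines()
            if re.match(r"O(2|20) - ", line.strip())
            and ("(no file)" in line or "(file missing)" in line)]


def unknown_owner_services(log_text):
    """O23 services whose binary carries no vendor information."""
    return [line.strip() for line in log_text.splitlines()
            if line.strip().startswith("O23 - Service:") and "Unknown owner" in line]


def triage(log_text):
    """Collect the three classes of findings for a human to review."""
    return {
        "misplaced": misplaced_core_binaries(parse_running_processes(log_text)),
        "dangling": dangling_entries(log_text),
        "unknown_owner": unknown_owner_services(log_text),
    }


# Constructed sample: a handful of lines copied from the thread's logs.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\IIS\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: WinEvents - C:\WINNT\SYSTEM32\WinEvents.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Microsoft Security Center - Unknown owner - C:\WINNT\system32\IIS\svchost.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
"""

if __name__ == "__main__":
    for kind, entries in triage(SAMPLE_LOG).items():
        print(kind)
        for entry in entries:
            print("  ", entry)
```

Each bucket is a prompt to look, not a verdict: the legitimate svchost.exe in System32 is not reported, while the copy under IIS is, and the same IIS path turning up again as the binary behind an O23 service is exactly the kind of correlation to take to VirusTotal as the post suggests. "Unknown owner" only means the service executable carries no vendor name, which is true of several legitimate entries in the logs above, and dangling O2/O20 entries are usually leftovers of uninstalled software worth cleaning rather than signs of infection.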
 
Logs from Virus Total

STATUS: FINISHED
Complete scanning result of "WinEvents.dll", received in VirusTotal at 05.08.2006, 00:47:15 (CET).

Antivirus Version Update Result
AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 05.05.2006 no virus found
AVG 386 05.05.2006 no virus found
Avira 6.34.1.58 05.07.2006 no virus found
BitDefender 7.2 05.07.2006 no virus found
CAT-QuickHeal 8.00 05.05.2006 no virus found
ClamAV devel-20060426 05.07.2006 no virus found
DrWeb 4.33 05.07.2006 no virus found
eTrust-InoculateIT 23.72.2 05.07.2006 no virus found
eTrust-Vet 12.4.2194 05.04.2006 no virus found
Ewido 3.5 05.07.2006 no virus found
Fortinet 2.71.0.0 05.07.2006 no virus found
F-Prot 3.16c 05.05.2006 no virus found
Ikarus 0.2.65.0 05.05.2006 no virus found
Kaspersky 4.0.2.24 05.08.2006 no virus found
McAfee 4756 05.05.2006 no virus found
Microsoft 1.1372 05.07.2006 no virus found
NOD32v2 1.1523 05.05.2006 no virus found
Norman 5.90.17 05.05.2006 no virus found
Panda 9.0.0.4 05.07.2006 no virus found
Sophos 4.05.0 05.07.2006 no virus found
Symantec 8.0 05.07.2006 no virus found
TheHacker 5.9.7.139 05.05.2006 no virus found
UNA 1.83 05.06.2006 no virus found
VBA32 3.11.0 05.06.2006 no virus found


Aditional Information
File size: 98304 bytes
MD5: 3e9437091dd889d45c3d7e743247d7b9
SHA1: def2db9c773f4d059f43f0ab1301806eea04d2a4

STATUS: FINISHED
Complete scanning result of "svchost.exe", received in VirusTotal at 05.08.2006, 00:51:50 (CET).

Antivirus Version Update Result
AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 05.05.2006 no virus found
AVG 386 05.05.2006 no virus found
Avira 6.34.1.58 05.07.2006 no virus found
BitDefender 7.2 05.07.2006 no virus found
CAT-QuickHeal 8.00 05.05.2006 Tool.XYNTService.c (Not a Virus)
ClamAV devel-20060426 05.07.2006 no virus found
DrWeb 4.33 05.07.2006 no virus found
eTrust-InoculateIT 23.72.2 05.07.2006 no virus found
eTrust-Vet 12.4.2194 05.04.2006 no virus found
Ewido 3.5 05.07.2006 no virus found
Fortinet 2.71.0.0 05.07.2006 no virus found
F-Prot 3.16c 05.05.2006 no virus found
Ikarus 0.2.65.0 05.05.2006 no virus found
Kaspersky 4.0.2.24 05.08.2006 no virus found
McAfee 4756 05.05.2006 no virus found
Microsoft 1.1372 05.07.2006 no virus found
NOD32v2 1.1523 05.05.2006 no virus found
Norman 5.90.17 05.05.2006 no virus found
Panda 9.0.0.4 05.07.2006 no virus found
Sophos 4.05.0 05.07.2006 no virus found
Symantec 8.0 05.07.2006 no virus found
TheHacker 5.9.7.139 05.05.2006 no virus found
UNA 1.83 05.06.2006 no virus found
VBA32 3.11.0 05.06.2006 no virus found


Aditional Information
File size: 53760 bytes
MD5: ea2e9e72f5bc8ac2549b325a757d321d
SHA1: 82968811c3329c44edf796acaaf3f04618f99d97

I'm installing the new Spybot now.
 
Thank you. I'd just like to verify those files. Can you put those two files into a zip file and send them to me in an email (by clicking this link)?
 
Sorry, I have had connection problems since Sunday night (bad modem), and they got me a replacement late today.

Those two files were ok (as I was at least able to email you that info).

So what problems remain at this point, Outsider?
 
Problem

About a month ago I noticed that my computer was infected by Look2Me, and after I ran Look2Me-Destroyer I'm having one slight problem. I'm not sure if it is related or not, but lately I can change my desktop (delete shortcuts, add program icons, change the wallpaper, etc.), but when I boot the machine the next time, all the things that I removed (program icons and shortcuts) appear again. I don't have a problem changing the wallpaper, just with the links and icons that appear on the desktop. For example, I removed the program BHODemon2, but when I reboot the machine a message appears saying there is an error with BHODemon.lnk; it happens with all the icons or links I had deleted, they all appear again. I've removed Panda Titanium 2006 (because I had problems during the installation) but the files were still on my drive C. It seems that the computer is not saving my personal settings when I log out, and it started when I ran Look2Me-Destroyer, even though I had a lot of malware. Is it a malware problem, or is it more likely something else wrong with the computer? It's not too much of a bother, but it'd be good if it can be fixed. Any ideas?
I mean, this is the problem. Can you help me?
 
No, those symptoms would not be caused by running Look2Me-Destroyer. It sounds more like something you have installed is protecting or blocking changes. Are there any notices coming up from software on reboot saying something to advise that changes were made/not made?
 
Save settings

No, it just starts to show that message from BHODemon and I see on my desktop all the icons that I've deleted back again, but no message from other software saying something like an autorecover. By the way, my OS is Windows 2000.
 
Let's see if this tool reveals anything:
Download Silent runners here (follow the instructions on that page)
http://www.silentrunners.org/sr_scriptuse.html

If you have antivirus script protection, please allow it (silentrunners.vbs) to run. While waiting, a box will say done.
Wait until there is an All Done message!! (this can take more than a few minutes), then open and post the log next to it.
 
Silent Runners Log

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Internat.exe" = "internat.exe" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" ["Symantec Corporation"]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"ATIPTA" = "C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe" ["ATI Technologies, Inc."]
"eabconfg.cpl" = "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start" ["Hewlett-Packard "]
"PRPCMonitor" = "PRPCUI.exe" ["Intel Corporation"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"LidPolicy" = "C:\Program Files\Hewlett-Packard\LidSwitch Policy\PwrSchem.exe" ["Hewlett-Packard"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe" [null data]
"Protect Tray" = ""C:\Program Files\Pointsec\P95tray.exe"" ["Pointsec Mobile Technologies AB"]
"SmcService" = "C:\PROGRA~1\Sygate\SSA\smc.exe -startgui" ["Sygate Technologies, Inc."]
"VRCNotify" = "C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe" ["Ericsson Enterprise AB"]
"Babylon Client" = "C:\Program Files\Babylon\Babylon.exe -AutoStart" ["Babylon Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense"
-> {HKLM...CLSID} = "GbIehObj Class"
\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINNT\system32\btneighborhood.dll" ["Broadcom Corporation"]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{fc181130-05a0-11d6-8140-000102e745a6}" = "Meu P910i"
-> {HKLM...CLSID} = "Meu P910i"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\auexpext.dll" ["Teleca Software Solutions AB"]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"
-> {HKLM...CLSID} = "GbPluginObj Class"
\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"
-> {HKLM...CLSID} = "GbPluginObj Class"
\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]
INFECTION WARNING! "{26A75E82-BB37-4F5F-98ED-8524EECB9CC9}" = (no title provided)
-> {HKLM...CLSID} = "CHook Object"
\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\eWorkplace\eWHook.dll" ["Hewlett-Packard Sverige AB"]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "GinaDLL" = "pssogina.dll" ["Pointsec Mobile Technologies AB"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WinEvents\DLLName = "WinEvents.dll" [null data]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoWindowsUpdate"=dword:00000001
[removes Windows Update GUI links and disables web site functionality]
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove links and access to Windows Update}

HIJACK WARNING! "DisableWindowsUpdateAccess"=dword:00000001
[disables Windows Update web site functionality]
{User Configuration|Administrative Templates|Windows Components|
Windows Update|Remove access to use all Windows Update features}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\pscr_nt.SCR" ["Pointsec Mobile Technologies AB"]


Startup items in "edbmja" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\edbmja\Start Menu\Programs\Startup
"BHODemon 2.0" -> shortcut to: "C:\Program Files\BHODemon 2\BHODemon.exe" [file not found]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation"]
"Check for Pal Update" -> shortcut to: "C:\WINNT\Installer\{171CCEE2-E89C-4C40-8849-EE6D86E9AE7E}\Icon096DFE551.exe" [null data]
"ESOE 2000 Client Update" -> shortcut to: "C:\WINNT\Installer\{82E85313-9E2F-4FDD-9D3A-3FBE2E5EACF1}\Icon82E85313.exe" [null data]
"ESOE Control Center" -> shortcut to: "C:\WINNT\Installer\{2A12A86D-31D8-4144-B61A-364D23F7AAAF}\Icon2A12A86D1.exe" [null data]
"ESOE2000ClientUpdate2" -> shortcut to: "C:\WINNT\Installer\{BD4BDBDF-AB9F-4DF8-89EB-4553F4FA833C}\IconBD4BDBDF.exe" [null data]
"eWorkplace Control Center" -> shortcut to: "C:\WINNT\Installer\{2862D052-7680-4016-8215-43204AA3040A}\Icon2862D052.exe" [null data]
"Monitor de conexão de telefone" -> shortcut to: "C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe" ["Teleca Software Solutions AB"]
"RVIMsgBox.exe" -> shortcut to: "C:\WINNT\Installer\{3A5BD0B8-D1FB-4ED3-92E8-F4771A66E74E}\Icon3A5BD0B81.exe" [null data]
"Visio Viewer Update Check" -> shortcut to: "C:\WINNT\Installer\{90520409-6000-11D3-8CFE-0150048383C9}\Icon905204091.ico" [null data]
"WinVNC" -> shortcut to: "C:\WINNT\Installer\{0AA12B8D-A8A0-46F5-A4DF-6B782772965A}\Icon0AA12B8D.exe" [null data]
"WinZip Quick Pick" -> shortcut to: "C:\WINNT\Installer\{C2361C98-E1D6-4B34-A8DF-3728E2958BA5}\Icon48FB34A8.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation"]
Ericsson Access Client, VRCService, "C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe" ["Ericsson Enterprise AB"]
Ericsson Access Client Configuration Support, VRCCfgService, "C:\WINNT\system32\VRCCfgService.exe" ["Ericsson Enterprise AB"]
ESOE Client Inventory Service, ECIS, "C:\Program Files\ESOE\EDMS\ECIS.exe" ["Hewlett-Packard Sverige AB"]
ESOE Log Service, ELogSrv, "C:\Program Files\ESOE\ELogSrv.exe" ["Hewlett-Packard Sverige AB"]
ESOE Process Manager, ESrv, "C:\Program Files\ESOE\ESrv.exe" ["Hewlett-Packard Sverige AB"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
eWorkplace Inventory, Inventory, "C:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe" ["Hewlett-Packard Sverige AB"]
eWorkplace Log, LogSvc, "C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe" ["TODO: <Company name>"]
eWorkplace Scheduler, Scheduler, "C:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe" ["Hewlett-Packard Sverige AB"]
Microsoft Security Center, Microsoft Security Center, "C:\WINNT\system32\IIS\svchost.exe" [null data]
Pointsec, Pointsec, "C:\WINNT\system32\PROT_SRV.EXE" [null data]
Pointsec service start, Pointsec_start, "C:\WINNT\system32\PSTARTSR.EXE" [null data]
Pointsec update agent, Pointsec_agent, "C:\WINNT\system32\pagents.exe" [null data]
SAVRoam, SAVRoam, "c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe" ["symantec"]
Sygate Security Agent, SmcService, "C:\Program Files\Sygate\SSA\smc.exe" ["Sygate Technologies, Inc."]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe" ["Symantec Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 2004 seconds, including 16 seconds for message boxes)
 
And a fresh HijackThis log please :blush:

I think I missed something, but I've been online 15 hours looking at nothing but logs and I'll revisit this in the a.m.

My apologies if I have but I'm too tired to see straight at the moment :sick:
 
I still need a fresh HijackThis log when you get a chance.

Also, in going over the silent runners log, I noticed a few things, but I have some questions.

1. Is this a home or office computer?

2. I see SpySweeper is one of the installed programs. What version is it? When did you install it?

3. Windows update is disabled. Is that on purpose? If not, I need to know so we can fix it.

4. Do you see any errors in the Windows application event log?
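The things a helper looks for first in a Silent Runners log (the INFECTION/HIJACK WARNING lines, the enabled policy values, and startup shortcuts whose target no longer exists, which is exactly the BHODemon.lnk symptom) can be pulled out automatically. The script below is an added illustration, not part of the thread or of the Silent Runners script itself; its sample input is a constructed excerpt of the log posted above.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the Silent Runners log posted in this thread.
SAMPLE_LOG = r"""
Startup items buried in registry:
---------------------------------
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WinEvents\DLLName = "WinEvents.dll" [null data]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoWindowsUpdate"=dword:00000001
HIJACK WARNING! "DisableWindowsUpdateAccess"=dword:00000001

Startup items in "edbmja" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\edbmja\Start Menu\Programs\Startup
"BHODemon 2.0" -> shortcut to: "C:\Program Files\BHODemon 2\BHODemon.exe" [file not found]
"""

DASHES = re.compile(r"-{3,}")
WARNING_RE = re.compile(r"(INFECTION|HIJACK) WARNING!\s*(.*)")
POLICY_RE = re.compile(r'"([^"]+)"=dword:([0-9A-Fa-f]{8})')
SHORTCUT_RE = re.compile(r'"([^"]+)" -> shortcut to: "([^"]+)" \[file not found\]')


def triage(log_text):
    """Group the lines a reviewer looks at first; values are (section, line) tuples."""
    findings = defaultdict(list)
    lines = log_text.splitlines()
    section = None
    for i, line in enumerate(lines):
        text = line.strip()
        # Silent Runners underlines every section title with a row of dashes.
        if i + 1 < len(lines) and DASHES.fullmatch(lines[i + 1].strip()):
            section = text.rstrip(":")
            continue
        if not text or DASHES.fullmatch(text):
            continue
        flag = WARNING_RE.match(text)
        if flag:
            findings[flag.group(1).lower() + "_warning"].append((section, flag.group(2)))
        if "[file not found]" in text:          # launch point whose file is gone
            findings["file_not_found"].append((section, text))
        elif "[null data]" in text:             # binary carries no company name
            findings["no_company_info"].append((section, text))
    return dict(findings)


def enabled_policies(findings):
    """Map each policy named in a HIJACK WARNING line to its DWORD value."""
    result = {}
    for _section, text in findings.get("hijack_warning", []):
        m = POLICY_RE.search(text)
        if m:
            result[m.group(1)] = int(m.group(2), 16)
    return result


def dead_startup_shortcuts(findings):
    """(name, target) for startup-folder shortcuts whose target is missing."""
    return [pair for _s, text in findings.get("file_not_found", [])
            for pair in SHORTCUT_RE.findall(text)]
```

Run it over a full log and the dead-shortcut list tells you which .lnk files in the Startup folders point nowhere, while the policy map shows which Windows Update restrictions are actually set.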
 