Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Steps taken - still infected possibly ac2_0003[1].exe

Started by effi13 , May 25 2006 09:40 AM

  • Please log in to reply

#1
effi13
Posted 25 May 2006 - 09:40 AM

effi13

    New Member

  • Member
  • Pip
  • 6 posts
I am still haveing extreme pop-ups and windows desktop appears different with weird outlinning around icons....

Ran various programs including Adaware, SpyBot, TrojanHunter, Online scan, Ewido...
Still no luck

Any help would be greatly appreciated

Getting multiple measages from symantec antivirus about ac2_0003[1].exe.
Here is my hijakThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:39:31 AM, on 5/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\DivX\uninstal.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [Video Lan Player] VideoLanPlayer.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\f8j2li1o18.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGhpbGlwIEVmZmxhbmQ\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements

#2
cfa-ddg2
Posted 25 May 2006 - 02:02 PM

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello effi13...I am reviewning you HJT log now and will work with G2G staff to help with your computer problem. I will post back as soon as possible.
  • 0

#3
cfa-ddg2
Posted 25 May 2006 - 03:08 PM

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello effi...

Download L2mfix.exe from one of these two locations...
- http://www.atribune.org/downloads/l2mfix.exe
- http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar like:

C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application..

Then please use "option #5" or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first. After you have run "Option #5", use the instructions above run "Option #1" again.
  • 0

#4
effi13
Posted 26 May 2006 - 01:30 PM

effi13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks for helping sorry i didnt see your post untill today. : )

Here is the log from l2mfix

L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s8rsli9718.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FA8CA798-CDF3-21D6-D2AC-DB3CDE0087BD}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{4C42D583-DB84-49DE-8361-F11F82D699A7}"=""
"{CD7EF96E-D056-43A5-9DAE-E6619C85FC52}"=""
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{229D00CB-12E9-424F-8740-14095DAFB4DC}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4C42D583-DB84-49DE-8361-F11F82D699A7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C42D583-DB84-49DE-8361-F11F82D699A7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C42D583-DB84-49DE-8361-F11F82D699A7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C42D583-DB84-49DE-8361-F11F82D699A7}\InprocServer32]
@="C:\\WINDOWS\\system32\\ldk.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CD7EF96E-D056-43A5-9DAE-E6619C85FC52}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CD7EF96E-D056-43A5-9DAE-E6619C85FC52}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CD7EF96E-D056-43A5-9DAE-E6619C85FC52}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CD7EF96E-D056-43A5-9DAE-E6619C85FC52}\InprocServer32]
@="C:\\WINDOWS\\system32\\vus_ps.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{229D00CB-12E9-424F-8740-14095DAFB4DC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{229D00CB-12E9-424F-8740-14095DAFB4DC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{229D00CB-12E9-424F-8740-14095DAFB4DC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{229D00CB-12E9-424F-8740-14095DAFB4DC}\InprocServer32]
@="C:\\WINDOWS\\system32\\iMlmgdev.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll Fri May 12 2006 12:25:46a A.... 687,592 671.48 K
bho.dll Fri May 12 2006 8:53:52a A.... 425,984 416.00 K
dmcl.dll Fri May 12 2006 8:53:44a A.... 94,208 92.00 K
imlmgdev.dll Thu May 25 2006 11:56:30a ..S.R 236,206 230.67 K
legitc~1.dll Wed May 17 2006 11:23:38a ..... 579,888 566.30 K
msxml3a.dll Thu May 11 2006 1:35:00p A.... 24,576 24.00 K
s8rsli~1.dll Thu May 25 2006 12:51:30p ..S.R 236,206 230.67 K
spmsg.dll Mon Apr 3 2006 11:40:10a ..... 14,048 13.72 K
sporder.dll Fri May 12 2006 8:55:38a A.... 8,464 8.27 K
stream~1.dll Thu May 25 2006 10:07:52a ....R 59,392 58.00 K

10 items found: 10 files (2 H/S), 0 directories.
Total of file sizes: 2,366,564 bytes 2.25 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Thu May 25 2006 9:37:48p ..S.R 236,206 230.67 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 236,206 bytes 230.67 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is IBM_PRELOAD
Volume Serial Number is 4443-B81A

Directory of C:\WINDOWS\System32

05/25/2006 09:37 PM 236,206 guard.tmp
05/25/2006 12:51 PM 236,206 s8rsli9718.dll
05/25/2006 11:56 AM 236,206 iMlmgdev.dll
05/16/2006 08:54 PM <DIR> dllcache
05/08/2006 03:47 PM 409,600 r?gsvr32.exe
09/24/2002 02:11 PM <DIR> Microsoft
4 File(s) 1,118,218 bytes
2 Dir(s) 38,316,769,280 bytes free
  • 0

#5
cfa-ddg2
Posted 26 May 2006 - 04:52 PM

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello again effi13....

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your Desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing "Enter", then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2Mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new Hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Note : Once the PC has restarted if a log does not appear or the icons didn't disappear, run the "second.bat" located inside the L2Mfix folder.
  • 0

#6
effi13
Posted 26 May 2006 - 05:28 PM

effi13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
L2mfix log:


L2mfix 051206
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)


HijakThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:28:21 PM, on 5/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {0F9CE4DB-E187-447E-AB73-4ACAB93C4FF6} - \
O2 - BHO: (no name) - {4BAB2FFB-3D72-4DD4-8D38-511CA6921805} - C:\Program Files\MSN Gaming Zone\mewo.dll (file missing)
O2 - BHO: (no name) - {8072D0F3-012F-49C0-9689-1EC6FC915455} - \
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1263
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\s8rsli9718.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGhpbGlwIEVmZmxhbmQ\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#7
cfa-ddg2
Posted 27 May 2006 - 08:59 AM

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello effi13...that didn't work...let's try this:

Please download Look2Me-Destroyer.exe to your desktop.* Close all windows before continuing.
* Double-click Look2Me-Destroyer.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
* When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
* Your computer will then shutdown.
* Turn your computer back on.
* Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support

Edited by cfa-ddg2, 27 May 2006 - 09:00 AM.

  • 0

#8
effi13
Posted 31 May 2006 - 09:36 AM

effi13

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Sorry i've been away the past couple days.


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/31/2006 9:12:02 AM

Infected! C:\WINDOWS\system32\owedlg.dll
Infected! C:\WINDOWS\system32\e6020gdoe60c0.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105275.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105276.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105277.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105278.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105279.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105280.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105281.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105283.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105291.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105305.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105306.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105380.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105391.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105396.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105405.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105409.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105413.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105422.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105426.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105435.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105445.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105446.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105458.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105459.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105469.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105470.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105480.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105481.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105491.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105492.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105502.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105503.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105517.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105518.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105528.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105532.dll
Infected! C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105536.dll
Infected! C:\WINDOWS\system32\e6020gdoe60c0.dll
Infected! C:\WINDOWS\system32\iMlmgdev.dll
Infected! C:\WINDOWS\system32\owedlg.dll
Infected! C:\WINDOWS\system32\__delete_on_reboot__iretppui.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\owedlg.dll
C:\WINDOWS\system32\owedlg.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\e6020gdoe60c0.dll
C:\WINDOWS\system32\e6020gdoe60c0.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105275.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105275.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105276.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105276.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105277.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105277.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105278.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105278.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105279.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105279.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105280.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105280.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105281.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105281.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105283.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105283.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105291.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105291.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105305.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105305.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105306.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1154\A0105306.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105380.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105380.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105391.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105391.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105396.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105396.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105405.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105405.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105409.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105409.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105413.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105413.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105422.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105422.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105426.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105426.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105435.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105435.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105445.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105445.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105446.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105446.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105458.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105458.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105459.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105459.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105469.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105469.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105470.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105470.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105480.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105480.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105481.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105481.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105491.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105491.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105492.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105492.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105502.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105502.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105503.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105503.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105517.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105517.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105518.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105518.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105528.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105528.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105532.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105532.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105536.dll
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP1158\A0105536.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\e6020gdoe60c0.dll
C:\WINDOWS\system32\e6020gdoe60c0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\iMlmgdev.dll
C:\WINDOWS\system32\iMlmgdev.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\owedlg.dll
C:\WINDOWS\system32\owedlg.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\__delete_on_reboot__iretppui.dll
C:\WINDOWS\system32\__delete_on_reboot__iretppui.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DateTime
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4C42D583-DB84-49DE-8361-F11F82D699A7}"
HKCR\Clsid\{4C42D583-DB84-49DE-8361-F11F82D699A7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CD7EF96E-D056-43A5-9DAE-E6619C85FC52}"
HKCR\Clsid\{CD7EF96E-D056-43A5-9DAE-E6619C85FC52}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{229D00CB-12E9-424F-8740-14095DAFB4DC}"
HKCR\Clsid\{229D00CB-12E9-424F-8740-14095DAFB4DC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4629D9E2-24B5-4D3B-B24D-9D96BAB276B2}"
HKCR\Clsid\{4629D9E2-24B5-4D3B-B24D-9D96BAB276B2}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded










Logfile of HijackThis v1.99.1
Scan saved at 11:33:38 AM, on 5/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [Video Lan Player] VideoLanPlayer.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [wallp2.exe] C:\Documents and Settings\Diane Effland\Application Data\System Restore\wallp2.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGhpbGlwIEVmZmxhbmQ\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#9
cfa-ddg2
Posted 31 May 2006 - 11:47 AM

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello again effi..welcome back. Looks like L2MDestroyer did it's job...



1. Please download Ewido Anti-Malware from here
  • Install ewido security suite
  • When installing the program, under "Additional Options" UNCHECK...
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should now be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Close Ewido Anti-Malware
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates

Do not use it yet, we will use it later.

2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3. We need to stop a Service...
- Click "Start" button then select "Run"
- Type "services.msc" (without quotes) then hit OK
- Scroll down and find the service called.

cmdService

- Right-click on Service and choose "Properties"
- On the "General" tab under "Service Status" click the "Stop" button to stop the service
- Beside "Startup Type" in the dropdown menu select "Disabled"
- Click Apply then OK. Exit the Services utility

4.Reveal Hidden Files
  • Click Start.
  • Open My Computer.
  • SelectTools menu
  • Click Folder Options.
  • Select the View Tab.
  • Check Show hidden files and foldersin the Hidden files and folders section.
  • Uncheck Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes.
  • Click OK.
5.Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O4 - HKCU\..\Run: [Video Lan Player] VideoLanPlayer.exe
O4 - HKCU\..\Run: [wallp2.exe] C:\Documents and Settings\Diane Effland\Application Data\System Restore\wallp2.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGhpbGlwIEVmZmxhbmQ\command.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

6. Reboot into safe mode by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

7. Please remove these entries from Add/Remove Programs in the Control Panel(if present). Click start>>control panel>>add/remove programs:

SurfSideKick


8.Please delete these folders using Windows Explorer(if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed folders, then right-click to select them and click delete


C:\WINDOWS\UGhpbGlwIEVmZmxhbmQ
C:\Documents and Settings\Diane Effland\Application Data\System Restore

9.Please delete these files using Windows Explorer(if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • I need you to search for the following file (click the search tab and select all files and folders)
  • Type/paste VideoLanPlayer.exe in the search box. Delete this file when found by right-clicking the file to select it and then clicking delete
10. Still in Safe Mode start Ewido Anti-Malware
  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido Anti-Malware
After running Ewido, Reboot into normal Windows mode.

11. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
12. Post back with the contents of:
  • the ActiveScan report
  • the Ewido log
  • a new HJT log
  • tell me how your system is running and what problems you are having

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP