
Help please: random things popping up, being installed, not working



#1 eternalduck (New Member, 5 posts)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\S2hhbmg\command.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
G:\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aanet.com.au/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [33b7b426.exe] C:\WINDOWS\System32\33b7b426.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [33b7b426.exe] C:\Documents and Settings\Khanh.KHANH-MPJXPNS0M\Local Settings\Application Data\33b7b426.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1162
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgAU2404.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{858ECA30-F71B-4EBC-AE17-F33EB33EFD16}: NameServer = 202.63.39.130 202.63.43.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{858ECA30-F71B-4EBC-AE17-F33EB33EFD16}: NameServer = 202.63.39.130 202.63.43.130
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\s4rsle971h.dll
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)
O23 - Service: aol software (Aol Software) - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2hhbmg\command.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Lots of annoying things:
- popups, mainly ending in tau.html
- shortcuts being made for websites
- .exe files being made
- new random processes being run

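A reader triaging the log above looks for a handful of tell-tale patterns: entries whose target file no longer exists, services with no vendor, a core system binary name (smss.exe) sitting in C:\WINDOWS instead of System32, a hex-random name in the Run keys, an O16 ActiveX object fetched as a bare .exe from a raw IP address, and folder names that turn out to be the account name in base64 (S2hhbmg decodes to Khanh, the user name in the profile path). The following Python is an added example, not HijackThis code and not part of the original thread; it encodes those rules and runs them over a constructed sample made from the log lines quoted above. The rule names and thresholds are my own.

```python
"""Triage rules for HijackThis-style log lines (added example, not HijackThis code).

Each rule encodes one thing a malware-removal helper looks for when reading a
log: entries pointing at files that no longer exist, services with no vendor,
core system binary names living outside System32, hex-random autostart names,
ActiveX (O16) downloads from a raw IP or of a bare .exe, and folder names that
are just the victim's account name in base64 (S2hhbmg decodes to Khanh).
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the log lines quoted in the thread above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [33b7b426.exe] C:\WINDOWS\System32\33b7b426.exe
O4 - HKCU\..\Run: [33b7b426.exe] C:\Documents and Settings\Khanh.KHANH-MPJXPNS0M\Local Settings\Application Data\33b7b426.exe
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgAU2404.exe
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)
O23 - Service: aol software (Aol Software) - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2hhbmg\command.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# On Windows XP these names belong in %SystemRoot%\System32 only; the same name
# one level up (C:\WINDOWS\smss.exe) is a masquerade, not the real process.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.I)
IPV4_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})[:/]")
PROFILE = re.compile(r"Documents and Settings\\([^\\.]+)")
ORPHAN = re.compile(r"\((?:no file|file missing)\)", re.I)


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def b64_word(token: str) -> str | None:
    """Decode an unpadded base64 token; return it only if it is plain ASCII letters/digits."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        text = raw.decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    return text if text.isalnum() else None


def check_path(path: str, usernames: set[str], reasons: list[str]) -> None:
    """Apply the path-based rules to one Windows path found on a log line."""
    parts = path.split("\\")
    name = parts[-1].lower()
    parent = parts[-2].lower() if len(parts) > 1 else ""
    if name in SYSTEM32_ONLY and parent != "system32":
        reasons.append(f"system binary name outside System32: {path}")
    if HEX_NAME.match(name):
        reasons.append(f"hex-random autostart image: {parts[-1]}")
    for folder in parts[1:-1]:  # skip the drive letter and the file name
        decoded = b64_word(folder) if len(folder) >= 4 else None
        if decoded and decoded.lower() in usernames:
            reasons.append(f"folder {folder} is base64 of account name {decoded}")


def triage(log_text: str) -> list[Finding]:
    """Return the log lines that trip at least one rule, with the reasons."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Account names seen in profile paths feed the base64 folder rule.
    usernames = {m.group(1).lower() for ln in lines for m in PROFILE.finditer(ln)}
    findings: list[Finding] = []
    for line in lines:
        reasons: list[str] = []
        if ORPHAN.search(line):
            reasons.append("entry points at a file that no longer exists")
        if line.startswith("O23") and "Unknown owner" in line:
            reasons.append("service with no vendor information")
        if line.startswith("O16"):
            if (m := IPV4_URL.search(line)):
                reasons.append(f"ActiveX download from raw IP {m.group(1)}")
            if line.lower().endswith(".exe"):
                reasons.append("ActiveX object is a bare executable, not a .cab")
        for path in WIN_PATH.findall(line):
            check_path(path, usernames, reasons)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run on the sample, seven of the nine lines are flagged; the two that survive untouched are the ZoneAlarm client and its vsmon service, which is the same split the helper arrives at in the reply below. The rules are deliberately narrow: an unknown owner or a missing file is a reason to look, not proof of infection, and a real triage still checks each flagged path by hand.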


#2 Wizard (Retired Staff, 5,661 posts)

Hi eternalduck and Welcome to GeekstoGo!

Go to Add/Remove Programs and remove these:

Network Monitor

Command <-- Download and run the uninstaller, follow the prompts to reboot.


Download WinPFind to your C Drive.
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

F2 - REG:system.ini: UserInit=userinit.exe

O4 - HKLM\..\Run: [33b7b426.exe] C:\WINDOWS\System32\33b7b426.exe

O4 - HKCU\..\Run: [33b7b426.exe] C:\Documents and Settings\Khanh.KHANH-MPJXPNS0M\Local Settings\Application Data\33b7b426.exe

O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1162

O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgAU2404.exe

O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)

O23 - Service: aol software (Aol Software) - Unknown owner - C:\WINDOWS\smss.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2hhbmg\command.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\smss.exe
    C:\WINDOWS\System32\33b7b426.exe
    C:\Documents and Settings\Khanh.KHANH-MPJXPNS0M\Local Settings\Application Data\33b7b426.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Reboot into SAFE MODE (tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam


Click Start-> Run-> Copy&Paste the bold text below into the Open Box and Click OK

sc delete "Aol Software"


From the WinPFind folder-> Double-click WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.


Post back with a fresh HijackThis log and the reports from WinPFind and Look2Me-Destroyer.txt
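The Killbox "Delete on Reboot" step above, and the PendingFileRenameOperations prompt it warns about, rest on one Windows mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends a (source, destination) pair to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and the Session Manager carries the list out at the next boot, before any user-mode process can hold the files open. An empty destination means delete. The Python below is an added example (mine, not Killbox's code and not part of the original thread) that builds that value for the three paths listed above and reads it back; the registry path, the \??\ NT path prefix and the pair layout are Windows facts, the function names are my own. It also shows the caveat a practitioner runs into: because empty strings are legal inside this value, a generic REG_MULTI_SZ reader that stops at the first double NUL sees only the first queued deletion.

```python
r"""Encode and decode a PendingFileRenameOperations value (added example).

Delete-on-reboot queues (source, destination) string pairs into the REG_MULTI_SZ
value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
Paths are stored in NT form (\??\C:\...) and an empty destination means delete.
Pure Python with no registry access, so it runs anywhere.
"""
from __future__ import annotations

NT_PREFIX = "\\??\\"

# The three files queued for deletion in the instructions above.
KILLBOX_PATHS = [
    r"C:\WINDOWS\smss.exe",
    r"C:\WINDOWS\System32\33b7b426.exe",
    r"C:\Documents and Settings\Khanh.KHANH-MPJXPNS0M\Local Settings\Application Data\33b7b426.exe",
]


def to_nt_path(win32_path: str) -> str:
    """C:\\WINDOWS\\smss.exe -> \\??\\C:\\WINDOWS\\smss.exe (already-NT paths pass through)."""
    return win32_path if win32_path.startswith(NT_PREFIX) else NT_PREFIX + win32_path


def encode_pfro(operations: list[tuple[str, str]]) -> bytes:
    """Serialise (source, destination) pairs the way the registry stores REG_MULTI_SZ:
    every string NUL-terminated, one extra NUL closing the list, all UTF-16LE."""
    text = "".join(
        to_nt_path(src) + "\0" + (to_nt_path(dst) if dst else "") + "\0"
        for src, dst in operations
    )
    return (text + "\0").encode("utf-16-le")


def decode_pfro(data: bytes) -> list[tuple[str, str]]:
    """Inverse of encode_pfro; raises ValueError on a malformed value."""
    text = data.decode("utf-16-le")
    if text == "\0":  # empty list: just the list terminator
        return []
    if not text.endswith("\0\0"):  # last string terminator plus list terminator
        raise ValueError("missing REG_MULTI_SZ terminator")
    items = text[:-1].split("\0")[:-1]  # drop the list terminator, then one item per string
    if len(items) % 2:
        raise ValueError("odd number of strings: not a list of (source, destination) pairs")
    return list(zip(items[0::2], items[1::2]))


def delete_on_reboot_value(paths: list[str]) -> bytes:
    """The value a delete-on-reboot of these files queues: each source paired with an empty destination."""
    return encode_pfro([(p, "") for p in paths])


def naive_multi_sz(data: bytes) -> list[str]:
    """How a generic REG_MULTI_SZ reader sees the same bytes: it stops at the first
    empty string, so only the first queued deletion is visible. Shown as the pitfall."""
    return data.decode("utf-16-le").split("\0\0", 1)[0].split("\0")


if __name__ == "__main__":
    value = delete_on_reboot_value(KILLBOX_PATHS)
    for src, dst in decode_pfro(value):
        print(src, "->", dst or "DELETE")
    print("naive reader sees:", naive_multi_sz(value))
```

The same layout explains the prompt Killbox mentions: if the value already holds entries from an earlier tool or installer, the new deletions are appended to it rather than replacing it, and whatever was queued before also runs at the next boot.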

#3 eternalduck (Topic Starter, New Member, 5 posts)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aanet.com.au/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{858ECA30-F71B-4EBC-AE17-F33EB33EFD16}: NameServer = 202.63.39.130 202.63.43.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{858ECA30-F71B-4EBC-AE17-F33EB33EFD16}: NameServer = 202.63.39.130 202.63.43.130
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: aol software (Aol Software) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2hhbmg\command.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Scanning for infected files.....
Scan started at 4/06/2006 11:04:35 PM

Infected! C:\WINDOWS\system32\f40o0ed3eh0.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP15\A0004257.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP15\A0004299.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP16\A0004393.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP16\A0004419.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004440.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004441.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004494.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004519.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004521.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004530.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004534.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004542.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004546.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004554.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004561.dll
Infected! C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004567.dll
Infected! C:\WINDOWS\system32\f40o0ed3eh0.dll
Infected! C:\WINDOWS\system32\ggmf32.dll
Infected! C:\WINDOWS\system32\hrpq0575e.dll
Infected! C:\WINDOWS\system32\mtw3prt.dll
Infected! C:\WINDOWS\system32\q0nula591d.dll
Infected! C:\WINDOWS\system32\swrobj.dll
Infected! C:\WINDOWS\system32\ujdmxfrm.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\f40o0ed3eh0.dll
C:\WINDOWS\system32\f40o0ed3eh0.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP15\A0004257.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP15\A0004257.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP15\A0004299.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP15\A0004299.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP16\A0004393.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP16\A0004393.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP16\A0004419.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP16\A0004419.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004440.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004440.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004441.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004441.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004494.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004494.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004519.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004519.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004521.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004521.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004530.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004530.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004534.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004534.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004542.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004542.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004546.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004546.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004554.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004554.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004561.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004561.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004567.dll
C:\System Volume Information\_restore{9EEC3BE8-6AA3-4536-9A67-C4EE4EA8C0D0}\RP17\A0004567.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\f40o0ed3eh0.dll
C:\WINDOWS\system32\f40o0ed3eh0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ggmf32.dll
C:\WINDOWS\system32\ggmf32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrpq0575e.dll
C:\WINDOWS\system32\hrpq0575e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mtw3prt.dll
C:\WINDOWS\system32\mtw3prt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\q0nula591d.dll
C:\WINDOWS\system32\q0nula591d.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\swrobj.dll
C:\WINDOWS\system32\swrobj.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ujdmxfrm.dll
C:\WINDOWS\system32\ujdmxfrm.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8A945C2E-8503-43F0-9E5D-3871AFFA6F77}"
HKCR\Clsid\{8A945C2E-8503-43F0-9E5D-3871AFFA6F77}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C023B9CF-B891-477E-8945-7AE218EA7FAC}"
HKCR\Clsid\{C023B9CF-B891-477E-8945-7AE218EA7FAC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{16520110-8B74-4B69-A55A-2F6DEA294CB6}"
HKCR\Clsid\{16520110-8B74-4B69-A55A-2F6DEA294CB6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{961ACFF6-0969-467C-B13E-081AF8BBE2F6}"
HKCR\Clsid\{961ACFF6-0969-467C-B13E-081AF8BBE2F6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{37BD33D4-D5E7-498D-ADB3-EC31F9E38521}"
HKCR\Clsid\{37BD33D4-D5E7-498D-ADB3-EC31F9E38521}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{23E8B9F9-19BB-4DB8-A3DE-0B620BD827C0}"
HKCR\Clsid\{23E8B9F9-19BB-4DB8-A3DE-0B620BD827C0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E9D46026-AB89-4E4A-BDA4-7E01F2EFA2F7}"
HKCR\Clsid\{E9D46026-AB89-4E4A-BDA4-7E01F2EFA2F7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{968D8994-A0C3-4858-AA13-4957B5B83045}"
HKCR\Clsid\{968D8994-A0C3-4858-AA13-4957B5B83045}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

#4 Wizard (Retired Staff, 5,661 posts)

That has to feel better already! :whistling:

Let's try deleting those services again.

Click Start-> Run-> Copy&Paste the bold text below into the Open Box and Click OK

sc delete "Aol Software"

and

sc delete cmdService


Locate and Delete this folder

C:\WINDOWS\S2hhbmg


Post the results from WinPFind as soon as it's completed.

#5 eternalduck (Topic Starter, New Member, 5 posts)

S2hhbmg doesn't exist; I can't find it. I searched My Computer and looked in Windows.

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 19/08/2001 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
WinShutDown 4/06/2006 11:02:42 PM R S 234572 C:\WINDOWS\SYSTEM32\micpx32r.dLL
Umonitor 29/08/2002 1:41:10 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 19/08/2001 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
5/06/2006 9:55:02 AM S 2048 C:\WINDOWS\bootstat.dat
1/06/2006 10:22:36 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
3/06/2006 6:50:40 PM HS 32 C:\WINDOWS\{D3A54A98-E0B2-47AF-90E2-0B6ECD69BD96}.dat
2/06/2006 10:33:16 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
2/06/2006 10:33:16 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
2/06/2006 10:33:16 PM RH 0 C:\WINDOWS\assembly\pubpol1.dat
3/06/2006 10:57:20 AM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index28.dat
2/06/2006 10:35:16 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index8.dat
1/06/2006 10:22:42 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
1/06/2006 10:23:20 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
2/06/2006 10:50:00 PM H 0 C:\WINDOWS\LastGood.Tmp\INF\oem11.inf
2/06/2006 10:50:00 PM H 0 C:\WINDOWS\LastGood.Tmp\INF\oem11.PNF
1/06/2006 10:22:42 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
1/06/2006 10:23:00 PM RHS 727 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_1.cab
1/06/2006 10:23:00 PM RHS 19854 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_2.cab
1/06/2006 10:23:00 PM RHS 243124 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_3.cab
1/06/2006 10:23:54 PM H 229376 C:\WINDOWS\repair\ntuser.dat
1/06/2006 10:22:36 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
1/06/2006 10:22:42 PM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
4/06/2006 11:02:42 PM R S 234572 C:\WINDOWS\system32\micpx32r.dLL
1/06/2006 10:22:36 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
1/06/2006 10:22:36 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
1/06/2006 10:22:36 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
5/06/2006 9:55:16 AM H 35986 C:\WINDOWS\system32\vsconfig.xml
1/06/2006 10:22:42 PM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
1/06/2006 10:22:36 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
3/06/2006 8:54:44 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
3/06/2006 6:50:40 PM HS 32 C:\WINDOWS\system32\{54450ED9-F96C-4E35-89AC-3604996FD745}.dat
17/05/2006 2:50:50 PM S 95392 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem11.CAT
5/06/2006 10:01:48 AM H 1024 C:\WINDOWS\system32\config\default.LOG
5/06/2006 9:55:02 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
5/06/2006 9:56:28 AM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
5/06/2006 10:00:30 AM H 1024 C:\WINDOWS\system32\config\software.LOG
5/06/2006 9:57:22 AM H 1024 C:\WINDOWS\system32\config\system.LOG
2/06/2006 8:12:34 AM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
2/06/2006 8:12:36 AM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
3/06/2006 7:42:32 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NtUser.dat.LOG
2/06/2006 8:14:20 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
2/06/2006 8:14:20 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
1/06/2006 10:23:02 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
1/06/2006 10:23:02 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
1/06/2006 10:23:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
1/06/2006 10:23:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
1/06/2006 10:23:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\56XABU5J\desktop.ini
1/06/2006 10:23:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\J65BRNYU\desktop.ini
1/06/2006 10:23:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SK1L6Z5A\desktop.ini
1/06/2006 10:23:02 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YNDWW7VN\desktop.ini
1/06/2006 10:22:44 PM HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
2/06/2006 8:14:20 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
1/06/2006 10:23:52 PM HS 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
1/06/2006 10:23:52 PM HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
1/06/2006 10:23:52 PM HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
1/06/2006 10:23:52 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
1/06/2006 10:23:52 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
1/06/2006 10:45:30 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\7c6f210f-7205-4d70-9bac-84b84a4efa0a
1/06/2006 10:45:30 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
5/06/2006 9:55:04 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 19/08/2001 5:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 3/05/2006 2:56:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 20/02/2003 5:39:50 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Silicon Image 26/11/2003 5:59:36 PM R 69120 C:\WINDOWS\SYSTEM32\SilSupp.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 20/02/2003 5:39:50 PM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 19/08/2001 5:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2/06/2006 12:07:46 AM 1757 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
1/06/2006 10:23:52 PM HS 84 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini
2/06/2006 9:40:04 PM 779 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\hp psc 1000 series.lnk
2/06/2006 9:35:42 PM 779 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\hpoddt01.exe.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2/06/2006 8:14:20 AM HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini
2/06/2006 9:37:52 PM 188 C:\Documents and Settings\All Users.WINDOWS\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
1/06/2006 10:23:52 PM HS 84 C:\Documents and Settings\Khanh.KHANH-MPJXPNS0M\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
2/06/2006 8:14:20 AM HS 62 C:\Documents and Settings\Khanh.KHANH-MPJXPNS0M\Application Data\desktop.ini
3/06/2006 7:46:20 PM 530840 C:\Documents and Settings\Khanh.KHANH-MPJXPNS0M\Application Data\Sskknwrd.dll
3/06/2006 7:57:46 PM 73 C:\Documents and Settings\Khanh.KHANH-MPJXPNS0M\Application Data\Sskuknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TheCleaner
{2DE506B9-4320-11d3-8E42-002035221EDA} = C:\Program Files\The Cleaner\tcshellex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TheCleaner
{2DE506B9-4320-11D3-8E42-002035221EDA} = C:\Program Files\The Cleaner\tcshellex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TheCleaner
{2DE506B9-4320-11D3-8E42-002035221EDA} = C:\Program Files\The Cleaner\tcshellex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
ButtonText = Spyware Doctor :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
tcactive C:\Program Files\The Cleaner\tca.exe
tcmonitor C:\Program Files\The Cleaner\tcm.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
Steam
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 5/06/2006 10:02:09 AM
  • 0

#6 Wizard (Retired Staff, 5,661 posts)
See if you can get this file--> C:\WINDOWS\system32\micpx32r.dLL scanned at the site below.
http://www.virustota.../en/indexf.html

If there are any detections, try to copy the results to Notepad and post them back here.
  • 0

#7 eternalduck (Topic Starter, New Member, 5 posts)
AntiVir 6.34.1.37 06.04.2006 ADSPY/Look2Me.ab
Authentium 4.93.8 06.02.2006 no virus found
Avast 4.7.844.0 06.02.2006 no virus found
AVG 386 06.02.2006 Look2me
BitDefender 7.2 06.04.2006 Adware.Dinky.A.Trojan
CAT-QuickHeal 8.00 06.03.2006 Adware.Look2Me
ClamAV devel-20060426 06.04.2006 no virus found
DrWeb 4.33 06.04.2006 Adware.Look2me
eTrust-InoculateIT 23.72.28 06.04.2006 Win32/Candebe!Trojan
eTrust-Vet 12.6.2240 06.02.2006 Win32/Canbede
Ewido 3.5 06.04.2006 Adware.Look2Me
Fortinet 2.77.0.0 06.05.2006 suspicious
F-Prot 3.16f 06.02.2006 no virus found
Ikarus 0.2.65.0 06.02.2006 AdWare.Look2Me.AB
Kaspersky 4.0.2.24 06.05.2006 not-a-virus:AdWare.Win32.Look2Me.ab
McAfee 4776 06.02.2006 potentially unwanted program Adware-Look2Me
Microsoft 1.1441 06.05.2006 no virus found
NOD32v2 1.1578 06.04.2006 Win32/Adware.Look2Me
Norman 5.90.17 06.02.2006 W32/Look2Me.DJ
Panda 9.0.0.4 06.04.2006 Adware/Look2Me
Sophos 4.05.0 06.04.2006 no virus found
Symantec 8.0 06.05.2006 no virus found
TheHacker 5.9.8.154 06.01.2006 no virus found
UNA 1.83 06.02.2006 no virus found
VBA32 3.11.0 06.05.2006 no virus found

Edited by eternalduck, 04 June 2006 - 06:54 PM.

  • 0

#8 Wizard (Retired Staff, 5,661 posts)
Use Killbox just as you did before and delete the file on reboot.

C:\WINDOWS\system32\micpx32r.dLL


Restart in Safe Mode and Scan with WinPfind again.


Restart the Machine and Please run the F-Secure Online Scanner
  • Follow the directions in the F-Secure page for proper Installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Custom Scan and be sure the following are checked.
    • Scan whole System
    • Scan programs and documents
    • Scan all files
    • Scan whole system for rootkits
    • Scan whole system for spyware
    • Scan inside archives
    • Use advanced heuristics
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the I want to decide item by item button.
  • For each item found, select Disinfect and click Next.
  • Click the Show Report button and copy and paste the entire report in your next reply along with the WinPfind log.

  • 0

#9 eternalduck (Topic Starter, New Member, 5 posts)
This is getting annoying. F-Secure keeps crashing on the disinfect procedure.
  • 0

#10 Wizard (Retired Staff, 5,661 posts)
Hmmm, OK, try this scanner:
http://www.bitdefend...can/licence.php
  • 0





