69.20.16.183 Removal Help



#1
ohnonotbunny
    New Member
  • Member
  • 6 posts
On the 16th, I noticed that I was getting pop-ups left and right. My pop-up blocker was not working; it was like it wasn't there whatsoever.

I have run a full scan numerous times since then using AdAware Professional; I have also used XoftSpy. They both show the files, and they are still not removing the problem.

I am not one to download a million programs to help remove it, as a lot out there I have found bring their own with them when they eliminate another one.

I noticed in this forum post: http://www.geekstogo...val-t10579.html that you referred him to download L2mfix.

I did that and followed the steps you had listed. Here is my 'report.txt'; can you please advise me as to what to do next?

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s0880aluedq80.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C3A73FEB-D1AF-BC42-BB2C-49D3ABCE33E9}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{EEB5B6C2-E405-11d0-9318-0004AC946C18}"="AS/400 Shell Extensions - AS/400 IPL"
"{38482e00-0ad5-11cf-bc9d-0004ac325a18}"="AS/400 Network"
"{DCA251A0-38AC-11d0-82BD-08005AA74F5C}"="AS/400 Shell Extensions - AS/400 Network"
"{8CA2EBC1-40C7-4451-AD01-7DEEB4690358}"="AS/400 Related Tasks"
"{5E44E520-2F69-11d1-9318-0004AC946C18}"="AS/400 Shell Extensions - Auto Refresh"
"{C94AFD20-98C1-11d1-9E01-0004AC760C57}"="AS/400 Shell Extensions - Drag Drop Handler"
"{870C83E1-FF73-11cf-B7F1-0004AC7609F6}"="AS/400 Shell Extensions - File Systems Properties"
"{1827A857-9C20-11d1-96C3-00062912C9B2}"="AS/400 Shell Extensions - Java Components"
"{DCAF7D81-60C4-11d1-9E01-0004AC760C57}"="AS/400 Shell Extensions - Send Message"
"{C60EF841-2F98-11d1-A19A-08005A4F659F}"="AS/400 Shell Extensions - NFS Server"
"{8D742A40-77FF-11CF-8877-444553540000}"="AS/400 Shell Extensions - Security"
"{040606B2-1C19-11d2-AA12-08005AD17735}"="AS/400 Shell Extensions - Visual Basic Components"
"{D63E20C4-3F6D-11d3-BCE6-002035C0A6DA}"="AS/400 Shell Extensions - Journaling"
"{01FE9570-15A3-11d2-8309-000629AA1859}"="AS/400 Shell Extensions - Management Central"
"{7D7E1B60-0EF8-11d2-8307-000629AA1859}"="AS/400 Shell Extensions - Management Central Task Activity/Scheduled Tasks"
"{3B453C20-21CD-11d2-8318-000629AA1859}"="AS/400 Shell Extensions - Management Central SW Inventory"
"{4CE18940-3E8B-11d2-834B-000629AA1859}"="AS/400 Shell Extensions - Management Central HW Inventory"
"{B08B7EAD-2FD4-11d3-917F-00203531488C}"="AS/400 Shell Extensions - Management Central Inventory Tasks"
"{90BE6B50-1041-11d2-8307-000629AA1859}"="AS/400 Shell Extensions - Management Central Endpoint Systems"
"{E4C59510-1050-11d2-8307-000629AA1859}"="AS/400 Shell Extensions - Management Central System Groups"
"{C2661801-FFE8-11cf-B14B-08005AA7218E}"="AS/400 Shell Extensions - Messages"
"{22982561-EEC8-11cf-B14B-08005AA7218E}"="AS/400 Shell Extensions - Spool Files"
"{8514E881-FF45-11cf-B14B-08005AA7218E}"="AS/400 Shell Extensions - Printers"
"{FF142762-FAB1-11cf-B14B-08005AA7218E}"="AS/400 Shell Extensions - Jobs"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{E8715F96-3FA9-4273-BC4B-54E9633BD04E}"=""
"{2B570D37-3EBD-48CB-B769-D485E50BE6CD}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E8715F96-3FA9-4273-BC4B-54E9633BD04E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E8715F96-3FA9-4273-BC4B-54E9633BD04E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E8715F96-3FA9-4273-BC4B-54E9633BD04E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E8715F96-3FA9-4273-BC4B-54E9633BD04E}\InprocServer32]
@="C:\\WINDOWS\\system32\\mtacm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2B570D37-3EBD-48CB-B769-D485E50BE6CD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2B570D37-3EBD-48CB-B769-D485E50BE6CD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2B570D37-3EBD-48CB-B769-D485E50BE6CD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2B570D37-3EBD-48CB-B769-D485E50BE6CD}\InprocServer32]
@="C:\\WINDOWS\\system32\\egcdec.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aklsp.dll Wed Mar 16 2005 1:16:04p A.... 196,608 192.00 K
dnlo01~1.dll Thu Mar 17 2005 5:08:44p ..S.R 234,959 229.45 K
dolsp.dll Thu Mar 17 2005 11:05:12a A.... 139,264 136.00 K
e6202g~1.dll Wed Mar 16 2005 2:17:44p ..S.R 233,248 227.78 K
egcdec.dll Fri Mar 18 2005 8:19:42a ..S.R 234,959 229.45 K
itss.dll Fri Mar 4 2005 1:43:58p A.... 123,392 120.50 K
mshtml.dll Thu Jan 27 2005 3:35:12p A.... 2,806,272 2.68 M
mstask.dll Fri Mar 4 2005 1:38:52p A.... 260,096 254.00 K
mtacm.dll Wed Mar 16 2005 2:40:02p ..S.R 233,248 227.78 K
netapi32.dll Fri Mar 4 2005 1:38:52p A.... 306,688 299.50 K
ole32.dll Fri Jan 14 2005 12:33:52a A.... 1,258,496 1.20 M
olecli32.dll Fri Jan 14 2005 12:33:52a A.... 68,608 67.00 K
olecnv32.dll Fri Jan 14 2005 12:33:52a A.... 35,328 34.50 K
rpcss.dll Fri Jan 14 2005 12:33:52a A.... 284,672 278.00 K
s0880a~1.dll Thu Mar 17 2005 11:04:48a ..S.R 234,959 229.45 K
s32evnt1.dll Thu Mar 3 2005 4:29:54p A.... 83,208 81.26 K
schedsvc.dll Fri Mar 4 2005 1:38:52p A.... 172,544 168.50 K
shell32.dll Tue Dec 21 2004 3:55:12p A.... 8,443,904 8.05 M
sporder.dll Wed Mar 16 2005 1:16:04p A.... 8,464 8.27 K
user32.dll Tue Dec 28 2004 8:31:44p A.... 574,464 561.00 K

20 items found: 20 files (5 H/S), 0 directories.
Total of file sizes: 15,933,381 bytes 15.19 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 3C9C-44E7

Directory of C:\WINDOWS\System32

03/18/2005 08:19 AM 234,959 egcdec.dll
03/17/2005 05:08 PM 234,959 dnlo0133e.dll
03/17/2005 11:04 AM 234,959 s0880aluedq80.dll
03/16/2005 02:40 PM 233,248 mtacm.dll
03/16/2005 02:17 PM 233,248 e6202gfmg62a2.dll
03/08/2005 10:23 AM <DIR> dllcache
03/04/2005 10:27 AM <DIR> Microsoft
5 File(s) 1,171,373 bytes
2 Dir(s) 29,720,690,688 bytes free
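
Added example, not part of the thread or of the L2MFix tool: a Python script that reads a find log in the layout above and reports the pattern a helper looks for in it, namely DLLs registered under a Winlogon\Notify subkey or as a CLSID InprocServer32 that the file listing shows with System/Read-only attributes and that share a byte-identical size with other randomly named DLLs. The embedded sample log is constructed from the entries above (abridged), and the function names are my own.

```python
import re

# Constructed, abridged sample in the L2MFix find-log layout (names and sizes
# taken from the log above; this is not the tool's real output).
SAMPLE_LOG = r'''
Winlogon/notify:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex]
"DllName"="C:\\WINDOWS\\system32\\s0880aluedq80.dll"

HKEY ROOT CLASSIDS:
[HKEY_CLASSES_ROOT\CLSID\{E8715F96-3FA9-4273-BC4B-54E9633BD04E}\InprocServer32]
@="C:\\WINDOWS\\system32\\mtacm.dll"

[HKEY_CLASSES_ROOT\CLSID\{2B570D37-3EBD-48CB-B769-D485E50BE6CD}\InprocServer32]
@="C:\\WINDOWS\\system32\\egcdec.dll"

Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
dnlo01~1.dll Thu Mar 17 2005 5:08:44p ..S.R 234,959 229.45 K
e6202g~1.dll Wed Mar 16 2005 2:17:44p ..S.R 233,248 227.78 K
egcdec.dll Fri Mar 18 2005 8:19:42a ..S.R 234,959 229.45 K
mtacm.dll Wed Mar 16 2005 2:40:02p ..S.R 233,248 227.78 K
netapi32.dll Fri Mar 4 2005 1:38:52p A.... 306,688 299.50 K
s0880a~1.dll Thu Mar 17 2005 11:04:48a ..S.R 234,959 229.45 K

Directory Listing of system files:
03/18/2005 08:19 AM 234,959 egcdec.dll
03/17/2005 05:08 PM 234,959 dnlo0133e.dll
03/17/2005 11:04 AM 234,959 s0880aluedq80.dll
03/16/2005 02:40 PM 233,248 mtacm.dll
03/16/2005 02:17 PM 233,248 e6202gfmg62a2.dll
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
DLL_REF_RE = re.compile(r'^(?:"DllName"|@)="(.+\.dll)"$', re.IGNORECASE)
FOUND_RE = re.compile(r'^(\S+\.dll)\s+\w{3}\s+\w{3}\s+\d{1,2}\s+\d{4}\s+[\d:]+[ap]\s+'
                      r'([A-Z.]{5})\s+([\d,]+)\s', re.IGNORECASE)
DIR_RE = re.compile(r'^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S+\.dll)$',
                    re.IGNORECASE)


def short_name_matches(short, full):
    """The 'Files Found' list uses 8.3 names (s0880a~1.dll) while the directory
    listing uses full names (s0880aluedq80.dll); match on the prefix before '~'."""
    short, full = short.lower(), full.lower()
    if short == full:
        return True
    stem, _, ext = short.rpartition('.')
    if '~' not in stem:
        return False
    return full.startswith(stem.split('~')[0]) and full.endswith('.' + ext)


def parse_find_log(text):
    """Pull out the three things the log lets us correlate: DLLs loaded via a
    Winlogon\\Notify subkey or a CLSID InprocServer32, the attribute/size
    listing, and the full-name directory listing."""
    refs, found, listing, key = [], {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := DLL_REF_RE.match(line)) and key and (
                key.lower().endswith('inprocserver32')
                or '\\winlogon\\notify\\' in key.lower()):
            # .reg exports double the backslashes; undo that for the path
            refs.append((key, m.group(1).replace('\\\\', '\\')))
        elif m := FOUND_RE.match(line):
            found[m.group(1).lower()] = (m.group(2), int(m.group(3).replace(',', '')))
        elif m := DIR_RE.match(line):
            listing[m.group(2).lower()] = int(m.group(1).replace(',', ''))
    return refs, found, listing


def triage(text):
    """One finding per registry-referenced DLL: its attributes, size, and the
    other listed files of exactly the same size (the Look2Me/VX2 'twins')."""
    refs, found, listing = parse_find_log(text)
    findings = []
    for key, path in refs:
        name = path.rsplit('\\', 1)[-1].lower()
        attrs, size = None, listing.get(name)
        for short, (a, s) in found.items():
            if short_name_matches(short, name):
                attrs, size = a, s
                break
        twins = sorted(f for f, s in listing.items() if s == size and f != name)
        findings.append({
            'dll': name, 'key': key, 'attrs': attrs, 'size': size,
            # The dropped DLLs carry the System (+Read-only) attributes, which is
            # why a default Explorer view and some scanners do not show them.
            'system_or_hidden': bool(attrs) and ('S' in attrs or 'H' in attrs),
            'same_size_files': twins,
        })
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        flag = 'SUSPECT' if f['system_or_hidden'] and f['same_size_files'] else 'review'
        print(f"{flag}: {f['dll']} ({f['attrs']}, {f['size']} bytes) via {f['key']}")
        if f['same_size_files']:
            print('    same size as:', ', '.join(f['same_size_files']))
```

Run against the real report.txt the same way (read the file instead of SAMPLE_LOG); every registry-referenced DLL here is flagged, matching what the helper later diagnoses as VX2.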


#2
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Download Hijack This. Follow the instructions in step five of this guide, and post your log here.

Most of what Hijack This lists will be harmless AND essential; DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

Michelle :tazz:

#3
ohnonotbunny
    New Member
  • Topic Starter
  • Member
  • 6 posts
Per your request:

Logfile of HijackThis v1.99.1
Scan saved at 9:10:40 AM, on 3/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
C:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Ocy\Desktop\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [PopUpInspector.exe] "C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O9 - Extra 'Tools' menuitem: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.c...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109886797998
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vigo-alessi.com
O17 - HKLM\Software\..\Telephony: DomainName = vigo-alessi.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vigo-alessi.com
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\q8psli7718.dll (file missing)
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\f82m0if1e82.dll
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe


Please let me know what I am to do now; I am getting sick of this and all the pop-ups. At least I have PopUp Inspector and that is stopping a lot of them, but I still get a lot that get through it.

Thanks... :tazz:

#4
ohnonotbunny
    New Member
  • Topic Starter
  • Member
  • 6 posts
WHOO HOO - It looks like the CWS Shredder got it - THANK GOD!!!!

Thanks for your help anyhow. :tazz: ;)

#5
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Ok, if you have any more problems you know where to find us! :tazz:

Michelle

#6
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
This topic has been resolved and is now closed. If the original poster has any other problems and needs it reopened, please contact a staff member.

#7
Guest_thatman_*
  • Guest
Hi ohnonotbunny

I have reopened this topic; your system is infected with the new VX2.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Thank you

Kc

#8
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Oh my gosh, I totally wasn't paying attention when I closed this thread... ;)

Thank you for opening it back up, Kc!

Michelle :tazz:

#9
ohnonotbunny
    New Member
  • Topic Starter
  • Member
  • 6 posts
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C3A73FEB-D1AF-BC42-BB2C-49D3ABCE33E9}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{EEB5B6C2-E405-11d0-9318-0004AC946C18}"="AS/400 Shell Extensions - AS/400 IPL"
"{38482e00-0ad5-11cf-bc9d-0004ac325a18}"="AS/400 Network"
"{DCA251A0-38AC-11d0-82BD-08005AA74F5C}"="AS/400 Shell Extensions - AS/400 Network"
"{8CA2EBC1-40C7-4451-AD01-7DEEB4690358}"="AS/400 Related Tasks"
"{5E44E520-2F69-11d1-9318-0004AC946C18}"="AS/400 Shell Extensions - Auto Refresh"
"{C94AFD20-98C1-11d1-9E01-0004AC760C57}"="AS/400 Shell Extensions - Drag Drop Handler"
"{870C83E1-FF73-11cf-B7F1-0004AC7609F6}"="AS/400 Shell Extensions - File Systems Properties"
"{1827A857-9C20-11d1-96C3-00062912C9B2}"="AS/400 Shell Extensions - Java Components"
"{DCAF7D81-60C4-11d1-9E01-0004AC760C57}"="AS/400 Shell Extensions - Send Message"
"{C60EF841-2F98-11d1-A19A-08005A4F659F}"="AS/400 Shell Extensions - NFS Server"
"{8D742A40-77FF-11CF-8877-444553540000}"="AS/400 Shell Extensions - Security"
"{040606B2-1C19-11d2-AA12-08005AD17735}"="AS/400 Shell Extensions - Visual Basic Components"
"{D63E20C4-3F6D-11d3-BCE6-002035C0A6DA}"="AS/400 Shell Extensions - Journaling"
"{01FE9570-15A3-11d2-8309-000629AA1859}"="AS/400 Shell Extensions - Management Central"
"{7D7E1B60-0EF8-11d2-8307-000629AA1859}"="AS/400 Shell Extensions - Management Central Task Activity/Scheduled Tasks"
"{3B453C20-21CD-11d2-8318-000629AA1859}"="AS/400 Shell Extensions - Management Central SW Inventory"
"{4CE18940-3E8B-11d2-834B-000629AA1859}"="AS/400 Shell Extensions - Management Central HW Inventory"
"{B08B7EAD-2FD4-11d3-917F-00203531488C}"="AS/400 Shell Extensions - Management Central Inventory Tasks"
"{90BE6B50-1041-11d2-8307-000629AA1859}"="AS/400 Shell Extensions - Management Central Endpoint Systems"
"{E4C59510-1050-11d2-8307-000629AA1859}"="AS/400 Shell Extensions - Management Central System Groups"
"{C2661801-FFE8-11cf-B14B-08005AA7218E}"="AS/400 Shell Extensions - Messages"
"{22982561-EEC8-11cf-B14B-08005AA7218E}"="AS/400 Shell Extensions - Spool Files"
"{8514E881-FF45-11cf-B14B-08005AA7218E}"="AS/400 Shell Extensions - Printers"
"{FF142762-FAB1-11cf-B14B-08005AA7218E}"="AS/400 Shell Extensions - Jobs"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{E8715F96-3FA9-4273-BC4B-54E9633BD04E}"=""
"{2B570D37-3EBD-48CB-B769-D485E50BE6CD}"=""
"{B92E6947-E077-434A-A850-6D95C84152FE}"=""
"{4377B037-7511-48F4-8131-204A4B59895D}"=""
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E8715F96-3FA9-4273-BC4B-54E9633BD04E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E8715F96-3FA9-4273-BC4B-54E9633BD04E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E8715F96-3FA9-4273-BC4B-54E9633BD04E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2B570D37-3EBD-48CB-B769-D485E50BE6CD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2B570D37-3EBD-48CB-B769-D485E50BE6CD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2B570D37-3EBD-48CB-B769-D485E50BE6CD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B92E6947-E077-434A-A850-6D95C84152FE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B92E6947-E077-434A-A850-6D95C84152FE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B92E6947-E077-434A-A850-6D95C84152FE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4377B037-7511-48F4-8131-204A4B59895D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4377B037-7511-48F4-8131-204A4B59895D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4377B037-7511-48F4-8131-204A4B59895D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aklsp.dll Wed Mar 16 2005 1:16:04p A.... 196,608 192.00 K
d8j00i~1.dll Wed Mar 23 2005 5:33:56p ..S.R 233,059 227.59 K
dkdim.dll Tue Mar 22 2005 11:28:46a ..S.R 234,239 228.75 K
dolsp.dll Thu Mar 17 2005 11:05:12a A.... 139,264 136.00 K
e6202g~1.dll Wed Mar 16 2005 2:17:44p ..S.R 233,248 227.78 K
egcdec.dll Fri Mar 18 2005 8:19:42a ..S.R 234,959 229.45 K
en2ul1~1.dll Tue Mar 22 2005 1:29:18p ..S.R 233,184 227.72 K
ennql1~1.dll Fri Mar 18 2005 10:58:58a ..S.R 234,959 229.45 K
fuultrep.dll Fri Mar 18 2005 11:00:32a ..S.R 234,959 229.45 K
gktuname.dll Fri Mar 18 2005 1:02:44p ..S.R 233,014 227.55 K
itss.dll Fri Mar 4 2005 1:43:58p A.... 123,392 120.50 K
kedpl.dll Wed Mar 23 2005 1:08:36p ..S.R 233,059 227.59 K
mshtml.dll Thu Jan 27 2005 3:35:12p A.... 2,806,272 2.68 M
mstask.dll Fri Mar 4 2005 1:38:52p A.... 260,096 254.00 K
netapi32.dll Fri Mar 4 2005 1:38:52p A.... 306,688 299.50 K
njapi32.dll Tue Mar 22 2005 1:16:04p ..S.R 235,780 230.25 K
nvmssvc.dll Tue Mar 22 2005 1:29:18p ..S.R 235,780 230.25 K
nydenb32.dll Mon Mar 21 2005 1:20:14p ..S.R 233,014 227.55 K
o2lulc~1.dll Tue Mar 22 2005 12:00:54p ..S.R 234,239 228.75 K
ole32.dll Fri Jan 14 2005 12:33:52a A.... 1,258,496 1.20 M
olecli32.dll Fri Jan 14 2005 12:33:52a A.... 68,608 67.00 K
olecnv32.dll Fri Jan 14 2005 12:33:52a A.... 35,328 34.50 K
rpcss.dll Fri Jan 14 2005 12:33:52a A.... 284,672 278.00 K
s0rs0a~1.dll Thu Mar 24 2005 8:20:32a ..S.R 235,137 229.63 K
s32evnt1.dll Thu Mar 3 2005 4:29:54p A.... 83,208 81.26 K
schedsvc.dll Fri Mar 4 2005 1:38:52p A.... 172,544 168.50 K
sporder.dll Wed Mar 16 2005 1:16:04p A.... 8,464 8.27 K
thbyuv.dll Tue Mar 22 2005 2:14:16p ..S.R 234,347 228.85 K
user32.dll Tue Dec 28 2004 8:31:44p A.... 574,464 561.00 K
uyrdpa.dll Mon Mar 21 2005 8:32:48a ..S.R 234,959 229.45 K
wevdmoe2.dll Tue Mar 22 2005 1:35:44p ..S.R 235,780 230.25 K

31 items found: 31 files (17 H/S), 0 directories.
Total of file sizes: 10,301,820 bytes 9.82 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Thu Mar 24 2005 9:23:58a ..S.R 234,347 228.85 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 234,347 bytes 228.85 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 3C9C-44E7

Directory of C:\WINDOWS\System32

03/24/2005 10:01 AM <DIR> dllcache
03/24/2005 09:23 AM 234,347 guard.tmp
03/24/2005 08:20 AM 235,137 s0rs0a97ed.dll
03/23/2005 05:33 PM 233,059 d8j00i1me8.dll
03/23/2005 01:08 PM 233,059 kedpl.dll
03/22/2005 02:14 PM 234,347 thbyuv.dll
03/22/2005 01:35 PM 235,780 wevdmoe2.dll
03/22/2005 01:29 PM 235,780 nvmssvc.dll
03/22/2005 01:29 PM 233,184 en2ul1f91.dll
03/22/2005 01:16 PM 235,780 njapi32.dll
03/22/2005 12:00 PM 234,239 o2lulc391f.dll
03/22/2005 11:28 AM 234,239 dKdim.dll
03/21/2005 01:20 PM 233,014 nydenb32.dll
03/21/2005 08:32 AM 234,959 uyrdpa.dll
03/18/2005 01:02 PM 233,014 gktuname.dll
03/18/2005 11:00 AM 234,959 fUultrep.dll
03/18/2005 10:58 AM 234,959 ennql1551.dll
03/18/2005 08:19 AM 234,959 egcdec.dll
03/16/2005 02:17 PM 233,248 e6202gfmg62a2.dll
03/04/2005 10:27 AM <DIR> Microsoft
18 File(s) 4,218,063 bytes
2 Dir(s) 33,243,140,096 bytes free
#10
Guest_thatman_*
  • Guest
Hi ohnonotbunny

I am happy you called back; now we start to clean out the Malware. ;)

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Credit: Shadowwar, OSC

Kc :tazz:
#11
ohnonotbunny

    New Member

  • Topic Starter
  • Member
  • 6 posts
This is the first log:

L2Mfix 1.03

Running From:
C:\Documents and Settings\Ocy\Desktop\l2mfix\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Ocy\Desktop\l2mfix\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Ocy\Desktop\l2mfix\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 980 'explorer.exe'
Killing PID 980 'explorer.exe'
Killing PID 980 'explorer.exe'
Killing PID 980 'explorer.exe'
Killing PID 980 'explorer.exe'
Killing PID 980 'explorer.exe'
Killing PID 980 'explorer.exe'
Killing PID 980 'explorer.exe'
Killing PID 980 'explorer.exe'
Killing PID 980 'explorer.exe'
Killing PID 980 'explorer.exe'
Killing PID 980 'explorer.exe'
Killing PID 980 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 568 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\d8j00i1me8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dKdim.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\e6202gfmg62a2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\egcdec.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en2ul1f91.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ennql1551.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fUultrep.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gktuname.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kedpl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\njapi32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nvmssvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nydenb32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o2lulc391f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\s0rs0a97ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\thbyuv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uyrdpa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wevdmoe2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\d8j00i1me8.dll
Successfully Deleted: C:\WINDOWS\system32\d8j00i1me8.dll
deleting: C:\WINDOWS\system32\dKdim.dll
Successfully Deleted: C:\WINDOWS\system32\dKdim.dll
deleting: C:\WINDOWS\system32\e6202gfmg62a2.dll
Successfully Deleted: C:\WINDOWS\system32\e6202gfmg62a2.dll
deleting: C:\WINDOWS\system32\egcdec.dll
Successfully Deleted: C:\WINDOWS\system32\egcdec.dll
deleting: C:\WINDOWS\system32\en2ul1f91.dll
Successfully Deleted: C:\WINDOWS\system32\en2ul1f91.dll
deleting: C:\WINDOWS\system32\ennql1551.dll
Successfully Deleted: C:\WINDOWS\system32\ennql1551.dll
deleting: C:\WINDOWS\system32\fUultrep.dll
Successfully Deleted: C:\WINDOWS\system32\fUultrep.dll
deleting: C:\WINDOWS\system32\gktuname.dll
Successfully Deleted: C:\WINDOWS\system32\gktuname.dll
deleting: C:\WINDOWS\system32\kedpl.dll
Successfully Deleted: C:\WINDOWS\system32\kedpl.dll
deleting: C:\WINDOWS\system32\njapi32.dll
Successfully Deleted: C:\WINDOWS\system32\njapi32.dll
deleting: C:\WINDOWS\system32\nvmssvc.dll
Successfully Deleted: C:\WINDOWS\system32\nvmssvc.dll
deleting: C:\WINDOWS\system32\nydenb32.dll
Successfully Deleted: C:\WINDOWS\system32\nydenb32.dll
deleting: C:\WINDOWS\system32\o2lulc391f.dll
Successfully Deleted: C:\WINDOWS\system32\o2lulc391f.dll
deleting: C:\WINDOWS\system32\s0rs0a97ed.dll
Successfully Deleted: C:\WINDOWS\system32\s0rs0a97ed.dll
deleting: C:\WINDOWS\system32\thbyuv.dll
Successfully Deleted: C:\WINDOWS\system32\thbyuv.dll
deleting: C:\WINDOWS\system32\uyrdpa.dll
Successfully Deleted: C:\WINDOWS\system32\uyrdpa.dll
deleting: C:\WINDOWS\system32\wevdmoe2.dll
Successfully Deleted: C:\WINDOWS\system32\wevdmoe2.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: d8j00i1me8.dll (164 bytes security) (deflated 4%)
adding: dKdim.dll (164 bytes security) (deflated 5%)
adding: e6202gfmg62a2.dll (164 bytes security) (deflated 4%)
adding: egcdec.dll (164 bytes security) (deflated 5%)
adding: en2ul1f91.dll (164 bytes security) (deflated 4%)
adding: ennql1551.dll (164 bytes security) (deflated 5%)
adding: fUultrep.dll (164 bytes security) (deflated 5%)
adding: gktuname.dll (164 bytes security) (deflated 4%)
adding: kedpl.dll (164 bytes security) (deflated 4%)
adding: njapi32.dll (164 bytes security) (deflated 5%)
adding: nvmssvc.dll (164 bytes security) (deflated 5%)
adding: nydenb32.dll (164 bytes security) (deflated 4%)
adding: o2lulc391f.dll (164 bytes security) (deflated 5%)
adding: s0rs0a97ed.dll (164 bytes security) (deflated 5%)
adding: thbyuv.dll (164 bytes security) (deflated 5%)
adding: uyrdpa.dll (164 bytes security) (deflated 5%)
adding: wevdmoe2.dll (164 bytes security) (deflated 5%)
adding: guard.tmp (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 51%)
adding: echo.reg (164 bytes security) (deflated 11%)
adding: direct.txt (164 bytes security) (deflated 8%)
adding: lo2.txt (164 bytes security) (deflated 83%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 64%)
adding: test.txt (164 bytes security) (deflated 77%)
adding: test2.txt (164 bytes security) (deflated 34%)
adding: test3.txt (164 bytes security) (deflated 34%)
adding: test5.txt (164 bytes security) (deflated 34%)
adding: xfind.txt (164 bytes security) (deflated 71%)
adding: backregs/2B570D37-3EBD-48CB-B769-D485E50BE6CD.reg (164 bytes security) (deflated 69%)
adding: backregs/4377B037-7511-48F4-8131-204A4B59895D.reg (164 bytes security) (deflated 69%)
adding: backregs/B92E6947-E077-434A-A850-6D95C84152FE.reg (164 bytes security) (deflated 69%)
adding: backregs/E8715F96-3FA9-4273-BC4B-54E9633BD04E.reg (164 bytes security) (deflated 69%)
adding: backregs/shell.reg (164 bytes security) (deflated 75%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: d8j00i1me8.dll
deleting local copy: dKdim.dll
deleting local copy: e6202gfmg62a2.dll
deleting local copy: egcdec.dll
deleting local copy: en2ul1f91.dll
deleting local copy: ennql1551.dll
deleting local copy: fUultrep.dll
deleting local copy: gktuname.dll
deleting local copy: kedpl.dll
deleting local copy: njapi32.dll
deleting local copy: nvmssvc.dll
deleting local copy: nydenb32.dll
deleting local copy: o2lulc391f.dll
deleting local copy: s0rs0a97ed.dll
deleting local copy: thbyuv.dll
deleting local copy: uyrdpa.dll
deleting local copy: wevdmoe2.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\d8j00i1me8.dll
C:\WINDOWS\system32\dKdim.dll
C:\WINDOWS\system32\e6202gfmg62a2.dll
C:\WINDOWS\system32\egcdec.dll
C:\WINDOWS\system32\en2ul1f91.dll
C:\WINDOWS\system32\ennql1551.dll
C:\WINDOWS\system32\fUultrep.dll
C:\WINDOWS\system32\gktuname.dll
C:\WINDOWS\system32\kedpl.dll
C:\WINDOWS\system32\njapi32.dll
C:\WINDOWS\system32\nvmssvc.dll
C:\WINDOWS\system32\nydenb32.dll
C:\WINDOWS\system32\o2lulc391f.dll
C:\WINDOWS\system32\s0rs0a97ed.dll
C:\WINDOWS\system32\thbyuv.dll
C:\WINDOWS\system32\uyrdpa.dll
C:\WINDOWS\system32\wevdmoe2.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{E8715F96-3FA9-4273-BC4B-54E9633BD04E}"=-
"{2B570D37-3EBD-48CB-B769-D485E50BE6CD}"=-
"{B92E6947-E077-434A-A850-6D95C84152FE}"=-
"{4377B037-7511-48F4-8131-204A4B59895D}"=-
[-HKEY_CLASSES_ROOT\CLSID\{E8715F96-3FA9-4273-BC4B-54E9633BD04E}]
[-HKEY_CLASSES_ROOT\CLSID\{2B570D37-3EBD-48CB-B769-D485E50BE6CD}]
[-HKEY_CLASSES_ROOT\CLSID\{B92E6947-E077-434A-A850-6D95C84152FE}]
[-HKEY_CLASSES_ROOT\CLSID\{4377B037-7511-48F4-8131-204A4B59895D}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************




This is the Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:04:49 AM, on 3/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ocy\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [PopUpInspector.exe] "C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O9 - Extra 'Tools' menuitem: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.c...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109886797998
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vigo-alessi.com
O17 - HKLM\Software\..\Telephony: DomainName = vigo-alessi.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vigo-alessi.com
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

  • 0

#12
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi ohnonotbunny

Welcome to geekstogo

Your HJT.log is looking good. ;)

You are running HijackThis from the Desktop; please create a new folder C:\HJT and move HijackThis.exe into the new folder

This is to make sure there are no hidden viruses on your system.
Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs From both virus scans and HJT.log we will need them to remove previous infections that have left files on your system.

How is your system running now?

Kc :tazz:
  • 0

#13
ohnonotbunny

ohnonotbunny

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here is one:


Incident Status Location
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.ini
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\System32\Aklsp.dll
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Ocy\Desktop\l2mfix\l2mfix\backup.zip[e6202gfmg62a2.dll]
Adware:Adware/Minibug.A No disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Spyware:Spyware/BetterInet No disinfected C:\RECYCLER\S-1-5-21-1409082233-839522115-1343024091-500\Dc10\3p_1n.exe
Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-1409082233-839522115-1343024091-500\Dc18.exe
Adware:Adware/DelFinMedia No disinfected C:\RECYCLER\S-1-5-21-1409082233-839522115-1343024091-500\Dc2\wsx.dll
Adware:Adware/DelFinMedia No disinfected C:\RECYCLER\S-1-5-21-1409082233-839522115-1343024091-500\Dc2\wsx.ocx
Adware:Adware/DelFinMedia No disinfected C:\RECYCLER\S-1-5-21-1409082233-839522115-1343024091-500\Dc2\wsxsvc.exe
Virus:Trj/Downloader.BBB Disinfected C:\RECYCLER\S-1-5-21-1409082233-839522115-1343024091-500\Dc3\vmss.exe
Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-1409082233-839522115-1343024091-500\Dc5.dll
Adware:Adware/Look2Me No disinfected C:\RECYCLER\S-1-5-21-1409082233-839522115-1343024091-500\Dc6.dll
Adware:Adware/ISearch No disinfected C:\WINDOWS\delprot.ini
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\aklsp.dll
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\system32\dolsp.dll
Virus:Trj/Delprot.A Disinfected C:\WINDOWS\system32\drivers\delprot.sys
Trendmicro didn't find anything.

Logfile of HijackThis v1.99.1
Scan saved at 4:28:41 PM, on 3/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\PROGRA~1\IBM\CLIENT~1\Emulator\pcsws.exe
C:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\userinit.exe
C:\Documents and Settings\Ocy\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [PopUpInspector.exe] "C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O9 - Extra 'Tools' menuitem: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.c...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109886797998
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vigo-alessi.com
O17 - HKLM\Software\..\Telephony: DomainName = vigo-alessi.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vigo-alessi.com
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

  • 0
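The HijackThis log posted above is what the helper reads by eye in the next reply. As an added example that is not part of this thread or of HijackThis itself, the script below parses O4 (Run key), O17 (domain) and O23 (service) lines from a constructed sample modelled on that log, then applies the checks a reviewer does by hand: autostart targets outside the usual install roots, the same target registered twice under different names (as PopUpInspector is here), and the O17 domain settings listed for review. The `updater` line pointing into a Temp folder is a made-up entry so the path check has something to flag; the trusted-root list is an assumption, not a HijackThis rule.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the HijackThis 1.99.1 output posted in
# this thread.  The HKCU "updater" line is a made-up entry (not from the log),
# added so that the install-root check below has something to flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PopUpInspector.exe] "C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe"
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\sample.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vigo-alessi.com
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - (?P<key>[^:]+): (?P<setting>\w+) = (?P<value>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$')
# First token ending in an executable-looking extension, quoted or not, so that
# trailing arguments (e.g. "Weather.exe 1") are dropped from the path.
PATH_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|ocx|scr|com|bat|cmd))"?', re.I)

# Assumed "normal" install roots; PROGRA~1 is the 8.3 short name of Program Files.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def extract_path(cmd):
    """Return the executable path from a Run/Service command string."""
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def parse_hjt(text):
    """Parse HijackThis O4/O17/O23 lines into dicts; other lines keep only their section tag."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"section": "O4", "hive": m["hive"], "name": m["name"],
                            "target": extract_path(m["cmd"]), "raw": line})
            continue
        m = O17_RE.match(line)
        if m:
            entries.append({"section": "O17", "key": m["key"], "name": m["setting"],
                            "target": m["value"], "raw": line})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"section": "O23", "name": m["name"], "vendor": m["vendor"],
                            "target": extract_path(m["cmd"]), "raw": line})
            continue
        entries.append({"section": line.split(" ", 1)[0], "name": "", "target": "", "raw": line})
    return entries


def untrusted_autostarts(entries):
    """Names of O4/O23 entries whose target lives outside TRUSTED_ROOTS (review these first)."""
    return [e["name"] for e in entries
            if e["section"] in ("O4", "O23") and e["target"]
            and not e["target"].lower().startswith(TRUSTED_ROOTS)]


def duplicate_autostarts(entries):
    """Run-key targets registered more than once, keyed by normalised path."""
    by_target = defaultdict(list)
    for e in entries:
        if e["section"] == "O4":
            by_target[e["target"].lower()].append(e["name"])
    return {t: names for t, names in by_target.items() if len(names) > 1}


def domain_settings(entries):
    """(registry key, value) pairs from O17 lines, for comparison with the expected network domain."""
    return [(e["key"], e["target"]) for e in entries if e["section"] == "O17"]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("outside install roots:", untrusted_autostarts(parsed))
    print("duplicate Run targets:", duplicate_autostarts(parsed))
    print("O17 domain settings:", domain_settings(parsed))
```

On the sample this reports `updater` as the only autostart outside the install roots, one duplicated Run target (the two PopUpInspector entries), and the single O17 domain value; a real review still compares each flagged path against what the user knows is installed, exactly as the helper does in the replies.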

#14
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi ohnonotbunny

Now… there is more than one way to repair this issue. In the Knowledge Base on the Microsoft website, there are two articles, 811259 and 299257, that will give you instructions to remove the proper Registry entries to cause Winsock and the IP stack to reload, and also command line NetShell instructions to reset Winsock.

Or, there is a freeware application called WinSock XP Fix 1.2 that will create a backup of your registry and then repair any Registry entries that may have been affected by the adware removal tools. This does NOT remove the stack and force you to reload Winsock, which is what the Microsoft solution above does.

Winsock XP fix 1.2 can be found at freeware sites, as well as http://www.spychecke...nsockxpfix.html
This is a very handy tool; always keep a copy on your system.

1) You may wish to print out a copy of these instructions to follow while you complete this procedure.

2) Be sure you're able to view hidden files.

3) First download lspfix.exe from http://www.spyware91...oads/LSPFix.exe. Launch the application, and click the "I know what I'm doing" checkbox.
Then move all instances of dolsp.dll to the remove pane (left hand) and click finish.

c:\winnt\system32\ aklsp.dll
c:\winnt\system32\ dolsp.dll
c:\winnt\system32\ aklsp.dll


4) Reboot into Safe Mode.

Using Windows Explorer delete the following file and folders

C:\keys.ini<--Delete the whole folder
C:\WINDOWS\farmmext.ini<--Delete this file
C:\WINDOWS\deskbar.ini<--Delete this file
C:\Documents and Settings\Ocy\Desktop\l2mfix\l2mfix\backup.zip[e6202gfmg62a2.dll]<--delete this file
C:\WINDOWS\delprot.ini<--Delete this file

Empty your recycle bin
C:\RECYCLER\S-1-5-21-1409082233-839522115-1343024091-500\Dc10\3p_1n.exe

Reboot back to normal.

Download CCleaner and unzip the file to install.
Unzip the program, then open CCleaner.
Place a check by everything in the Applications tab.
Place a check by Internet Explorer, Windows explorer, and System in the Windows tab.
Double click on the ccleaner icon then run the program.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm

Please post the logs from the Panda virus scan and HJT.log; we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0
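The reply above turns the Panda ActiveScan report into a removal plan by hand: registry-only hits, files to delete in Safe Mode, a file inside the l2mfix backup archive, items already sitting in the Recycle Bin, and the system32 DLLs handled through LSPFix. As an added example that is not part of this thread or of Panda's or LSPFix's own tooling, the script below reads a constructed sample made of a few of the report's lines and groups each "No disinfected" location into one of those buckets, keeping the items Panda already disinfected apart. The bucket names and the classification rules are assumptions made here for illustration; "system32_dll" only means "a DLL in system32 that the scanner flagged" and still needs the LSPFix-style check the helper describes before anything is removed.

```python
import re
from collections import defaultdict

# Constructed sample, made of a few lines from the Panda ActiveScan report
# posted in this thread.  "No disinfected" is Panda's own wording for a hit
# it did not clean.
SAMPLE_REPORT = r"""
Incident Status Location
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\System32\Aklsp.dll
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Ocy\Desktop\l2mfix\l2mfix\backup.zip[e6202gfmg62a2.dll]
Spyware:Spyware/BetterInet No disinfected C:\RECYCLER\S-1-5-21-1409082233-839522115-1343024091-500\Dc10\3p_1n.exe
Virus:Trj/Downloader.BBB Disinfected C:\RECYCLER\S-1-5-21-1409082233-839522115-1343024091-500\Dc3\vmss.exe
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\system32\dolsp.dll
Virus:Trj/Delprot.A Disinfected C:\WINDOWS\system32\drivers\delprot.sys
"""

# Incident names carry no spaces; status is one of two fixed phrases; the rest is the location.
LINE_RE = re.compile(r'^(?P<incident>\S+) (?P<status>No disinfected|Disinfected) (?P<location>.+)$')


def parse_report(text):
    """Return one dict per incident line; the header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def classify(location):
    """Assumed triage buckets, mirroring how the reply above splits up the list."""
    loc = location.lower()
    if loc == "windows registry":
        return "registry"            # no file on disk; registry cleanup only
    if re.search(r'\.(zip|rar|cab)\[', loc):
        return "archive_member"      # a file inside an archive; removing the archive removes it
    if loc.startswith("c:\\recycler\\"):
        return "recycle_bin"         # already deleted once; emptying the bin finishes it
    if "\\system32\\drivers\\" in loc and loc.endswith(".sys"):
        return "driver"
    if "\\system32\\" in loc and loc.endswith(".dll"):
        return "system32_dll"        # may be a Winsock LSP; check the LSP chain before deleting
    return "file"                    # an ordinary file to delete in Safe Mode


def triage(text):
    """Group 'No disinfected' locations by bucket; keep Panda's own cleanups separate."""
    plan = defaultdict(list)
    for r in parse_report(text):
        if r["status"] == "Disinfected":
            plan["already_cleaned"].append(r["location"])
        else:
            plan[classify(r["location"])].append(r["location"])
    return dict(plan)


if __name__ == "__main__":
    for bucket, locations in triage(SAMPLE_REPORT).items():
        print(bucket)
        for loc in locations:
            print("   ", loc)
```

On the sample this produces one registry item, two system32 DLLs (the two LSP candidates the reply sends to LSPFix), one archive member, one Recycle Bin entry, one plain file, and two items Panda had already disinfected.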

#15
Guest_thatman_*

Guest_thatman_*
  • Guest
No reply from user

Topic closed

Kc
  • 0
