Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help Please!


  • Please log in to reply

#1
ladycove

ladycove

    New Member

  • Member
  • Pip
  • 4 posts
please help me get rid of these nasty popups!!! I am so pleased to have found a place that may be able to help me. I am so digusted with these popups... This is my lastest scan;


Logfile of HijackThis v1.99.1
Scan saved at 5:40:21 PM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\COMMON~1\AOL\110108~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110108~1\EE\AOLServiceHost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://red.clientapp...faults/sb/*http

://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: McAfee VirusScan -

{BA52B914-B692-46c4-B683-905236F6F655} -

c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search -

{40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM

Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O4 - HKLM\..\Run: [VSOCheckTask]

"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online]

"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe]

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe]

C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common

Files\AOL\1101083502\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common

Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]

"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program

Files\Cookie Washer\washidx.exe "Owner"
O4 - HKCU\..\Run: [Weather] C:\Program

Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [TClockEx] C:\Program

Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie

Washer\aolwasher.exe /0
O8 - Extra context menu item: &AIM Search - res://C:\Program

Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search -

res://c:\program files\broderbund\the print

shop\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program

Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary -

file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program

Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM -

{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: Real.com -

{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug -

{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} -

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://www.passport.com
O15 - Trusted Zone: http://www.passport.net
O15 - Trusted Zone: http://january.rr.com
O16 - DPF: Aces Up! by pogo -

http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo -

http://superbingo.po...ngo/superbingo-

ob-assets.cab
O16 - DPF: Harvest Mania by pogo -

http://game1.pogo.co...est-ob-assets.c

ab
O16 - DPF: Jungle Gin by pogo -

http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: Lottso by pogo -

http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo -

http://game1.pogo.co...hjong-ob-assets

.cab
O16 - DPF: Perfect Pair Solitaire by pogo -

http://game1.pogo.co.../waterwheel-ob-

assets.cab
O16 - DPF: Phlinx by pogo -

http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Pop Fu by pogo -

http://game1.pogo.co...u-ob-assets.cab
O16 - DPF: Squelchies by pogo -

http://game1.pogo.co...quelchies-ob-as

sets.cab
O16 - DPF: Texas Hold'em Poker by pogo -

http://game4.pogo.co...dem-ob-assets.c

ab
O16 - DPF: Tri-Peaks by pogo -

http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo -

http://whackdown.pog...ackdown/whackdo

wn-ob-assets.cab
O16 - DPF: WordJong by pogo -

http://wordjong.pogo.../wordjong-ob-as

sets.cab
O16 - DPF: World Class Solitaire by pogo -

http://game1.pogo.co...orldclass-ob-as

sets.cab
O16 - DPF: Yahoo! Chess -

http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Dominoes -

http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Graffiti -

http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Klondike Solitaire -

http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! Literati -

http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong -

http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Pool 2 -

http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids -

http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Reversi -

http://download.game...nts/y/rt0_x.cab
O16 - DPF: Yahoo! Spelldown -

http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 -

http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}

(BrowseFolderPopup Class) -

http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop

Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C}

(ICSScannerLight Class) -

http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}

(Symantec AntiVirus scanner) -

http://security1.nor...bin/AvSniff.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D}

(WildTangent Active Launcher) -

http://install.wildt...iveLauncher.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF}

(PopCapLoaderCtrl Class) -

http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class)

- http://www.pcpitstop...virus/PCPAV.CAB
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File

Upload Control) -

http://sc.communitie...eUC/MsnUpld.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma

Image Uploader 3.0 Control) -

http://memory-of.com...geUploader3.cab
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B}

(Download Class) -

http://expressit.bro...in/Download.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D}

(CDToolCtrl Class) -

http://free.aol.com/...5/aolcdt175.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

http://us.dl1.yimg.c...ls/suite/autoco

mplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F}

(RealArcadeRdxIE Class) -

http://games-dl.real...B/RealArcadeRdx

IE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}

(DwnldGroupMgr Class) -

http://bin.mcafee.co...s/1,0,0,16/mcgd

mgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}

(McFreeScan Class) -

http://download.mcaf...s/tools/mcfscan

/1,5,0,4304/mcfscan.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46}

(IMDownloader Class) -

http://www2.incredim...loader/imloader.

cab
O20 - Winlogon Notify: policies -

C:\WINDOWS\system32\dnro0193e.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America

Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) -

America Online, Inc - C:\Program Files\Common

Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) -

Unknown owner - C:\Program Files\Common Files\AOL\AOL

Spyware Protection\\aolserv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International,

Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner -

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager

(mcupdmgr.exe) - McAfee, Inc -

C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine

(MCVSRte) - McAfee, Inc -

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs

LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

Advertisements


#2
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hey ladycove and Welcome to G2G!!!

I have a sneaky suspicion this is the L2M Infection!!!

Lets find out!!

Use one of the links below to download the L2MFix:
http://www.atribune....oads/l2mfix.exe
or
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter.

This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.
  • 0

#3
ladycove

ladycove

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
ok, here we go....



L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnro0193e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{132B74AD-D907-4096-4B4A-D5E67550BE96}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}"="FTP Explorer Shell Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{1CAA843A-6DBD-40EF-AB71-8F7B209997C0}"="IntelliType Pro Key Settings Control Panel Property Page"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}"="Multiscan"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{B60E604A-E02F-46C2-BD80-7F6B2CBC659B}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B60E604A-E02F-46C2-BD80-7F6B2CBC659B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B60E604A-E02F-46C2-BD80-7F6B2CBC659B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B60E604A-E02F-46C2-BD80-7F6B2CBC659B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B60E604A-E02F-46C2-BD80-7F6B2CBC659B}\InprocServer32]
@="C:\\WINDOWS\\system32\\eq.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C is HP_PAVILION
Volume Serial Number is 7427-1CD8

Directory of C:\WINDOWS\System32

05/01/2005 07:09 AM 234,823 guard.tmp
04/30/2005 06:42 PM <DIR> dllcache
04/30/2005 03:43 PM 234,953 u8ruli9918.dll
04/29/2005 10:21 PM 234,823 dnro0193e.dll
04/29/2005 06:37 AM 5 AuxDrv32b_g.oxc
04/16/2005 05:38 AM 233,551 h24mlch11f4.dll
11/15/2003 06:39 PM 14,336 Thumbs.db
11/16/2001 07:06 PM <DIR> Microsoft
6 File(s) 952,491 bytes
2 Dir(s) 15,143,546,880 bytes free
  • 0

#4
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Did you Recieve any error messages when running the L2MFix,like an autoexec.bat error or a cmd error?

If so,Open the L2MFix select Option 3,this will open a new browser page,scroll that page and find the link that applies to your Operating System!
Then run Option 1 of the L2MFix again and post those results!!

If Not,proceed to Option 2:

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
  • 0

#5
ladycove

ladycove

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Logfile of HijackThis v1.99.1
Scan saved at 7:22:12 AM, on 5/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\COMMON~1\AOL\110108~1\EE\AOLHOS~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\AOL\110108~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101083502\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "Owner"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://c:\program files\broderbund\the print shop\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://www.passport.com
O15 - Trusted Zone: http://www.passport.net
O15 - Trusted Zone: http://january.rr.com
O16 - DPF: Aces Up! by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...u-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.co...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pog...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.nor...bin/AvSniff.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildt...iveLauncher.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop...virus/PCPAV.CAB
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communitie...eUC/MsnUpld.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://memory-of.com...geUploader3.cab
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.bro...in/Download.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/...5/aolcdt175.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...304/mcfscan.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe





-----------------------------------------------------------------------------------------------

L2Mfix 1.03

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows

NT 4 and above
Copyright © 1999-2001 Frank Heyne Software

(http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key

HKLM\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows

NT 4 and above
Copyright © 1999-2001 Frank Heyne Software

(http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows

NT 4 and above
Copyright © 1999-2001 Frank Heyne Software

(http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key

HKLM\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Owner\Desktop\l2mfix\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows

NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1500 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows

NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\u8ruli9918.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\u8ruli9918.dll
Successfully Deleted: C:\WINDOWS\system32\u8ruli9918.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: u8ruli9918.dll (188 bytes security) (deflated 5%)
adding: guard.tmp (188 bytes security) (deflated 5%)
adding: clear.reg (188 bytes security) (deflated 22%)
adding: echo.reg (188 bytes security) (deflated 12%)
adding: direct.txt (188 bytes security) (deflated 7%)
adding: lo2.txt (188 bytes security) (deflated 72%)
adding: readme.txt (188 bytes security) (deflated 49%)
adding: test.txt (188 bytes security) (deflated 30%)
adding: test2.txt (188 bytes security) (stored 0%)
adding: test3.txt (188 bytes security) (stored 0%)
adding: test5.txt (188 bytes security) (stored 0%)
adding: xfind.txt (188 bytes security) (deflated 23%)
adding: backregs/B60E604A-E02F-46C2-BD80-7F6B2CBC659B.reg

(188 bytes security) (deflated 70%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows

NT 4 and above
Copyright © 1999-2001 Frank Heyne Software

(http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows

NT 4 and above
Copyright © 1999-2001 Frank Heyne Software

(http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key

HKLM\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: u8ruli9918.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
*****************************************************************

***********
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00

,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00

,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,

2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00

,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,

2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
*****************************************************************

***********
C:\WINDOWS\system32\u8ruli9918.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the

backreg folder.
*****************************************************************

***********
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi

on\Shell Extensions\Approved]
"{B60E604A-E02F-46C2-BD80-7F6B2CBC659B}"=-
[-HKEY_CLASSES_ROOT\CLSID\{B60E604A-E02F-46C2-BD80-7F6B2

CBC659B}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVe

rsion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVer

sion\Internet Settings\User Agent\Post Platform]
"SV1"=""
*****************************************************************

***********
Desktop.ini Contents:
****************************
  • 0

#6
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,that looks much better!!!

Go to Add\Remove Programs and remove:

AWS\Weatherbug

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O15 - Trusted Zone: http://www.msn.com<<< Unless you put these there!!!
O15 - Trusted Zone: http://www.passport.com
O15 - Trusted Zone: http://www.passport.net
O15 - Trusted Zone: http://january.rr.com

O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildt...iveLauncher.cab

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://memory-of.com...geUploader3.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Locate and Delete:

C:\Documents and Settings\Owner\Application Data\wtta.exe<< File Only!

C:\Program Files\AWS<< The Entire AWS folder!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Make Sure Normal Startup is Checked!!

Select the tab labeled Startup and put a Check by every box there!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Once Restarted Normal,Have the PC scanned here:
http://www.pandasoft...n_principal.htm

You will have to be using Internet Exoplorer for the Scan to Work!

Please save the Report and Post it along with a fresh HijackThis log!!
  • 0

#7
ladycove

ladycove

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hello, Thank you so much for all your help.


Logfile of HijackThis v1.99.1
Scan saved at 6:01:51 AM, on 5/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\COMMON~1\AOL\110108~1\EE\AOLHOS~1.EXE
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\COMMON~1\AOL\110108~1\EE\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\hp\drivers\keyboard\ps2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common

Files\Real\Update_OB\RealOneMessageCenter.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: McAfee VirusScan -

{BA52B914-B692-46c4-B683-905236F6F655} -

c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search -

{40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM

Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O4 - HKLM\..\Run: [VSOCheckTask]

"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online]

"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe]

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe]

C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common

Files\AOL\1101083502\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common

Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection]

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program

Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [tsvcin] c:\windows\system32\n20050308.exe
O4 - HKLM\..\Run: [RealTray] C:\Program

Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] c:\hp\drivers\keyboard\ps2.exe
O4 - HKLM\..\Run: [PrinTray]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead

Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program

Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft

Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IncrediMail]

C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds]

C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DM_Server]

C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [checktime] c:\program

files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program

Files\Cookie Washer\washidx.exe "Owner"
O4 - HKCU\..\Run: [TClockEx] C:\Program

Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie

Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program

Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN

Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program

Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Acme.PCHButton]

C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Startup: Webshots.lnk = C:\Program

Files\Webshots\WebshotsTray.exe
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program

Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search -

res://c:\program files\broderbund\the print

shop\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program

Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary -

file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program

Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM -

{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: Real.com -

{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://january.rr.com
O16 - DPF: Aces Up! by pogo -

http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo -

http://superbingo.po...ngo/superbingo-

ob-assets.cab
O16 - DPF: Harvest Mania by pogo -

http://game1.pogo.co...est-ob-assets.c

ab
O16 - DPF: Jungle Gin by pogo -

http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: Lottso by pogo -

http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo -

http://game1.pogo.co...hjong-ob-assets

.cab
O16 - DPF: Perfect Pair Solitaire by pogo -

http://game1.pogo.co.../waterwheel-ob-

assets.cab
O16 - DPF: Phlinx by pogo -

http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Pop Fu by pogo -

http://game1.pogo.co...u-ob-assets.cab
O16 - DPF: Squelchies by pogo -

http://game1.pogo.co...quelchies-ob-as

sets.cab
O16 - DPF: Texas Hold'em Poker by pogo -

http://game4.pogo.co...dem-ob-assets.c

ab
O16 - DPF: Tri-Peaks by pogo -

http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo -

http://whackdown.pog...ackdown/whackdo

wn-ob-assets.cab
O16 - DPF: WordJong by pogo -

http://wordjong.pogo.../wordjong-ob-as

sets.cab
O16 - DPF: World Class Solitaire by pogo -

http://game1.pogo.co...orldclass-ob-as

sets.cab
O16 - DPF: Yahoo! Chess -

http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Dominoes -

http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Graffiti -

http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Klondike Solitaire -

http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: Yahoo! Literati -

http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong -

http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Pool 2 -

http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids -

http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Reversi -

http://download.game...nts/y/rt0_x.cab
O16 - DPF: Yahoo! Spelldown -

http://download.game...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 -

http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}

(BrowseFolderPopup Class) -

http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop

Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C}

(ICSScannerLight Class) -

http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}

(Symantec AntiVirus scanner) -

http://security1.nor...bin/AvSniff.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF}

(PopCapLoaderCtrl Class) -

http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class)

- http://www.pcpitstop...virus/PCPAV.CAB
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File

Upload Control) -

http://sc.communitie...eUC/MsnUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

(ActiveScan Installer Class) -

http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B}

(Download Class) -

http://expressit.bro...in/Download.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D}

(CDToolCtrl Class) -

http://free.aol.com/...5/aolcdt175.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

http://us.dl1.yimg.c...ls/suite/autoco

mplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F}

(RealArcadeRdxIE Class) -

http://games-dl.real...B/RealArcadeRdx

IE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}

(DwnldGroupMgr Class) -

http://bin.mcafee.co...s/1,0,0,16/mcgd

mgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}

(McFreeScan Class) -

http://download.mcaf...s/tools/mcfscan

/1,5,0,4304/mcfscan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America

Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) -

America Online, Inc - C:\Program Files\Common

Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) -

Unknown owner - C:\Program Files\Common Files\AOL\AOL

Spyware Protection\\aolserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -

C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International,

Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner -

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager

(mcupdmgr.exe) - McAfee, Inc -

C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine

(MCVSRte) - McAfee, Inc -

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs

LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



-----------------------------------------------------------------------------------------------



Incident Status Location

Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall*.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/BrilliantDigitalNo disinfected C:\WINDOWS\BDE
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\xmlparse?.dll
Adware:Adware/FunWeb No disinfected Windows Registry
Adware:Adware/WildTangent No disinfected C:\Program Files\WILDTANGENT
Adware:Adware/WUpd No disinfected Windows Registry
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\system32\pacis.exe
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Owner\Application Data\wtta.exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\l2mfix\backup.zip[u8ruli9918.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\l2mfix\l2mfix\backup.zip[guard.tmp]
Possible Virus. No disinfected C:\Documents and Settings\Owner\Local Settings\Application Data\93806413341044.exe.php
Adware:Adware/FunWeb No disinfected C:\HJT\backups\backup-20050427-185156-210.inf
Possible Virus. No disinfected C:\My Games\Magic Ball 2\MagicBall2.exe
Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Adware:Adware/Apropos No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\31424060.asw
Adware:Adware/Apropos No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\31434371.asw
Adware:Adware/Apropos No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\31448752.asw
Adware:Adware/Apropos No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\71857656.asw
Adware:Adware/Apropos No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\71857859.asw
Adware:Adware/Apropos No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\71858109.asw
Adware:Adware/Envolo No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\71859921.asw
Virus:Trojan Horse Disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/SAHAgent No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20050415214349.zip[lsp_.dll]
Adware:Adware/SAHAgent No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20050415214349.zip[SAHAgent_.exe]
Adware:Adware/SAHAgent No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20050415214349.zip[SahHtml_.exe]
Adware:Adware/SAHAgent No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20050415214349.zip[SAHUninstall_.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\installer_MARKETING14.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\xmlparse.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\icont.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\iconu.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_30.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UpdInst.exe
Adware:Adware/Specofer No disinfected C:\WINDOWS\SYSTEM32\httppost.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\ncase.dll
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\SYSTEM32\pacis.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\SHAgentNew.dll
  • 0

#8
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,Sorry it took me so long to reply,weorks been real busy this week!!!

Download the Hoster from here.
http://www.funkytoad...load/hoster.zip
Press "Restore Original Hosts" and press "OK". Exit Program.
This will restore the original Hosts file.


Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.
Download,UnZip,Extract All Files and Have it ready to Use!

Go to Add\Remove Programs and Remove:

WildTangent CDA
CometCursor/Shop
CometCursor/Plus
CometCursor/Toolbar


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program
Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [tsvcin] c:\windows\system32\n20050308.exe

O4 - HKLM\..\Run: [DM_Server]
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot

O4 - Global Startup: VTAgentReboot.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!
Here is a link to help with that:
http://www.bleepingc...showtutorial=62

Once in Safe Mode,Open Pocket KillBox,In the Open box labeled "Full Path of File to Delete"

Copy&Paste this into it:

C:\WINDOWS\SYSTEM32\SHAgentNew.dll

Now put a Tick by these:

"Standard File Delete"
"End Explorer Shell while Killing File"
"Unregister .dll before deleting file"

Now Click the Red Circle with the White X in the middle to Delete!

You shoud get a message saying File was deleted successfully!!!
If not,let me know in the next post!

Do the exact same for these:

C:\WINDOWS\SYSTEM32\ncase.dll

C:\WINDOWS\Downloaded Program Files\xmlparse.dll


For the next list,make sure these have a tick by them:

"Standard File Delete"
"End Explorer Shell while Killing File"
"Deltree(Include SubDirectories)"<< When its available

c:\windows\system32\n20050308.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\93806413341044.exe.php

C:\Program Files\Windows Media Player\wmplayer.exe.tmp

C:\WINDOWS\Downloaded Program Files\installer_MARKETING14.exe

C:\WINDOWS\icont.exe

C:\WINDOWS\iconu.exe

C:\WINDOWS\NDNuninstall6_30.exe

C:\WINDOWS\SYSTEM\UpdInst.exe

C:\WINDOWS\SYSTEM32\httppost.exe

C:\WINDOWS\SYSTEM32\pacis.exe

C:\Documents and Settings\Owner\Application Data\wtta.exe

C:\Program Files\AIM\Sysfiles\WxBug.EXE

C:\WINDOWS\BDE

C:\Program Files\WILDTANGENT

C:\My Games\Magic Ball 2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe


Make a list of ant files,not found or unable to delete!!
Place that list in the next post!!

Once all is completed,please do one more Online Scan to be sure everything is OK!

http://www3.ca.com/s...sinfo/scan.aspx
or
http://www.ravantivirus.com/scan/

Please post any results they provide!!

Scan the PC with HijackThis again and Post those results!!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP