
Cannot remove WGNSTA.DLL


#1 markymarc (New Member)
As a last resort I am seeking help on the net to see if perhaps anyone else had the same problem. I am running Windows XP home edition with SP2. I have the following symptoms:

1. Windows has slowed down to a crawl
2. I get the BSOD and STOP errors I have never seen before.
3. Every time I boot my firewall (Running Outpost Pro 2.7) warns me that wgnsta.dll and "somerandomname".dll is trying to execute as an app. I block the attempt but on next boot I get the same messages. I have noticed the wgnsta.dll located in windows/system32 is 408K as well as the other random name created dlls.

I have tried MS AntiSpyware, AdAware, Trojan Hunter, Killbox, Spysubtract, system restore and even manually editing the registry file. I am unable to delete the WGNSTA.DLL file or the randomname.dll file using delete on next boot or safe mode login.

Seems that the DLL is loaded using WINLOGON AppInitDLL process. Any help would be greatly appreciated!

Here is my HIJACKTHIS log file:
Logfile of HijackThis v1.99.1
Scan saved at 8:04:32 AM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Marco\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: (no name) - -{724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1225f8dbc043ba2e1c05/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1112830767796
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\wgnsta.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe

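The O20 lines in the HijackThis log above are the two load points worth reading closely: `AppInit_DLLs` (a DLL mapped into every process that loads user32.dll) and `Winlogon Notify` (a DLL loaded by winlogon.exe itself, which is why it is already in use by the time any user-mode tool tries to delete it). The script below is an added example, not part of this thread or of HijackThis: it parses O20 lines from a constructed sample in the same format and flags any Winlogon Notify subkey that is not in an assumed baseline of stock XP SP2 subkeys (the `XP_SP2_NOTIFY_BASELINE` set is my assumption; compare it against a known-clean machine of the same build before relying on it).

```python
import re

# Constructed sample in HijackThis 1.99 log format, modelled on the O4/O20
# lines in the log above (the crypt32chain line is a stock XP entry added for contrast).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\wgnsta.dll
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
"""

# Assumed baseline of Winlogon\Notify subkeys on a stock XP SP2 install.
# Treat it as a starting point: confirm against a known-clean machine of the same build.
XP_SP2_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.+)$")


def parse_o20(log_text):
    """Return the O20 entries of a HijackThis log as dicts (kind, subkey, path)."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue
        if m["kind"] == "Winlogon Notify":
            # HijackThis prints "<Notify subkey> - <DLL path>"
            subkey, _, path = m["rest"].partition(" - ")
            entries.append({"kind": "Winlogon Notify", "subkey": subkey.strip(), "path": path.strip()})
        else:
            # AppInit_DLLs is one REG_SZ holding one or more paths separated by
            # spaces or commas, which is why 8.3 short names show up in it.
            for path in re.split(r"[,\s]+", m["rest"].strip()):
                if path:
                    entries.append({"kind": "AppInit_DLLs", "subkey": None, "path": path})
    return entries


def assess(entries, baseline=XP_SP2_NOTIFY_BASELINE):
    """Return (severity, path, reason) for each O20 entry that deserves attention."""
    known = {b.lower() for b in baseline}
    findings = []
    for e in entries:
        if e["kind"] == "AppInit_DLLs":
            findings.append(("review", e["path"],
                             "AppInit_DLLs is mapped into every process that loads user32.dll; "
                             "confirm the vendor (a firewall hook here is expected)"))
        elif e["subkey"].lower() not in known:
            findings.append(("suspicious", e["path"],
                             f"Winlogon Notify subkey '{e['subkey']}' is not in the baseline; the DLL is "
                             "loaded by winlogon.exe before any user session, so it is in use whenever "
                             "a user-mode tool tries to delete it"))
    return findings


if __name__ == "__main__":
    for severity, path, reason in assess(parse_o20(SAMPLE_HJT)):
        print(f"[{severity}] {path}: {reason}")
```

Run against the sample it reports the Outpost hook for review and the `Reliability` entry as suspicious while staying quiet on `crypt32chain`. The point of keeping a baseline rather than a blocklist is that these loaders take arbitrary subkey names, so a name-based signature would miss the next variant.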

#2 Wizard (Retired Staff)
Hi markymarc and Welcome!

Would you go to this site and Upload that file for Examination
http://www.thespykiller.co.uk/forum/

C:\WINDOWS\system32\wgnsta.dll

Then I am going to PM you with my email and get a copy as well!

Right Click the Desktop and Select Compressed (zipped) Folder

Place a Copy of that file in it and before you close it>> Click File>> Add a Password>> Make the Password "infected" (All lower Case)

You should get the PM shortly!

Download the l2mfix from here
http://www.atribune....oads/l2mfix.exe
or
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.

Edited by Cretemonster, 07 July 2005 - 09:06 AM.


#3 markymarc (Topic Starter)
Thanks for the help Cretemonster. Here is the result of the NEW log (7/8/05):
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\wgnsta.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FDCA03A2-0F34-E2EE-2F09-DE15B3B06249}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
@=""
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}"="PhotoToys"
"{19F500E0-9964-11cf-B63D-08002B317C03}"="Desktop Icon Layout"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{C169E5F0-E2B3-41F3-B81A-7BA529CBE193}"="ZipGenius Shell Extension"
"{2E5AC2E0-406D-11D4-86B3-FA5861508E25}"="ZipGenius Zip InfoTip"
"{310A0C95-EA11-42AE-A8E4-53E69E650310}"="ZipGenius Zip Drop handler"
"{FE8D01BF-610A-4261-9C6E-32D65A42C907}"="ZipGenius DnD Extract handler"
"{20082881-FC36-4E47-9A7A-644C95FF749F}"="IntelliPoint Wireless Control Panel Property Page"
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}"="IntelliPoint Wheel Control Panel Property Page"
"{653DCCC2-13DB-45B2-A389-427885776CFE}"="IntelliPoint Activities Control Panel Property Page"
"{124597D8-850A-41AE-849C-017A4FA99CA2}"="IntelliPoint Buttons Control Panel Property Page"
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}"="IntelliType Pro Zooming Control Panel Property Page"
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}"="IntelliType Pro Scrolling Control Panel Property Page"
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}"="IntelliType Pro Key Settings Control Panel Property Page"
"{A2569D1F-4E06-43EC-9825-0088B471BE47}"="IntelliType Pro Wireless Control Panel Property Page"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{2F5AC606-70CF-461C-BFE1-734234536262}"="WindowBlinds CPL Extension"
"{29e3fb5b-cf62-45b5-b8bf-1ad500385fc7}"="Shell Context Menu Handler for Application References"
"{29e3fb5b-cf62-45b5-b8bf-1ad500385fc6}"="Shell Context Menu Handler for Application Manifests"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
"{B089FE88-FB52-11d3-BDF1-0050DA34150D}"="NOD32 Context Menu Shell Extension"
"{661825E5-B9A4-4D3E-8B74-3B6B63C32A80}"="Shell Extensions for Font Creator"
"{AF32DAFE-1358-4F35-A673-FB123BC6303F}"="Cutter 4.1 Shell Extension"
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}"="SnagIt"
"{CF74B903-3389-469c-B3B6-0204D204FCBD}"="SnagIt Shell Extension"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{66548754-6CDB-47DA-855B-96AEB492CC66}"=""
"{DA189BDA-9C96-4067-B1F3-95DABBF7A874}"=""
"{7BA5C285-B0C5-483D-9322-6F4F74AA95C8}"=""
"{38FF58C2-B89B-4792-B550-2DA928335903}"=""
"{8FB2BB91-2F64-42A6-A99E-8AC8DFCD9B58}"=""
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"
"{921EE1FC-D7C2-455C-B6BC-6A1DC964B693}"=""
"{3A55F745-33D5-4466-B871-87627D5D0445}"=""
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}"="aż Context Menu Shell Extension"
"{4A89DA98-3AEE-45F4-A2C1-017E40E8A78C}"=""
"{804B5642-4025-4325-92E1-7EFE18151948}"=""
"{0756DC05-F870-4511-8660-F752A9E9ACC4}"=""
"{2F530CD1-731C-47AF-AF16-79A6FEBF46E8}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{66548754-6CDB-47DA-855B-96AEB492CC66}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{66548754-6CDB-47DA-855B-96AEB492CC66}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{66548754-6CDB-47DA-855B-96AEB492CC66}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{66548754-6CDB-47DA-855B-96AEB492CC66}\InprocServer32]
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0756DC05-F870-4511-8660-F752A9E9ACC4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0756DC05-F870-4511-8660-F752A9E9ACC4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0756DC05-F870-4511-8660-F752A9E9ACC4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0756DC05-F870-4511-8660-F752A9E9ACC4}\InprocServer32]
@="C:\\WINDOWS\\system32\\wcpasf.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2F530CD1-731C-47AF-AF16-79A6FEBF46E8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F530CD1-731C-47AF-AF16-79A6FEBF46E8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F530CD1-731C-47AF-AF16-79A6FEBF46E8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F530CD1-731C-47AF-AF16-79A6FEBF46E8}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   browseui.dll   Mon May  2 2005   4:52:34p  A....      1,019,904   996.00 K
   cdfview.dll    Mon May  2 2005   4:52:34p  A....        151,040   147.50 K
   cdm.dll        Thu May 26 2005   4:16:24a  A....         75,544    73.77 K
   dxva2.dll      Mon Apr 18 2005   2:22:08p  A....         31,976    31.23 K
   evr.dll        Mon Apr 18 2005   2:22:14p  A....        191,208   186.73 K
   gccoll~1.dll   Fri Jun 24 2005   3:24:22p  A....        126,680   123.71 K
   hashlib.dll    Fri Jun 24 2005   3:24:22p  A....        117,976   115.21 K
   hhsetup.dll    Thu May 26 2005  10:04:28p  A....         41,472    40.50 K
   iepeers.dll    Mon May  2 2005   4:52:34p  A....        250,880   245.00 K
   imon.dll       Fri Jun 24 2005   7:51:32a  A....        270,336   264.00 K
   infoca~1.dll   Tue May  3 2005  10:29:30p  A....         10,240    10.00 K
   inseng.dll     Mon May  2 2005   4:52:34p  A....         96,256    94.00 K
   itircl.dll     Thu May 26 2005  10:04:28p  A....        155,136   151.50 K
   itss.dll       Thu May 26 2005  10:04:28p  A....        137,216   134.00 K
   iuengine.dll   Thu May 26 2005   4:16:24a  A....        198,424   193.77 K
   legitc~1.dll   Fri Jun 17 2005  11:40:36a  A....        459,528   448.76 K
   milcore.dll    Fri Apr 29 2005  10:00:54a  A....      1,722,600     1.64 M
   mscoree.dll    Sat Apr  9 2005  12:40:10a  A....        253,952   248.00 K
   mscorier.dll   Sat Apr  9 2005   2:17:28a  A....        150,528   147.00 K
   mshtml.dll     Mon May  2 2005   4:52:36p  A....      3,012,608     2.87 M
   mshtmled.dll   Mon May  2 2005   4:52:36p  A....        448,512   438.00 K
   msi.dll        Wed May  4 2005   2:45:32p  A....      2,890,240     2.75 M
   msrating.dll   Mon May  2 2005   4:52:36p  A....        146,432   143.00 K
   natura~1.dll   Mon Apr 18 2005   2:22:56p  A....      1,919,208     1.83 M
   netshell.dll   Wed Apr 20 2005   3:21:34p  A....      1,705,472     1.63 M
   nlsdat~1.dll   Mon Apr 18 2005   2:22:58p  A....      7,393,512     7.05 M
   nlslex~1.dll   Mon Apr 18 2005   2:23:02p  A....      2,643,688     2.52 M
   nv4_disp.dll   Wed Jun 15 2005   5:20:00p  A....      3,896,320     3.71 M
   nvcod.dll      Wed Jun 15 2005   5:20:00p  A....         32,768    32.00 K
   nvcodins.dll   Wed Jun 15 2005   5:20:00p  A....         32,768    32.00 K
   nvcpl.dll      Wed Jun 15 2005   5:20:00p  A....      6,803,456     6.49 M
   nvhwvid.dll    Wed Jun 15 2005   5:20:00p  A....        540,672   528.00 K
   nview.dll      Wed Jun 15 2005   5:20:00p  A....      1,462,272     1.39 M
   nvmctray.dll   Wed Jun 15 2005   5:20:00p  A....         86,016    84.00 K
   nvnt4cpl.dll   Wed Jun 15 2005   5:20:00p  A....        286,720   280.00 K
   nvoglnt.dll    Wed Jun 15 2005   5:20:00p  A....      5,136,384     4.90 M
   nvshell.dll    Wed Jun 15 2005   5:20:00p  A....        466,944   456.00 K
   nvwddi.dll     Wed Jun 15 2005   5:20:00p  A....         81,920    80.00 K
   nvwdmcpl.dll   Wed Jun 15 2005   5:20:00p  A....      1,662,976     1.59 M
   nvwimg.dll     Wed Jun 15 2005   5:20:00p  A....      1,019,904   996.00 K
   oodagmg.dll    Wed May 11 2005   3:08:18a  A....          9,728     9.50 K
   oodagrs.dll    Wed May 11 2005   3:09:00a  A....         10,240    10.00 K
   oodbsrs.dll    Wed May 11 2005   3:12:56a  A....          3,584     3.50 K
   ootmapi.dll    Wed May 11 2005   1:37:32a  A....          9,216     9.00 K
   penimc.dll     Fri Apr 29 2005   9:45:18a  A....         94,952    92.73 K
   pndx5016.dll   Sun May 29 2005   8:52:04a  A....          6,656     6.50 K
   pndx5032.dll   Sun May 29 2005   8:52:04a  A....          5,632     5.50 K
   pngfilt.dll    Mon May  2 2005   4:52:36p  A....         39,424    38.50 K
   presen~1.dll   Fri Apr 29 2005   9:45:16a  A....         98,536    96.23 K
   presen~2.dll   Fri Apr 29 2005   9:45:28a  A....        652,008   636.73 K
   prntvpt.dll    Mon Apr 18 2005   2:23:06p  A....         97,512    95.23 K
   rmoc3260.dll   Sun May 29 2005   8:52:20a  A....        176,167   172.04 K
   shdocvw.dll    Mon May  2 2005   4:52:36p  A....      1,483,776     1.41 M
   shlwapi.dll    Mon May  2 2005   4:52:36p  A....        473,600   462.50 K
   sulsrv32.dll   Fri Jul  8 2005   1:17:36p  ..S.R        417,792   408.00 K
   urlmon.dll     Mon May  2 2005   4:52:36p  A....        607,744   593.50 K
   uxtheme.dll    Wed May 25 2005   6:16:38p  A....        218,624   213.50 K
   wcpasf.dll     Fri Jul  8 2005   1:25:28p  ..S.R        417,792   408.00 K
   wfxhel~1.dll   Sat May  7 2005   6:30:20a  A....             10     0.01 K
   wgnsta.dll     Wed Jul  6 2005   8:27:02p  ..S.R        417,792   408.00 K
   window~1.dll   Fri Apr 29 2005  10:01:00a  A....        505,576   493.73 K
   wininet.dll    Mon May  2 2005   4:52:36p  A....        657,920   642.50 K
   wmp.dll        Sat Apr 30 2005   5:00:02p  A....      5,533,696     5.28 M
   wmvcore.dll    Sat Apr 30 2005   5:23:50p  A....      2,374,392     2.26 M
   wmvdmod.dll    Sat Apr 30 2005   5:23:50p  A....        900,856   879.74 K
   wuapi.dll      Thu May 26 2005   4:16:30a  A....        465,176   454.27 K
   wuaueng.dll    Thu May 26 2005   4:16:30a  A....      1,343,768     1.28 M
   wuaueng1.dll   Thu May 26 2005   4:16:30a  A....        194,328   189.77 K
   wucltui.dll    Thu May 26 2005   4:16:30a  A....        127,256   124.27 K
   wups.dll       Thu May 26 2005   4:16:30a  A....         41,240    40.27 K
   wups2.dll      Thu May 26 2005   4:16:30a  A....         18,200    17.77 K
   wuweb.dll      Thu May 26 2005   4:16:30a  A....        173,536   169.47 K
   wzcdlg.dll     Wed Apr 20 2005   3:21:34p  A....        381,440   372.50 K
   wzcsapi.dll    Wed Apr 20 2005   3:21:34p  A....         52,736    51.50 K
   wzcsvc.dll     Wed Apr 20 2005   3:21:34p  A....        474,624   463.50 K
   xpsp3res.dll   Mon May 16 2005   8:26:30p  A....         17,920    17.50 K

76 items found:  76 files (3 H/S), 0 directories.
   Total of file sizes:  65,633,137 bytes     62.59 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
   guard.tmp      Fri Jul  8 2005   1:14:38p  ..S.R        417,792   408.00 K
   perfst~1.tmp   Fri Jul  8 2005   7:17:56a  A....          4,764     4.65 K

2 items found:  2 files (1 H/S), 0 directories.
   Total of file sizes:  422,556 bytes    412.65 K
**********************************************************************************
Directory Listing of system files:
 Volume in drive C is MARCO LOCAL
 Volume Serial Number is 68BB-A1A0

 Directory of C:\WINDOWS\System32

07/08/2005  01:25 PM           417,792 wcpasf.dll
07/08/2005  01:17 PM           417,792 sulsrv32.dll
07/08/2005  01:14 PM           417,792 guard.tmp
07/08/2005  01:04 AM    <DIR>          DLLCACHE
07/06/2005  08:27 PM           417,792 wgnsta.dll
06/25/2005  07:02 AM             6,144 Thumbs.db
07/26/2004  11:29 PM    <DIR>          Microsoft
               5 File(s)      1,677,312 bytes
               2 Dir(s)  58,792,173,568 bytes free

Edited by markymarc, 08 July 2005 - 11:28 AM.

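The listing above carries the tell-tale pattern of this infection without any knowledge of file names: wgnsta.dll, wcpasf.dll, sulsrv32.dll and guard.tmp are byte-identical in size (417,792) and carry attribute letters other than the usual Archive bit, while every legitimate DLL in the same folder shows "A....". The following Python script is an added example, not part of l2mfix or of this post; it parses listing lines in the format printed above (the sample rows are copied from the thread's own listing) and reports clusters of same-size files with unusual attributes.

```python
"""Spot same-size DLL clusters in an l2mfix-style directory listing.

Added example; not part of l2mfix or of the forum post. Grouping files by
exact byte size and checking for attribute letters other than A (Archive)
surfaces the Look2Me pattern seen in the thread without knowing any name.
"""
import re
from collections import defaultdict

# One listing row as printed by the tool in the thread:
#   name   Dow Mon DD YYYY   H:MM:SSp  ATTRS   bytes   human-readable size
LISTING_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+"
    r"(?P<date>[A-Za-z]{3} [A-Za-z]{3}\s+\d{1,2} \d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>\d{1,3}(?:,\d{3})*)\s+"
    r"(?P<human>[\d.]+(?: [KMG])?)\s*$"
)

# Constructed sample input: a subset of rows copied from the thread's listing,
# plus the summary line, which must be ignored by the parser.
SAMPLE_LISTING = """\
   nvmctray.dll   Wed Jun 15 2005   5:20:00p  A....         86,016    84.00 K
   shdocvw.dll    Mon May  2 2005   4:52:36p  A....      1,483,776     1.41 M
   sulsrv32.dll   Fri Jul  8 2005   1:17:36p  ..S.R        417,792   408.00 K
   urlmon.dll     Mon May  2 2005   4:52:36p  A....        607,744   593.50 K
   wcpasf.dll     Fri Jul  8 2005   1:25:28p  ..S.R        417,792   408.00 K
   wfxhel~1.dll   Sat May  7 2005   6:30:20a  A....             10     0.01 K
   wgnsta.dll     Wed Jul  6 2005   8:27:02p  ..S.R        417,792   408.00 K
   guard.tmp      Fri Jul  8 2005   1:14:38p  ..S.R        417,792   408.00 K
   perfst~1.tmp   Fri Jul  8 2005   7:17:56a  A....          4,764     4.65 K
76 items found:  76 files (3 H/S), 0 directories.
"""


def parse_listing(text):
    """Parse listing rows into dicts; lines that are not file rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if m is None:
            continue
        rows.append({
            "name": m["name"],
            "attrs": m["attrs"],
            "size": int(m["size"].replace(",", "")),
        })
    return rows


def unusual_attrs(attrs):
    """True when any attribute letter other than A (Archive) is set.

    The infected files in the thread show "..S.R" and the listing's summary
    counts them under H/S, so S here is the System attribute.
    """
    return bool(set(attrs) - {"A", "."})


def suspicious_clusters(rows, min_members=2):
    """Group rows by exact byte size; keep clusters of at least min_members
    files where at least one member carries an unusual attribute."""
    by_size = defaultdict(list)
    for row in rows:
        by_size[row["size"]].append(row)
    clusters = {}
    for size, group in by_size.items():
        if len(group) >= min_members and any(unusual_attrs(r["attrs"]) for r in group):
            clusters[size] = sorted(r["name"] for r in group)
    return clusters


def report(text):
    """Listing text in, {size_in_bytes: [sorted file names]} out."""
    return suspicious_clusters(parse_listing(text))


if __name__ == "__main__":
    for size, names in report(SAMPLE_LISTING).items():
        print(f"{len(names)} files of exactly {size:,} bytes with non-Archive attributes:")
        for name in names:
            print(f"    {name}")
```

Run against the sample, the only cluster reported is the 417,792-byte group of four files, which is exactly the set l2mfix later backs up and deletes in this thread; the legitimate DLLs, which all have distinct sizes and plain "A...." attributes, stay out of the report.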

#4 Wizard
Retired Staff, 5,661 posts
Close any programs you have open since this step requires a reboot.


From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.

Copy the contents of that log and paste it back into this thread.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!


Once restarted, please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download and Install
CleanUp!
Don't use it yet!

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Run CleanUp!; when prompted to log off >> Select No

Scan the PC with Ewido just as described in the link, and make sure to Save the Report

Scan the System with Ad-Aware, remove everything it finds and delete all quarantine files!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply >> OK >> Follow the Prompts to Restart!!

Restart normally and have the PC scanned here:
Kaspersky

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Post back with a fresh HijackThis log and the reports from Ewido and Kaspersky!

#5 markymarc
New Member (Topic Starter), 9 posts
Here are the contents of the log file after option #2 was run:
L2Mfix 1.03
 
Running From:
C:\Documents and Settings\Marco\Desktop\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read       	 BUILTIN\Users
(ID-IO) ALLOW  Read       	 BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Full access  MARCO\Marco
(ID-IO) ALLOW  Full access  CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------    BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read       	 BUILTIN\Users
(ID-IO) ALLOW  Read       	 BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Full access  MARCO\Marco
(ID-IO) ALLOW  Full access  CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Documents and Settings\Marco\Desktop\l2mfix 
System Rebooted! 
 
Running From:
C:\Documents and Settings\Marco\Desktop\l2mfix
 
killing explorer and rundll32.exe 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 712 'explorer.exe'
Killing PID 712 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1172 'rundll32.exe'
Killing PID 1128 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed 
 
Second Pass Scanning 
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\hqtplug.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hqtplug.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ohdbsrs.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ohdbsrs.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wcpasf.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wcpasf.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wgnsta.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wgnsta.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 file(s) copied.
deleting: C:\WINDOWS\system32\hqtplug.dll  
Successfully Deleted: C:\WINDOWS\system32\hqtplug.dll
deleting: C:\WINDOWS\system32\hqtplug.dll  
Successfully Deleted: C:\WINDOWS\system32\hqtplug.dll
deleting: C:\WINDOWS\system32\ohdbsrs.dll  
Successfully Deleted: C:\WINDOWS\system32\ohdbsrs.dll
deleting: C:\WINDOWS\system32\ohdbsrs.dll  
Successfully Deleted: C:\WINDOWS\system32\ohdbsrs.dll
deleting: C:\WINDOWS\system32\wcpasf.dll  
Successfully Deleted: C:\WINDOWS\system32\wcpasf.dll
deleting: C:\WINDOWS\system32\wcpasf.dll  
Successfully Deleted: C:\WINDOWS\system32\wcpasf.dll
deleting: C:\WINDOWS\system32\wgnsta.dll  
Successfully Deleted: C:\WINDOWS\system32\wgnsta.dll
deleting: C:\WINDOWS\system32\wgnsta.dll  
Successfully Deleted: C:\WINDOWS\system32\wgnsta.dll
deleting: C:\WINDOWS\system32\guard.tmp  
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp  
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
 
 
Zipping up files for submission:
  adding: hqtplug.dll (164 bytes security) (deflated 48%)
  adding: ohdbsrs.dll (164 bytes security) (deflated 48%)
  adding: wcpasf.dll (164 bytes security) (deflated 48%)
  adding: wgnsta.dll (164 bytes security) (deflated 48%)
  adding: guard.tmp (164 bytes security) (deflated 48%)
  adding: clear.reg (164 bytes security) (deflated 65%)
  adding: echo.reg (164 bytes security) (deflated 9%)
  adding: direct.txt (164 bytes security) (stored 0%)
  adding: lo2.txt (164 bytes security) (deflated 80%)
  adding: readme.txt (164 bytes security) (deflated 49%)
  adding: report.txt (164 bytes security) (deflated 63%)
  adding: test.txt (164 bytes security) (deflated 81%)
  adding: test2.txt (164 bytes security) (deflated 46%)
  adding: test3.txt (164 bytes security) (deflated 46%)
  adding: test5.txt (164 bytes security) (deflated 46%)
  adding: xfind.txt (164 bytes security) (deflated 77%)
  adding: backregs/0756DC05-F870-4511-8660-F752A9E9ACC4.reg (164 bytes security) (deflated 70%)
  adding: backregs/2F530CD1-731C-47AF-AF16-79A6FEBF46E8.reg (164 bytes security) (deflated 70%)
  adding: backregs/66548754-6CDB-47DA-855B-96AEB492CC66.reg (164 bytes security) (deflated 72%)
  adding: backregs/shell.reg (164 bytes security) (deflated 73%)
 
Restoring Registry Permissions: 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read       	 BUILTIN\Users
(ID-IO) ALLOW  Read       	 BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Full access  MARCO\Marco
(ID-IO) ALLOW  Full access  CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
deleting local copy: hqtplug.dll   
deleting local copy: hqtplug.dll   
deleting local copy: ohdbsrs.dll   
deleting local copy: ohdbsrs.dll   
deleting local copy: wcpasf.dll   
deleting local copy: wcpasf.dll   
deleting local copy: wgnsta.dll   
deleting local copy: wgnsta.dll   
deleting local copy: guard.tmp   
deleting local copy: guard.tmp   
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 
The following are the files found: 
****************************************************************************
C:\WINDOWS\system32\hqtplug.dll 
C:\WINDOWS\system32\hqtplug.dll 
C:\WINDOWS\system32\ohdbsrs.dll 
C:\WINDOWS\system32\ohdbsrs.dll 
C:\WINDOWS\system32\wcpasf.dll 
C:\WINDOWS\system32\wcpasf.dll 
C:\WINDOWS\system32\wgnsta.dll 
C:\WINDOWS\system32\wgnsta.dll 
C:\WINDOWS\system32\guard.tmp 
C:\WINDOWS\system32\guard.tmp 
 
Registry Entries that were Deleted: 
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder. 
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{66548754-6CDB-47DA-855B-96AEB492CC66}"=-
"{DA189BDA-9C96-4067-B1F3-95DABBF7A874}"=-
"{7BA5C285-B0C5-483D-9322-6F4F74AA95C8}"=-
"{38FF58C2-B89B-4792-B550-2DA928335903}"=-
"{8FB2BB91-2F64-42A6-A99E-8AC8DFCD9B58}"=-
"{921EE1FC-D7C2-455C-B6BC-6A1DC964B693}"=-
"{3A55F745-33D5-4466-B871-87627D5D0445}"=-
"{4A89DA98-3AEE-45F4-A2C1-017E40E8A78C}"=-
"{804B5642-4025-4325-92E1-7EFE18151948}"=-
"{0756DC05-F870-4511-8660-F752A9E9ACC4}"=-
"{2F530CD1-731C-47AF-AF16-79A6FEBF46E8}"=-
[-HKEY_CLASSES_ROOT\CLSID\{66548754-6CDB-47DA-855B-96AEB492CC66}]
[-HKEY_CLASSES_ROOT\CLSID\{DA189BDA-9C96-4067-B1F3-95DABBF7A874}]
[-HKEY_CLASSES_ROOT\CLSID\{7BA5C285-B0C5-483D-9322-6F4F74AA95C8}]
[-HKEY_CLASSES_ROOT\CLSID\{38FF58C2-B89B-4792-B550-2DA928335903}]
[-HKEY_CLASSES_ROOT\CLSID\{8FB2BB91-2F64-42A6-A99E-8AC8DFCD9B58}]
[-HKEY_CLASSES_ROOT\CLSID\{921EE1FC-D7C2-455C-B6BC-6A1DC964B693}]
[-HKEY_CLASSES_ROOT\CLSID\{3A55F745-33D5-4466-B871-87627D5D0445}]
[-HKEY_CLASSES_ROOT\CLSID\{4A89DA98-3AEE-45F4-A2C1-017E40E8A78C}]
[-HKEY_CLASSES_ROOT\CLSID\{804B5642-4025-4325-92E1-7EFE18151948}]
[-HKEY_CLASSES_ROOT\CLSID\{0756DC05-F870-4511-8660-F752A9E9ACC4}]
[-HKEY_CLASSES_ROOT\CLSID\{2F530CD1-731C-47AF-AF16-79A6FEBF46E8}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents: 
****************************************************************************
****************************************************************************


#6 Wizard
Retired Staff, 5,661 posts
OK, looking good so far. I suspect we will have a little cleanup afterwards, but continue on with the instructions!

#7 markymarc
New Member (Topic Starter), 9 posts
Whew! After almost 12+ hrs of scanning, here are the log files. Things are definitely looking better on my PC.

EWIDO LOG:
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on: 	 8:15:29 PM, 7/8/2005
 + Report-Checksum:  4742C5F0

 + Scan result:

	HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Classes\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Classes\CLSID\{FF8DA190-3574-11D4-8068-0060082AE372} -> Spyware.BingoFun : Cleaned with backup
	HKLM\SOFTWARE\Classes\Interface\{05080E6B-A88A-4CFD-8C3D-9B2557670B6E} -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Classes\TypeLib\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
	HKU\S-1-5-21-1385254544-1419329099-1590176149-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
	C:\Documents and Settings\Marco\Desktop\l2mfix\backup.zip/hqtplug.dll -> Spyware.Look2Me : Cleaned with backup
	C:\Documents and Settings\Marco\Desktop\l2mfix\backup.zip/ohdbsrs.dll -> Spyware.Look2Me : Cleaned with backup
	C:\Documents and Settings\Marco\Desktop\l2mfix\backup.zip/wcpasf.dll -> Spyware.Look2Me : Cleaned with backup
	C:\Documents and Settings\Marco\Desktop\l2mfix\backup.zip/wgnsta.dll -> Spyware.Look2Me : Cleaned with backup
	C:\Documents and Settings\Marco\Local Settings\Application Data\IM\Identities\{F980FB52-A998-4030-89C8-C0EBA2B65601}\Message Store\Attachments\KUDLV.zip/KUDLV.DLL -> Spyware.Look2Me : Cleaned with backup
	F:\DOWNLOAD\screensaversinstaller.exe/dmproxy.dll -> Spyware.CometCursor : Cleaned with backup
	F:\DOWNLOAD\screensaversinstaller.exe/dmserver.exe -> Spyware.CometCursor : Cleaned with backup
	F:\DOWNLOAD\screensaversinstaller.exe/DMUpdate.exe -> Spyware.CometCursor : Cleaned with backup
	F:\DOWNLOAD\Web Graphics\Nutrition Breakthroughs - Nutrition Dictionary_files\sitetracker.htm -> Spyware.BookedSpace : Cleaned with backup


::Report End

KASPERSKY LOG:
-------------------------------------------------------------------------------
 KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
 Saturday, July 09, 2005 09:13:58
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
 Kaspersky Anti-Virus database last update:  9/07/2005
 Kaspersky Anti-Virus database records: 129832
-------------------------------------------------------------------------------

Scan Settings:
	Scan using the following antivirus database: standard
	Scan Archives: true
	Scan Mail Bases: true

Scan Target - My Computer:
	C:\
	D:\
	F:\

Scan Statistics:
	Total number of scanned objects: 189883
	Number of viruses found: 0
	Number of infected objects: 0
	Number of suspicious objects: 0
	Duration of the scan process: 44248 sec
No malware has been detected. The sections that have been scanned are CLEAN.
Finally, the HIJACKTHIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 9:16:51 AM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Marco\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: (no name) - -{724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL5 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe


#8 Wizard
Retired Staff, 5,661 posts
Sorry about the delays, had some rough storms here!

See what you can dig up on this file for me

C:\Program.exe

If you don't know what the file is, scan it at these 2 sites

http://www.virustota...h/index_en.html

http://virusscan.jotti.org/

Maybe you know why this service is running

O23 - Service: MySQL5 - Unknown owner - C:\Program.exe (file missing)

Let's go ahead and take care of what we know is bad

Open HijackThis and put a check next to these

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites

O2 - BHO: (no name) - -{724d43a9-0d85-11d4-9908-00400523e39a} - (no file)

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16

Make sure all windows and browsers are closed and click "Fix Checked"

Search for and Delete if found

C:\WINDOWS\cfgmgr52.dll

C:\WINDOWS\system32\AUNPS2.DLL

Empty the Recycle Bin and Have the PC Scanned here
http://www.pandasoft...n_principal.htm

Save that Report and Post it along with a fresh HijackThis log!

Let me know what you find out about that file and Service
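The entries picked out above follow patterns a triage analyst can apply to any HijackThis 1.99 log: O2/O9 entries whose CLSID resolves to "(no file)", O4 Run entries that launch a DLL through RUNDLL32 from the Windows root or with no path at all instead of from system32 or a vendor folder, an O20 AppInit_DLLs value (the load point named in the original question) that is worth a look whenever it is non-empty, and O23 services marked "(file missing)". The Python script below is an added example, not part of HijackThis or of the helper's procedure; the sample lines are copied from the log posted earlier in this thread. One interpretation in it is mine rather than the thread's: a service path that stops at the first space, such as C:\Program.exe, is how HijackThis displays an unquoted ImagePath whose real path contains a space, so the script reports it under a separate rule for review rather than as a plain missing file.

```python
"""Triage HijackThis 1.99 log lines for the entry patterns flagged in this thread.

Added example; it is not HijackThis code and not the helper's own tooling.
Each rule returns a short tag so the caller can decide what to do next.
"""
import re

# Constructed sample input: lines copied from the HijackThis log posted in
# the thread (the full log is longer; these cover every rule below).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: (no name) - -{724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O23 - Service: MySQL5 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
"""

# "RUNDLL32[.EXE] <dll>[,entrypoint]" -> capture the DLL path (unquoted paths only)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+?)(?:,|\s|$)", re.IGNORECASE)
# A DLL sitting directly in the Windows folder rather than in system32 or a vendor folder
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)
# A service image that is a bare drive-root executable with no spaces, e.g. C:\Program.exe
TRUNCATED_EXE_RE = re.compile(r"^[a-z]:\\[^\\ ]+\.exe$", re.IGNORECASE)

MISSING = " (file missing)"


def triage(log_text):
    """Return a list of (rule_tag, line) pairs for entries that warrant a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" ", 1)[0]  # "R0", "O2", "O4", ...
        if kind in ("R0", "R1") and line.endswith("="):
            # IE start/local page reset to an empty value
            findings.append(("empty-ie-page", line))
        elif kind in ("O2", "O3", "O9") and line.endswith("(no file)"):
            # COM registration left behind without its DLL
            findings.append(("orphaned-com-entry", line))
        elif kind == "O4":
            m = RUNDLL_RE.search(line)
            if m:
                dll = m.group(1)
                if "\\" not in dll or WINDOWS_ROOT_RE.match(dll):
                    findings.append(("rundll32-odd-path", line))
        elif kind == "O20" and line.split(":", 1)[1].strip():
            # AppInit_DLLs is loaded into every user-mode process; review any value
            findings.append(("appinit-dll-review", line))
        elif kind == "O23" and line.endswith(MISSING):
            path = line.rsplit(" - ", 1)[-1][: -len(MISSING)].strip()
            if TRUNCATED_EXE_RE.match(path):
                # Display cut at the first space: likely an unquoted ImagePath
                findings.append(("service-unquoted-path", line))
            else:
                findings.append(("service-file-missing", line))
    return findings


if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print(f"[{tag:<22}] {line}")
```

On the sample, the script flags the two O4 RUNDLL32 entries (cfgmgr52.dll in the Windows root and the path-less AUNPS2.DLL), the two "(no file)" COM entries and the empty R0 page, while leaving the NvCpl.dll entry in system32 alone; the MySQL5 service is reported under the unquoted-path rule and the avast! mail scanner line under the generic missing-file rule, so the two get looked at differently.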

#9 markymarc
New Member (Topic Starter), 9 posts
Could not locate PROGRAM.EXE nor do I know what that file was for.

Ok, here is the log from PANDA SOFTWARE:
Incident                      Status            Location

Adware:Adware/ExactSearch     No disinfected    Windows Registry
Adware:Adware/Startpage.PH    No disinfected    C:\Program Files\Web CEO\BIN\Uploader_Res.dll
Adware:Adware/Midaddle        No disinfected    C:\WINDOWS\ru.exe
Adware:Adware/Look2Me         No disinfected    C:\WINDOWS\SYSTEM\UpdInst.exe

Here is the NEW HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:53:26 PM, on 7/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\File-Ex 3\FileEx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Marco\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Startup: File-Ex.lnk = C:\Program Files\File-Ex 3\FileEx.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL5 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe

Edited by markymarc, 10 July 2005 - 06:01 PM.


#10 Wizard (Retired Staff, 5,661 posts)

Please download rkfiles.zip and unzip it to its own permanent folder.
http://skads.org/special/rkfiles.zip

Don't Run it just yet!

Restart the PC in Safe Mode and Make sure Windows is Showing Hidden Files

Locate and Delete

C:\WINDOWS\ru.exe<< File

C:\WINDOWS\SYSTEM\UpdInst.exe<< File

C:\Program Files\Web CEO\BIN\Uploader_Res.dll<< Remove the dll and look through the rest of the folders and see what's inside!

I will explain in a minute why I am so Inquisitive about all this

Locate the rkfiles.bat file and double-click it to run it.

It will start scanning your computer and could take a little while so be patient.

When the DOS window closes, reboot back to normal mode.

Post the contents of C:\log.txt


OK, the reason I am asking about these entries below

C:\Program Files\Web CEO\BIN\Uploader_Res.dll

O23 - Service: MySQL5 - Unknown owner - C:\Program.exe

Click Start>> Run>> Type in Services.msc and Click OK!

Scroll the list and look for this entry>> MySQL5<< Gather me as much Info as you can!

Number one, I can't find squat on either of these, they seem to be unheard of!


Number 2, if my guess is right, these will be associated with some form of Networking or Remote Access!

Remote Access is the most predominant way that PCs are being Hacked!

So while you are in Safe Mode, please look for C:\Program.exe

If you locate that file, Zip a Copy of it up and Submit it here
http://www.bleepingc...mit-malware.php

If you don't know why the folder below is on the System, do the same with it

C:\Program Files\Web CEO


Post back with the Results of RKFiles and as much Info as you can!
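Editor's added example (not code from the thread, from HijackThis or from the poster): the O23 line Wizard is asking about reads `C:\Program.exe (file missing)`, and `C:\Program.exe` is exactly the first file Windows' CreateProcess tries when a service ImagePath is unquoted and starts with `C:\Program Files\...`; a log tool that tokenizes at the first space lands on the same string. The script parses the O20/O23 lines quoted from the log above, walks the candidate chain for a constructed MySQL-style ImagePath (the two registry values are assumptions for illustration, not what the poster's machine held), and flags paths that need quoting. The reason an unquoted service path matters beyond confusing log readers is that a file planted earlier in that chain would be started by the Service Control Manager with the service's own privileges.

```python
"""Parse HijackThis O20/O23 lines and show how an unquoted service ImagePath
with spaces resolves.  Added example; the HJT lines are copied from the
thread, the ImagePath values in SAMPLE_IMAGEPATHS are constructed."""
import re

HJT_SAMPLE = r"""
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~2\wl_hook.dll
O23 - Service: MySQL5 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
"""

# Constructed (assumption): what HKLM\SYSTEM\CurrentControlSet\Services\MySQL5\ImagePath
# looks like unquoted versus quoted.  Not read from the poster's registry.
SAMPLE_IMAGEPATHS = {
    "MySQL5 (unquoted)": r"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe --defaults-file=my.ini MySQL5",
    "MySQL5 (quoted)": r'"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe" --defaults-file=my.ini MySQL5',
}

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


def parse_hjt(text):
    """Return a list of dicts for the O20 and O23 lines in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line)
        if m:
            path = m.group("path").strip()
            entries.append({
                "kind": "O23",
                "name": m.group("name").strip(),
                "owner": m.group("owner").strip(),
                "path": path,
                "file_missing": m.group("missing") is not None,
                # A lone '"' after the .exe is how HJT renders a quoted path
                # followed by arguments; it is a display quirk, not a finding.
                "stray_quote": '"' in path,
            })
            continue
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs is a space- or comma-separated list of DLLs.
            entries.append({
                "kind": "O20",
                "dlls": [d for d in re.split(r"[ ,]+", m.group("dlls")) if d],
            })
    return entries


def createprocess_candidates(image_path):
    """Executables Windows would try, in order, for a service ImagePath.

    For an unquoted path with spaces CreateProcess tries each space-delimited
    prefix in turn, appending .exe when the candidate has no extension.
    A quoted path has exactly one candidate: the quoted string.
    """
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return [image_path[1:end if end > 0 else None]]
    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        cand = " ".join(parts[:i])
        last = cand.rsplit("\\", 1)[-1]
        if "." not in last:
            cand += ".exe"
        candidates.append(cand)
    return candidates


def needs_quoting(image_path):
    """True when the path is unquoted and a space precedes the first '.exe',
    i.e. the first CreateProcess candidate is not the intended binary."""
    if image_path.startswith('"'):
        return False
    exe_at = image_path.lower().find(".exe")
    return exe_at != -1 and " " in image_path[:exe_at]


if __name__ == "__main__":
    for entry in parse_hjt(HJT_SAMPLE):
        print(entry)
    for label, image_path in SAMPLE_IMAGEPATHS.items():
        print(label, "needs quoting:", needs_quoting(image_path))
        for cand in createprocess_candidates(image_path):
            print("   would try", cand)
```

On a live box the same `needs_quoting` check is worth running over every `ImagePath` value under `HKLM\SYSTEM\CurrentControlSet\Services`; any O23 entry HijackThis reports at the drive root as `(file missing)` deserves the services.msc look Wizard asks for, and the fix for an unquoted path is to wrap the executable portion in quotes.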



#11 markymarc (Topic Starter, New Member, 9 posts)

OK. Could not find that PROGRAM.EXE file anywhere. I removed my SQL4 and SQL5 install since it was not being used and don't want to have another issue with any other program attempting to use it.
The Web CEO I know about. It's a freeware Web Analyzer that I downloaded and was trying out. It's gone now though.

Anyway here is the result of log.txt:
C:\Documents and Settings\Marco\Desktop 
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
Files Found in system Folder............ 
------------------------
C:\WINDOWS\SYSTEM32\aswBoot.exe: UPX!t$
C:\WINDOWS\SYSTEM32\Uharc.exe: UPX!
C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............ 
------------------------
Files Found in all users windows Folder............ 
------------------------
C:\WINDOWS\ss3unstl.exe: UPX!
Finished
bye
And the latest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:29:47 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\Agnitum\OUTPOS~2\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\File-Ex 3\FileEx.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Marco\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~2\outpost.exe /waitservice
O4 - Startup: File-Ex.lnk = C:\Program Files\File-Ex 3\FileEx.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost FirewallNEW\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~2\wl_hook.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~2\outpost.exe

My system is running much faster now and I definitely appreciate the help. I get paid on Friday and will definitely be making a donation. Thanks again!
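Editor's added example (not rkfiles.bat itself, whose source the thread does not show): the rkfiles output above appears to list each file next to the byte string it matched, and `UPX!` is the marker the UPX packer leaves in an executable. A marker hit means only that the file is packed, which is why a legitimate file such as avast's aswBoot.exe is listed beside the suspects; the log's own caveat says as much. The script below walks a folder, reports the `UPX!` marker, and also parses the PE section table for the UPX0/UPX1 section names, so a packed file is still recognised if the marker string has been stripped. The sample files are constructed in a temporary directory (a hand-built PE header, not real binaries), so it runs offline.

```python
"""Scan executables for UPX packing: the 'UPX!' marker rkfiles reported plus
the UPX0/UPX1 section names from the PE section table.  Added example with
constructed sample files."""
import os
import shutil
import struct
import tempfile

UPX_MARKER = b"UPX!"
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data):
    """Return the section names of a PE image, or [] if data is not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header follows the signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table follows the optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def scan_file(path):
    """Findings for one file: marker hit and/or UPX section names, else None."""
    with open(path, "rb") as f:
        data = f.read()
    findings = {}
    if UPX_MARKER in data:
        findings["marker"] = True
    hits = [s.decode("ascii", "replace") for s in pe_section_names(data) if s in UPX_SECTIONS]
    if hits:
        findings["sections"] = hits
    return findings or None


def scan_dir(root, exts=(".exe", ".dll", ".sys", ".scr")):
    """Map relative path -> findings for executables under root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                found = scan_file(full)
                if found:
                    results[os.path.relpath(full, root)] = found
    return results


def build_pe(section_names):
    """Constructed: a minimal, non-runnable PE header with the given sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    opt_size = 224                                   # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    secs = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + coff + bytes(opt_size) + secs


def demo():
    """Constructed folder: one UPX-looking file, one plain PE, one text file."""
    root = tempfile.mkdtemp(prefix="rkfiles_demo_")
    try:
        with open(os.path.join(root, "packed.exe"), "wb") as f:
            f.write(build_pe([b"UPX0", b"UPX1", b".rsrc"]) + bytes(16) + UPX_MARKER + bytes(16))
        with open(os.path.join(root, "plain.dll"), "wb") as f:
            f.write(build_pe([b".text", b".data"]))
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"UPX! mentioned in text only, not an executable")
        return scan_dir(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, found in demo().items():
        print(path, found)
```

Point it at `C:\WINDOWS\system32` on a real machine and expect several legitimate hits (packed security-tool components are common); treat the list as "look closer", not as a verdict, exactly as the rkfiles banner says.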

#12 Wizard (Retired Staff, 5,661 posts)

OK, Get these 2 Files Scanned at the 2 sites listed below

C:\WINDOWS\ss3unstl.exe<< Almost 100% sure that file sucks wind!

C:\WINDOWS\SYSTEM32\Uharc.exe<< Seems to be related to some type of File Compression Utility!

http://www.virustota...h/index_en.html

http://virusscan.jotti.org/

The others in RKFIles are legit and OK!

Since the SQL Program is Gone and we Know the Program.exe is no longer needed

Go to the Command Prompt Screen(Start-> Run-> Type in CMD and hit enter)

At the Command Prompt Screen type in cd\ and hit Enter

Type in del C:\Program.exe and hit enter

If the files return nasty, delete them as well!

Either way let me know what the Scans Return!

If you haven't already, Install Spyware Blaster

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediately!

More added Security for Internet Explorer

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Give the Hosts File a Boost
http://www.mvps.org/...p2002/hosts.htm
and made easy here
http://www.mvps.org/...2002/hosts2.htm

Look through those little black links in my signature for some tips to Safer Browsing!

Disable System Restore
http://service1.syma...src=sec_doc_nam


Post back and let me know what ya find on those files!
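Editor's added example (not from the thread or from the MVPS project): the MVPS hosts file works by mapping known ad and malware host names to the loopback address so they never resolve. Once a machine relies on that file, two checks are worth automating: every entry should point at a loopback or null-route address rather than somewhere on the network, and when a name appears more than once you want to know which line the resolver uses (first match). The script parses a constructed hosts file (reserved `.invalid` names and a TEST-NET-3 address, not real entries), lists the mappings that redirect instead of block, skips unparsable lines, and answers the first-match question.

```python
"""Audit a Windows hosts file: find entries that redirect rather than block,
and report which line wins for a given name.  Added example with a
constructed sample."""
import ipaddress

SAMPLE_HOSTS = """\
# Constructed sample, laid out like a blocking hosts file
127.0.0.1  localhost
::1        localhost
0.0.0.0    ad.example-adserver.invalid    # blocked ad host
127.0.0.1  banner.example-adserver.invalid
203.0.113.7  update.example-av-vendor.invalid
203.0.113.7  www.example-av-vendor.invalid
bogus.entry  foo.invalid
"""


def parse_hosts(text):
    """Return ([(ip, hostname, lineno), ...], [lineno of unparsable lines])."""
    entries, skipped = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            skipped.append(lineno)               # not an address: note and move on
            continue
        for host in fields[1:]:                  # one line may list several names
            entries.append((str(ip), host.lower(), lineno))
    return entries, skipped


def is_block_target(ip):
    """True for the addresses a blocking list legitimately uses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def redirects(entries):
    """Mappings that send a name somewhere other than loopback or null route."""
    return [(host, ip, lineno) for ip, host, lineno in entries if not is_block_target(ip)]


def resolve(entries, hostname):
    """(ip, lineno) the resolver would use for hostname: first matching line wins."""
    hostname = hostname.lower()
    for ip, host, lineno in entries:
        if host == hostname:
            return ip, lineno
    return None


if __name__ == "__main__":
    entries, skipped = parse_hosts(SAMPLE_HOSTS)
    print("unparsable lines:", skipped)
    for host, ip, lineno in redirects(entries):
        print(f"line {lineno}: {host} -> {ip} (redirect, not a block)")
    print("localhost resolves to", resolve(entries, "localhost"))
```

Replace `SAMPLE_HOSTS` with the contents of `%SystemRoot%\system32\drivers\etc\hosts` to run it against a real file; on a machine that only uses the hosts file for blocking, the `redirects` list should be empty.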

#13 markymarc (Topic Starter, New Member, 9 posts)

Ok, the second site reported no virus on both files. VirusTotal reports:

This is a report processed by VirusTotal on 07/12/2005 at 00:26:04 (CET) after scanning the file "ss3unstl.exe".

Antivirus    Version         Update      Result
AntiVir      6.31.0.9        07.11.2005  no virus found
AVG          718             07.11.2005  no virus found
Avira        6.31.0.9        07.11.2005  no virus found
BitDefender  7.0             07.11.2005  no virus found
ClamAV       devel-20050501  07.11.2005  no virus found
DrWeb        4.32b           07.11.2005  no virus found
eTrust-Iris  7.1.194.0       07.11.2005  no virus found
eTrust-Vet   11.9.1.0        07.11.2005  no virus found
Fortinet     2.36.0.0        07.11.2005  suspicious
Ikarus       2.32            07.11.2005  no virus found
Kaspersky    4.0.2.24        07.11.2005  no virus found
McAfee       4532            07.11.2005  no virus found
NOD32v2      1.1166          07.11.2005  no virus found
Norman       5.70.10         07.07.2005  no virus found
Panda        8.02.00         07.11.2005  no virus found
Sybari       7.5.1314        07.12.2005  no virus found
Symantec     8.0             07.11.2005  no virus found
TheHacker    5.8.2.069       07.11.2005  no virus found
VBA32        3.10.4          07.11.2005  no virus found

This is a report processed by VirusTotal on 07/12/2005 at 00:29:04 (CET) after scanning the file "Uharc.exe".

Antivirus    Version         Update      Result
AntiVir      6.31.0.9        07.11.2005  no virus found
AVG          718             07.11.2005  no virus found
Avira        6.31.0.9        07.11.2005  no virus found
BitDefender  7.0             07.11.2005  no virus found
ClamAV       devel-20050501  07.11.2005  no virus found
DrWeb        4.32b           07.11.2005  no virus found
eTrust-Iris  7.1.194.0       07.11.2005  no virus found
eTrust-Vet   11.9.1.0        07.11.2005  no virus found
Fortinet     2.36.0.0        07.11.2005  no virus found
Ikarus       2.32            07.11.2005  no virus found
Kaspersky    4.0.2.24        07.11.2005  no virus found
McAfee       4532            07.11.2005  no virus found
NOD32v2      1.1166          07.11.2005  no virus found
Norman       5.70.10         07.07.2005  no virus found
Panda        8.02.00         07.11.2005  no virus found
Sybari       7.5.1314        07.12.2005  no virus found
Symantec     8.0             07.11.2005  no virus found
TheHacker    5.8.2.069       07.11.2005  no virus found
VBA32        3.10.4          07.11.2005  no virus found

Attempt to delete program.exe resulted in "File not found"

#14 Wizard (Retired Staff, 5,661 posts)

OK, that's fine!

Why don't you do this, Make a copy of those 2 files and place them in a Zipped Folder

If you want to upload them, I will have a look!

Upload them here
http://www.bleepingc...mit-malware.php
Leave a link to this post!

Leave the files in the Zipped Folder and place them somewhere safe like My Documents!


Delete the 2 originals and restart, if the PC Burps at all, just place the copied files back in the appropriate location!

Post back and let me know how the machine is running!

#15 markymarc (Topic Starter, New Member, 9 posts)

Ok I zipped up both files and uploaded them. I deleted the original files and rebooted. No hiccups so far. Everything is running smoothly! ;)

I do appreciate all the time and effort spent on this. An ENORMOUS thank you!

A definite donation is on the way!! :tazz:





