Spy Sheriff won't leave !



#1
doolittt (New Member, 5 posts)

I have tried and tried and am losing my patience (and my mind!) ...

Could you help me?

Logfile of HijackThis v1.99.1
Scan saved at 8:28:20 PM, on 7/31/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\wm.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\RunDll32.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINNT\system32\nalwin32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\winnt\system32\mdms.exe
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\system32\naldesk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\winstall.exe
C:\winstall.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\USR\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CBC/SRC
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NALWIN32] C:\WINNT\system32\nalwin32.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SysMemory manager] c:\winnt\system32\mdms.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photolab....geUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O20 - Winlogon Notify: Unimodem - C:\WINNT\system32\wvplenc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
  • 0



#2
bricat (Visiting Staff, Visiting Consultant, 645 posts)

Welcome to the Geeks To Go forum.

Rerun HJT, and put a checkmark beside these:


O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O20 - Winlogon Notify: Unimodem - C:\WINNT\system32\wvplenc.dll

Now close all windows and browsers and click FIX CHECKED.



Then boot up in SAFE MODE

Then navigate to and delete these files\folders in BOLD


C:\winstall.exe


Then reboot normally.


Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0
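
Added example, not part of the original thread: a small parser for the HijackThis O4 (registry Run) and O20 (Winlogon Notify) line formats seen in post #1, which lists the autostart entries a reviewer would look at first. The function names and the three review rules are assumptions of this example, not behaviour of HijackThis or L2mfix; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# A few lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: Unimodem - C:\WINNT\system32\wvplenc.dll
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
"""

# "O4 - HKCU\..\Run: [value name] command line"
RUN_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# "O20 - Winlogon Notify: subkey name - DLL path"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")
# A path with exactly one component after the drive letter, e.g. C:\file.exe
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\[^\\]+")
EXT_RE = re.compile(r"(.+?\.(?:exe|dll|com|bat|cmd|scr|pif))(?=[\s,]|$)", re.I)


def target_of(command):
    """Return the file part of a Run command line, without quotes or arguments."""
    command = command.strip()
    m = re.match(r'"([^"]+)"', command) or EXT_RE.match(command)
    return m.group(1) if m else command


def parse_autostarts(log_text):
    """Parse registry Run (O4) and Winlogon Notify (O20) lines into dicts.

    Other sections, including the O4 'Global Startup' shortcut form, are
    skipped in this narrowed example.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append({"section": "O4", "location": f"{hive}\\{key}",
                            "name": name, "target": target_of(command),
                            "line": line})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            name, dll = m.groups()
            entries.append({"section": "O20", "location": "Winlogon\\Notify",
                            "name": name, "target": dll.strip(), "line": line})
    return entries


def review(entries):
    """Return (line, reasons) for entries worth a manual look.

    Rules (assumptions of this example, a review list and not a verdict):
      * O4 target sits directly in a drive root
      * the same O4 target is registered under more than one value name
      * every O20 entry, because a notify DLL is loaded by winlogon.exe
    """
    names_by_target = defaultdict(set)
    for e in entries:
        if e["section"] == "O4":
            names_by_target[e["target"].lower()].add(e["name"])

    findings = []
    for e in entries:
        reasons = []
        if e["section"] == "O4":
            if DRIVE_ROOT_RE.fullmatch(e["target"]):
                reasons.append("executable sits directly in a drive root")
            if len(names_by_target[e["target"].lower()]) > 1:
                reasons.append("same file registered under several value names")
        elif e["section"] == "O20":
            reasons.append("DLL loaded by winlogon.exe; confirm it belongs "
                           "to installed software")
        if reasons:
            findings.append((e["line"], reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in review(parse_autostarts(SAMPLE_LOG)):
        print(line)
        for reason in reasons:
            print("    -", reason)
```

On the sample lines, the review list is the same three entries selected in post #2.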

#3
doolittt (New Member, Topic Starter, 5 posts)

Here goes Bricat!


L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\wvplenc.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{589E9083-D906-5B0C-D8A2-4526E1B87A88}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FD39139E-9E10-4D84-96C9-AD8D495224AF}"=""
"{73885FD5-820F-4E90-9C93-AEC8A67B94E9}"=""
"{71908A95-C2A9-4107-991D-F0FC9AC82059}"=""
"{AAA5D255-B02F-4CE9-9216-96F2338212B1}"=""
"{87BACFEB-47B4-48BD-845B-3727F9617568}"=""
"{6ADF968D-02B1-4BD4-B49D-B6BB5AE0AA9F}"=""
"{2CAE8375-D327-4266-BE29-943F5ED6DBBB}"=""
"{0CA9A258-936E-405A-8F8A-275845239657}"=""
"{6DE0795E-A0E9-43D5-9F73-ED792704DE70}"=""
"{5E2121EE-0300-11D4-8D3B-444553540000}"="st"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FD39139E-9E10-4D84-96C9-AD8D495224AF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FD39139E-9E10-4D84-96C9-AD8D495224AF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FD39139E-9E10-4D84-96C9-AD8D495224AF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FD39139E-9E10-4D84-96C9-AD8D495224AF}\InprocServer32]
@="C:\\WINNT\\system32\\wxsched.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{73885FD5-820F-4E90-9C93-AEC8A67B94E9}]
@=""
"IDEx"="ST"

[HKEY_CLASSES_ROOT\CLSID\{73885FD5-820F-4E90-9C93-AEC8A67B94E9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73885FD5-820F-4E90-9C93-AEC8A67B94E9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73885FD5-820F-4E90-9C93-AEC8A67B94E9}\InprocServer32]
@="C:\\WINNT\\system32\\udl.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{71908A95-C2A9-4107-991D-F0FC9AC82059}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{71908A95-C2A9-4107-991D-F0FC9AC82059}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{71908A95-C2A9-4107-991D-F0FC9AC82059}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{71908A95-C2A9-4107-991D-F0FC9AC82059}\InprocServer32]
@="C:\\WINNT\\system32\\wxv8dmoe.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AAA5D255-B02F-4CE9-9216-96F2338212B1}]
@=""
"IDEx"="ST"

[HKEY_CLASSES_ROOT\CLSID\{AAA5D255-B02F-4CE9-9216-96F2338212B1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AAA5D255-B02F-4CE9-9216-96F2338212B1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AAA5D255-B02F-4CE9-9216-96F2338212B1}\InprocServer32]
@="C:\\WINNT\\system32\\rfvpsp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{87BACFEB-47B4-48BD-845B-3727F9617568}]
@=""
"IDEx"="ST"

[HKEY_CLASSES_ROOT\CLSID\{87BACFEB-47B4-48BD-845B-3727F9617568}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87BACFEB-47B4-48BD-845B-3727F9617568}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87BACFEB-47B4-48BD-845B-3727F9617568}\InprocServer32]
@="C:\\WINNT\\system32\\cogmgr32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6ADF968D-02B1-4BD4-B49D-B6BB5AE0AA9F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6ADF968D-02B1-4BD4-B49D-B6BB5AE0AA9F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6ADF968D-02B1-4BD4-B49D-B6BB5AE0AA9F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6ADF968D-02B1-4BD4-B49D-B6BB5AE0AA9F}\InprocServer32]
@="C:\\WINNT\\system32\\tlhklock.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2CAE8375-D327-4266-BE29-943F5ED6DBBB}]
@=""
"IDEx"="ST"

[HKEY_CLASSES_ROOT\CLSID\{2CAE8375-D327-4266-BE29-943F5ED6DBBB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2CAE8375-D327-4266-BE29-943F5ED6DBBB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2CAE8375-D327-4266-BE29-943F5ED6DBBB}\InprocServer32]
@="C:\\WINNT\\system32\\wfbvw.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0CA9A258-936E-405A-8F8A-275845239657}]
@=""
"IDEx"="ST"

[HKEY_CLASSES_ROOT\CLSID\{0CA9A258-936E-405A-8F8A-275845239657}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0CA9A258-936E-405A-8F8A-275845239657}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0CA9A258-936E-405A-8F8A-275845239657}\InprocServer32]
@="C:\\WINNT\\system32\\wsmioctl.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6DE0795E-A0E9-43D5-9F73-ED792704DE70}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6DE0795E-A0E9-43D5-9F73-ED792704DE70}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6DE0795E-A0E9-43D5-9F73-ED792704DE70}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6DE0795E-A0E9-43D5-9F73-ED792704DE70}\InprocServer32]
@="C:\\WINNT\\system32\\bqowsewm.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\

194 items found: 194 files (162 H/S), 0 directories.
Total of file sizes: 78,488,104 bytes 74.85 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
guard.tmp Mon Aug 1 2005 12:28:10a ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is C808-CBBC

Directory of C:\WINNT\System32

162 File(s) 67,682,304 bytes
1 Dir(s) 36,821,471,232 bytes free
  • 0

#4
bricat (Visiting Staff, Visiting Consultant, 645 posts)

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

#5
doolittt

    New Member

  • Topic Starter
  • Member
  • 5 posts
L2Mfix 1.03a

Running From:
C:\Documents and Settings\USR\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\USR\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\USR\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1056 'explorer.exe'
Killing PID 1056 'explorer.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1232 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
updating: clear.reg (152 bytes security) (deflated 2%)
updating: echo.reg (152 bytes security) (deflated 8%)
updating: direct.txt (152 bytes security) (stored 0%)
updating: lo2.txt (152 bytes security) (deflated 74%)
updating: readme.txt (152 bytes security) (deflated 49%)
updating: report.txt (152 bytes security) (deflated 78%)
updating: test.txt (152 bytes security) (stored 0%)
updating: test2.txt (152 bytes security) (stored 0%)
updating: test3.txt (152 bytes security) (stored 0%)
updating: test5.txt (152 bytes security) (stored 0%)
adding: log.txt (152 bytes security) (deflated 91%)
updating: backregs/6DE0795E-A0E9-43D5-9F73-ED792704DE70.reg (152 bytes security) (deflated 70%)
updating: backregs/shell.reg (152 bytes security) (deflated 40%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
**********************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 11:42:40 PM, on 8/5/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINNT\system32\nalwin32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\winnt\system32\mdms.exe
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\system32\naldesk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\USR\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CBC/SRC
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NALWIN32] C:\WINNT\system32\nalwin32.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SysMemory manager] c:\winnt\system32\mdms.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photolab....geUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
******

#6
bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
That looks OK.

Please download the trial version of Ewido Security Suite from here. Install it and update the program with the latest definitions. Set up the program following the instructions here and then close it without running a scan.

Reboot into Safe Mode.

Then please run Ewido Security Suite and perform a full system scan. Remove anything found.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

* Click Save report
* Save the report to your desktop.


Then reboot normally, and post a new HJT log and the scan log from Ewido.

#7
bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Oops, post removed.

Edited by bricat, 06 August 2005 - 02:10 AM.


#8
doolittt

    New Member

  • Topic Starter
  • Member
  • 5 posts
Here it is Bricat-

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:00:36 AM, 8/6/2005
+ Report-Checksum: C58C902F

+ Scan result:

C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/cdcfg32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/cdxwin32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/clmsvcs.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/ctgmgr32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/cumaddin.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/dfnhpast.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/dfnlobby.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/dgrgres.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/dhutil.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/dmvvox.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/dpdskres.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/dpnput.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/drcprop2.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/drtmsft.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/dzdskmgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/dzlayx.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/fqlemgmt.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/fSxocm.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/fwclient.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/GBABL132.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/gdedit.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/gduninst.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/GEABP132.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/gituname.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/GJABP1US.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/ifircl.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/igxmontr.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/ilxpromn.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/imseng.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/ipign32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/iwetcomm.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/ixxrip.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/kjdir.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/ksdus.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/lkcmgr10.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/madimap.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/mdslgn32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/mdxbde40.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/micndmgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/mivideo.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/mkminst.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/mljetoledb40.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/mpobjs.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/msang.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/msg205.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/mzobjs.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/nbtmsg.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/nhevent.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/NJTLOGON.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/nosso.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/nqlsapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/nuvdmd.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/nxdskcc.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/pbtwin32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/pflagent.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/PFLMON.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/PHDLIB32.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/plapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/pplagent.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/PPPCUI.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/puapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/pxlagent.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/RDSAPI32.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/rDstls.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/rNsmontr.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/rond.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/rSstapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/rTstapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/rzgwizc.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/satupdll.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/sicfiles.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/ssdocvw.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/syndmail.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/tDpi32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/tgrmmgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/tPpi32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/tVpisrv.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/ulpnpmgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/vmscript.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/wbwfax.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/wcpcore.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/wensmon.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/wevcore.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/WKNSRV.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/wsnstrm.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/wvadmoe.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/wvplenc.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\USR\Desktop\l2mfix\backup.zip/guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\w -> TrojanProxy.Cimuz.h : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 11:06:41 AM, on 8/6/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\wm.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\RunDll32.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINNT\system32\nalwin32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\winnt\system32\mdms.exe
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\system32\naldesk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\USR\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CBC/SRC
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NALWIN32] C:\WINNT\system32\nalwin32.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SysMemory manager] c:\winnt\system32\mdms.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photolab....geUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe

#9
bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Rerun HJT, and put a checkmark beside these:


O4 - HKLM\..\Run: [SysMemory manager] c:\winnt\system32\mdms.exe


Now close all windows and browsers and click FIX CHECKED.



Then boot up in SAFE MODE.

Then navigate to and delete these files\folders in BOLD:


C:\winnt\system32\mdms.exe


Then reboot and post a fresh HijackThis log.

#10
doolittt

    New Member

  • Topic Starter
  • Member
  • 5 posts
Bricat, in the safe mode I couldn't locate the file ".....mdms.exe"

Logfile of HijackThis v1.99.1
Scan saved at 2:31:44 PM, on 8/6/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\CA\SHARED~1\SCANEN~1\InoDist.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\RunDll32.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINNT\system32\nalwin32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINNT\system32\naldesk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\USR\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CBC/SRC
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NALWIN32] C:\WINNT\system32\nalwin32.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.photolab....geUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe

#11
bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
HJT has taken care of that file, but we had to check.

That looks clean now.

DISABLE SYSTEM RESTORE, run your antivirus, and when you get the all clear, restart your System Restore (same page). Then create a new restore point:

Click START\ALL PROGRAMS\ACCESSORIES\SYSTEM TOOLS\SYSTEM RESTORE. Click on "create new restore point".
Click on NEXT and follow the prompts.

This is to ensure that if you have to do a system restore in the future, you don't get all the nasties reinstalled again.

Then

Go to TOOLS\INTERNET OPTIONS and delete all TEMP INTERNET FILES.

Download CCLEANER, then run the scan under the Windows tab.

Then DEFRAG your C:\ drive to help speed up your system.

Then let us know how the computer is running.