Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

winfix 2005 problem

Started by iloan , Aug 09 2005 08:20 PM

  • Please log in to reply

#1
iloan
Posted 09 August 2005 - 08:20 PM

iloan

    New Member

  • Member
  • Pip
  • 5 posts
Winfix 2005 keeps popping up and I can't get rid of it. Other programs keep opening new browsers and i can't get them to stop either. Here is my Hijack this logfile.

Logfile of HijackThis v1.99.1
Scan saved at 7:12:00 PM, on 08/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\fsgdge.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Program Files\maao\oiat.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ivan Stevens\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [70ul63c2] C:\WINDOWS\System32\70ul63c2.exe
O4 - HKLM\..\Run: [mscin] C:\Documents and Settings\Ivan Stevens\m190309.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\fsgdge.exe reg_run
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [mkro] C:\PROGRA~1\COMMON~1\mkro\mkrom.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Sqfktr] C:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [Udua] C:\Program Files\maao\oiat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bc.edu/sc...er/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://www.myfamily..../Install_UE.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123636147270
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - http://www.clickloan...PtClickLoan.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\sfrwvdrv.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Any help would be appreciated!
  • 0

Advertisements

#2
Wizard
Posted 10 August 2005 - 06:41 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi iloan and Welcome to GeekstoGo!

That appears to be the Look2me Infection amongst others!

Please download the l2mfix from here
http://www.atribune....oads/l2mfix.exe
or
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.


If you recieve any error messages for CMD or Autoexec.bat>> Select Option 5 from the l2mfix and once at the Site,Click on the link that apply to your Operating System!

Double Click the file it downloads and Extract the files to its predetermined System32 folder!
  • 0

#3
iloan
Posted 10 August 2005 - 07:51 PM

iloan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you so much for helping me with this problem. This thing has got ahold of my computer and taken over. I can't even open some of my normal programs at all.

Here's the log you asked for from 12mfix.exe

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\sfrwvdrv.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F9D6FC72-A29A-2040-0CBD-C7414C222D73}"=""
"acc=marketingsector"=" "

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{858456CD-86B1-46A0-927E-26171B65F294}"=""
"{8D00FE08-1B50-4B37-8B7C-8AA26AD6A737}"=""
"{998A8339-D2C7-499A-819D-AEDD6D1E44E4}"=""
"{427A7818-0924-4599-8027-B55EB99E870B}"=""
"{F4195965-7CFD-4683-B85F-F9C0C793CDC1}"=""
"{9BB50D18-B28B-4955-8267-1B8FF29759F1}"=""
"{83E6A73F-B572-4F4E-A8C1-E42F88B407C3}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{858456CD-86B1-46A0-927E-26171B65F294}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{858456CD-86B1-46A0-927E-26171B65F294}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{858456CD-86B1-46A0-927E-26171B65F294}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{858456CD-86B1-46A0-927E-26171B65F294}\InprocServer32]
@="C:\\WINDOWS\\system32\\rlgwizc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8D00FE08-1B50-4B37-8B7C-8AA26AD6A737}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8D00FE08-1B50-4B37-8B7C-8AA26AD6A737}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8D00FE08-1B50-4B37-8B7C-8AA26AD6A737}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8D00FE08-1B50-4B37-8B7C-8AA26AD6A737}\InprocServer32]
@="C:\\WINDOWS\\system32\\dssapi.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{998A8339-D2C7-499A-819D-AEDD6D1E44E4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{998A8339-D2C7-499A-819D-AEDD6D1E44E4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{998A8339-D2C7-499A-819D-AEDD6D1E44E4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{998A8339-D2C7-499A-819D-AEDD6D1E44E4}\InprocServer32]
@="C:\\WINDOWS\\system32\\rnaenh.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{427A7818-0924-4599-8027-B55EB99E870B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{427A7818-0924-4599-8027-B55EB99E870B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{427A7818-0924-4599-8027-B55EB99E870B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{427A7818-0924-4599-8027-B55EB99E870B}\InprocServer32]
@="C:\\WINDOWS\\system32\\oveaut32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F4195965-7CFD-4683-B85F-F9C0C793CDC1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F4195965-7CFD-4683-B85F-F9C0C793CDC1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F4195965-7CFD-4683-B85F-F9C0C793CDC1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F4195965-7CFD-4683-B85F-F9C0C793CDC1}\InprocServer32]
@="C:\\WINDOWS\\system32\\wtwfaxui.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9BB50D18-B28B-4955-8267-1B8FF29759F1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9BB50D18-B28B-4955-8267-1B8FF29759F1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9BB50D18-B28B-4955-8267-1B8FF29759F1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9BB50D18-B28B-4955-8267-1B8FF29759F1}\InprocServer32]
@="C:\\WINDOWS\\system32\\sfrwvdrv.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{83E6A73F-B572-4F4E-A8C1-E42F88B407C3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{83E6A73F-B572-4F4E-A8C1-E42F88B407C3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{83E6A73F-B572-4F4E-A8C1-E42F88B407C3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{83E6A73F-B572-4F4E-A8C1-E42F88B407C3}\InprocServer32]
@="C:\\WINDOWS\\system32\\roipxmib.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 0C78-19D3

Directory of C:\WINDOWS\System32

08/10/2005 10:56 AM 417,792 oveaut32.dll
08/10/2005 08:41 AM 417,792 roipxmib.dll
08/09/2005 07:39 PM <DIR> dllcache
07/28/2005 07:28 AM 417,792 sfrwvdrv.dll
07/24/2005 04:00 PM 417,792 cpseqchk.dll
07/22/2005 08:50 PM 417,792 issecsvc.dll
07/21/2005 06:57 AM 401,408 j?vaw.exe
07/17/2005 01:17 PM 417,792 oue2.dll
07/16/2005 11:11 AM 417,792 FZ20ENU.DLL
07/09/2005 10:31 AM 417,792 wwnetmgr.dll
07/08/2005 08:54 AM <DIR> Microsoft
06/24/2005 09:16 PM 417,792 guard.tmp
06/24/2005 06:58 PM 417,792 sDmsrv.dll
11 File(s) 4,579,328 bytes
2 Dir(s) 29,734,846,464 bytes free

Thanks again for all your help!!
  • 0

#4
Wizard
Posted 10 August 2005 - 08:04 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Close any programs you have open since this step requires a reboot.


From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

After posting those 2 logs,proceed with the Instructions below!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download and Install
CleanUp!
Dont use it yet!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Run Cleanup,when prompted to log off>> Select No

Scan the PC with Ewido just as described in the link-> Clean everthing it finds and make sure to Save the Report

Scan the System with Ad Aware,remove everything it finds and delete all quaratine files!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Download the Hoster from here:
http://www.funkytoad...load/hoster.zip
Press "Restore Original Hosts" and press "OK"!
Exit Program!


Post back with a fresh HijackThis log and the reports from Ewido and Panda!
  • 0

#5
iloan
Posted 11 August 2005 - 06:08 PM

iloan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Ok!

I tried to install and run the L2mfix program with no luck. It sat all night without any luck. I did get an error and tried option number 5 but got another error message. I rebooted in safe mode, deleted L12mfix and proceeded with the other instructions.

Here are the results...

Weido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:02:50 PM, 08/11/2005
+ Report-Checksum: 57325E3E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{031B6D43-CBC4-46A5-8E46-CF8B407C1A33} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7C559105-9ECF-42b8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer\CLSID -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer\CurVer -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1390067357-1383384898-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
C:\Program Files\Common Files\mkro\mkrol.exe -> TrojanDownloader.TSUpdate.j : Cleaned with backup
C:\Program Files\Common Files\mkro\mkrop.exe -> Spyware.Xupiter : Cleaned with backup
C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar/content/isearch/isearch.js -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cpbrkpie.ocx -> Spyware.Coupon : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ActiveX.ocx -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\enhuninstall.exe -> Spyware.NoName : Cleaned with backup
C:\WINDOWS\enhupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\etb\nt_hide63.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\etb\pokapoka62.exe -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\etb\xud_62.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\install.exe -> TrojanDownloader.Small.aha : Cleaned with backup
C:\WINDOWS\isrvs\ceres.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\ru.exe -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\saap.exe -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\spxhnhwq.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\6fn1fl6l.dll -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\70ul63c2.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\system32\FZ20ENU.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\numssvc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\oue2.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\oveaut32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\roipxmib.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sDmsrv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sfrwvdrv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\sys10000.exe -> TrojanDownloader.Domcom.a : Cleaned with backup
C:\WINDOWS\system32\webdlg32.dll -> Spyware.SBSoft : Cleaned with backup
C:\WINDOWS\system32\wwnetmgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\webdlg32.cab/webdlg32.dll -> Spyware.SBSoft : Cleaned with backup
C:\WINDOWS\webdlg32.dll -> Spyware.SBSoft : Cleaned with backup


::Report End

I did run ad aware after ewido and found 2 things that I deleted.

I then ran clean up and followed your instructions for MSCONFIG.

After that I ran Panda and came up with the following log:

Incident Status Location

Possible Virus. No disinfected C:\DOCUME~1\IVANST~1\LOCALS~1\Temp\263196_1368_1012_2376_63.41.tmp
Possible Virus. No disinfected C:\DOCUME~1\IVANST~1\LOCALS~1\Temp\66200_1368_1012_1604_63.41.tmp
Virus:Trj/Downloader.DRJ Disinfected Operating system
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Spyware:spyware/iehelp No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ipreg32.inf
Adware:adware/elitebar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\OSDEB.OSD
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Spyware:spyware/aveo-attune No disinfected C:\PROGRAM FILES\Aveo
Adware:adware/consumeralertsystemNo disinfected C:\PROGRAM FILES\CasStub
Adware:adware/oemji No disinfected C:\PROGRAM FILES\COMMON FILES\Oem Common
Adware:adware/dealhelper No disinfected C:\WINDOWS\SYSTEM32\Newmsrdk
Adware:adware/delfinmedia No disinfected C:\WINDOWS\SYSTEM32\nsvsvc
Adware:adware/sahagent No disinfected C:\WINDOWS\SYSTEM32\SahImages
Adware:adware/transponder No disinfected C:\WINDOWS\inst
Adware:adware/isearch No disinfected C:\WINDOWS\isrvs
Adware:adware/wupd No disinfected Windows Registry
Possible Virus. No disinfected C:\Documents and Settings\Ivan Stevens\Local Settings\Temp\263196_1368_1012_2376_63.41.tmp
Possible Virus. No disinfected C:\Documents and Settings\Ivan Stevens\Local Settings\Temp\66200_1368_1012_1604_63.41.tmp
Virus:Trj/Downloader.DRJ Disinfected C:\Documents and Settings\Ivan Stevens\Local Settings\Temp\BC.tmp
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Cas\Client\Uninstall.exe
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\mkro\mkrod\mkroc.dll
Hacktool:Hacktool/Processor No disinfected C:\RECYCLER\S-1-5-21-1390067357-1383384898-1202660629-1003\Dc1\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\RECYCLER\S-1-5-21-1390067357-1383384898-1202660629-1003\Dc2.exe[Process.exe]
Spyware:Spyware/Iehelp No disinfected C:\WINDOWS\Downloaded Program Files\ipreg32.inf
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\drugs.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\fav.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\virus.bmp
Possible Virus. No disinfected C:\WINDOWS\system32\cpseqchk.dll
Possible Virus. No disinfected C:\WINDOWS\system32\issecsvc.dll
Hacktool:Hacktool/Processor No disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\system32\webdlg32.inf
Adware:Adware/Popup.pop No disinfected C:\WINDOWS\system32\winsx.inf
After that I ran a hijack this again and the following log is the result:

Logfile of HijackThis v1.99.1
Scan saved at 4:59:42 PM, on 08/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\fsgdge.exe
C:\WINDOWS\etb\pokapoka63.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ivan Stevens\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [mscin] C:\Documents and Settings\Ivan Stevens\m190309.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\fsgdge.exe reg_run
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Ivan Stevens\Desktop\l2mfix\second.bat
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [mkro] C:\PROGRA~1\COMMON~1\mkro\mkrom.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Sqfktr] C:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [Udua] C:\Program Files\maao\oiat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bc.edu/sc...er/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://www.myfamily..../Install_UE.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123636147270
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - http://www.clickloan...PtClickLoan.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I again appreciate any help that you are offering. The problem seems to be getting better but not all the way solved as of yet.

thanks!!!!!!
  • 0

#6
Wizard
Posted 11 August 2005 - 06:36 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,Go to this Site
http://www.tech-foru...opic/29806.html

Click the link that applies to your Operating System!

Download the file,Double Click the File and a Small Window will Open!

Leave the default destination and Click Unzip!

Thats it,that part is done!

ReDownload the l2mfix from here
http://www.atribune....oads/l2mfix.exe

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select Option #2 by typing 2 and then pressing enter, then press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
  • 0

#7
Wizard
Posted 11 August 2005 - 06:41 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,Go to this Site
http://www.tech-foru...opic/29806.html

Click the link that applies to your Operating System!

Download the file,Double Click the File and a Small Window will Open!

Leave the default destination and Click Unzip!

Thats it,that part is done!

ReDownload the l2mfix from here
http://www.atribune....oads/l2mfix.exe

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select Option #2 by typing 2 and then pressing enter, then press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Generate a HijackThis Uninstall list

If you have the Opening page in HijackThis activated,then click "Open the MiscTools Section"!

If you have the Normal View Set,Click on Config and then Misc Tools!

Now Click on "Open Uninstall Manager"-> Click on "Save List" and post those results also!
  • 0

#8
iloan
Posted 11 August 2005 - 07:29 PM

iloan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Ok, cool! You are so smart...thanks so much...Her's the new log file from L2mfkx.exe

L2Mfix 1.03a

Running From:
C:\Documents and Settings\Ivan Stevens\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Ivan Stevens\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Ivan Stevens\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 404 'explorer.exe'
Killing PID 404 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\cpseqchk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cpseqchk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\issecsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\issecsvc.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\cpseqchk.dll
Successfully Deleted: C:\WINDOWS\system32\cpseqchk.dll
deleting: C:\WINDOWS\system32\cpseqchk.dll
Successfully Deleted: C:\WINDOWS\system32\cpseqchk.dll
deleting: C:\WINDOWS\system32\issecsvc.dll
Successfully Deleted: C:\WINDOWS\system32\issecsvc.dll
deleting: C:\WINDOWS\system32\issecsvc.dll
Successfully Deleted: C:\WINDOWS\system32\issecsvc.dll


Zipping up files for submission:
adding: cpseqchk.dll (140 bytes security) (deflated 48%)
adding: issecsvc.dll (140 bytes security) (deflated 48%)
adding: clear.reg (140 bytes security) (deflated 2%)
adding: echo.reg (140 bytes security) (deflated 10%)
adding: direct.txt (140 bytes security) (stored 0%)
adding: lo2.txt (140 bytes security) (deflated 77%)
adding: readme.txt (140 bytes security) (deflated 49%)
adding: test.txt (140 bytes security) (deflated 67%)
adding: test2.txt (140 bytes security) (stored 0%)
adding: test3.txt (140 bytes security) (stored 0%)
adding: test5.txt (140 bytes security) (stored 0%)
adding: xfind.txt (140 bytes security) (deflated 64%)
adding: backregs/shell.reg (140 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: cpseqchk.dll
deleting local copy: cpseqchk.dll
deleting local copy: issecsvc.dll
deleting local copy: issecsvc.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\cpseqchk.dll
C:\WINDOWS\system32\cpseqchk.dll
C:\WINDOWS\system32\issecsvc.dll
C:\WINDOWS\system32\issecsvc.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


And her is the new Hijack this log file:
Logfile of HijackThis v1.99.1
Scan saved at 6:26:34 PM, on 08/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\fsgdge.exe
C:\WINDOWS\etb\pokapoka63.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ivan Stevens\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [mscin] C:\Documents and Settings\Ivan Stevens\m190309.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\fsgdge.exe reg_run
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [mkro] C:\PROGRA~1\COMMON~1\mkro\mkrom.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Sqfktr] C:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [Udua] C:\Program Files\maao\oiat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bc.edu/sc...er/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://www.myfamily..../Install_UE.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123636147270
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - http://www.clickloan...PtClickLoan.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

I hope this helps! Thanks a bunch for all your time and help...

It's horrible to know that someone can do this to your computer!
  • 0

#9
iloan
Posted 11 August 2005 - 07:36 PM

iloan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Here is the new "open uninstall manager" from hijack this you asked for as well.

Log:

1000 Best Games
1000 Solitaire Games
1999 World Book (Deluxe)
300 Arcade Games
3D Frog Frenzy
3D Pinball Express
501 Legal Forms and Form Letters
Absolute Poker
Ad-Aware SE Personal
Adobe Acrobat Reader 3.01
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0
Attune 2.3.2
Board Games
CleanUp!
Eds Viewer
EPSON Printer Software
ewido security suite
HijackThis 1.99.1
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Software Update
IBM OnDemand AFP Web Viewer
INF-Tool
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft Office XP Professional with FrontPage
Multimedia Law Library 1000
OIN
Panda ActiveScan
Point
PokerStars.net
QuickTime
RealPlayer
Select CashBack
Spybot - Search & Destroy 1.3
SpySpotter
Super Huey III
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB829558
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773

Thanks again for all your help!!!
  • 0

#10
Wizard
Posted 12 August 2005 - 05:30 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
First,lets get HijackThis into a permanent folder!

Right Click the Desktop and Select New-> Folder-> Name it whatever you like!

Find the original Zip folder for HijackThis and Move it to the new folder on the desktop!

Unzip it and be sure to Extract All Files!

Here is a list of programs to remove from Add\Remove programs

Absolute Poker
PokerStars.net
Select CashBack
SpySpotter
Attune 2.3.2

Here is a list I am unsure of and you will have to determine what to do with them

1000 Best Games
1000 Solitaire Games
300 Arcade Games
3D Frog Frenzy
3D Pinball Express
INF-Tool
OIN

Now to repair the other problems we are going to need to see a series of scans and I will need you to download several special tools to do this with!

Next go to the l2mfix folder and double click l2mfix.exe-> Select Option 4 and Save that log!

Download Process Explorer
http://www.sysintern...ssExplorer.html

Scroll down and click the link that applies to your System,if you are unsure,just download the 32-bit version!

Unzip and Extract All Files-> Double Click Procexp.exe to Open the program!

Now double click this process-> "fsgdge.exe"-> Click "Strings"-> put a tick in "Memory"-> Give it a second to load and Click "Save"-> Save that log!

Download TrackQoo from here
http://webpages.char...Track qoo 1.zip

Double Click on "Track qoo.vbs"

If you Antivirus has Script Blocking,you will get a Pop Up Windows asking you what to do

Allow this Entire Script to Run,its harmless!

Wait a few seconds and a notepad page will pop up,Copy&Paste those results as soon as completed along with the Results from Option 4 of the l2mfix and the Strings log from Process Explorer!

After the logs are posted lets do some cleaning while I go through those logs!

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Download LQfix.zip:
http://users.pandora...atchy/LQfix.zip
Unzip it and save it to your desktop, don't use it yet!

Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam


From the LQfix folder-> Doubleclick LQfix.bat that you saved on your desktop before.
A doswindow will open and close again, this is normal.


From the list below,Copy&Paste each entry into Pocket Killbox and use the Instructions that follow!

C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\inst
C:\WINDOWS\isrvs
C:\WINDOWS\etb
C:\WINDOWS\system32\webdlg32.inf
C:\WINDOWS\system32\winsx.inf
C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\system32\cpseqchk.dll
C:\WINDOWS\system32\issecsvc.dll
C:\WINDOWS\SYSTEM32\SahImages
C:\WINDOWS\SYSTEM32\Newmsrdk
C:\WINDOWS\SYSTEM32\nsvsvc
C:\WINDOWS\DOWNLOADED PROGRAM FILES\ipreg32.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\OSDEB.OSD
C:\Documents and Settings\Ivan Stevens\m190309.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker
C:\Program Files\SpyKiller
C:\Program Files\BestPopUpKiller
C:\Program Files\Cas
C:\PROGRAM FILES\CasStub
C:\Program Files\maao
C:\PROGRAM FILES\Aveo
C:\PROGRAM FILES\COMMON FILES\Oem Common
C:\Program Files\Common Files\mkro

As you paste each entry into Killbox,place a tick by any of these selections available!

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Click the Red Circle with the White X in the Middle to Delete!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O4 - HKLM\..\Run: [mscin] C:\Documents and Settings\Ivan Stevens\m190309.EXE

O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe

O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup

O4 - HKCU\..\Run: [mkro] C:\PROGRA~1\COMMON~1\mkro\mkrom.exe

O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"

O4 - HKCU\..\Run: [Sqfktr] C:\WINDOWS\System32\j?vaw.exe

O4 - HKCU\..\Run: [Udua] C:\Program Files\maao\oiat.exe

O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://www.myfamily..../Install_UE.exe

O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab

O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) -

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx

O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - http://www.clickloan...PtClickLoan.cab

O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

Now from the WinPFind Folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once you see "Scan Complete"-> there will be a log(WinPFind.txt) automatically generated!

Restart Normal and do the following

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\System32\j?vaw.exe /a h > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log and the results of WinPFind!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP