Winfixer 2005 problem..please help [RESOLVED]


#1 kaikegelmann (New Member, 7 posts)

Hello,

I have the same problem as many in this forum. WinFixer 2005 always pops up and tries to install the software, as well as many other popups that come up.

I did the whole Ad-Aware, ewido, Shredder, Spybot thing already...

Here is the HijackThis log, followed by the ewido log:

Thanks


Logfile of HijackThis v1.99.1
Scan saved at 17:41:05, on 10.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Kegelmann\Desktop\HijackThis.exe
C:\Programme\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinFixer 2005] C:\Programme\WinFixer 2005\wfx5.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120716796686
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave...mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://playroom.icq....dyssey_web8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.co...aploader_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by13fd.bay13....ex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\duprov.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Dokumente und Einstellungen\Kegelmann\Lokale Einstellungen\Temporary Internet Files\Content.IE5\FR5JFL8W\CWShredder[1].exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe



--------------------------------------------------------
ewido security suite - Scan Report
---------------------------------------------------------

+ Erstellt am: 17:35:32, 10.08.2005
+ Report-Checksumme: DCDB65F9

+ Scanergebnis:

HKU\S-1-5-21-4179051517-4025279379-689279713-1004\Software\saap -> Spyware.180Solutions : Gesäubert mit Backup
[724] C:\WINDOWS\system32\duprov.dll -> Spyware.Look2Me : Fehler beim Säubern
[956] C:\WINDOWS\system32\CXMDLG32.DLL -> Spyware.Look2Me : Fehler beim Säubern
[180] C:\WINDOWS\system32\CXMDLG32.DLL -> Spyware.Look2Me : Fehler beim Säubern
C:\WINDOWS\system32\ciedui.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\WINDOWS\system32\sqrmdll.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\WINDOWS\system32\mqjet40.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\WINDOWS\system32\SYHANNEL.DLL -> Spyware.Look2Me : Gesäubert mit Backup
C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Gesäubert mit Backup
C:\WINDOWS\system32\oieacc.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\WINDOWS\system32\rDsrad.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\WINDOWS\system32\mgl_hp.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\WINDOWS\system32\aztapi.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me : Gesäubert mit Backup
C:\WINDOWS\Temp\Cookies\kegelmann@paypopup[1].txt -> Spyware.Cookie.Paypopup : Gesäubert mit Backup
C:\WINDOWS\Temp\Cookies\kegelmann@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Gesäubert mit Backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Gesäubert mit Backup
C:\WINDOWS\Downloaded Program Files\website.ocx -> TrojanDownloader.Agent.ex : Gesäubert mit Backup
C:\WINDOWS\Downloaded Program Files\ActiveX.ocx -> Spyware.Look2Me : Gesäubert mit Backup
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Gesäubert mit Backup
C:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet : Gesäubert mit Backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Kegelmann\Lokale Einstellungen\Temp\Cookies\kegelmann@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Kegelmann\Lokale Einstellungen\Temp\Cookies\kegelmann@weborama[2].txt -> Spyware.Cookie.Weborama : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Kegelmann\Lokale Einstellungen\Temp\Cookies\kegelmann@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Kegelmann\Lokale Einstellungen\Temp\Cookies\kegelmann@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP285\A0035380.exe -> TrojanDownloader.Swizzor.cg : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP293\A0035638.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP294\A0035656.dll -> Adware.Gator : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP295\A0035669.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP296\A0035680.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP299\A0036774.dll -> Adware.SAHA : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP299\A0036775.exe -> Adware.SAHA : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP301\A0036865.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP304\A0036895.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP304\A0036904.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP306\A0036957.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP307\A0036970.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP309\A0037023.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP310\A0037035.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP313\A0037165.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037228.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037241.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037250.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP297\A0036702.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP298\A0036736.EXE.tcf -> Adware.Saha : Gesäubert mit Backup


::Report Ende

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

Download L2MFix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!

#3 kaikegelmann (Topic Starter, New Member, 7 posts)

Thanks for the fast reply... I did the test. Here is the log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\duprov.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{51EBBB1A-4B90-BB9B-ECC6-2651C7ADD205}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschaften fr Multimediadatei"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-Scannerverwaltung"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-Sicherheit"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE-Eigenschaftenseite fr Dokumente"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shellerweiterungen fr Freigaben"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung fr Grafikkarten"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung fr Bildschirme"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung fr Anzeigeverschiebung"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-Sicherheit"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilit„tsseite"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell-Datenauszughandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Erweiterung fr Datentr„gerkopien"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shellerweiterungen fr Microsoft Windows-Netzwerkobjekte"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-Monitorverwaltung"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-Druckerverwaltung"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shellerweiterungen fr die Dateikomprimierung"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shellerweiterung fr Webdrucker"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontextmen fr die Verschlsselung"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Aktenkoffer"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Erweiterung fr HyperTerminal-Icons"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Schriftarten"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-Profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Druckersicherheit"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shellerweiterungen fr Freigaben"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-PKO-Erweiterung"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-Sign-Erweiterung"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netzwerkverbindungen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netzwerkverbindungen"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanner und Kameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanner und Kameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanner und Kameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanner und Kameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanner und Kameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shellerweiterungen fr Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Datenverknpfung"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplante Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskleiste und Startmen"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Suchen"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ausfhren..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-Mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Schriftarten"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Verwaltung"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Syntaxanalyse der Adressleiste"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-Verlauf-Dienst"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Verlauf"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Sucheingriff"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-Begráungsbildschirm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-Cacheordner"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Webpublishing-Assistent"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestellung von Abzgen ber das Internet"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shellobjekt des Webpublishing-Assistenten"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Passport-Assistent"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Benutzerkonten"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channeldatei"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channelverknpfung"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channelhandlerobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Ordner 'Offlinedateien'"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Nach Personen..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universelle Plug & Play-Ger„te"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{718BA9C4-63FE-456A-9EA6-BBD6B0205B2E}"=""
"{C7BC6381-AEF1-4D23-B5A2-4633E7D6EA18}"=""
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{718BA9C4-63FE-456A-9EA6-BBD6B0205B2E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{718BA9C4-63FE-456A-9EA6-BBD6B0205B2E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{718BA9C4-63FE-456A-9EA6-BBD6B0205B2E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{718BA9C4-63FE-456A-9EA6-BBD6B0205B2E}\InprocServer32]
@="C:\\WINDOWS\\system32\\CXMDLG32.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C7BC6381-AEF1-4D23-B5A2-4633E7D6EA18}]
@=""
"IDEx"="ST015"

[HKEY_CLASSES_ROOT\CLSID\{C7BC6381-AEF1-4D23-B5A2-4633E7D6EA18}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C7BC6381-AEF1-4D23-B5A2-4633E7D6EA18}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C7BC6381-AEF1-4D23-B5A2-4633E7D6EA18}\InprocServer32]
@="C:\\WINDOWS\\system32\\sqrmdll.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
vsxml.dll Fri 3 Jun 2005 5:43:42 A.... 100.096 97,75 K
vsdata.dll Fri 3 Jun 2005 5:42:48 A.... 75.528 73,76 K
vsutil.dll Fri 3 Jun 2005 5:43:30 A.... 354.056 345,76 K
vsmonapi.dll Fri 3 Jun 2005 5:43:08 A.... 108.296 105,76 K
vspubapi.dll Fri 3 Jun 2005 5:43:12 A.... 198.408 193,76 K
vsinit.dll Fri 3 Jun 2005 5:43:00 A.... 124.680 121,76 K
vsutil~1.dll Fri 3 Jun 2005 5:16:08 A.... 50.864 49,67 K
xpsp3res.dll Mon 16 May 2005 18:42:14 ..... 17.408 17,00 K
vsregexp.dll Fri 3 Jun 2005 5:43:16 A.... 71.432 69,76 K
zlcomm.dll Fri 3 Jun 2005 5:44:02 A.... 75.528 73,76 K
wuweb.dll Thu 26 May 2005 4:19:32 A.... 173.536 169,47 K
zlcommdb.dll Fri 3 Jun 2005 5:44:06 A.... 67.336 65,76 K
itss.dll Thu 26 May 2005 20:04:48 A.... 137.216 134,00 K
cdm.dll Thu 26 May 2005 4:16:24 A.... 75.544 73,77 K
itircl.dll Thu 26 May 2005 20:04:48 A.... 155.136 151,50 K
iuengine.dll Thu 26 May 2005 4:16:24 A.... 198.424 193,77 K
wuapi.dll Thu 26 May 2005 4:16:22 A.... 466.200 455,27 K
wuaueng.dll Thu 26 May 2005 4:16:30 A.... 1.343.768 1,28 M
wuaueng1.dll Thu 26 May 2005 4:16:22 A.... 194.840 190,27 K
wucltui.dll Thu 26 May 2005 4:16:22 A.... 128.280 125,27 K
wups.dll Thu 26 May 2005 4:16:30 A.... 41.240 40,27 K
cxmdlg32.dll Wed 10 Aug 2005 16:25:38 ..S.R 417.792 408,00 K
atl71.dll Wed 6 Jul 2005 17:17:28 A.... 89.088 87,00 K
hhsetup.dll Thu 26 May 2005 20:04:48 A.... 41.472 40,50 K
duprov.dll Thu 4 Aug 2005 2:34:56 ..S.R 417.792 408,00 K
uyildll.dll Thu 21 Jul 2005 14:07:36 ..S.R 417.792 408,00 K
wups2.dll Thu 26 May 2005 4:16:30 A.... 18.200 17,77 K
s32evnt1.dll Fri 13 May 2005 19:50:10 A.... 91.856 89,70 K
vmsde.dll Thu 21 Jul 2005 14:07:52 ..S.R 417.792 408,00 K
mgports.dll Thu 21 Jul 2005 15:33:36 ..S.R 417.792 408,00 K
rbstapi.dll Thu 21 Jul 2005 15:33:42 ..S.R 417.792 408,00 K
idxsap.dll Thu 21 Jul 2005 16:53:36 ..S.R 417.792 408,00 K
kkdcan.dll Thu 21 Jul 2005 16:53:44 ..S.R 417.792 408,00 K
iygutil.dll Thu 21 Jul 2005 18:22:48 ..S.R 417.792 408,00 K
sulgntfy.dll Thu 21 Jul 2005 21:13:04 ..S.R 417.792 408,00 K
brsesrv.dll Thu 21 Jul 2005 18:22:40 ..S.R 417.792 408,00 K
mord3x40.dll Thu 21 Jul 2005 21:13:10 ..S.R 417.792 408,00 K
ksrnel32.dll Thu 21 Jul 2005 22:23:02 ..S.R 417.792 408,00 K
bptmeter.dll Thu 21 Jul 2005 22:23:10 ..S.R 417.792 408,00 K
mziqtz32.dll Thu 21 Jul 2005 23:27:02 ..S.R 417.792 408,00 K
mthcp.dll Thu 21 Jul 2005 23:27:08 ..S.R 417.792 408,00 K
chtsrv.dll Fri 22 Jul 2005 0:27:04 ..S.R 417.792 408,00 K
poccllct.dll Fri 22 Jul 2005 0:27:14 ..S.R 417.792 408,00 K
pdparse.dll Fri 22 Jul 2005 1:47:08 ..S.R 417.792 408,00 K
mcdtctm.dll Fri 22 Jul 2005 1:47:22 ..S.R 417.792 408,00 K
legitc~1.dll Tue 12 Jul 2005 18:04:22 A.... 520.456 508,26 K
mscms.dll Tue 28 Jun 2005 19:49:40 A.... 74.240 72,50 K
msvcp71.dll Wed 6 Jul 2005 17:17:28 A.... 499.712 488,00 K
mfc71.dll Wed 6 Jul 2005 17:17:28 A.... 1.060.864 1,01 M
msvcr71.dll Wed 6 Jul 2005 17:17:28 A.... 348.160 340,00 K
icm32.dll Tue 28 Jun 2005 19:49:40 A.... 254.976 249,00 K
gwfspi~1.dll Tue 12 Jul 2005 18:04:22 A.... 23.304 22,76 K

52 items found: 52 files (20 H/S), 0 directories.
Total of file sizes: 15.535.984 bytes 14,81 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Datenträger in Laufwerk C: ist ACER
Volumeseriennummer: 290E-14EF

Verzeichnis von C:\WINDOWS\System32

10.08.2005 16:25 417.792 CXMDLG32.DLL
04.08.2005 02:34 417.792 duprov.dll
22.07.2005 01:47 417.792 mcdtctm.dll
22.07.2005 01:47 417.792 pdParse.dll
22.07.2005 00:27 417.792 pocCllct.dll
22.07.2005 00:27 417.792 cHtsrv.dll
21.07.2005 23:27 417.792 mthcp.dll
21.07.2005 23:27 417.792 mziqtz32.dll
21.07.2005 22:23 417.792 bPtmeter.dll
21.07.2005 22:23 417.792 KSRNEL32.DLL
21.07.2005 21:13 417.792 mord3x40.dll
21.07.2005 21:13 417.792 sulgntfy.dll
21.07.2005 18:22 417.792 iygutil.dll
21.07.2005 18:22 417.792 bRsesrv.dll
21.07.2005 16:53 417.792 kkdcan.dll
21.07.2005 16:53 417.792 idxsap.dll
21.07.2005 15:33 417.792 rBstapi.dll
21.07.2005 15:33 417.792 mgports.dll
21.07.2005 14:07 417.792 vmsde.dll
21.07.2005 14:07 417.792 uyildll.dll
21.06.2005 12:34 10.022 KGyGaAvL.sys
23.04.2004 11:58 <DIR> Microsoft
23.04.2004 11:37 <DIR> dllcache
21 Datei(en) 8.365.862 Bytes
2 Verzeichnis(se), 11.125.473.280 Bytes frei

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

#5 kaikegelmann (Topic Starter, New Member, 7 posts)

here is my log:

L2Mfix 1.03a

Running From:
C:\Dokumente und Einstellungen\Kegelmann\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- VORDEFINIERT\Administratoren
(NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- VORDEFINIERT\Administratoren
(NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER



Setting up for Reboot


Starting Reboot!

C:\Dokumente und Einstellungen\Kegelmann\Desktop\l2mfix
System Rebooted!

Running From:
C:\Dokumente und Einstellungen\Kegelmann\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2136 'explorer.exe'
Killing PID 2136 'explorer.exe'
Killing PID 2136 'explorer.exe'
Killing PID 2136 'explorer.exe'
Killing PID 2136 'explorer.exe'
Killing PID 2136 'explorer.exe'
Killing PID 2136 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2436 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\CXMDLG32.DLL
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\CXMDLG32.DLL
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\duprov.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\duprov.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\uyildll.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\uyildll.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\vmsde.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\vmsde.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\mgports.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\mgports.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\rBstapi.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\rBstapi.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\idxsap.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\idxsap.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\kkdcan.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\kkdcan.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\iygutil.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\iygutil.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\sulgntfy.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\sulgntfy.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\bRsesrv.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\bRsesrv.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\mord3x40.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\mord3x40.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\KSRNEL32.DLL
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\KSRNEL32.DLL
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\bPtmeter.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\bPtmeter.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\mziqtz32.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\mziqtz32.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\mthcp.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\mthcp.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\cHtsrv.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\cHtsrv.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\pocCllct.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\pocCllct.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\pdParse.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\pdParse.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\mcdtctm.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\mcdtctm.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\rVsauto.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\rVsauto.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 Datei(en) kopiert.
deleting: C:\WINDOWS\system32\CXMDLG32.DLL
Successfully Deleted: C:\WINDOWS\system32\CXMDLG32.DLL
deleting: C:\WINDOWS\system32\CXMDLG32.DLL
Successfully Deleted: C:\WINDOWS\system32\CXMDLG32.DLL
deleting: C:\WINDOWS\system32\duprov.dll
Successfully Deleted: C:\WINDOWS\system32\duprov.dll
deleting: C:\WINDOWS\system32\duprov.dll
Successfully Deleted: C:\WINDOWS\system32\duprov.dll
deleting: C:\WINDOWS\system32\uyildll.dll
Successfully Deleted: C:\WINDOWS\system32\uyildll.dll
deleting: C:\WINDOWS\system32\uyildll.dll
Successfully Deleted: C:\WINDOWS\system32\uyildll.dll
deleting: C:\WINDOWS\system32\vmsde.dll
Successfully Deleted: C:\WINDOWS\system32\vmsde.dll
deleting: C:\WINDOWS\system32\vmsde.dll
Successfully Deleted: C:\WINDOWS\system32\vmsde.dll
deleting: C:\WINDOWS\system32\mgports.dll
Successfully Deleted: C:\WINDOWS\system32\mgports.dll
deleting: C:\WINDOWS\system32\mgports.dll
Successfully Deleted: C:\WINDOWS\system32\mgports.dll
deleting: C:\WINDOWS\system32\rBstapi.dll
Successfully Deleted: C:\WINDOWS\system32\rBstapi.dll
deleting: C:\WINDOWS\system32\rBstapi.dll
Successfully Deleted: C:\WINDOWS\system32\rBstapi.dll
deleting: C:\WINDOWS\system32\idxsap.dll
Successfully Deleted: C:\WINDOWS\system32\idxsap.dll
deleting: C:\WINDOWS\system32\idxsap.dll
Successfully Deleted: C:\WINDOWS\system32\idxsap.dll
deleting: C:\WINDOWS\system32\kkdcan.dll
Successfully Deleted: C:\WINDOWS\system32\kkdcan.dll
deleting: C:\WINDOWS\system32\kkdcan.dll
Successfully Deleted: C:\WINDOWS\system32\kkdcan.dll
deleting: C:\WINDOWS\system32\iygutil.dll
Successfully Deleted: C:\WINDOWS\system32\iygutil.dll
deleting: C:\WINDOWS\system32\iygutil.dll
Successfully Deleted: C:\WINDOWS\system32\iygutil.dll
deleting: C:\WINDOWS\system32\sulgntfy.dll
Successfully Deleted: C:\WINDOWS\system32\sulgntfy.dll
deleting: C:\WINDOWS\system32\sulgntfy.dll
Successfully Deleted: C:\WINDOWS\system32\sulgntfy.dll
deleting: C:\WINDOWS\system32\bRsesrv.dll
Successfully Deleted: C:\WINDOWS\system32\bRsesrv.dll
deleting: C:\WINDOWS\system32\bRsesrv.dll
Successfully Deleted: C:\WINDOWS\system32\bRsesrv.dll
deleting: C:\WINDOWS\system32\mord3x40.dll
Successfully Deleted: C:\WINDOWS\system32\mord3x40.dll
deleting: C:\WINDOWS\system32\mord3x40.dll
Successfully Deleted: C:\WINDOWS\system32\mord3x40.dll
deleting: C:\WINDOWS\system32\KSRNEL32.DLL
Successfully Deleted: C:\WINDOWS\system32\KSRNEL32.DLL
deleting: C:\WINDOWS\system32\KSRNEL32.DLL
Successfully Deleted: C:\WINDOWS\system32\KSRNEL32.DLL
deleting: C:\WINDOWS\system32\bPtmeter.dll
Successfully Deleted: C:\WINDOWS\system32\bPtmeter.dll
deleting: C:\WINDOWS\system32\bPtmeter.dll
Successfully Deleted: C:\WINDOWS\system32\bPtmeter.dll
deleting: C:\WINDOWS\system32\mziqtz32.dll
Successfully Deleted: C:\WINDOWS\system32\mziqtz32.dll
deleting: C:\WINDOWS\system32\mziqtz32.dll
Successfully Deleted: C:\WINDOWS\system32\mziqtz32.dll
deleting: C:\WINDOWS\system32\mthcp.dll
Successfully Deleted: C:\WINDOWS\system32\mthcp.dll
deleting: C:\WINDOWS\system32\mthcp.dll
Successfully Deleted: C:\WINDOWS\system32\mthcp.dll
deleting: C:\WINDOWS\system32\cHtsrv.dll
Successfully Deleted: C:\WINDOWS\system32\cHtsrv.dll
deleting: C:\WINDOWS\system32\cHtsrv.dll
Successfully Deleted: C:\WINDOWS\system32\cHtsrv.dll
deleting: C:\WINDOWS\system32\pocCllct.dll
Successfully Deleted: C:\WINDOWS\system32\pocCllct.dll
deleting: C:\WINDOWS\system32\pocCllct.dll
Successfully Deleted: C:\WINDOWS\system32\pocCllct.dll
deleting: C:\WINDOWS\system32\pdParse.dll
Successfully Deleted: C:\WINDOWS\system32\pdParse.dll
deleting: C:\WINDOWS\system32\pdParse.dll
Successfully Deleted: C:\WINDOWS\system32\pdParse.dll
deleting: C:\WINDOWS\system32\mcdtctm.dll
Successfully Deleted: C:\WINDOWS\system32\mcdtctm.dll
deleting: C:\WINDOWS\system32\mcdtctm.dll
Successfully Deleted: C:\WINDOWS\system32\mcdtctm.dll
deleting: C:\WINDOWS\system32\rVsauto.dll
Successfully Deleted: C:\WINDOWS\system32\rVsauto.dll
deleting: C:\WINDOWS\system32\rVsauto.dll
Successfully Deleted: C:\WINDOWS\system32\rVsauto.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: CXMDLG32.DLL (deflated 48%)
adding: duprov.dll (deflated 48%)
adding: uyildll.dll (deflated 48%)
adding: vmsde.dll (deflated 48%)
adding: mgports.dll (deflated 48%)
adding: rBstapi.dll (deflated 48%)
adding: idxsap.dll (deflated 48%)
adding: kkdcan.dll (deflated 48%)
adding: iygutil.dll (deflated 48%)
adding: sulgntfy.dll (deflated 48%)
adding: bRsesrv.dll (deflated 48%)
adding: mord3x40.dll (deflated 48%)
adding: KSRNEL32.DLL (deflated 48%)
adding: bPtmeter.dll (deflated 48%)
adding: mziqtz32.dll (deflated 48%)
adding: mthcp.dll (deflated 48%)
adding: cHtsrv.dll (deflated 48%)
adding: pocCllct.dll (deflated 48%)
adding: pdParse.dll (deflated 48%)
adding: mcdtctm.dll (deflated 48%)
adding: rVsauto.dll (deflated 48%)
adding: guard.tmp (deflated 48%)
adding: echo.reg (deflated 10%)
adding: clear.reg (deflated 37%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 63%)
adding: lo2.txt (deflated 88%)
adding: test2.txt (deflated 16%)
adding: test3.txt (deflated 16%)
adding: test5.txt (deflated 16%)
adding: test.txt (deflated 88%)
adding: xfind.txt (deflated 85%)
adding: backregs/shell.reg (deflated 73%)
adding: backregs/718BA9C4-63FE-456A-9EA6-BBD6B0205B2E.reg (deflated 70%)
adding: backregs/C7BC6381-AEF1-4D23-B5A2-4633E7D6EA18.reg (deflated 69%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

deleting local copy: CXMDLG32.DLL
deleting local copy: CXMDLG32.DLL
deleting local copy: duprov.dll
deleting local copy: duprov.dll
deleting local copy: uyildll.dll
deleting local copy: uyildll.dll
deleting local copy: vmsde.dll
deleting local copy: vmsde.dll
deleting local copy: mgports.dll
deleting local copy: mgports.dll
deleting local copy: rBstapi.dll
deleting local copy: rBstapi.dll
deleting local copy: idxsap.dll
deleting local copy: idxsap.dll
deleting local copy: kkdcan.dll
deleting local copy: kkdcan.dll
deleting local copy: iygutil.dll
deleting local copy: iygutil.dll
deleting local copy: sulgntfy.dll
deleting local copy: sulgntfy.dll
deleting local copy: bRsesrv.dll
deleting local copy: bRsesrv.dll
deleting local copy: mord3x40.dll
deleting local copy: mord3x40.dll
deleting local copy: KSRNEL32.DLL
deleting local copy: KSRNEL32.DLL
deleting local copy: bPtmeter.dll
deleting local copy: bPtmeter.dll
deleting local copy: mziqtz32.dll
deleting local copy: mziqtz32.dll
deleting local copy: mthcp.dll
deleting local copy: mthcp.dll
deleting local copy: cHtsrv.dll
deleting local copy: cHtsrv.dll
deleting local copy: pocCllct.dll
deleting local copy: pocCllct.dll
deleting local copy: pdParse.dll
deleting local copy: pdParse.dll
deleting local copy: mcdtctm.dll
deleting local copy: mcdtctm.dll
deleting local copy: rVsauto.dll
deleting local copy: rVsauto.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\CXMDLG32.DLL
C:\WINDOWS\system32\CXMDLG32.DLL
C:\WINDOWS\system32\duprov.dll
C:\WINDOWS\system32\duprov.dll
C:\WINDOWS\system32\uyildll.dll
C:\WINDOWS\system32\uyildll.dll
C:\WINDOWS\system32\vmsde.dll
C:\WINDOWS\system32\vmsde.dll
C:\WINDOWS\system32\mgports.dll
C:\WINDOWS\system32\mgports.dll
C:\WINDOWS\system32\rBstapi.dll
C:\WINDOWS\system32\rBstapi.dll
C:\WINDOWS\system32\idxsap.dll
C:\WINDOWS\system32\idxsap.dll
C:\WINDOWS\system32\kkdcan.dll
C:\WINDOWS\system32\kkdcan.dll
C:\WINDOWS\system32\iygutil.dll
C:\WINDOWS\system32\iygutil.dll
C:\WINDOWS\system32\sulgntfy.dll
C:\WINDOWS\system32\sulgntfy.dll
C:\WINDOWS\system32\bRsesrv.dll
C:\WINDOWS\system32\bRsesrv.dll
C:\WINDOWS\system32\mord3x40.dll
C:\WINDOWS\system32\mord3x40.dll
C:\WINDOWS\system32\KSRNEL32.DLL
C:\WINDOWS\system32\KSRNEL32.DLL
C:\WINDOWS\system32\bPtmeter.dll
C:\WINDOWS\system32\bPtmeter.dll
C:\WINDOWS\system32\mziqtz32.dll
C:\WINDOWS\system32\mziqtz32.dll
C:\WINDOWS\system32\mthcp.dll
C:\WINDOWS\system32\mthcp.dll
C:\WINDOWS\system32\cHtsrv.dll
C:\WINDOWS\system32\cHtsrv.dll
C:\WINDOWS\system32\pocCllct.dll
C:\WINDOWS\system32\pocCllct.dll
C:\WINDOWS\system32\pdParse.dll
C:\WINDOWS\system32\pdParse.dll
C:\WINDOWS\system32\mcdtctm.dll
C:\WINDOWS\system32\mcdtctm.dll
C:\WINDOWS\system32\rVsauto.dll
C:\WINDOWS\system32\rVsauto.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{718BA9C4-63FE-456A-9EA6-BBD6B0205B2E}"=-
"{C7BC6381-AEF1-4D23-B5A2-4633E7D6EA18}"=-
[-HKEY_CLASSES_ROOT\CLSID\{718BA9C4-63FE-456A-9EA6-BBD6B0205B2E}]
[-HKEY_CLASSES_ROOT\CLSID\{C7BC6381-AEF1-4D23-B5A2-4633E7D6EA18}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
and the new Hijack log...

logfile of HijackThis v1.99.1
Scan saved at 02:23:49, on 11.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Kegelmann\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinFixer 2005] C:\Programme\WinFixer 2005\wfx5.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120716796686
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave...mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://playroom.icq....dyssey_web8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.co...aploader_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by13fd.bay13....ex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Dokumente und Einstellungen\Kegelmann\Lokale Einstellungen\Temporary Internet Files\Content.IE5\FR5JFL8W\CWShredder[1].exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Save CWShredder.exe somewhere else besides the TEMP folder - we will be deleting all the files in that folder shortly.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Make sure Spybot's TeaTimer program is closed/disabled during this fix.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinFixer 2005] C:\Programme\WinFixer 2005\wfx5.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O23 - Service: CWShredder Service - Unknown owner - C:\Dokumente und Einstellungen\Kegelmann\Lokale Einstellungen\Temporary Internet Files\Content.IE5\FR5JFL8W\CWShredder[1].exe (file missing)


Locate and delete the following:

C:\Programme\WinFixer 2005\

Restart your computer. Run L2MFix and choose #4 winlogon. Post that log here along with the Ewido log and a new HijackThis log.
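The HijackThis entries this post tells the user to fix share a few recognisable patterns: a leftover Start Page_bak value, a missing URLSearchHook, a Run entry for a rogue product, O16 ActiveX downloads with no real description, and a service whose binary is missing or lives under Temporary Internet Files. As an added example that is not part of this thread and not HijackThis code, the Python below parses HijackThis 1.99.1 log lines and flags exactly those patterns; the sample lines are copied from the log posted earlier, and the rogue-name watch-list, the "generic description" rule and the temp-folder markers are assumptions of the example.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
# HijackThis truncates long URLs with "..." itself, so they stay truncated here.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinFixer 2005] C:\Programme\WinFixer 2005\wfx5.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120716796686
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O23 - Service: CWShredder Service - Unknown owner - C:\Dokumente und Einstellungen\Kegelmann\Lokale Einstellungen\Temporary Internet Files\Content.IE5\FR5JFL8W\CWShredder[1].exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

# Every HijackThis entry starts with its section code (R1, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")

# Assumed watch-list of rogue product names; this thread only deals with WinFixer.
ROGUE_RUN_KEYWORDS = ("winfixer",)
# Assumed: HijackThis prints no description, or just "ActiveX Control", when the
# downloaded control does not announce a proper class name.
GENERIC_DPF_DESCRIPTIONS = {None, "ActiveX Control"}
# Assumed markers for services that run out of a temporary folder.
TEMP_PATH_MARKERS = ("temporary internet files", "\\temp\\", "\\local settings\\temp")


def check_r1(body):
    """Start Page_bak is the backup a hijacker leaves behind when it swaps the home page."""
    if "Start Page_bak" in body or body.endswith("= about:blank"):
        return "leftover start-page backup value"
    return None


def check_r3(body):
    if "URLSearchHook is missing" in body:
        return "default URLSearchHook removed"
    return None


def check_o4(body):
    # Shape: HKLM\..\Run: [Name] C:\path\program.exe args
    m = re.match(r"(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)", body)
    if not m:
        return None
    text = (m.group("name") + " " + m.group("cmd")).lower()
    if any(keyword in text for keyword in ROGUE_RUN_KEYWORDS):
        return "autorun for rogue product: " + m.group("name")
    return None


def check_o16(body):
    # Shape: DPF: {CLSID} (Description) - URL   or   DPF: {CLSID} - URL
    m = re.match(r"DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)", body)
    if not m:
        return None
    if m.group("desc") in GENERIC_DPF_DESCRIPTIONS:
        return "unnamed ActiveX download from " + m.group("url")
    return None


def check_o23(body):
    # Shape: Service: Name - Owner - C:\path\binary.exe [(file missing)]
    lower = body.lower()
    if lower.endswith("(file missing)"):
        return "service binary missing"
    if any(marker in lower for marker in TEMP_PATH_MARKERS):
        return "service binary runs from a temporary folder"
    return None


CHECKS = {"R1": check_r1, "R3": check_r3, "O4": check_o4, "O16": check_o16, "O23": check_o23}


def triage(log_text):
    """Return (kind, reason, line) for every entry that matches one of the patterns above."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("kind"))
        if check is None:
            continue
        reason = check(m.group("body"))
        if reason:
            findings.append((m.group("kind"), reason, line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason}\n     {line}")
```

On the sample above the six flagged lines are the same six entries the post asks the user to fix; the benign Acer home page, SoundMan, Windows Update control and ZoneAlarm service pass.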

#7 kaikegelmann (Topic Starter, New Member, 7 posts)

Hello, thanks for your help and sorry for taking so long; I was gone for the last few days and not able to access the computer. But I followed your instructions and here are the logs:

1) Ewido log:

--------------------------------------------------------
ewido security suite - Scan Report
---------------------------------------------------------

+ Erstellt am: 13:13:41, 15.08.2005
+ Report-Checksumme: 5E6EF50

+ Scanergebnis:

C:\WINDOWS\system32\drivers\df_kmd.sys -> Trojan.Rootkit.Agent.af : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Kegelmann\Desktop\l2mfix\backup.zip/CXMDLG32.DLL -> Spyware.Look2Me : Fehler beim Säubern
C:\Dokumente und Einstellungen\Kegelmann\Desktop\l2mfix\backup.zip/duprov.dll -> Spyware.Look2Me : Fehler beim Säubern
C:\Dokumente und Einstellungen\Kegelmann\Desktop\l2mfix\backup.zip/rVsauto.dll -> Spyware.Look2Me : Fehler beim Säubern
C:\Dokumente und Einstellungen\Kegelmann\Desktop\l2mfix\backup.zip/guard.tmp -> Spyware.Look2Me : Fehler beim Säubern
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP304\A0036906.sys -> Trojan.Rootkit.Agent.af : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037253.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037254.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037255.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037256.DLL -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037257.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037258.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037259.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037260.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037261.exe -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037262.exe -> Spyware.NewDotNet : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037263.exe -> Spyware.NewDotNet : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037272.dll -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037278.DLL -> Spyware.Look2Me : Gesäubert mit Backup
C:\System Volume Information\_restore{37A12002-B956-453E-9E64-6128807EC8E5}\RP316\A0037279.dll -> Spyware.Look2Me : Gesäubert mit Backup


::Report Ende


2) L2Mfix log:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


3) Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 16:37:43, on 15.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Dokumente und Einstellungen\Kegelmann\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120716796686
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave...mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://playroom.icq....dyssey_web8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.co...aploader_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by13fd.bay13....ex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe



Thanks again
  • 0
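A small checker for the kind of Winlogon\Notify export posted above (L2MFix option #4), added here as an example and not part of the thread or of L2MFix itself: it decodes the hex(2) DllName values, maps every Notify subkey to its DLL, and flags any package whose DLL is not a standard Windows component, which is how a Look2Me-style Notify DLL stands out in such a log. The allow-list and the sample export (including the rogue entry) are constructed for the example.

```python
import ntpath
import re

# Constructed allow-list: the Notify DLLs in the export above are all stock XP components.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

# Constructed excerpt in the format L2MFix's "winlogon" option exports: the
# first two entries mirror the log above, the third is a made-up rogue package.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_rogue]
"DllName"="C:\\WINDOWS\\system32\\example_rogue.dll"
'''

def decode_hex2(value: str) -> str:
    """Decode a .reg hex(2) value (REG_EXPAND_SZ stored as UTF-16LE bytes)."""
    raw = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", value))
    return raw.decode("utf-16-le").rstrip("\x00")

def parse_notify_export(text: str) -> dict:
    """Map every Winlogon\\Notify subkey in a .reg export to its DLL basename."""
    text = re.sub(r",\\\r?\n\s*", ",", text)      # join hex line continuations
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]", line, re.I)
        if key:
            current = key.group(1)
            entries[current] = ""
            continue
        val = re.match(r'"DllName"=(.*)$', line, re.I)
        if val and current is not None:
            raw = val.group(1)
            if raw.lower().startswith("hex(2):"):
                dll = decode_hex2(raw[len("hex(2):"):])
            else:                                   # plain quoted REG_SZ
                dll = raw.strip('"').replace("\\\\", "\\")
            entries[current] = ntpath.basename(dll).lower()
    return entries

def suspicious_notify_entries(text: str, known=KNOWN_NOTIFY_DLLS) -> dict:
    """Return the Notify subkeys whose DLL is not on the allow-list."""
    return {k: v for k, v in parse_notify_export(text).items() if v not in known}
```

Run it over a real export and review every flagged entry by hand; an unfamiliar DLL under Notify is loaded by winlogon.exe at logon, which is why these tools look there first.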

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Delete this file:

C:\Dokumente und Einstellungen\Kegelmann\Desktop\l2mfix\backup.zip


Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#9
kaikegelmann

kaikegelmann

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks a lot, it looks pretty clean... you are amazing... :) :tazz:

Should I keep all the programs, like Ewido, Spybot, TrojanHunter and CleanUp, or can I uninstall them?

And one thing... in my Internet Explorer browser the bottom bar is missing, the one that tells you if you are in secure zones and the loading of the page... it's gone and you might know how to get it back... :)

I think that's it for now... I will try everything to see if my Windows is the same as it was before...

Thanks a lot to you and the whole staff... good job
  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
You may keep Ewido if you like since it's compatible with Norton, but it's not required - uninstall if you wish. Spybot is a good antispyware program to keep. So check it for updates and run a scan weekly or bi-weekly.

Trojan Hunter can be uninstalled if you don't want to buy it. CleanUp is good for everyday use since it helps delete a lot of junk from your temp folders.

I think I know what you are referring to. Go to Internet Explorer->View and make sure Status Bar is checked.

Any other problems/questions before I close this topic?
  • 0

#11
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
