Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Oh man, do I need help.. [RESOLVED]

Started by Mick_Wood , Aug 14 2005 06:04 PM

This topic is locked

#1
Mick_Wood

Posted 14 August 2005 - 06:04 PM

Member

Member
10 posts

Hey guys,

FInally overcame my fear of asking for help, and I am desperate here, as my business launches in two weeks and my computer is central to it. Here are my problems:

I am getting a blue screen of death that tells me its a fatal system error. Next time it happens I will write down the exact string, but it goes something like:
c21000000a0 or something to that effect.
Also have the AUNps2.dll missing box when I start up, and I have this annoying flashing icon of a yellow triangle with an exclamation point in the middle of it down on my icons at bottom right. I am constantly bombarded with pop ups, and am using eacceleration's stop sign anti-virus programs, with ad-aware also.
Here is my logfile from hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 4:48:30 PM, on 8/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ACCELE~1\SCRIPT~1\scan.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\msole32.exe
C:\Program Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe
C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\lanbrup.exe
C:\WINDOWS\agwyenc.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Common Files\eAcceleration\eanthology.exe
C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\wecssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\hijack\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\idmctjhg.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nshFF.dll
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dpkspd.exe reg_run
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [agwyenc] C:\WINDOWS\agwyenc.EXE
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mwp4RgYth] mgmmmgr.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\accele~1\velozd~1\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\accele~1\velozd~1\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\accele~1\velozd~1\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\accele~1\velozd~1\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\accele~1\velozd~1\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\accele~1\velozd~1\asiclayer.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.reds...ller/rssoft.cab
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\dNdxof.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FWService - Acceleration Software International Corporation - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\wecssvc.exe
O23 - Service: Network Security Service (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\apprp32.exe (file missing)

Ok...anyone out there want to tackle this? I am a computer amatuer, but I am willing to give this a go if you are.

Thanks in advance,

Michael

#2
Excal

Posted 14 August 2005 - 06:18 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi Michael and welcome to GeeksToGo! My name is Excal and I will be helping you.

Yikes where do we start....wow. Nice collection here.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

1. Please download LSPFix from here.
2. Run the LSPFix.exe that you have just finished downloading.
3. Check the I know what I'm doing box.
4. In the Keep box you should see one or more instances of asiclayer.dll
5. Select every instance of asiclayer.dll and move each one to the Remove box by clicking the >> button.
6. When you are done click Finish>>.
7. Reboot and please post a fresh HiJackThis log..

Thanks,

:tazz:

Excal

#3
Mick_Wood

Posted 14 August 2005 - 08:15 PM

Member

Topic Starter
Member
10 posts

Hello Excal, and thank you for your help. Ok, I've taken some pain killers to help the process along. Reading everyone else's posts is really scary, but here goes:

Followed your instructions..

New Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:10 PM, on 8/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe
C:\WINDOWS\wecssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\Userinit.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ACCELE~1\SCRIPT~1\scan.exe
C:\WINDOWS\System32\msole32.exe
C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe
C:\WINDOWS\System32\lanbrup.exe
C:\WINDOWS\agwyenc.EXE
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Common Files\eAcceleration\eanthology.exe
C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet

Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} -

C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} -

C:\WINDOWS\System32\idmctjhg.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -

C:\WINDOWS\System32\nshFF.dll
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration

Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dpkspd.exe reg_run
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [agwyenc] C:\WINDOWS\agwyenc.EXE
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration

Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration

Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common

Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mwp4RgYth] mgmmmgr.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft

Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} -

C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} -

C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} -

C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} -

C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} -

http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} -

http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -

http://online.comcast.net/help/ (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -

C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}

- C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) -

http://www.creative....119/CTSUEng.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

http://ak.imgfarm.co...itialSetup1.0.0

.8-2.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) -

http://musicstore.co...ALStreaming.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) -

http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -

http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -

http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) -

http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate

Support Package) - http://www.creative....12119/CTPID.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -

http://download.reds...ller/rssoft.cab
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\dNdxof.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o -

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FWService - Acceleration Software International Corporation - C:\Program

Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\wecssvc.exe
O23 - Service: Network Security Service (%AFå¤¶À¨) - Unknown owner -

C:\WINDOWS\apprp32.exe (file missing)

Thanks again and also thanks for the compliment on my nice collection of..whatever it is I have. :tazz:

#4
Excal

Posted 14 August 2005 - 09:35 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

You may have the latest version of VX2. Download L2mfix from one of these two locations:

One
Two
Save the file to your desktop and double click l2mfix.exe.
Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Note; if you recieve any error messages for CMD or Autoexec.bat>> select option 5 from the l2mfix and once at the site, click on the link that apply to your operating system!
Double-click the file it downloads and extract the files to its predetermined System32 folder!

Then post a HijackThis log (not attach) together with the log of the L2Mfix

#5
Mick_Wood

Posted 14 August 2005 - 09:52 PM

Member

Topic Starter
Member
10 posts

Ok...ran the task, and here is my log with the new hijack this log also.

L2MFIX find log 1.03b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dNdxof.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2826A5E1-5215-6297-5F38-351BC8FE51B1}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B1D7A1AB-0304-4FA5-BE04-69297229935B}"=""
"{F76BF92A-0B0C-401E-BDBB-BB4241834FB4}"=""
"{2E59905D-8939-4FC9-9610-CD322B899A31}"=""
"{0E9456D6-86E7-4ECA-961B-7A6D404A10D6}"=""
"{AF6DDE31-4CF1-4302-ACBE-E83F3FA07EEF}"=""
"{BB83FD23-AC96-472D-8AA2-7D8560A61D1A}"="StopSignRCS"
"{46D570D9-71C8-44E5-A76C-AADFE94442CA}"="defscan"
"{F1461E36-66D5-4D36-A388-F426BEF5FA5F}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B1D7A1AB-0304-4FA5-BE04-69297229935B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B1D7A1AB-0304-4FA5-BE04-69297229935B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B1D7A1AB-0304-4FA5-BE04-69297229935B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B1D7A1AB-0304-4FA5-BE04-69297229935B}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F76BF92A-0B0C-401E-BDBB-BB4241834FB4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F76BF92A-0B0C-401E-BDBB-BB4241834FB4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F76BF92A-0B0C-401E-BDBB-BB4241834FB4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F76BF92A-0B0C-401E-BDBB-BB4241834FB4}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcawt.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2E59905D-8939-4FC9-9610-CD322B899A31}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2E59905D-8939-4FC9-9610-CD322B899A31}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2E59905D-8939-4FC9-9610-CD322B899A31}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2E59905D-8939-4FC9-9610-CD322B899A31}\InprocServer32]
@="C:\\WINDOWS\\system32\\xrob2res.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0E9456D6-86E7-4ECA-961B-7A6D404A10D6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0E9456D6-86E7-4ECA-961B-7A6D404A10D6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0E9456D6-86E7-4ECA-961B-7A6D404A10D6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0E9456D6-86E7-4ECA-961B-7A6D404A10D6}\InprocServer32]
@="C:\\WINDOWS\\system32\\qldit.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AF6DDE31-4CF1-4302-ACBE-E83F3FA07EEF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AF6DDE31-4CF1-4302-ACBE-E83F3FA07EEF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AF6DDE31-4CF1-4302-ACBE-E83F3FA07EEF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AF6DDE31-4CF1-4302-ACBE-E83F3FA07EEF}\InprocServer32]
@="C:\\WINDOWS\\system32\\rrched20(2).dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F1461E36-66D5-4D36-A388-F426BEF5FA5F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1461E36-66D5-4D36-A388-F426BEF5FA5F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1461E36-66D5-4D36-A388-F426BEF5FA5F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1461E36-66D5-4D36-A388-F426BEF5FA5F}\InprocServer32]
@="C:\\WINDOWS\\system32\\wkninet(3).dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is F007-E2BE

Directory of C:\WINDOWS\System32

08/14/2005 07:08 PM 417,792 rrched20(2).dll
08/14/2005 03:11 AM 417,792 wkninet(3).dll
08/11/2005 12:04 PM 417,792 medrv.dll
08/10/2005 01:48 PM 417,792 qldit.dll
08/10/2005 10:02 AM 417,792 xrob2res.dll
08/04/2005 01:14 PM 417,792 swell.dll
08/02/2005 05:50 PM 417,792 cuyptdll.dll
08/01/2005 05:02 PM 417,792 morapi.dll
08/01/2005 03:31 PM 417,792 mcawt.dll
07/22/2005 11:53 AM <DIR> dllcache
07/21/2005 04:59 PM 417,792 dUd9.dll
07/21/2005 04:59 PM 417,792 dNdxof.dll
07/21/2005 03:58 PM 417,792 wlnbrand.dll
07/21/2005 03:58 PM 417,792 wtavideo.dll
07/21/2005 02:30 PM 417,792 wedconns.dll
07/21/2005 02:30 PM 417,792 wukex.dll
07/13/2005 05:55 PM 417,792 guard.tmp
07/13/2005 01:02 PM 401,408 ?ttrib.exe
04/09/2005 02:21 PM 1,682 KGyGaAvL.sys
04/09/2005 02:21 PM 56 EF987662A0.sys
02/23/2005 04:32 PM 3,567 dmodg.log
02/18/2005 05:24 AM 7,471 kkqns.txt
02/17/2005 09:12 PM 3,567 lkpac.dat
02/16/2005 04:48 PM 3,567 jucyp.txt
02/14/2005 07:16 AM 3,567 nkonw.txt
02/13/2005 06:42 PM 3,567 lqstf.dat
02/12/2005 07:52 PM 3,567 gkaxx.dat
02/12/2005 05:39 PM 7,471 gcbyz.txt
02/12/2005 12:14 AM 3,567 qwerv.txt
02/11/2005 11:34 PM 7,471 stlkk.dat
02/11/2005 08:02 PM 3,567 zbtwf.log
02/11/2005 04:31 PM 7,471 qmuwo.txt
02/11/2005 01:17 AM 3,567 juqhs.txt
02/10/2005 12:17 PM 3,567 nsqqr.log
02/10/2005 12:17 PM 7,471 crfxd.dat
02/05/2005 07:07 PM 7,471 agrny.dat
02/05/2005 12:31 PM 7,471 niwku.log
02/02/2005 12:04 AM 7,471 nfajw.log
02/01/2005 11:43 PM 3,567 fgspq.txt
02/01/2005 08:37 PM 3,567 fyysj.log
01/30/2005 07:52 AM 7,471 dvxkh.log
01/27/2005 03:12 PM 475 lpxzauqm.dll
01/27/2005 09:54 AM 3,567 jmmbq.dat
01/21/2005 06:08 PM 7,471 lrsmf.txt
01/21/2005 08:17 AM 7,471 rsopd.dat
01/21/2005 05:54 AM 3,567 fihxw.log
01/18/2005 01:09 PM 64,000 zvzxa.dll
01/17/2005 10:59 PM 3,567 utjig.dat
01/17/2005 01:41 AM 7,471 afase.dat
12/16/2004 03:06 PM 4,402 kxrrp.log
06/21/2004 01:38 PM <DIR> Microsoft
49 File(s) 7,299,852 bytes
2 Dir(s) 97,754,263,552 bytes free

Logfile of HijackThis v1.99.1
Scan saved at 8:48:09 PM, on 8/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe
C:\WINDOWS\wecssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ACCELE~1\SCRIPT~1\scan.exe
C:\WINDOWS\System32\msole32.exe
C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe
C:\WINDOWS\System32\lanbrup.exe
C:\WINDOWS\agwyenc.EXE
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Common Files\eAcceleration\eanthology.exe
C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet

Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} -

C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} -

C:\WINDOWS\System32\idmctjhg.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -

C:\WINDOWS\System32\nshFF.dll
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration

Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dpkspd.exe reg_run
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [agwyenc] C:\WINDOWS\agwyenc.EXE
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration

Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration

Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common

Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mwp4RgYth] mgmmmgr.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft

Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} -

C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} -

C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} -

C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} -

C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} -

http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} -

http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -

http://online.comcast.net/help/ (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -

C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}

- C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) -

http://www.creative....119/CTSUEng.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

http://ak.imgfarm.co...itialSetup1.0.0

.8-2.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) -

http://musicstore.co...ALStreaming.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) -

http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -

http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -

http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) -

http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate

Support Package) - http://www.creative....12119/CTPID.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -

http://download.reds...ller/rssoft.cab
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\dNdxof.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o -

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FWService - Acceleration Software International Corporation - C:\Program

Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\wecssvc.exe
O23 - Service: Network Security Service (%AFå¤¶À¨) - Unknown owner -

C:\WINDOWS\apprp32.exe (file missing)

As per every new post, thank you for the great help Excal.

#6
Excal

Posted 15 August 2005 - 07:01 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter
Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.
Copy the contents of log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

#7
Mick_Wood

Posted 15 August 2005 - 11:35 AM

Member

Topic Starter
Member
10 posts

Ok, steps completed, and here are the files:

L2Mfix 1.03b

Running From:
C:\Documents and Settings\Michael Wood\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Michael Wood\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Michael Wood\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 160 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 292 'rundll32.exe'
Killing PID 448 'rundll32.exe'
Killing PID 480 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\alstream.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\alstream.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cuyptdll.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cuyptdll.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dcauth.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dcauth.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dNdxof.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dNdxof.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dUd9.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dUd9.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mcawt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mcawt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\medrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\medrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\morapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\morapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qldit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qldit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sfi_ci.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sfi_ci.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spripto.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spripto.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swell.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swell.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wedconns.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wedconns.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wkninet(3).dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wkninet(3).dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlnbrand.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlnbrand.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtavideo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtavideo.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wukex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wukex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\xrob2res.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\xrob2res.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\alstream.dll
Successfully Deleted: C:\WINDOWS\system32\alstream.dll
deleting: C:\WINDOWS\system32\alstream.dll
Successfully Deleted: C:\WINDOWS\system32\alstream.dll
deleting: C:\WINDOWS\system32\cuyptdll.dll
Successfully Deleted: C:\WINDOWS\system32\cuyptdll.dll
deleting: C:\WINDOWS\system32\cuyptdll.dll
Successfully Deleted: C:\WINDOWS\system32\cuyptdll.dll
deleting: C:\WINDOWS\system32\dcauth.dll
Successfully Deleted: C:\WINDOWS\system32\dcauth.dll
deleting: C:\WINDOWS\system32\dcauth.dll
Successfully Deleted: C:\WINDOWS\system32\dcauth.dll
deleting: C:\WINDOWS\system32\dNdxof.dll
Successfully Deleted: C:\WINDOWS\system32\dNdxof.dll
deleting: C:\WINDOWS\system32\dNdxof.dll
Successfully Deleted: C:\WINDOWS\system32\dNdxof.dll
deleting: C:\WINDOWS\system32\dUd9.dll
Successfully Deleted: C:\WINDOWS\system32\dUd9.dll
deleting: C:\WINDOWS\system32\dUd9.dll
Successfully Deleted: C:\WINDOWS\system32\dUd9.dll
deleting: C:\WINDOWS\system32\mcawt.dll
Successfully Deleted: C:\WINDOWS\system32\mcawt.dll
deleting: C:\WINDOWS\system32\mcawt.dll
Successfully Deleted: C:\WINDOWS\system32\mcawt.dll
deleting: C:\WINDOWS\system32\medrv.dll
Successfully Deleted: C:\WINDOWS\system32\medrv.dll
deleting: C:\WINDOWS\system32\medrv.dll
Successfully Deleted: C:\WINDOWS\system32\medrv.dll
deleting: C:\WINDOWS\system32\morapi.dll
Successfully Deleted: C:\WINDOWS\system32\morapi.dll
deleting: C:\WINDOWS\system32\morapi.dll
Successfully Deleted: C:\WINDOWS\system32\morapi.dll
deleting: C:\WINDOWS\system32\qldit.dll
Successfully Deleted: C:\WINDOWS\system32\qldit.dll
deleting: C:\WINDOWS\system32\qldit.dll
Successfully Deleted: C:\WINDOWS\system32\qldit.dll
deleting: C:\WINDOWS\system32\sfi_ci.dll
Successfully Deleted: C:\WINDOWS\system32\sfi_ci.dll
deleting: C:\WINDOWS\system32\sfi_ci.dll
Successfully Deleted: C:\WINDOWS\system32\sfi_ci.dll
deleting: C:\WINDOWS\system32\spripto.dll
Successfully Deleted: C:\WINDOWS\system32\spripto.dll
deleting: C:\WINDOWS\system32\spripto.dll
Successfully Deleted: C:\WINDOWS\system32\spripto.dll
deleting: C:\WINDOWS\system32\swell.dll
Successfully Deleted: C:\WINDOWS\system32\swell.dll
deleting: C:\WINDOWS\system32\swell.dll
Successfully Deleted: C:\WINDOWS\system32\swell.dll
deleting: C:\WINDOWS\system32\wedconns.dll
Successfully Deleted: C:\WINDOWS\system32\wedconns.dll
deleting: C:\WINDOWS\system32\wedconns.dll
Successfully Deleted: C:\WINDOWS\system32\wedconns.dll
deleting: C:\WINDOWS\system32\wkninet(3).dll
Successfully Deleted: C:\WINDOWS\system32\wkninet(3).dll
deleting: C:\WINDOWS\system32\wkninet(3).dll
Successfully Deleted: C:\WINDOWS\system32\wkninet(3).dll
deleting: C:\WINDOWS\system32\wlnbrand.dll
Successfully Deleted: C:\WINDOWS\system32\wlnbrand.dll
deleting: C:\WINDOWS\system32\wlnbrand.dll
Successfully Deleted: C:\WINDOWS\system32\wlnbrand.dll
deleting: C:\WINDOWS\system32\wtavideo.dll
Successfully Deleted: C:\WINDOWS\system32\wtavideo.dll
deleting: C:\WINDOWS\system32\wtavideo.dll
Successfully Deleted: C:\WINDOWS\system32\wtavideo.dll
deleting: C:\WINDOWS\system32\wukex.dll
Successfully Deleted: C:\WINDOWS\system32\wukex.dll
deleting: C:\WINDOWS\system32\wukex.dll
Successfully Deleted: C:\WINDOWS\system32\wukex.dll
deleting: C:\WINDOWS\system32\xrob2res.dll
Successfully Deleted: C:\WINDOWS\system32\xrob2res.dll
deleting: C:\WINDOWS\system32\xrob2res.dll
Successfully Deleted: C:\WINDOWS\system32\xrob2res.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Zipping up files for submission:
adding: alstream.dll (140 bytes security) (deflated 48%)
adding: cuyptdll.dll (140 bytes security) (deflated 48%)
adding: dcauth.dll (140 bytes security) (deflated 48%)
adding: dNdxof.dll (140 bytes security) (deflated 48%)
adding: dUd9.dll (140 bytes security) (deflated 48%)
adding: mcawt.dll (140 bytes security) (deflated 48%)
adding: medrv.dll (140 bytes security) (deflated 48%)
adding: morapi.dll (140 bytes security) (deflated 48%)
adding: qldit.dll (140 bytes security) (deflated 48%)
adding: sfi_ci.dll (140 bytes security) (deflated 48%)
adding: spripto.dll (140 bytes security) (deflated 48%)
adding: swell.dll (140 bytes security) (deflated 48%)
adding: wedconns.dll (140 bytes security) (deflated 48%)
adding: wkninet(3).dll (140 bytes security) (deflated 48%)
adding: wlnbrand.dll (140 bytes security) (deflated 48%)
adding: wtavideo.dll (140 bytes security) (deflated 48%)
adding: wukex.dll (140 bytes security) (deflated 48%)
adding: xrob2res.dll (140 bytes security) (deflated 48%)
adding: guard.tmp (140 bytes security) (deflated 48%)
adding: clear.reg (140 bytes security) (deflated 58%)
adding: echo.reg (140 bytes security) (deflated 10%)
adding: direct.txt (140 bytes security) (stored 0%)
adding: lo2.txt (140 bytes security) (deflated 88%)
adding: readme.txt (140 bytes security) (deflated 50%)
adding: report.txt (140 bytes security) (deflated 68%)
adding: test.txt (140 bytes security) (deflated 89%)
adding: test2.txt (140 bytes security) (deflated 39%)
adding: test3.txt (140 bytes security) (deflated 39%)
adding: test5.txt (140 bytes security) (deflated 39%)
adding: xfind.txt (140 bytes security) (deflated 86%)
adding: backregs/0E9456D6-86E7-4ECA-961B-7A6D404A10D6.reg (140 bytes security)

(deflated 70%)
adding: backregs/2E59905D-8939-4FC9-9610-CD322B899A31.reg (140 bytes security)

(deflated 70%)
adding: backregs/AF6DDE31-4CF1-4302-ACBE-E83F3FA07EEF.reg (140 bytes security)

(deflated 70%)
adding: backregs/B1D7A1AB-0304-4FA5-BE04-69297229935B.reg (140 bytes security)

(deflated 70%)
adding: backregs/F1461E36-66D5-4D36-A388-F426BEF5FA5F.reg (140 bytes security)

(deflated 70%)
adding: backregs/F76BF92A-0B0C-401E-BDBB-BB4241834FB4.reg (140 bytes security)

(deflated 70%)
adding: backregs/notibac.reg (140 bytes security) (deflated 87%)
adding: backregs/shell.reg (140 bytes security) (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: alstream.dll
deleting local copy: alstream.dll
deleting local copy: cuyptdll.dll
deleting local copy: cuyptdll.dll
deleting local copy: dcauth.dll
deleting local copy: dcauth.dll
deleting local copy: dNdxof.dll
deleting local copy: dNdxof.dll
deleting local copy: dUd9.dll
deleting local copy: dUd9.dll
deleting local copy: mcawt.dll
deleting local copy: mcawt.dll
deleting local copy: medrv.dll
deleting local copy: medrv.dll
deleting local copy: morapi.dll
deleting local copy: morapi.dll
deleting local copy: qldit.dll
deleting local copy: qldit.dll
deleting local copy: sfi_ci.dll
deleting local copy: sfi_ci.dll
deleting local copy: spripto.dll
deleting local copy: spripto.dll
deleting local copy: swell.dll
deleting local copy: swell.dll
deleting local copy: wedconns.dll
deleting local copy: wedconns.dll
deleting local copy: wkninet(3).dll
deleting local copy: wkninet(3).dll
deleting local copy: wlnbrand.dll
deleting local copy: wlnbrand.dll
deleting local copy: wtavideo.dll
deleting local copy: wtavideo.dll
deleting local copy: wukex.dll
deleting local copy: wukex.dll
deleting local copy: xrob2res.dll
deleting local copy: xrob2res.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\alstream.dll
C:\WINDOWS\system32\alstream.dll
C:\WINDOWS\system32\cuyptdll.dll
C:\WINDOWS\system32\cuyptdll.dll
C:\WINDOWS\system32\dcauth.dll
C:\WINDOWS\system32\dcauth.dll
C:\WINDOWS\system32\dNdxof.dll
C:\WINDOWS\system32\dNdxof.dll
C:\WINDOWS\system32\dUd9.dll
C:\WINDOWS\system32\dUd9.dll
C:\WINDOWS\system32\mcawt.dll
C:\WINDOWS\system32\mcawt.dll
C:\WINDOWS\system32\medrv.dll
C:\WINDOWS\system32\medrv.dll
C:\WINDOWS\system32\morapi.dll
C:\WINDOWS\system32\morapi.dll
C:\WINDOWS\system32\qldit.dll
C:\WINDOWS\system32\qldit.dll
C:\WINDOWS\system32\sfi_ci.dll
C:\WINDOWS\system32\sfi_ci.dll
C:\WINDOWS\system32\spripto.dll
C:\WINDOWS\system32\spripto.dll
C:\WINDOWS\system32\swell.dll
C:\WINDOWS\system32\swell.dll
C:\WINDOWS\system32\wedconns.dll
C:\WINDOWS\system32\wedconns.dll
C:\WINDOWS\system32\wkninet(3).dll
C:\WINDOWS\system32\wkninet(3).dll
C:\WINDOWS\system32\wlnbrand.dll
C:\WINDOWS\system32\wlnbrand.dll
C:\WINDOWS\system32\wtavideo.dll
C:\WINDOWS\system32\wtavideo.dll
C:\WINDOWS\system32\wukex.dll
C:\WINDOWS\system32\wukex.dll
C:\WINDOWS\system32\xrob2res.dll
C:\WINDOWS\system32\xrob2res.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell

Extensions\Approved]
"{B1D7A1AB-0304-4FA5-BE04-69297229935B}"=-
"{F76BF92A-0B0C-401E-BDBB-BB4241834FB4}"=-
"{2E59905D-8939-4FC9-9610-CD322B899A31}"=-
"{0E9456D6-86E7-4ECA-961B-7A6D404A10D6}"=-
"{AF6DDE31-4CF1-4302-ACBE-E83F3FA07EEF}"=-
"{F1461E36-66D5-4D36-A388-F426BEF5FA5F}"=-
[-HKEY_CLASSES_ROOT\CLSID\{B1D7A1AB-0304-4FA5-BE04-69297229935B}]
[-HKEY_CLASSES_ROOT\CLSID\{F76BF92A-0B0C-401E-BDBB-BB4241834FB4}]
[-HKEY_CLASSES_ROOT\CLSID\{2E59905D-8939-4FC9-9610-CD322B899A31}]
[-HKEY_CLASSES_ROOT\CLSID\{0E9456D6-86E7-4ECA-961B-7A6D404A10D6}]
[-HKEY_CLASSES_ROOT\CLSID\{AF6DDE31-4CF1-4302-ACBE-E83F3FA07EEF}]
[-HKEY_CLASSES_ROOT\CLSID\{F1461E36-66D5-4D36-A388-F426BEF5FA5F}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 10:33:31 AM, on 8/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\wecssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\msole32.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\agwyenc.EXE
C:\Program Files\Common Files\eAcceleration\eanthology.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet

Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} -

C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} -

C:\WINDOWS\System32\idmctjhg.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -

C:\WINDOWS\System32\nshFF.dll
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration

Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dpkspd.exe reg_run
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [agwyenc] C:\WINDOWS\agwyenc.EXE
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration

Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration

Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common

Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mwp4RgYth] mgmmmgr.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft

Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} -

C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} -

C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} -

C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} -

C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} -

http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} -

http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -

http://online.comcast.net/help/ (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -

C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}

- C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) -

http://www.creative....119/CTSUEng.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

http://ak.imgfarm.co...itialSetup1.0.0

.8-2.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) -

http://musicstore.co...ALStreaming.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) -

http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -

http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -

http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) -

http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate

Support Package) - http://www.creative....12119/CTPID.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -

http://download.reds...ller/rssoft.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o -

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FWService - Unknown owner - C:\Program Files\Acceleration

Software\StopSignProducts\Firewall\FWService.exe (file missing)
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\wecssvc.exe
O23 - Service: Network Security Service (%AFå¤¶À¨) - Unknown owner -

C:\WINDOWS\apprp32.exe (file missing)

Once again, many thanks! :tazz:

#8
Excal

Posted 15 August 2005 - 12:16 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

eAcceleration software company is not a trusted anti-virus/spyware program. I have marked all their products for deletion on your computer. When we get you all cleaned, I will give you some links where you can get some free spyware, antivirus and firewall programs that are trusted.
http://www.spywarewa...nti-spyware.htm

DOWNLOAD PROGRAMS

Download and install CleanUp! Here
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

Please download ewido security suite it is a trial version of the program.

Install ewido security suite
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Then click on Start Update

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first.

Download and unzip HSfix to your desktop :
HSRegFix

THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3. Ensure you are NOT connected to the internet.

4. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

5. Go to Start->Run and type in services.msc and hit OK. Then look for Network Security Service and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Do the same for the following services: Windows VisFx Components and
FWService

6. Open up and run Ewido:

Click on scanner
Click Complete System Scan and the scan will begin.
During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop

Close Ewido

7. Close all browsers, windows and unneeded programs.

8. Open HiJack and do a scan.

9. Put a Check next to the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\idmctjhg.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nshFF.dll
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\AccelerationSoftware\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dpkspd.exe reg_run
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [agwyenc] C:\WINDOWS\agwyenc.EXE
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\AccelerationSoftware\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\AccelerationSoftware\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\CommonFiles\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Mwp4RgYth] mgmmmgr.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...itialSetup1.0.0
.8-2.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O23 - Service: FWService - Unknown owner - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\FWService.exe (file missing)
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\wecssvc.exe
O23 - Service: Network Security Service (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\apprp32.exe (file missing)

10. click the Fix Checked box

11. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

eAcceleration (uninstall anything that realted to this)
PrivacyScanner/Champion
MaxSpeed

12. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\AccelerationSoftware
C:\Program Files\Privacy Champion
C:\Program Files\CommonFiles\eAcceleration

13. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\System32\dpkspd.exe
C:\WINDOWS\System32\lanbrup.exe
C:\WINDOWS\agwyenc.EXE
C:\WINDOWS\System32\maxspeed.exe
C:\WINDOWS\wecssvc.exe
C:\WINDOWS\apprp32.exe
Use Start>Search for these:
Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.
AUNPS2.DLL
svshost.exe
mgmmmgr.exe
msnmsgr.exe <===this will not be the one in the MSN Messanger Folder.

14. Scan with AdAware and let it remove any bad files found.

15. Double click on the HSFix and when asked to merge say yes.

16. Run the program CleanUp!

17. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

18. Please post the Active scan log. Ewido Log and a fresh HiJackThis log. Let me know how your computer is running.

#9
Mick_Wood

Posted 15 August 2005 - 03:28 PM

Member

Topic Starter
Member
10 posts

Ok, here are my latest files Excal:

Incident Status Location

Adware:Adware/QoolAid No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tadi.exe
Adware:Adware/QoolAid No disinfected C:\WINDOWS\SYSTEM32\DPKSPD.EXE
Adware:adware/clkoptimizer No disinfected C:\WINDOWS\SYSTEM32\datadx.dll
Adware:adware/wupd No disinfected C:\WINDOWS\SYSTEM32\ide21201.vxd
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/funweb No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.8-2.inf
Spyware:spyware/iehelp No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ipreg32.inf
Adware:adware/statblaster No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WildApp.inf
Spyware:spyware/yoursitebar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ysbactivex.inf
Adware:adware/pacimedia No disinfected C:\DOCUMENTS AND SETTINGS\MICHAEL WOOD\FAVORITES\1111\1111.url
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\banner.inf
Adware:adware/superspider No disinfected C:\m00.exe
Adware:adware/gator No disinfected C:\WINDOWS\FT1_02_0_402_GEPFAH.EXE
Adware:adware/sidesearch No disinfected C:\WINDOWS\sepsd.bin
Adware:adware/sbsoft No disinfected C:\WINDOWS\webdlg32.inf
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/elitebar No disinfected C:\WINDOWS\etb
Adware:adware/wintools No disinfected Windows Registry
Adware:Adware/QoolAid No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tadi.exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[alstream.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[cuyptdll.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[dcauth.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[dNdxof.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[dUd9.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[mcawt.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[medrv.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[morapi.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[qldit.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[sfi_ci.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[spripto.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[swell.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[wedconns.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[wkninet(3).dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[wlnbrand.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[wtavideo.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[wukex.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[xrob2res.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip[guard.tmp]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix.exe[Process.exe]
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\CMAPP\Client\cmappmf.dll
Adware:Adware/FunWeb No disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
Spyware:Spyware/Iehelp No disinfected C:\WINDOWS\Downloaded Program Files\ipreg32.inf
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\drugs.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\fav.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\virus.bmp
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\banner.inf
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\alta\!update-2314.0000
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\alta\!update-2364.0000
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\system32\datadx.dll
Adware:Adware/QoolAid No disinfected C:\WINDOWS\system32\dpkspd.exe
Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\uninst.exe
Adware:Adware/QoolAid No disinfected C:\WINDOWS\system32\vuqku.dat
Adware:Adware/Imibar No disinfected C:\WINDOWS\ttext.dll
Adware:Adware/SBSoft No disinfected C:\WINDOWS\webdlg32.inf
Adware:Adware/Popup.pop No disinfected C:\WINDOWS\winsx.inf
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002

Logfile of HijackThis v1.99.1
Scan saved at 2:23:55 PM, on 8/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dpkspd.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.reds...ller/rssoft.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Thanks again, hope this is getting all cleaned up..I still notice the occassional pop up, but am not currently running any blockers, firewalls, or any programs. You mentioned some sites for good anti-virus programs and such, so let me know.

Michael Wood

#10
Mick_Wood

Posted 15 August 2005 - 03:30 PM

Member

Topic Starter
Member
10 posts

I think this is the real Ewido file you wanted..not that middle one I posted with the fails...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:29:40 PM, 8/15/2005
+ Report-Checksum: 8F97CD0B

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{05C2ECE7-AB9F-8750-F571-7DD76F135929} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{459729AC-727D-4D97-B18A-72EE224EFEC0} -> Spyware.StopSign : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{67D02480-710B-80D7-0624-27BB57B32CDE} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} -> Spyware.eAcceleration : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{771A1334-6B08-4a6b-AEDC-CF994BA2CEBE} -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{88261A8F-96F3-66D7-0279-B1C677B30B41} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B4F697AE-7E58-DC0D-D012-24F83EAB9F25} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BB83FD23-AC96-472D-8AA2-7D8560A61D1A} -> Spyware.eAcceleration : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEaid.Gd\GLSID -> Spyware.eAcceleration : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{963DD0FF-4836-4DE4-9590-D7EFE8F62F8D} -> Spyware.eAcceleration : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CurVer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} -> Spyware.eAcceleration : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winds_24 -> Spyware.CoolWebSearch : Cleaned with backup
HKU\.DEFAULT\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-602162358-507921405-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-602162358-507921405-725345543-1004\Software\{12EE7A5E-0674-42f9-A76B-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKU\S-1-5-18\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.459:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Grandonline : Cleaned with backup
:mozilla.592:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Epilot : Cleaned with backup
:mozilla.628:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.851:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.959:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.960:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.961:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.963:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.964:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.965:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.976:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.979:C:\Documents and Settings\Michael Wood\Application Data\Mozilla\Firefox\Profiles\hhkdivl0.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Adocean : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@goldenpalace[2].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@grandonline[1].txt -> Spyware.Cookie.Grandonline : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael wood@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Grandonline : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Michael Wood\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/alstream.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/cuyptdll.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/dcauth.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/dNdxof.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/dUd9.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/mcawt.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/medrv.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/morapi.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/qldit.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/sfi_ci.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/spripto.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/swell.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/wedconns.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/wkninet(3).dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/wlnbrand.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/wtavideo.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/wukex.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/xrob2res.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Desktop\l2mfix\backup.zip/guard.tmp -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Michael Wood\Local Settings\Temp\!update.exe -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\b.com -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\Cookies\michael [email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\labpengs.tmp -> Spyware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\temp.fr39D0\Anti-Virus\engine_setup.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\temp.fr39D0\Anti-Virus\ssupload_setup_update.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\temp.fr39D0\Anti-Virus\syssnap_update.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\temp.fr39D0\Anti-Virus\vclnr_setup_update.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\temp.frB042\Anti-Virus\engine_setup.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\temp.frB042\Anti-Virus\syssnap_update.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\temp.frDF87\Anti-Virus\engine_setup.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\temp.frDF87\Anti-Virus\ssupload_setup_update.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\temp.frDF87\Anti-Virus\syssnap_update.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\temp.frDF87\Anti-Virus\vclnr_setup_update.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temp\thin-94-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\7Z0JKUMW\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\7Z0JKUMW\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\7Z0JKUMW\AppWrap[3].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\7Z0JKUMW\AppWrap[4].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\8RSBC4N6\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\8RSBC4N6\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\8RSBC4N6\AppWrap[3].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\8RSBC4N6\AppWrap[4].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\8RSBC4N6\thin-94-1-x-x[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\IAKLVNO7\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\IAKLVNO7\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\IAKLVNO7\AppWrap[4].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\IAKLVNO7\AppWrap[5].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Michael Wood\Local Settings\Temporary Internet Files\Content.IE5\XGHISB3D\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\EanthComponents\cnr_setup.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\EanthComponents\eaccel_setup.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\EanthComponents\firewall_install.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\EanthComponents\konxisp_install.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\EanthComponents\search_setup.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\EanthComponents\ssupload_setup.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\EanthComponents\station_setup.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\EanthComponents\syssnap_install.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\EanthComponents\vclnr_setup.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\eanthmngr_update.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\eAnthologyApp_Update.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\eAnthology_updater.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\firewall_update.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\Installer\eaccel_updater.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\Installer\killasic.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\SysSnap\setup.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Common Files\eAcceleration\SysSnap\sfx.exe -> Spyware.eAcceleration : Cleaned with backup
C:\WINDOWS\agwyenc.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\bvefc.log:gkyvll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\CTCCW.DLL:aatqaw -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ActiveX.ocx -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\equwm.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\etb\nt_hide61.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\ilbzi.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\KB824141.log:asaici -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\KB824146.log:ggcmrn -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\KB825119.log:uwwfxx -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\KB833407.log:ibaqdu -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\kkfte.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\netyb32.dll:ofzwgo -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\nildjrql.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\ocmsn.log:fnitwy -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:inxmkb -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\Q329048.log:fursup -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\Q329390.log:qrsgwk -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\Q810577.log:dqyyhd -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\QTFont.qfn:sayeoo -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\badaa.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IJ2HAXKZ\!update-2104[1].0000 -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\conres.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\e6f1873b.dll -> TrojanDownloader.Braidupdate.d : Cleaned with backup
C:\WINDOWS\system32\ebjms.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\system32\HyperLinker3.exe -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\system32\idmctjhg.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\installer_MARKETING58.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\WINDOWS\system32\jaqpk.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\system32\lanbrup.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\lfjed.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\system32\msole32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\mtcwg.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\system32\nshFF.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\ole32vbs.exe -> Trojan.Favadd.af : Cleaned with backup
C:\WINDOWS\system32\pnqvg.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\system32\thin-144-1-2-2.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\wuiqd.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\system32\xpttb.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\system32\zvzxa.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\Temp\!update.exe -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Error during cleaning
C:\WINDOWS\Temp\Del3BA.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
C:\WINDOWS\Temp\Del3C6.tmp -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\Temp\MediaAccessInstPack.exe -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Temp\res3BB.tmp -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\Temp\upd208.exe -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\Temp\upd209.exe -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\twain.dll:riqmlb -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\usnsh.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\visfxun.exe._eac_qt_ -> TrojanDownloader.VB.kd : Cleaned with backup
C:\WINDOWS\wiaservc.log:admpnx -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\wininit.ini:daaovw -> Spyware.OneMoreSearch : Cleaned with backup
C:\~WRF0409.tmp -> TrojanDropper.Small.acb : Cleaned with backup

::Report End

#11
Excal

Posted 15 August 2005 - 03:48 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Looks much better!! you can delete the L2Mfix folder on your dektop. :tazz:

DOWNLOAD PROGRAMS

Download LQfix Here
save it to your desktop, please do not use yet

THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Open up and run Ewido:

Click on scanner
Click Complete System Scan and the scan will begin.
During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop

Close Ewido

5. Close all browsers, windows and unneeded programs.

6. Open HiJack and do a scan.

7. Put a Check next to the following items:

O17 - HKLM\System\CS1\Services\Tcpip\..\{47C850D5-3646-4836-9DB9-58D3C9873A66}: NameServer = 66.133.170.2

8. click the Fix Checked box

9. Please remove the following folders using Windows Explorer (if present):

C:\DOCUMENTS AND SETTINGS\MICHAEL WOOD\FAVORITES\1111
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\WINDOWS\etb
C:\WINDOWS\system32\alta

10. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\SYSTEM32\DPKSPD.EXE
C:\WINDOWS\SYSTEM32\datadx.dll
C:\WINDOWS\SYSTEM32\ide21201.vxd
C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\system32\datadx.dll
C:\WINDOWS\system32\dpkspd.exe
C:\WINDOWS\FT1_02_0_402_GEPFAH.EXE
C:\WINDOWS\sepsd.bin
C:\WINDOWS\system32\uninst.exe
C:\WINDOWS\system32\vuqku.dat
C:\WINDOWS\ttext.dll
C:\WINDOWS\webdlg32.inf
C:\WINDOWS\winsx.inf
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tadi.exe
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\ipreg32.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WildApp.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\ysbactivex.inf
C:\WINDOWS\INF\banner.inf
C:\m00.exe

11. Double click on LQFix program u downloaded.
A doswindow will open and close again, this is normal.

12. Run the program CleanUp!

13. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

14. delete bad services

Open HiJackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
click on "delete an NT service"
Copy and paste this in the box: FWService
Click "ok", then reboot

do the same for these services also: Windows VisFx Components and %AFå¤¶À¨

15. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.

#12
Mick_Wood

Posted 15 August 2005 - 08:37 PM

Member

Topic Starter
Member
10 posts

Ok, latest instructions done. The last step, #14 where you ask me to delete the NT service FWService...that file wasn't found. Tried it twice. The other file I have no idea how to type in, the one with the boxes and AFa in the middle of it.

The computer is running much better, faster, so thats an improvement.

Logs to follow:

Active-scan:

Incident Status Location

Adware:adware/funweb No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.8-2.inf
Spyware:spyware/iehelp No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ipreg32.inf
Adware:adware/statblaster No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WildApp.inf
Spyware:spyware/yoursitebar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ysbactivex.inf
Spyware:spyware/betterinet No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Michael Wood\Desktop\l2mfix.exe[Process.exe]
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\CMAPP\Client\cmappmf.dll
Adware:Adware/FunWeb No disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
Spyware:Spyware/Iehelp No disinfected C:\WINDOWS\Downloaded Program Files\ipreg32.inf
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 7:29:27 PM, on 8/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\Userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dpkspd.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.reds...ller/rssoft.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

I noticed some of the same files appearing in the latest active-scan file are ones you had me look for and delete in my Windows\downloaded program files folder...but none of them appeared...at least not under those names.

Thanks again for sticking through this...its a big relief to see progress here.

#13
Excal

Posted 15 August 2005 - 08:52 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Ok, latest instructions done. The last step, #14 where you ask me to delete the NT service FWService...that file wasn't found. Tried it twice. The other file I have no idea how to type in, the one with the boxes and AFa in the middle of it.

Just copy and paste this into that box, instead of trying to type it: %AFå¤¶À¨

I was hoping that ewido would take care of you qoologic infection, but I guess your not that lucky....lol

Please Download the following tools to assist us in removing this infection!

Download WinPFind
- Right Click the Zip Folder and Select "Extract All"
- Extract it somewhere you will remember like the Desktop
- Dont do anything with it yet!
Download Track qoo
- Save it somewhere you will remember like the Desktop

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe

Click "Start Scan"
It will scan the entire System, so please be patient!
Once the Scan is Complete
Go to the WinPFind folder
Locate WinPFind.txt
Place those results in the next post!

Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

#14
Mick_Wood

Posted 15 August 2005 - 10:37 PM

Member

Topic Starter
Member
10 posts

Ok, pasted that sting before I ran the new instructions, and it said the file wasn't in the registry.

Here are the logs for the WinPFind and Track qoo operations:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"winsync"="C:\\WINDOWS\\System32\\dpkspd.exe reg_run"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- qygxyqkn
{2fe374b5-41bc-492f-9ab1-7497d65d1974}
C:\WINDOWS\System32\badaa.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
==============================
C:\Documents and Settings\Michael Wood\Start Menu\Programs\Startup

desktop.ini
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files

access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
CTDetect.cpl Creative Technology Ltd.
CTDevCtrl.cpl Creative Technology Ltd.
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 9/3/2002 9:30:40 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
69.59.186.63 8/15/2005 1:51:32 PM 42496 C:\WINDOWS\SYSTEM32\gsdssgd.dll
209.66.67.134 8/15/2005 1:51:32 PM 42496 C:\WINDOWS\SYSTEM32\gsdssgd.dll
web-nex 8/15/2005 1:51:32 PM 42496 C:\WINDOWS\SYSTEM32\gsdssgd.dll
winsync 8/15/2005 1:51:32 PM 42496 C:\WINDOWS\SYSTEM32\gsdssgd.dll
Umonitor 9/3/2002 9:54:44 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 9/3/2002 10:10:48 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\OldHosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 8/15/2005 9:20:14 PM 2048 C:\WINDOWS\bootstat.dat
H 6/28/2005 5:19:08 PM 0 C:\WINDOWS\inf\oem8.inf
SH 7/21/2005 11:34:42 PM 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_56.cab
H 8/15/2005 9:20:08 PM 8192 C:\WINDOWS\system32\config\default.LOG
H 8/15/2005 9:20:30 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
H 8/15/2005 9:20:16 PM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
H 8/15/2005 9:21:30 PM 81920 C:\WINDOWS\system32\config\software.LOG
H 8/15/2005 9:20:18 PM 790528 C:\WINDOWS\system32\config\system.LOG
H 7/21/2005 11:51:32 PM 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
S 7/21/2005 11:34:42 PM 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
S 7/21/2005 11:34:42 PM 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
SH 8/15/2005 6:59:34 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2ZW9Q3\desktop.ini
SH 8/15/2005 6:59:34 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CDEF01MR\desktop.ini
SH 8/15/2005 6:59:34 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CTIBOLI7\desktop.ini
SH 8/15/2005 6:59:34 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S5UBGPIV\desktop.ini
SH 8/15/2005 10:29:20 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4ab98a29-9f31-42ef-a524-2cee508a2d0b
SH 8/15/2005 10:29:20 AM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
SH 8/15/2005 7:29:14 PM 204 C:\WINDOWS\Tasks\RUTASK.job
H 8/15/2005 9:19:40 PM 6 C:\WINDOWS\Tasks\SA.DAT
SH 7/21/2005 11:48:56 PM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
SH 7/21/2005 11:48:56 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
SH 7/21/2005 11:48:56 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\07JRYSNA\desktop.ini
SH 7/21/2005 11:48:56 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\68CJ8OMT\desktop.ini
SH 7/21/2005 11:48:56 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\9503193R\desktop.ini
SH 7/21/2005 11:48:56 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GIU874KQ\desktop.ini

Checking for CPL files...
Microsoft Corporation 9/3/2002 9:26:48 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 9/3/2002 9:27:24 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 3/30/2001 2:00:00 AM 230912 C:\WINDOWS\SYSTEM32\CTDetect.cpl
Creative Technology Ltd. 2/21/2002 1:00:00 AM 212992 C:\WINDOWS\SYSTEM32\CTDevCtrl.cpl
Microsoft Corporation 9/3/2002 9:30:36 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 9/3/2002 9:34:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 9/3/2002 9:35:14 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 9/3/2002 9:35:24 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 9/3/2002 9:37:12 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 9/3/2002 9:40:02 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 9/3/2002 9:42:08 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9/3/2002 9:47:04 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 9/3/2002 9:50:26 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 9/3/2002 9:50:44 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 9/3/2002 9:52:44 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 9/3/2002 10:05:50 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 9/3/2002 10:06:38 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 9/3/2002 10:06:48 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 9/3/2002 9:26:48 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 9/3/2002 9:27:24 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 9/3/2002 9:30:36 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 9/3/2002 9:34:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 9/3/2002 9:35:14 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 9/3/2002 9:35:24 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 9/3/2002 9:37:12 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 9/3/2002 9:40:02 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9/3/2002 9:42:08 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 9/3/2002 9:47:04 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9/3/2002 9:50:26 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 9/3/2002 9:50:44 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 9/3/2002 9:52:44 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 9/3/2002 9:57:12 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 9/3/2002 10:05:50 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 9/3/2002 10:06:38 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 9/3/2002 10:06:48 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/21/2004 2:12:56 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
6/21/2004 2:11:18 PM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
5/5/2005 1:33:58 PM 81752 C:\Documents and Settings\Michael Wood\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qygxyqkn
{2fe374b5-41bc-492f-9ab1-7497d65d1974} = C:\WINDOWS\System32\badaa.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{669B269B-0D4E-41FB-A3D8-FD67CA94F646}
ButtonText = ComcastHSI : http://www.comcast.net/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{8828075D-D097-4055-AA02-2DBFA9D85E8A}
ButtonText = Support : http://www.comcastsupport.com/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{97809617-3937-4F84-B335-9BB05EF1A8D4}
ButtonText = Help : http://online.comcast.net/help/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
ButtonText = PartyPoker.com : C:\Program Files\PartyPoker\PartyPoker.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
tgcmd "C:\Program Files\support.com\bin\tgcmd.exe" /server
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
winsync C:\WINDOWS\System32\dpkspd.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
CMAPP "C:\Program Files\CMAPP\Client\cmappclient.exe"
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun _

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
winlogon.exe msole32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0
DisableTaskMgr 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\Userinit.exe
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/15/2005 9:26:57 PM

Thanks again...I haven't seen a problem with going online for a while now, so that has to be good. :tazz:

#15
Excal

Posted 15 August 2005 - 11:06 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"=-

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qygxyqkn]

Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"

C:\WINDOWS\System32\badaa.dll
C:\WINDOWS\SYSTEM32\gsdssgd.dll
C:\WINDOWS\System32\dpkspd.exe
C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
C:\WINDOWS\Downloaded Program Files\WildApp.inf
C:\WINDOWS\Downloaded Program Files\ipreg32.inf
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
C:\Program Files\CMAPP\Client\cmappmf.dll

As you Paste each entry into Killbox,place a tick by any of these Selections available

"Delete on Reboot"
"Unregister .dll before Deleting"

Click the Red Circle with the White X in the Middle to Delete!

Restart in Safe Mode and Run those files through Killbox once more to be sure nothing survived.

This time place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"

Now Locate and DoubleClick KillQoo.reg-> Allow it to merge into the Registry!

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dpkspd.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked.

Restart back in Normal Mode and Post a fresh HijackThis log!

Edited by Excal, 15 August 2005 - 11:06 PM.