Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Winfixer has Got me too


  • Please log in to reply

#1
Aleingarn

Aleingarn

    Member

  • Member
  • PipPip
  • 12 posts
well here is my Hijackthis log
now i have what appears to be a popup window, before the actual windows logon screen, and have several errors crashing my windows logon , and every time i reboot .exe .com.lnk etc, are unassigned so they dont run.

Logfile of HijackThis v1.99.1
Scan saved at 8:56:22 AM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: SDWin32 Class - {28C9E0EE-0E21-4406-A4DE-986C1466032A} - C:\WINDOWS\system32\vrqpx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [vrqpxc] C:\WINDOWS\system32\vrqpxc.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123809163546
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.35/ttinst.cab
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\hlzcon05.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


as well as my Ewido



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:46:06 AM, 8/16/2005
+ Report-Checksum: 35B09089

+ Scan result:

HKLM\SOFTWARE\DKSoftware -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\istsvc -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -> Spyware.ComLoad : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\istsvc -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WCPR -> Spyware.WebRebates : Cleaned with backup
HKU\.DEFAULT\Software\Coulomb -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-19\Software\Coulomb -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-20\Software\Coulomb -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-18\Software\Coulomb -> Dialer.Generic : Cleaned with backup
[492] C:\WINDOWS\system32\hlzcon05.dll -> Spyware.Look2Me : Error during cleaning
[1100] C:\WINDOWS\system32\mbdtcprx.dll -> Spyware.Look2Me : Error during cleaning
[1220] C:\WINDOWS\system32\mbdtcprx.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\97HRP5O4\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I1KXM16J\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I1KXM16J\AppWrap[4].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I54Z4JGX\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I54Z4JGX\AppWrap[3].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KFS80JKC\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KFS80JKC\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KFS80JKC\AppWrap[3].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P6PT43DZ\!update-2214[1].0000 -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P6PT43DZ\!update-2264[1].0000 -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\U5OREFMH\!update-2204[1].0000 -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\U5OREFMH\!update-2224[1].0000 -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\U5OREFMH\!update-2234[1].0000 -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\U5OREFMH\!update-2254[1].0000 -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\U5OREFMH\!update-2274[1].0000 -> Spyware.MediaTickets : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\070C58E6-6411-472B-99C6-2B154A\EE652BBF-33B8-4C44-A697-520AA8 -> Spyware.BookedSpace : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\240B74F2-5AF2-41E2-97A7-C08D23\7E00758E-EC34-4FE5-B539-AE9FF6 -> Spyware.BookedSpace : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\38574F20-5463-4983-A79B-8583FB\BFD0FE49-9959-467F-9F1C-E36B06 -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7DEB117A-54C4-4F3C-B0A0-2B4CB2\01F3833A-18B4-47F7-BB6C-266C4C -> Adware.eZula : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7DEB117A-54C4-4F3C-B0A0-2B4CB2\0D9E4D4A-0484-49A8-99EA-FF280A -> TrojanDownloader.OneClickSearch.k : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7DEB117A-54C4-4F3C-B0A0-2B4CB2\C83F6F1E-8C06-4EB0-99CC-9C6FB9 -> Adware.eZula : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\87686875-C4FC-49C9-84BF-C4F557\02EFDC9E-D455-4711-AE5F-E36CC7 -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\Program Files\Mozilla Firefox\plugins\npzango.dll -> Spyware.WinAD : Cleaned with backup
:mozilla.15:C:\Program Files\support.com\backup\Co\cookies.txt\1173_5ff64a9f0_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning
:mozilla.38:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.39:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.40:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.41:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.42:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.43:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.44:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.45:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.46:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.47:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.92:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Statcounter : Error during cleaning
:mozilla.106:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.107:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.108:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.109:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.158:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning
:mozilla.55:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.56:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.57:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.58:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.59:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.60:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.93:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Statcounter : Error during cleaning
:mozilla.107:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.108:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.109:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.110:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.159:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning
:mozilla.47:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Googleadservices : Error during cleaning
:mozilla.85:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.86:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.87:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.88:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.89:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.90:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.117:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Statcounter : Error during cleaning
:mozilla.129:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.130:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.131:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.132:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.179:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning
:mozilla.34:C:\Program Files\support.com\backup\Co\cookies.txt\2836_57fac3112_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning
:mozilla.59:C:\Program Files\support.com\backup\Co\cookies.txt\6583_5d3aa3e66_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning
:mozilla.74:C:\Program Files\support.com\backup\Co\cookies.txt\7940_511d93933_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning
C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\SYSTEM32\AUNPS2.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\dgcprop2.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\spe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
C:\WINDOWS\Temp\Cookies\administrator@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\administrator@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\debby@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup


::Report End


Help if you can,

Thank You
  • 0

Advertisements


#2
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi Aleingarn and Welcome to GeekstoGo!

That appears to be the Look2me Infection,so please download the l2mfix from here
http://www.atribune....oads/l2mfix.exe
or
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.


If you recieve any error messages for CMD or Autoexec.bat>> Select Option 5 from the l2mfix and once at the Site,Click on the link that apply to your Operating System!

Double Click the file it downloads and Extract the files to its predetermined System32 folder!
  • 0

#3
Aleingarn

Aleingarn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
well i ran l2mfix, and did encounter some errors, after i had downloaded that "patch" for windows xp home exition please advise, or is this log sufficient?

L2MFIX find log 1.03b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hlzcon05.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A96A0413-6CB8-41B4-7B7D-694FC91E4D19}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{04466240-beb3-11d1-be1c-00aa006b77f4}"="WebDrive Shell Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{1847A8A0-0DC3-4A3C-9BB5-29A46F9A09A2}"=""
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{395D4C38-9888-4C32-B545-7415233CD04D}"=""
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1847A8A0-0DC3-4A3C-9BB5-29A46F9A09A2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1847A8A0-0DC3-4A3C-9BB5-29A46F9A09A2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1847A8A0-0DC3-4A3C-9BB5-29A46F9A09A2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1847A8A0-0DC3-4A3C-9BB5-29A46F9A09A2}\InprocServer32]
@="C:\\WINDOWS\\system32\\dgcprop2.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{395D4C38-9888-4C32-B545-7415233CD04D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{395D4C38-9888-4C32-B545-7415233CD04D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{395D4C38-9888-4C32-B545-7415233CD04D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{395D4C38-9888-4C32-B545-7415233CD04D}\InprocServer32]
@="C:\\WINDOWS\\system32\\mbdtcprx.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 084F-19BA

Directory of C:\WINDOWS\System32

08/16/2005 03:07 AM 417,792 mbdtcprx.dll
08/13/2005 01:21 AM 417,792 hlzcon05.dll
08/11/2005 09:40 PM <DIR> DLLCACHE
10/07/2002 01:38 PM <DIR> Microsoft
2 File(s) 835,584 bytes
2 Dir(s) 21,068,967,936 bytes free
  • 0

#4
Aleingarn

Aleingarn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I did rescan, and found there were some more results, i thought i would repost results here

L2MFIX find log 1.03b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hlzcon05.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A96A0413-6CB8-41B4-7B7D-694FC91E4D19}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{04466240-beb3-11d1-be1c-00aa006b77f4}"="WebDrive Shell Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{1847A8A0-0DC3-4A3C-9BB5-29A46F9A09A2}"=""
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{395D4C38-9888-4C32-B545-7415233CD04D}"=""
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1847A8A0-0DC3-4A3C-9BB5-29A46F9A09A2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1847A8A0-0DC3-4A3C-9BB5-29A46F9A09A2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1847A8A0-0DC3-4A3C-9BB5-29A46F9A09A2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1847A8A0-0DC3-4A3C-9BB5-29A46F9A09A2}\InprocServer32]
@="C:\\WINDOWS\\system32\\dgcprop2.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{395D4C38-9888-4C32-B545-7415233CD04D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{395D4C38-9888-4C32-B545-7415233CD04D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{395D4C38-9888-4C32-B545-7415233CD04D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{395D4C38-9888-4C32-B545-7415233CD04D}\InprocServer32]
@="C:\\WINDOWS\\system32\\mbdtcprx.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Sat Jul 2 2005 10:11:28p A.... 1,019,904 996.00 K
cdfview.dll Sat Jul 2 2005 10:11:28p A.... 151,040 147.50 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
gccoll~1.dll Tue Jul 12 2005 3:35:14p A.... 126,680 123.71 K
gcunco~1.dll Tue Jul 12 2005 3:35:10p A.... 95,448 93.21 K
hashlib.dll Tue Jul 12 2005 3:35:14p A.... 117,976 115.21 K
hhsetup.dll Thu May 26 2005 10:04:28p A.... 41,472 40.50 K
hlzcon05.dll Sat Aug 13 2005 1:21:56a ..S.R 417,792 408.00 K
icm32.dll Tue Jun 28 2005 9:46:00p A.... 254,976 249.00 K
iepeers.dll Sat Jul 2 2005 10:11:28p A.... 251,392 245.50 K
inseng.dll Sat Jul 2 2005 10:11:28p A.... 96,256 94.00 K
itircl.dll Thu May 26 2005 10:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 10:04:28p A.... 137,216 134.00 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
kerberos.dll Wed Jun 15 2005 1:49:30p A.... 295,936 289.00 K
legitc~1.dll Wed Aug 3 2005 10:33:42a A.... 520,456 508.26 K
mbdtcprx.dll Tue Aug 16 2005 3:07:44a ..S.R 417,792 408.00 K
mscms.dll Tue Jun 28 2005 9:46:00p A.... 74,240 72.50 K
mshtml.dll Tue Jul 19 2005 10:00:30p A.... 3,014,144 2.87 M
mshtmled.dll Sat Jul 2 2005 10:11:30p A.... 448,512 438.00 K
msrating.dll Sat Jul 2 2005 10:11:30p A.... 146,432 143.00 K
mucltui.dll Thu May 26 2005 4:16:24a A.... 127,208 124.23 K
muweb.dll Thu May 26 2005 4:19:32a A.... 178,408 174.23 K
pngfilt.dll Sat Jul 2 2005 10:11:30p A.... 39,424 38.50 K
shdocvw.dll Sat Jul 2 2005 10:11:30p A.... 1,483,776 1.41 M
shlwapi.dll Sat Jul 2 2005 10:11:30p A.... 473,600 462.50 K
tapisrv.dll Fri Jul 8 2005 12:27:56p A.... 249,344 243.50 K
umpnpmgr.dll Wed Jun 29 2005 10:02:40p A.... 118,272 115.50 K
urlmon.dll Sat Jul 2 2005 10:11:30p A.... 607,744 593.50 K
vrqpx.dll Tue Aug 16 2005 4:17:16a A.... 98,816 96.50 K
wininet.dll Sat Jul 2 2005 10:11:30p A.... 658,432 643.00 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K

38 items found: 38 files (2 H/S), 0 directories.
Total of file sizes: 14,455,296 bytes 13.79 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 084F-19BA

Directory of C:\WINDOWS\System32

08/16/2005 03:07 AM 417,792 mbdtcprx.dll
08/13/2005 01:21 AM 417,792 hlzcon05.dll
08/11/2005 09:40 PM <DIR> DLLCACHE
10/07/2002 01:38 PM <DIR> Microsoft
2 File(s) 835,584 bytes
2 Dir(s) 21,068,673,024 bytes free
  • 0

#5
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,So you got the error message when you ran Option 1?

If so and you used Option 5 and downloaded the XpHomefiles exe!

So long as you Double Clicked the exe and when the small window popped up you clicked Unzip and didnt change the destination,we are in good shape!

That log does look kinda funky but I think we will be OK!

Close any programs you have open since this step requires a reboot.


From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

After posting those 2 logs,proceed with the Instructions below!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download and Install
CleanUp!
Dont use it yet!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Run Cleanup,when prompted to log off>> Select No

Scan the PC with Ewido just as described in the link-> Clean everthing it finds and make sure to Save the Report

Scan the System with Ad Aware,remove everything it finds and delete all quaratine files!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates

Download the Hoster from here:
http://www.funkytoad...load/hoster.zip
Press "Restore Original Hosts" and press "OK"!
Exit Program!


Post back with a fresh HijackThis log and the reports from Ewido and Panda!
  • 0

#6
Aleingarn

Aleingarn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
i cannot get it to run active scan in normal windows mode, and i'm still having issues with .exe, .com, and .lnk files becoming un associated in windows registry
  • 0

#7
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Follow the Steps in this link
http://securityrespo...istry.keys.html

Once completed,post the l2mfix (Option2) log and a fresh HijackThis log!
  • 0

#8
Aleingarn

Aleingarn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
ogfile of HijackThis v1.99.1
Scan saved at 5:52:26 PM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetDrive\wdservice.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Administrator\Desktop\l2mfix\second.bat
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124219954531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdservice.exe

L2Mfix 1.03b

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

L2Mfix 1.03b

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!
  • 0

#9
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Have HijackThis fix this entry first

O4 - HKLM\..\Run: [second] C:\Documents and Settings\Administrator\Desktop\l2mfix\second.bat

Temporarily Uninstall Ad Aware SE as we will be unable to fix the Ad Watch that has been enabled!

Ad Watch is the most likely culprit here!

Go to the l2mfix folder, right click on second.bat and choose open.

This should allow the l2mfix to finish its process and produce the correct log!

Lets see how the Instructions above work because that log from l2mfix is not complete!
  • 0

#10
Aleingarn

Aleingarn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
L2Mfix 1.03b

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Setting Directory
C:\Documents and Settings\Administrator\Desktop\l2mfix
C:\Documents and Settings\Administrator\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1436 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
updating: clear.reg (164 bytes security) (deflated 2%)
updating: echo.reg (164 bytes security) (deflated 10%)
updating: direct.txt (164 bytes security) (stored 0%)
updating: lo2.txt (164 bytes security) (deflated 73%)
updating: readme.txt (164 bytes security) (deflated 50%)
updating: report.txt (164 bytes security) (deflated 62%)
updating: test.txt (164 bytes security) (stored 0%)
updating: test2.txt (164 bytes security) (stored 0%)
updating: test3.txt (164 bytes security) (stored 0%)
updating: test5.txt (164 bytes security) (stored 0%)
adding: log.txt (164 bytes security) (deflated 79%)
updating: backregs/1847A8A0-0DC3-4A3C-9BB5-29A46F9A09A2.reg (164 bytes security) (deflated 70%)
updating: backregs/395D4C38-9888-4C32-B545-7415233CD04D.reg (164 bytes security) (deflated 70%)
updating: backregs/notibac.reg (164 bytes security) (deflated 87%)
updating: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

  • 0

Advertisements


#11
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,there we go,lets see a fresh HijackThis log and go ahead with the other steps I posted please!
  • 0

#12
Aleingarn

Aleingarn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
L2Mfix 1.03b

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

Setting Directory
C:\Documents and Settings\Administrator\Desktop\l2mfix
C:\Documents and Settings\Administrator\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1436 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
updating: clear.reg (164 bytes security) (deflated 2%)
updating: echo.reg (164 bytes security) (deflated 10%)
updating: direct.txt (164 bytes security) (stored 0%)
updating: lo2.txt (164 bytes security) (deflated 73%)
updating: readme.txt (164 bytes security) (deflated 50%)
updating: report.txt (164 bytes security) (deflated 62%)
updating: test.txt (164 bytes security) (stored 0%)
updating: test2.txt (164 bytes security) (stored 0%)
updating: test3.txt (164 bytes security) (stored 0%)
updating: test5.txt (164 bytes security) (stored 0%)
adding: log.txt (164 bytes security) (deflated 79%)
updating: backregs/1847A8A0-0DC3-4A3C-9BB5-29A46F9A09A2.reg (164 bytes security) (deflated 70%)
updating: backregs/395D4C38-9888-4C32-B545-7415233CD04D.reg (164 bytes security) (deflated 70%)
updating: backregs/notibac.reg (164 bytes security) (deflated 87%)
updating: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:10:51 PM, 8/16/2005
+ Report-Checksum: 8E639A7C

+ Scan result:

:mozilla.15:C:\Program Files\support.com\backup\Co\cookies.txt\1173_5ff64a9f0_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning
:mozilla.38:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.39:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.40:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.41:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.42:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.43:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.44:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.45:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.46:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.47:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.92:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Statcounter : Error during cleaning
:mozilla.106:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.107:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.108:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.109:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.158:C:\Program Files\support.com\backup\Co\cookies.txt\14909_51f03718e_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning
:mozilla.55:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.56:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.57:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.58:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.59:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.60:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.93:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Statcounter : Error during cleaning
:mozilla.107:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.108:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.109:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.110:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.159:C:\Program Files\support.com\backup\Co\cookies.txt\15112_53410e2d7_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning
:mozilla.47:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Googleadservices : Error during cleaning
:mozilla.85:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.86:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.87:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.88:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.89:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.90:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Casalemedia : Error during cleaning
:mozilla.117:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Statcounter : Error during cleaning
:mozilla.129:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.130:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.131:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.132:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.Yieldmanager : Error during cleaning
:mozilla.179:C:\Program Files\support.com\backup\Co\cookies.txt\17207_5733cea81_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning
:mozilla.34:C:\Program Files\support.com\backup\Co\cookies.txt\2836_57fac3112_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning
:mozilla.59:C:\Program Files\support.com\backup\Co\cookies.txt\6583_5d3aa3e66_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning
:mozilla.74:C:\Program Files\support.com\backup\Co\cookies.txt\7940_511d93933_/cookies.txt -> Spyware.Cookie.2o7 : Error during cleaning


::Report End
  • 0

#13
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Lets have a look at a HijackThis log and the report from Panda!
  • 0

#14
Aleingarn

Aleingarn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Incident Status Location

Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\DEBBY\FAVORITES\Fun & Games
Adware:adware/elitebar No disinfected C:\WINDOWS\etb
Adware:adware/navipromo No disinfected Windows Registry
Dialer:dialer.avv No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{2E246FAE-8420-11D9-870D-000C2917DE7F}
Dialer:dialer.asl No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{D19781C5-2051-44F8-8445-DDC82933C191}
Adware:adware/77ttt No disinfected Windows Registry
Dialer:dialer.aas No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{45231111-1111-1111-1111-111111113458}
Adware:adware/otx No disinfected Windows Registry
Dialer:dialer.xd No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{FF3F0F03-0F01-131A-A3F9-08F02B23E0CC}
Spyware:spyware/iesearchtoolbarNo disinfected Windows Registry
Dialer:dialer.cn No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{511F9316-771B-4953-A268-1C36DA667FE9}
Spyware:spyware/istbar No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix.exe[Process.exe]
Adware:Adware/AdDestroyer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3F6C0D03-4C17-4CDF-9F88-61FA48\352D7025-25FB-4DD0-AF8B-DA5D84
Adware:Adware/Imibar No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\904D02AC-2AFF-4128-8B7E-975D56\1095BC77-21A1-4514-BBDA-630918
Adware:Adware/AdDestroyer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\BF01B07E-6E15-43C9-936E-086BEF\5DD557EE-FE2E-43B7-9419-B82A32
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C0C8F983-741B-4C2E-8A82-35EED5\FF1BF18B-7739-4F0A-B5C5-598166
Adware:Adware/PurityScan No disinfected C:\Program Files\rdso\eetu.exe
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
Possible Virus. No disinfected C:\WINDOWS\Temp\ASHeuristic\ProcessViewer.exe.vir Logfile of HijackThis v1.99.1
Scan saved at 2:01:37 PM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetDrive\wdservice.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\scans\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124219954531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdservice.exe
  • 0

#15
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,looking alot better,I hope the PC is being a bit more User friendly!

Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Copy the text in the code box to a blank notepad page and save it to the desktop as Clr.reg


REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{2E246FAE-8420-11D9-870D-000C2917DE7F}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{D19781C5-2051-44F8-8445-DDC82933C191}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{45231111-1111-1111-1111-111111113458}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{FF3F0F03-0F01-131A-A3F9-08F02B23E0CC}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{511F9316-771B-4953-A268-1C36DA667FE9}]


Restart in Safe Mode and be sure Windows is Showing Hidden Files!
http://www.bleepingc...torial=62#winxp

Locate and Delete the following

C:\WINDOWS\cfgmgr52.ini<- File

C:\DOCUMENTS AND SETTINGS\DEBBY\FAVORITES\Fun & Games<- Folder

C:\WINDOWS\etb<- Folder


Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)

C:\Windows\Temp

C:\Windows\System32\Temp

C:\Documents and Settings\Owner\Local Settings\Temp

C:\Documents and Settings\<Your Profile>\Local Settings\Temp

C:\Documents and Settings\<All other users Profile>\Local Settings\Temp

Empty your "Recycle Bin"

Open Internet Explorer,
Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files(Check the box for Delete all offline content)

Go to Start,
Select All Programs
Select Accessories
Select System Tools
Select and Run Disk Cleanup(Make sure that all boxes are checked for cleaning!!)


Now locate the reg file you made and doouble click to execute-> Allow it to merge into the registry!


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R3 - Default URLSearchHook is missing

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!

Please make sure all is enabled in Msconfig!!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!

Restart Normal and Have the PC scanned here to see how we did!
http://support.f-sec.../home/ols.shtml

Save the Report!

Post back with a fresh HijackThis log and the reports from WinPFind and F-Secure!

Edited by Cretemonster, 17 August 2005 - 05:08 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP