Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

VLINCE.A [CLOSED]


  • This topic is locked This topic is locked

#1
KrazyGrenade

KrazyGrenade

    New Member

  • Member
  • Pip
  • 9 posts
hey im having a serious issue with this virus i cant get it off and whenever it gets detected it changes its name so i have NO idea wat to do so any help would be GREATLY appreciated, This is the hijackthis log.


Logfile of HijackThis v1.99.1
Scan saved at 4:00:43 PM, on 9/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\RXJpawAA\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\guhhzd.exe
C:\WINDOWS\system32\icby\yykdmnu.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Erik\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: SDWin32 Class - {47AB2696-6A80-4364-8B23-73338799044E} - C:\WINDOWS\system32\guhhz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [System Support] syscfg.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Erik\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [wmgmin] C:\WINDOWS\system32\w130713.Stub.EXE
O4 - HKLM\..\Run: [newexp] C:\WINDOWS\system32\newexp
O4 - HKLM\..\Run: [pb0g2o1o] C:\WINDOWS\system32\pb0g2o1o.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [igafkqma] C:\WINDOWS\system32\igafkqma.exe
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\psdxregu.exe DO0605
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\system32\rsysuw2d.exe DO0605
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [mojvo] C:\WINDOWS\system32\sqbgqg\mojvo.exe
O4 - HKLM\..\Run: [mqmomqe] C:\WINDOWS\system32\bfyovok\mqmomqe.exe
O4 - HKLM\..\Run: [kquhgv] C:\WINDOWS\system32\ucrldd\kquhgv.exe
O4 - HKLM\..\Run: [1h9tpcbj] C:\WINDOWS\system32\1h9tpcbj.exe
O4 - HKLM\..\Run: [seli] C:\WINDOWS\seli.exe
O4 - HKLM\..\Run: [lr9e4037] C:\WINDOWS\system32\lr9e4037.exe
O4 - HKLM\..\Run: [fllclt6s] C:\WINDOWS\system32\fllclt6s.exe
O4 - HKLM\..\Run: [xkvwhp] C:\WINDOWS\system32\jyrjrt\xkvwhp.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [qkjtsqp4] C:\WINDOWS\system32\qkjtsqp4.exe
O4 - HKLM\..\Run: [win32086516126202] C:\WINDOWS\win32086516126202.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKLM\..\Run: [sh6po5kl] C:\WINDOWS\system32\sh6po5kl.exe
O4 - HKLM\..\Run: [isauszq] C:\WINDOWS\isauszq.exe
O4 - HKLM\..\Run: [isdfs] C:\WINDOWS\system32\trpdjq\isdfs.exe
O4 - HKLM\..\Run: [f0737eed766f] C:\WINDOWS\system32\atmtd454.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [yykdmnu] C:\WINDOWS\system32\icby\yykdmnu.exe
O4 - HKLM\..\RunServices: [System Support] syscfg.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Gzrbcu] C:\WINDOWS\system32\??ool32.exe
O4 - HKCU\..\Run: [System Support] syscfg.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [sesims] C:\WINDOWS\system32\sesims.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [SysCheck32] C:\WINDOWS\SysCheckBop32.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rsysuw2d.exe
O4 - Startup: Zstart.lnk = C:\Documents and Settings\Erik\Local Settings\Temp\zxinst12.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: nknd.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Crazy Poker - {8A8A3162-B5FA-4c54-A862-4E62CBE8A255} - C:\Program Files\crazyvegasMPP\MPPoker.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://ad.trafficmp....ler_VENDARE.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...aa6a2/enter.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...all_cpi1001.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/dlhelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...ner/WFXScan.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O20 - AppInit_DLLs: repairs.dll,wbsys.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\mriavi32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RXJpawAA\command.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Erik\Desktop\Scan Stuff\CWShredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mqmomqebfyovok - Unknown owner - C:\WINDOWS\system32\bfyovok\mqmomqe.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fkiwvoh.exe (file missing)
O23 - Service: xkvwhpjyrjrt - Unknown owner - C:\WINDOWS\system32\jyrjrt\xkvwhp.exe
O23 - Service: yykdmnuicby - Unknown owner - C:\WINDOWS\system32\icby\yykdmnu.exe
  • 0

Advertisements


#2
andydf

andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi krazygrenade

Welcome to Geeks to go

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Andy :tazz:
  • 0

#3
KrazyGrenade

KrazyGrenade

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dgskmon.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09FD139B-E974-8321-0D55-1D5492A8A8F7}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{7D5C4BDD-B015-4401-8731-1507B87DE297}"="QBVersionTool"
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}"="TMD Shell Extension"
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}"="VBPropSheet"
"{2F5AC606-70CF-461C-BFE1-734234536262}"="WindowBlinds CPL Extension"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{AF3E2661-BF45-4150-A6C2-AF5DA82E54A9}"=""
"{B2CD8C70-42E2-48E3-AD75-EAE876DB9A9D}"=""
"{D235A52F-C62A-4BBE-94B2-9F808036B46C}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AF3E2661-BF45-4150-A6C2-AF5DA82E54A9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AF3E2661-BF45-4150-A6C2-AF5DA82E54A9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AF3E2661-BF45-4150-A6C2-AF5DA82E54A9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AF3E2661-BF45-4150-A6C2-AF5DA82E54A9}\InprocServer32]
@="C:\\WINDOWS\\system32\\wuevqd.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B2CD8C70-42E2-48E3-AD75-EAE876DB9A9D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B2CD8C70-42E2-48E3-AD75-EAE876DB9A9D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B2CD8C70-42E2-48E3-AD75-EAE876DB9A9D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B2CD8C70-42E2-48E3-AD75-EAE876DB9A9D}\InprocServer32]
@="C:\\WINDOWS\\system32\\nQrrhook.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D235A52F-C62A-4BBE-94B2-9F808036B46C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D235A52F-C62A-4BBE-94B2-9F808036B46C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D235A52F-C62A-4BBE-94B2-9F808036B46C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D235A52F-C62A-4BBE-94B2-9F808036B46C}\InprocServer32]
@="C:\\WINDOWS\\system32\\uarlbva.dll"
"ThreadingModel"="Apartment"

********************************************************************
i got an error before running it but i still got a log. above is the error.

C:\Windows\system32\cmd.exe
C:\SYSTEM32\AUTOEXEX.NT. The system file is not suitable for running MS_DOS

**************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 601E-A1E9

Directory of C:\WINDOWS\System32

09/21/2005 05:51 PM 417,792 uarlbva.dll
09/21/2005 05:45 PM <DIR> dllcache
09/18/2005 05:18 PM 417,792 dgskmon.dll
09/08/2005 06:44 AM 401,408 ??ool32.exe
09/08/2005 06:42 AM 401,408 ??plorer.exe
08/10/2004 11:08 AM <DIR> Microsoft
4 File(s) 1,638,400 bytes
2 Dir(s) 53,361,168,384 bytes free
  • 0

#4
andydf

andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi KrazyGrenade

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. :)

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!


Andy :tazz:
  • 0

#5
KrazyGrenade

KrazyGrenade

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
this is the l2mfix log

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1392 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1440 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: CSERHelper.dll (188 bytes security) (deflated 48%)
adding: dbg.dll (188 bytes security) (deflated 56%)
adding: dbghelp.dll (188 bytes security) (deflated 49%)
adding: Steam.dll (188 bytes security) (deflated 63%)
adding: steamclient.dll (188 bytes security) (deflated 58%)
adding: SteamUI.dll (188 bytes security) (deflated 60%)
adding: tier0_s.dll (188 bytes security) (deflated 53%)
adding: vstdlib_s.dll (188 bytes security) (deflated 56%)
adding: clear.reg (188 bytes security) (deflated 46%)
adding: SystemInfo.ini (188 bytes security) (deflated 3%)
adding: !readme&installtion.txt (188 bytes security) (deflated 43%)
adding: info.txt (188 bytes security) (stored 0%)
adding: lo2.txt (188 bytes security) (deflated 65%)
adding: test.txt (188 bytes security) (stored 0%)
adding: test2.txt (188 bytes security) (deflated 27%)
adding: test3.txt (188 bytes security) (deflated 27%)
adding: test5.txt (188 bytes security) (deflated 27%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AF3E2661-BF45-4150-A6C2-AF5DA82E54A9}"=-
"{B2CD8C70-42E2-48E3-AD75-EAE876DB9A9D}"=-
"{D235A52F-C62A-4BBE-94B2-9F808036B46C}"=-
[-HKEY_CLASSES_ROOT\CLSID\{AF3E2661-BF45-4150-A6C2-AF5DA82E54A9}]
[-HKEY_CLASSES_ROOT\CLSID\{B2CD8C70-42E2-48E3-AD75-EAE876DB9A9D}]
[-HKEY_CLASSES_ROOT\CLSID\{D235A52F-C62A-4BBE-94B2-9F808036B46C}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************



this is the hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 9:08:01 PM, on 9/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\fdbre\bkntau.exe
C:\WINDOWS\RXJpawAA\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Erik\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: SDWin32 Class - {47AB2696-6A80-4364-8B23-73338799044E} - C:\WINDOWS\system32\guhhz.dll (file missing)
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Erik\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [wmgmin] C:\WINDOWS\system32\w130713.Stub.EXE
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [mqmomqe] C:\WINDOWS\system32\bfyovok\mqmomqe.exe
O4 - HKLM\..\Run: [kquhgv] C:\WINDOWS\system32\ucrldd\kquhgv.exe
O4 - HKLM\..\Run: [xkvwhp] C:\WINDOWS\system32\jyrjrt\xkvwhp.exe
O4 - HKLM\..\Run: [win32086516126202] C:\WINDOWS\win32086516126202.exe
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKLM\..\Run: [isauszq] C:\WINDOWS\isauszq.exe
O4 - HKLM\..\Run: [isdfs] C:\WINDOWS\system32\trpdjq\isdfs.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [yykdmnu] C:\WINDOWS\system32\icby\yykdmnu.exe
O4 - HKLM\..\Run: [xfsrbpnm] C:\WINDOWS\system32\cgmgjkfs\xfsrbpnm.exe
O4 - HKLM\..\Run: [nnepnkex] C:\WINDOWS\system32\ugujgfl\nnepnkex.exe
O4 - HKLM\..\Run: [rvct] C:\WINDOWS\system32\mnijmtf\rvct.exe
O4 - HKLM\..\Run: [uatwgdtb] C:\WINDOWS\system32\dccnatd\uatwgdtb.exe
O4 - HKLM\..\Run: [hfvypoyd] C:\WINDOWS\system32\tlleil\hfvypoyd.exe
O4 - HKLM\..\Run: [rdjemw] C:\WINDOWS\system32\vsyhuuay\rdjemw.exe
O4 - HKLM\..\Run: [oiemdq] C:\WINDOWS\system32\vdcxvit\oiemdq.exe
O4 - HKLM\..\Run: [spmkocgy] C:\WINDOWS\system32\utgp\spmkocgy.exe
O4 - HKLM\..\Run: [hfdsbny] C:\WINDOWS\system32\xofkve\hfdsbny.exe
O4 - HKLM\..\Run: [dxdyaqrb] C:\WINDOWS\system32\bkxktp\dxdyaqrb.exe
O4 - HKLM\..\Run: [cdgvmgf] C:\WINDOWS\system32\rfcchceo\cdgvmgf.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [win32095161262026] C:\WINDOWS\win32095161262026.exe
O4 - HKLM\..\Run: [tftyrd] C:\WINDOWS\system32\upytecnk\tftyrd.exe
O4 - HKLM\..\Run: [lmhqqpf] C:\WINDOWS\system32\ytte\lmhqqpf.exe
O4 - HKLM\..\Run: [mfqgnvl] C:\WINDOWS\system32\sdwtrdmd\mfqgnvl.exe
O4 - HKLM\..\Run: [xdfnp] C:\WINDOWS\system32\yvesidin\xdfnp.exe
O4 - HKLM\..\Run: [fksw] C:\WINDOWS\system32\qheumcy\fksw.exe
O4 - HKLM\..\Run: [gjvvgsn] C:\WINDOWS\system32\eskbq\gjvvgsn.exe
O4 - HKLM\..\Run: [jqcs] C:\WINDOWS\system32\bcasbyj\jqcs.exe
O4 - HKLM\..\Run: [bkntau] C:\WINDOWS\system32\fdbre\bkntau.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Gzrbcu] C:\WINDOWS\system32\??ool32.exe
O4 - HKCU\..\Run: [System Support] syscfg.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [sesims] C:\WINDOWS\system32\sesims.exe
O4 - HKCU\..\Run: [SysCheck32] C:\WINDOWS\SysCheckBop32.exe
O4 - HKCU\..\Run: [Sen] C:\Program Files\bama\tlii.exe
O4 - HKCU\..\Run: [Sys98] C:\WINDOWS\Sys98.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rsysuw2d.exe
O4 - Startup: Zstart.lnk = C:\Documents and Settings\Erik\Local Settings\Temp\zxinst12.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: Crazy Poker - {8A8A3162-B5FA-4c54-A862-4E62CBE8A255} - C:\Program Files\crazyvegasMPP\MPPoker.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://ad.trafficmp....ler_VENDARE.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...aa6a2/enter.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...tall_bm1002.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/dlhelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...ner/WFXScan.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O20 - AppInit_DLLs: repairs.dll
O23 - Service: bkntaufdbre - Unknown owner - C:\WINDOWS\system32\fdbre\bkntau.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RXJpawAA\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: hfdsbnyxofkve - Unknown owner - C:\WINDOWS\system32\xofkve\hfdsbny.exe
O23 - Service: jqcsbcasbyj - Unknown owner - C:\WINDOWS\system32\bcasbyj\jqcs.exe
O23 - Service: mqmomqebfyovok - Unknown owner - C:\WINDOWS\system32\bfyovok\mqmomqe.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: spmkocgyutgp - Unknown owner - C:\WINDOWS\system32\utgp\spmkocgy.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: uatwgdtbdccnatd - Unknown owner - C:\WINDOWS\system32\dccnatd\uatwgdtb.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fkiwvoh.exe (file missing)
O23 - Service: xfsrbpnmcgmgjkfs - Unknown owner - C:\WINDOWS\system32\cgmgjkfs\xfsrbpnm.exe
O23 - Service: xkvwhpjyrjrt - Unknown owner - C:\WINDOWS\system32\jyrjrt\xkvwhp.exe
O23 - Service: yykdmnuicby - Unknown owner - C:\WINDOWS\system32\icby\yykdmnu.exe
  • 0

#6
andydf

andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi KrazyGrenade

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1.
Make sure Ewido is fully up to date.

2.
Please download LQfix.exe and place it on your desktop.
Double-click LQfix.exe and click install.
Leave the default settings. If you change them, the fix will fail.
Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.
Follow the prompts on the screen. Your system will reboot afterwards.
Your system may take longer than usual to start up this one time; please be patient.

3.
Download and install CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
It may ask you to reboot at the end, if it does go ahead and reboot into safe mode.

4.
Once in Safe mode
Go to add/remove programs and uninstall the following (if present)

SurfSideKick 3

5.
  • Open Ewido.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin. Ensure no other windows/programs are open for the duratiion of the scan.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite. And reboot[/list]**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

6.
Next
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

If you would please, rescan with HijackThis and post a fresh log along with Ewido log and uninstall list in this same topic, and let us know how your system's working. :)

Andy :tazz:

Edited by andydf, 30 September 2005 - 12:50 PM.

  • 0

#7
KrazyGrenade

KrazyGrenade

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
i dont have ewido anymore as my 14 day trial is up
  • 0

#8
andydf

andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi KrazyGrenade

Carry out the instructions in my previous post, but instead of Ewido, I would like you to use a program called a².

a² Free is a trojan removal tool. To be able to use it, you must set up a free a-squared Account, to get access to the update server.
Please setup an a² account at the following link:
http://www.emsisoft....oftware/account

Then download a² free from this link:

http://www.emsisoft....ftware/download
If that does not work try here.
http://www.majorgeek...wnload4281.html

Install it and update it,

Be sure to run it in safe mode with no other programs running.

Andy :tazz:
  • 0

#9
KrazyGrenade

KrazyGrenade

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
hey i ran the lqfix and it didnt do anything, it didnt restart my computer or anything it just said push any key to continue and then it would exit out when i did.

this is the a2 report

a² Report
Filename Diagnosis
C:\Documents and Settings\Erik\Desktop\Stuff\HLServer\hltv.exe Riskware.Server-Proxy.Win32.Hltv
C:\Documents and Settings\Erik\Desktop\Stuff\l2mfix\Process.exe Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\Erik\Desktop\Stuff\SmileyCentralFFSetup2.0.4.0.exe Adware.ToolBar.MyWebSearch
C:\gebaeude\HLServer\hltv.exe Riskware.Server-Proxy.Win32.Hltv
C:\Program Files\asys\Stb.exe Trojan-Downloader.Win32.Agent.tf
C:\Program Files\CMAPP\cmappstub.exe Trojan-Downloader.Win32.Agent.tf
C:\Program Files\Mozilla Firefox\plugins\npzango.dll Adware.WinAD.aw
C:\Program Files\Need2Find\bar\2.bin\N2PLUGIN.DLL Adware.ToolBar.MyWebSearch.l
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MARKETING11.exe Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_VENDARE.exe Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_MARKETING11.exe Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_VENDARE.exe Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_MARKETING11.exe Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_VENDARE.exe Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\Downloaded Program Files\installer_MARKETING11.exe Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\Downloaded Program Files\installer_VENDARE.exe Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\dsr.dll Adware.ToolBar.ImiBar.h
C:\WINDOWS\dsr.exe Trojan.Win32.Imiserv.c
C:\WINDOWS\dxjqgvvx.exe Adware.BookedSpace.e
C:\WINDOWS\hvrujey.exe Adware.BetterInternet.s
C:\WINDOWS\hvukttx.exe Trojan-Dropper.Win32.Agent.tb
C:\WINDOWS\icont.exe Adware.AdURL.c
C:\WINDOWS\mm81.ocx Trojan-Downloader.Win32.VB.ov
C:\WINDOWS\seli.exe Adware.MediaMotor.i
C:\WINDOWS\system\UpdInst.exe Adware.Look2Me.ag
C:\WINDOWS\system32\0lqfindd.exe Adware.Sahat.aq
C:\WINDOWS\system32\60001.exe Trojan-Downloader.Win32.Small.bkr
C:\WINDOWS\system32\activeds.exe Adware.UrlSpy.b
C:\WINDOWS\system32\adsmsext.exe Adware.UrlSpy.b
C:\WINDOWS\system32\adupdater.exe Adware.Adstart.i
C:\WINDOWS\system32\bevoed.exe Adware.Adstart.i
C:\WINDOWS\system32\bevoef.exe Adware.Adstart.d
C:\WINDOWS\system32\bnbcnca.exe Trojan-Downloader.Win32.Qoologic.ac
C:\WINDOWS\system32\ciodm923.exe Adware.UrlSpy.b
C:\WINDOWS\system32\guhhzd.exe Adware.Adstart.i
C:\WINDOWS\system32\guhhzf.exe Adware.Adstart.d
C:\WINDOWS\system32\h46spqtl.dll_tobedeleted Adware.Sahat.ad
C:\WINDOWS\system32\hccaw4.exe Trojan-Spy.Win32.VB.eh
C:\WINDOWS\system32\htxvxd.exe Adware.Adstart.i
C:\WINDOWS\system32\htxvxf.exe Adware.Adstart.d
C:\WINDOWS\system32\InstallerV4.exe Adware.SafeSurfing.o
C:\WINDOWS\system32\ipxdtu.exe Trojan-Spy.Win32.VB.eh
C:\WINDOWS\system32\javrmf.exe Trojan-Spy.Win32.VB.eh
C:\WINDOWS\system32\kbdgqd.exe Adware.Adstart.i
C:\WINDOWS\system32\kbdgqf.exe Adware.Adstart.d
C:\WINDOWS\system32\lglkgk.exe Trojan-Downloader.Win32.Qoologic.ac
C:\WINDOWS\system32\mcapis.exe Trojan-Spy.Win32.VB.eh
C:\WINDOWS\system32\mouvid.exe Trojan-Spy.Win32.VB.eh
C:\WINDOWS\system32\mssrmo.exe Trojan-Spy.Win32.VB.eh
C:\WINDOWS\system32\nsd9E.dll Adware.ToolBar.HotSearchBar.i
C:\WINDOWS\system32\nsz2C.dll Adware.ToolBar.HotSearchBar.i
C:\WINDOWS\system32\offiav.exe Trojan-Spy.Win32.VB.eh
C:\WINDOWS\system32\papqa.dat Trojan-Downloader.Win32.Qoologic.ac
C:\WINDOWS\system32\qzehnsli.dll Adware.SafeSurfing.p
C:\WINDOWS\system32\shdng3.exe Trojan-Spy.Win32.VB.eh
C:\WINDOWS\system32\vychmf.exe Adware.Adstart.d
C:\WINDOWS\system32\wirelanb.dll Adware.SafeSurfing.q
C:\WINDOWS\system32\wuauclt.dll Trojan-Downloader.Win32.Qoologic.ae
C:\WINDOWS\system32\__delete_on_reboot__DrPMon.dll Trojan.Win32.Agent.ic
C:\WINDOWS\ttext.dll Adware.ToolBar.ImiBar.g
C:\WINDOWS\yikrsvc.exe Trojan-Dropper.Win32.Agent.mu


this is the uninstall list

Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
America's Army
AMX Mod X Installer 1.01
AOL Instant Messenger
a-squared Personal 1.6
Banctec Service Agreement
Civilization III - Gold Edition
CleanUp!
Command
Crazy Poker
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
Dell Support 5.0.0 (630)
Display Utility
ewido security suite
Fraps
GameSpy Arcade
GoldWave v5.10
Half-Life Primary Server 4.1.1.0
Half-Life: Counter-Strike
HijackThis 1.99.1
IE Host R3
IE Host R3
Intel® 537EP V9x DF PCI Modem
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
InternetOffers
J2SE Development Kit 5.0 Update 4
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment, SE v1.4.2_03
Kazaa 3.0
LANBridge
Learn2 Player (Uninstall Only)
LimeWire 4.9.4
LQfix 2.0
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia Shockwave Player
MechWarrior 4 Mercenaries
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
mIRC
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (1.0.6)
MSN Messenger 7.0
MSXP 1.0
Musicmatch® Jukebox
Need2Find Bar
OIN
Photo Click
Quick Links
QuickBooks Simple Start Special Edition
QuickTime
RealPlayer Basic
Related Sites Toolbar
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
SeeMePlayMe Client
snss
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.4
Steam
Sys98 1.0
Syscheck32 1.0
Sysnet
Talking Tony
The Best Offers
Tokuoitu
Trend Micro PC-cillin Internet Security 2005
TrojanHunter 4.2
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Viewpoint Media Player
Westwood Online
WindowBlinds
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Winhancer 1.0
WordPerfect Office 12
Yahoo! Messenger
Zeno Browser Enhancer removal

this is the hijackthis report
Logfile of HijackThis v1.99.1
Scan saved at 10:04:54 PM, on 10/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Erik\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogame.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: SDWin32 Class - {47AB2696-6A80-4364-8B23-73338799044E} - C:\WINDOWS\system32\guhhz.dll (file missing)
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Erik\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [mqmomqe] C:\WINDOWS\system32\bfyovok\mqmomqe.exe
O4 - HKLM\..\Run: [kquhgv] C:\WINDOWS\system32\ucrldd\kquhgv.exe
O4 - HKLM\..\Run: [xkvwhp] C:\WINDOWS\system32\jyrjrt\xkvwhp.exe
O4 - HKLM\..\Run: [win32086516126202] C:\WINDOWS\win32086516126202.exe
O4 - HKLM\..\Run: [TagASaurus] C:\Program Files\TagASaurus\TagASaurus
O4 - HKLM\..\Run: [isauszq] C:\WINDOWS\isauszq.exe
O4 - HKLM\..\Run: [isdfs] C:\WINDOWS\system32\trpdjq\isdfs.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [yykdmnu] C:\WINDOWS\system32\icby\yykdmnu.exe
O4 - HKLM\..\Run: [xfsrbpnm] C:\WINDOWS\system32\cgmgjkfs\xfsrbpnm.exe
O4 - HKLM\..\Run: [nnepnkex] C:\WINDOWS\system32\ugujgfl\nnepnkex.exe
O4 - HKLM\..\Run: [rvct] C:\WINDOWS\system32\mnijmtf\rvct.exe
O4 - HKLM\..\Run: [uatwgdtb] C:\WINDOWS\system32\dccnatd\uatwgdtb.exe
O4 - HKLM\..\Run: [hfvypoyd] C:\WINDOWS\system32\tlleil\hfvypoyd.exe
O4 - HKLM\..\Run: [rdjemw] C:\WINDOWS\system32\vsyhuuay\rdjemw.exe
O4 - HKLM\..\Run: [oiemdq] C:\WINDOWS\system32\vdcxvit\oiemdq.exe
O4 - HKLM\..\Run: [spmkocgy] C:\WINDOWS\system32\utgp\spmkocgy.exe
O4 - HKLM\..\Run: [hfdsbny] C:\WINDOWS\system32\xofkve\hfdsbny.exe
O4 - HKLM\..\Run: [dxdyaqrb] C:\WINDOWS\system32\bkxktp\dxdyaqrb.exe
O4 - HKLM\..\Run: [cdgvmgf] C:\WINDOWS\system32\rfcchceo\cdgvmgf.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [win32095161262026] C:\WINDOWS\win32095161262026.exe
O4 - HKLM\..\Run: [tftyrd] C:\WINDOWS\system32\upytecnk\tftyrd.exe
O4 - HKLM\..\Run: [lmhqqpf] C:\WINDOWS\system32\ytte\lmhqqpf.exe
O4 - HKLM\..\Run: [mfqgnvl] C:\WINDOWS\system32\sdwtrdmd\mfqgnvl.exe
O4 - HKLM\..\Run: [xdfnp] C:\WINDOWS\system32\yvesidin\xdfnp.exe
O4 - HKLM\..\Run: [fksw] C:\WINDOWS\system32\qheumcy\fksw.exe
O4 - HKLM\..\Run: [gjvvgsn] C:\WINDOWS\system32\eskbq\gjvvgsn.exe
O4 - HKLM\..\Run: [jqcs] C:\WINDOWS\system32\bcasbyj\jqcs.exe
O4 - HKLM\..\Run: [bkntau] C:\WINDOWS\system32\fdbre\bkntau.exe
O4 - HKLM\..\Run: [ihguxsn] C:\WINDOWS\system32\gpxkpvsu\ihguxsn.exe
O4 - HKLM\..\Run: [kqiaswjt] C:\WINDOWS\system32\puqb\kqiaswjt.exe
O4 - HKLM\..\Run: [pkfcg] C:\WINDOWS\system32\xwph\pkfcg.exe
O4 - HKLM\..\Run: [gkxvc] C:\WINDOWS\system32\ulmsbj\gkxvc.exe
O4 - HKLM\..\Run: [qbgmtep] C:\WINDOWS\system32\nhcrrbep\qbgmtep.exe
O4 - HKLM\..\Run: [lryg] C:\WINDOWS\system32\mdxmkn\lryg.exe
O4 - HKLM\..\Run: [seli] C:\WINDOWS\seli.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [xbjkopr] C:\WINDOWS\system32\fvoweuk\xbjkopr.exe
O4 - HKLM\..\Run: [hnhseoop] C:\WINDOWS\system32\hbhiubw\hnhseoop.exe
O4 - HKLM\..\Run: [moqkagdv] C:\WINDOWS\system32\nloabgdc\moqkagdv.exe
O4 - HKLM\..\Run: [pxkmbxj] C:\WINDOWS\system32\npncbfr\pxkmbxj.exe
O4 - HKLM\..\Run: [yyjdacfp] C:\WINDOWS\system32\fcsjvf\yyjdacfp.exe
O4 - HKLM\..\Run: [ooirxyc] C:\WINDOWS\system32\exottdg\ooirxyc.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Gzrbcu] C:\WINDOWS\system32\??ool32.exe
O4 - HKCU\..\Run: [System Support] syscfg.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [SysCheck32] C:\WINDOWS\SysCheckBop32.exe
O4 - HKCU\..\Run: [Sen] C:\Program Files\bama\tlii.exe
O4 - HKCU\..\Run: [Sys98] C:\WINDOWS\Sys98.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rsysuw2d.exe
O4 - Startup: Zstart.lnk = C:\Documents and Settings\Erik\Local Settings\Temp\zxinst12.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Crazy Poker - {8A8A3162-B5FA-4c54-A862-4E62CBE8A255} - C:\Program Files\crazyvegasMPP\MPPoker.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...aa6a2/enter.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...tall_bm1002.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/dlhelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...ner/WFXScan.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O20 - AppInit_DLLs: repairs.dll
O23 - Service: bkntaufdbre - Unknown owner - C:\WINDOWS\system32\fdbre\bkntau.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RXJpawAA\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: hfdsbnyxofkve - Unknown owner - C:\WINDOWS\system32\xofkve\hfdsbny.exe
O23 - Service: ihguxsngpxkpvsu - Unknown owner - C:\WINDOWS\system32\gpxkpvsu\ihguxsn.exe
O23 - Service: jqcsbcasbyj - Unknown owner - C:\WINDOWS\system32\bcasbyj\jqcs.exe
O23 - Service: mqmomqebfyovok - Unknown owner - C:\WINDOWS\system32\bfyovok\mqmomqe.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: spmkocgyutgp - Unknown owner - C:\WINDOWS\system32\utgp\spmkocgy.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: uatwgdtbdccnatd - Unknown owner - C:\WINDOWS\system32\dccnatd\uatwgdtb.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fkiwvoh.exe (file missing)
O23 - Service: xbjkoprfvoweuk - Unknown owner - C:\WINDOWS\system32\fvoweuk\xbjkopr.exe
O23 - Service: xfsrbpnmcgmgjkfs - Unknown owner - C:\WINDOWS\system32\cgmgjkfs\xfsrbpnm.exe
O23 - Service: xkvwhpjyrjrt - Unknown owner - C:\WINDOWS\system32\jyrjrt\xkvwhp.exe
O23 - Service: yykdmnuicby - Unknown owner - C:\WINDOWS\system32\icby\yykdmnu.exe
  • 0

#10
andydf

andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi krazygrenade

Did you have the a² scanner set to delete everything it finds? If not please run it again in safe mode and delete all it finds.
I would like you to setup adaware as follows and install the VX2cleaner.

Run Ad-Aware with the latest update.
  • Download the latest version of Ad-Aware (Ad-Aware SE Build 1.06r1) from here.
  • If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
  • After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
  • Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
  • Once the definitions have been updated:
  • Reconfigure Ad-Aware for Full Scan as per the following instructions:
    • Launch the program, and click on the Gear at the top of the start screen.
    • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • "Automatically save logfile"
      • Automatically quarantine objects prior to removal"
      • Safe Mode (always request confirmation)
      • Prompt to update outdated confirmation) - Change to 7 days.
    • Click the "Scanning" button (On the left side).
    • Under Drives & Folders, select "Scan within Archives"
    • Click "Click here to select Drives + folders" and select your installed hard drives.
    • Under Memory & Registry, select all options.
    • Click the "Advanced" button (On the left hand side).
    • Under "Shell Integration", select "Move deleted files to Recycle Bin".
    • Under "Log-file detail", select all options.
    • Click on the "Defaults" button on the left.
    • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
    • Click the "Tweak" button (Again, on the left hand side).
    • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
      • "Unload recognized processes during scanning."
      • "Obtain command line of scanned processes"
      • "Scan registry for all users instead of current user only"
    • Under "Cleaning Engine", select the following:
      • "Automatically try to unregister objects prior to deletion."
      • "During removal, unload explorer and IE if necessary"
      • "Let Windows remove files in use at next reboot."
      • "Delete quarrantined objects after restoring"
    • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
    • Click on "Proceed" to save these Preferences.
    • Click on the "Scan Now" button on the left.
    • Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
  • Close all programs except ad-aware.
  • Click on "Next" in the bottom right corner to start the scan.
  • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
  • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

Plug-Ins for Ad-Aware (VX2 Cleaner)


*Close Ad-Aware, if it is currently open.

* Download the VX2 Cleaner 2.0 Plug-in Here.

* After installing, restart Ad-Aware before running the VX2 Cleaner.

*Using VX2 Cleaner 2.0

*NOTE: If you have earlier attempted to run Ad-Aware to remove VX2, you may need to run the VX2 Cleaner several times to remove possible VX2 remains.

*If you have already attempted to remove VX2 with Ad-Aware, do the following:

* Before running the VX2 Cleaner, make sure other anti-virus or anti-spyware applications are closed.

* Run the VX2 Cleaner. If you computer is infected with VX2, a dialog box with text such as “New VX2 variant found” or “VX2 variant 1 found” will appear.

* Press "Clean" and a dialog box with text “The first phase completed. Please reboot and perform a Smart Scan" will appear. After saving your work, reboot your system manually.

* Repeat this until the VX2 Cleaner reports "System clean". Press "Close” to exit.

* Run Ad-Aware one more time and scan your computer to make sure VX2 has been found and removed.


  • Manually download Latest definition file: Here
  • Please Note Version SE Build 1.06 is now available! This download is for use with Ad-Aware SE versions only.
  • Manual Installation: Unzip the archive, replace the existing file and restart Ad-Aware\Ad-Watch.
  • You can also use the webupdate component implemented in Ad-Aware to install this update.

Please do an online virus scan with Panda ActiveScan Here. You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here.
If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :)

Andy :tazz:
  • 0

#11
andydf

andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP