
Pop Ups and More! [CLOSED]


This topic is locked

#1 npiatt (Member, 18 posts)
Hey, I've got a bunch of pop-ups flooding my screen every minute or so (well, just one at a time, but it adds up), and for some reason all the folders on my computer are set to read-only. And no, I cannot untick read-only in their properties; it keeps rechecking it for me when I look again.

Logfile of HijackThis v1.99.1
Scan saved at 9:18:22 PM, on 3/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Me\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blackwolf...r_newsflash.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128489076576
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\j24olch31f4.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I ran all the virus scans; Spybot finds new.net but can't get rid of it, and AVG comes up clean. I can't update TrojanHunter because it says it doesn't have access to move files during the update process (I think that has something to do with my computer being set to read-only?). If I forgot something, let me know. Thank you.

Nick

Also, when I'm in safe mode, Internet Explorer keeps reloading itself forever, causing my computer to run as slow as molasses.

Edited by npiatt, 29 March 2006 - 11:53 PM.



#2 Buckeye_Sam (Malware Expert, 10,019 posts)
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

Before we can get started on fixing your problem, you must change the location of HijackThis. It should not run directly from your desktop or a temp directory.
  • Download and run the HijackThis autoinstall program
  • Please choose the default location of C:\Program Files as the destination.
  • Run the program only from that location from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.
Once you have HijackThis running from this folder, please reboot and post a new HijackThis log as a reply in this thread.

#3 npiatt (Topic Starter, Member, 18 posts)
Logfile of HijackThis v1.99.1
Scan saved at 4:21:21 PM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blackwolf...r_newsflash.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128489076576
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\enpml1711.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

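The two logs above show the pattern the helpers in this thread are reading for: Internet Explorer search settings forced to about:blank, a start page on an unfamiliar host, and O20 Winlogon Notify entries whose DLL either sits outside system32 or carries a digit-salted name that changed between scans (j24olch31f4.dll in the first log became enpml1711.dll in the second, while the 1_32bean32_1.dll entry stayed put). The script below is an added example, not code from the thread or from HijackThis, that parses a log in this format and applies those three checks. The trusted start-page domains, the known-good Notify DLL set, the system32 path and the file-name heuristic are assumptions made for illustration, and the sample log is constructed from lines of the logs above.

```python
"""Triage a HijackThis 1.99.1 log the way a forum helper reads one.

Added example; not code from the thread or from HijackThis.  The trusted
start-page domains, the known-good Winlogon Notify DLLs, the system32 path
and the file-name heuristic are assumptions made for illustration.
"""
import re

# Constructed sample: hijack-relevant lines copied from the two logs above,
# plus one O4 and one O23 line that should pass without a finding.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blackwolf...r_newsflash.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\j24olch31f4.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\enpml1711.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")
TRUSTED_START_DOMAINS = ("microsoft.com", "msn.com")   # assumption
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}  # assumption: stock XP set
SYSTEM32 = r"c:\windows\system32"                     # assumption: %SystemRoot% = C:\WINDOWS


def parse_entries(text):
    """Yield (kind, body) for every 'Rn - ...' / 'On - ...' line in the log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def looks_generated(filename):
    """Assumed heuristic: a stem that switches between letter runs and digit
    runs at least twice (j24olch31f4) or carries four or more digits
    (enpml1711) reads as machine-generated; nvsvc32 or crypt32 do not."""
    stem = "".join(c for c in filename.rsplit(".", 1)[0] if c.isalnum())
    runs = re.findall(r"[0-9]+|[A-Za-z]+", stem)
    digits = sum(c.isdigit() for c in stem)
    return len(runs) - 1 >= 2 or digits >= 4


def check_browser_settings(kind, body):
    """R0/R1: a search URL forced to about:blank, or a start page off the
    trusted list, is what the helpers tell users to 'Fix checked'."""
    if kind not in ("R0", "R1"):
        return None
    key, _, value = body.partition(" = ")
    value = value.strip()
    if "Search" in key and value.lower() == "about:blank":
        return f"{kind} search setting forced to about:blank: {key}"
    if key.endswith("Start Page"):
        host = re.match(r"https?://([^/]+)", value)
        if not host or not host.group(1).lower().endswith(TRUSTED_START_DOMAINS):
            return f"{kind} start page on untrusted host: {value}"
    return None


def check_winlogon_notify(kind, body):
    """O20: a Winlogon Notify DLL is loaded by winlogon.exe at every logon,
    so one outside system32, or with a generated name, is a priority."""
    if kind != "O20" or not body.startswith("Winlogon Notify:"):
        return None
    subkey, _, dll = body[len("Winlogon Notify:"):].partition(" - ")
    subkey, dll = subkey.strip(), dll.strip()
    folder, _, name = dll.rpartition("\\")
    if name.lower() in KNOWN_NOTIFY_DLLS:
        return None
    reasons = []
    if folder.lower() != SYSTEM32:
        reasons.append("DLL outside system32")
    if looks_generated(name):
        reasons.append("machine-generated file name")
    if reasons:
        return f"O20 Winlogon Notify '{subkey}' -> {dll} ({'; '.join(reasons)})"
    return None


def triage(text):
    """Run every check over every entry and return the findings as strings."""
    findings = []
    for kind, body in parse_entries(text):
        for check in (check_browser_settings, check_winlogon_notify):
            hit = check(kind, body)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Dictionary-like DLL names with no digits pass the name heuristic, so the path check and the mere presence of an unexpected Notify entry carry more weight than the name test; treat the output as a worklist to verify by hand, not a verdict.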
#4 Buckeye_Sam (Malware Expert, 10,019 posts)
Please download Look2Me-Remover.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Remover.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Remover will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Remover.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX

#5 npiatt (Topic Starter, Member, 18 posts)
The link you gave was for a program called Look2Me-Destroyer, not Look2Me-Remover, but I'm assuming they are the same program. I ran Look2Me-Destroyer and it ran as described, but there is no new .txt file in my C:\ drive, which is my hard drive. However, there is a new file on my desktop called Look2Me-Destroyer.txt. This is what it says; hopefully it is the file you were asking for.


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/1/2006 9:16:03 PM

Infected! C:\WINDOWS\system32\q4860elsehq60.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0063891.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0065906.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0065964.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0065968.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP200\A0066004.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP200\A0066010.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP201\A0067007.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP201\A0067018.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067153.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067162.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067168.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067180.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067184.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067192.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067200.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067472.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067473.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067474.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067478.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067485.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP207\A0068485.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP207\A0068493.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP207\A0068497.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP208\A0068506.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP208\A0068510.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP208\A0068522.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP208\A0068526.dll
Infected! C:\WINDOWS\system32\dadskres.dll
Infected! C:\WINDOWS\system32\e8202ifmg82a2.dll
Infected! C:\WINDOWS\system32\fpju0319e.dll
Infected! C:\WINDOWS\system32\hrn8055ue.dll
Infected! C:\WINDOWS\system32\ijmp.dll
Infected! C:\WINDOWS\system32\kldgr1.dll
Infected! C:\WINDOWS\system32\kt04l7dq1.dll
Infected! C:\WINDOWS\system32\mar2cenu.dll
Infected! C:\WINDOWS\system32\mygsvc.dll
Infected! C:\WINDOWS\system32\piwrprof.dll
Infected! C:\WINDOWS\system32\q4860elsehq60.dll
Infected! C:\WINDOWS\system32\rppsnd.dll
Infected! C:\WINDOWS\system32\wad_ci.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\q4860elsehq60.dll
C:\WINDOWS\system32\q4860elsehq60.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0063891.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0063891.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0065906.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0065906.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0065964.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0065964.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0065968.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0065968.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP200\A0066004.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP200\A0066004.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP200\A0066010.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP200\A0066010.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP201\A0067007.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP201\A0067007.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP201\A0067018.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP201\A0067018.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067153.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067153.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067162.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067162.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067168.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067168.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067180.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067180.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067184.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067184.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067192.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067192.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067200.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067200.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067472.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067472.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067473.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067473.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067474.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067474.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067478.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067478.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067485.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP206\A0067485.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP207\A0068485.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP207\A0068485.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP207\A0068493.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP207\A0068493.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP207\A0068497.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP207\A0068497.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP208\A0068506.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP208\A0068506.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP208\A0068510.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP208\A0068510.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP208\A0068522.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP208\A0068522.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP208\A0068526.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP208\A0068526.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dadskres.dll
C:\WINDOWS\system32\dadskres.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\e8202ifmg82a2.dll
C:\WINDOWS\system32\e8202ifmg82a2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fpju0319e.dll
C:\WINDOWS\system32\fpju0319e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrn8055ue.dll
C:\WINDOWS\system32\hrn8055ue.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ijmp.dll
C:\WINDOWS\system32\ijmp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kldgr1.dll
C:\WINDOWS\system32\kldgr1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kt04l7dq1.dll
C:\WINDOWS\system32\kt04l7dq1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mar2cenu.dll
C:\WINDOWS\system32\mar2cenu.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mygsvc.dll
C:\WINDOWS\system32\mygsvc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\piwrprof.dll
C:\WINDOWS\system32\piwrprof.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\q4860elsehq60.dll
C:\WINDOWS\system32\q4860elsehq60.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rppsnd.dll
C:\WINDOWS\system32\rppsnd.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wad_ci.dll
C:\WINDOWS\system32\wad_ci.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3D12845D-B397-4641-9CE6-2E5C21907365}"
HKCR\Clsid\{3D12845D-B397-4641-9CE6-2E5C21907365}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9C797EDE-99E7-4D15-8A5C-D68DAE42C7DF}"
HKCR\Clsid\{9C797EDE-99E7-4D15-8A5C-D68DAE42C7DF}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{600A6558-CFB4-4F5B-B35D-D3796EC43407}"
HKCR\Clsid\{600A6558-CFB4-4F5B-B35D-D3796EC43407}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4C5516D1-0006-44B5-BCB4-9C9F08C770C1}"
HKCR\Clsid\{4C5516D1-0006-44B5-BCB4-9C9F08C770C1}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5D8368CB-D41A-4965-8B3E-29E89A741FA5}"
HKCR\Clsid\{5D8368CB-D41A-4965-8B3E-29E89A741FA5}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CE37E0DE-8419-4682-9CEE-9548B223410A}"
HKCR\Clsid\{CE37E0DE-8419-4682-9CEE-9548B223410A}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

And now my new HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 9:39:17 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blackwolf...r_newsflash.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128489076576
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

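The Look2Me-Destroyer report above is worth checking rather than just reading: most of the "Infected!" paths are copies inside System Restore snapshots (RP199 through RP208) rather than live files in system32, q4860elsehq60.dll is listed and "deleted" twice, and the report also records the Winlogon Notify subkey and the shell-extension CLSIDs it removed. The script below is an added example, not part of the thread or of Look2Me-Destroyer, that pairs every detection with its "Deleted successfully!" confirmation, separates live files from restore-point copies, and counts repeats. Its input is a constructed, abridged version of the report above in which the confirmation line for wad_ci.dll is deliberately omitted, so that the unconfirmed-deletion path is exercised.

```python
"""Cross-check a Look2Me-Destroyer report.

Added example; not code from the thread or from the Look2Me-Destroyer tool.
The input below is a constructed, abridged version of the report above with
one 'Deleted successfully!' line (for wad_ci.dll) deliberately left out.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
Look2Me-Destroyer V1.0.12

Scanning for infected files.....

Infected! C:\WINDOWS\system32\q4860elsehq60.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0063891.dll
Infected! C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067153.dll
Infected! C:\WINDOWS\system32\dadskres.dll
Infected! C:\WINDOWS\system32\q4860elsehq60.dll
Infected! C:\WINDOWS\system32\wad_ci.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\q4860elsehq60.dll
C:\WINDOWS\system32\q4860elsehq60.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0063891.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP199\A0063891.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067153.dll
C:\System Volume Information\_restore{775AA5AF-CBFE-44BE-8F03-557FAF86D8B8}\RP204\A0067153.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dadskres.dll
C:\WINDOWS\system32\dadskres.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wad_ci.dll

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex
"""

# A path inside a System Restore snapshot: ...\_restore{GUID}\RP<n>\A<digits>.dll
RESTORE_RE = re.compile(r"\\_restore\{[^}]+\}\\(RP\d+)\\", re.IGNORECASE)


def parse_report(text):
    """Return (infected paths in order, set of paths confirmed deleted,
    registry keys the tool says it removed)."""
    infected, deleted, removed_keys = [], set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Infected! "):
            infected.append(line[len("Infected! "):])
        elif line.endswith(" Deleted successfully!"):
            deleted.add(line[:-len(" Deleted successfully!")])
        elif line.startswith("Removing: "):
            removed_keys.append(line[len("Removing: "):])
    return infected, deleted, removed_keys


def summarize(text):
    """Pair detections with confirmations and split live files from snapshot copies."""
    infected, deleted, removed_keys = parse_report(text)
    unique = list(dict.fromkeys(infected))        # drop repeated detections, keep order
    live, snapshots = [], defaultdict(list)
    for path in unique:
        m = RESTORE_RE.search(path)
        if m:
            snapshots[m.group(1).upper()].append(path)
        else:
            live.append(path)
    return {
        "live_files": live,
        "restore_points": dict(snapshots),
        "repeated_detections": len(infected) - len(unique),
        "not_confirmed_deleted": [p for p in unique if p not in deleted],
        "registry_keys_removed": removed_keys,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(f"live files: {len(summary['live_files'])}, "
          f"restore points holding copies: {sorted(summary['restore_points'])}")
    print("repeated detections:", summary["repeated_detections"])
    for path in summary["not_confirmed_deleted"]:
        print("NOT confirmed deleted:", path)
    for key in summary["registry_keys_removed"]:
        print("registry key removed:", key)
```

Copies sitting in restore points are the reason helpers have users flush System Restore once a machine is clean: a later rollback to RP199 or RP204 would put those DLLs straight back.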
#6 Buckeye_Sam (Malware Expert, 10,019 posts)
I'm suspicious of a file that shows up in your log. Let's see what we can find out.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
  • Disable your firewall if you are using one.
  • Click on the submit button
  • Re-enable your firewall as soon as you get results.
  • Please post the results in your next reply.


#7 npiatt (Topic Starter, Member, 18 posts)
I went to the link, and tried to upload the file, but it would not upload. I tried to disable my firewall, but when I clicked on Windows Firewall in the Control Panel folder, I got the following message.

Due to an unidentified problem, Windows cannot display Windows Firewall settings.

I checked the path, and I do not have a folder called Documents in my All Users folder. I then tried searching my computer for the file 1_32bean32_1.dll, but it could not find it.

#8 Buckeye_Sam (Malware Expert, 10,019 posts)
It may be there, but just hidden. Even more reason for me to suspect that it's malicious.

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your desktop) and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll



Now let's see if it's really there or not.
Open notepad and copy and paste this text in it:

cd\
cd C:\Documents and Settings\All Users\Documents
REM recursive listing, oldest first; hidden and system files are not shown without /a
DIR /s /o:d > log.txt
start log.txt
cls
exit

Save this as find.bat, choose to save it as *All Files, and place it on your desktop.
Double-click on find.bat. A log will open up. Please copy the text and paste it here in your next reply.

Also post a new hijackthis log.

Edited by Buckeye_Sam, 02 April 2006 - 08:34 PM.


#9 npiatt (Topic Starter, Member, 18 posts)
Volume in drive C has no label.
Volume Serial Number is D0F2-3BC9

Directory of C:\Documents and Settings\All Users\Documents

09/10/2005 03:06 PM <DIR> My Pictures
09/19/2005 12:30 PM <DIR> AppVerifierLogs
09/26/2005 09:08 PM <DIR> My Videos
10/03/2005 08:54 PM <DIR> My Music
11/25/2005 12:21 PM <DIR> AOL Downloads
04/02/2006 07:58 PM 0 log.txt
04/02/2006 07:58 PM <DIR> ..
04/02/2006 07:58 PM <DIR> .
1 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Documents\AOL Downloads

11/25/2005 12:21 PM <DIR> ..
11/25/2005 12:21 PM <DIR> .
0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Documents\AppVerifierLogs

09/19/2005 12:30 PM <DIR> ..
09/19/2005 12:30 PM <DIR> .
09/19/2005 12:30 PM 0 session.log
1 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Documents\My Music

08/23/2001 05:00 AM 3,492,199 music.wma
08/23/2001 05:00 AM 18,488 music.bmp
09/10/2005 03:07 PM <DIR> Sample Music
09/26/2005 09:07 PM <DIR> My Playlists
09/26/2005 09:07 PM <DIR> Sample Playlists
09/26/2005 09:07 PM <DIR> Sync Playlists
10/03/2005 08:54 PM <DIR> ..
10/03/2005 08:54 PM <DIR> .
2 File(s) 3,510,687 bytes

Directory of C:\Documents and Settings\All Users\Documents\My Music\My Playlists

09/26/2005 09:07 PM 1,858 Final Fantasy XI.wpl
09/26/2005 09:07 PM <DIR> ..
09/26/2005 09:07 PM <DIR> .
11/14/2005 04:57 PM 2,337 Music.wpl
2 File(s) 4,195 bytes

Directory of C:\Documents and Settings\All Users\Documents\My Music\Sample Music

08/23/2001 05:00 AM 613,638 Beethoven's Symphony No. 9 (Scherzo).wma
08/23/2001 05:00 AM 760,748 New Stories (Highway Blues).wma
09/10/2005 03:07 PM <DIR> ..
09/10/2005 03:07 PM <DIR> .
2 File(s) 1,374,386 bytes

Directory of C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists

09/26/2005 09:07 PM <DIR> 0C3B730F
09/26/2005 09:07 PM <DIR> ..
09/26/2005 09:07 PM <DIR> .
0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0C3B730F

09/22/2004 06:45 PM 1,250 Favorites -- 4 and 5 star rated.wpl
09/22/2004 06:45 PM 787 High bitrate media in my library.wpl
09/22/2004 06:45 PM 775 Music tracks I dislike.wpl
09/22/2004 06:45 PM 789 Low bitrate media in my library.wpl
09/22/2004 06:45 PM 783 Music tracks I have not rated.wpl
09/22/2004 06:45 PM 1,451 Favorites -- One Data CD-R worth.wpl
09/22/2004 06:45 PM 733 Music tracks with content protection.wpl
09/22/2004 06:46 PM 1,448 Favorites -- One Audio CD worth.wpl
09/22/2004 06:46 PM 1,477 Favorites -- Listen to on Weekends.wpl
09/22/2004 06:46 PM 1,049 Favorites -- Have not heard recently.wpl
09/22/2004 06:46 PM 1,474 Favorites -- Listen to late at night.wpl
09/22/2004 06:46 PM 1,477 Favorites -- Listen to on Weekdays.wpl
09/22/2004 06:46 PM 1,036 Fresh tracks -- yet to be rated.wpl
09/22/2004 06:46 PM 1,046 Fresh tracks -- yet to be played.wpl
09/22/2004 06:46 PM 784 Fresh tracks.wpl
09/26/2005 09:07 PM <DIR> .
09/26/2005 09:07 PM <DIR> ..
15 File(s) 16,359 bytes

Directory of C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists

09/26/2005 09:07 PM <DIR> 0C3B732F
09/26/2005 09:07 PM <DIR> ..
09/26/2005 09:07 PM <DIR> .
0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\0C3B732F

09/22/2004 06:46 PM 795 01_Music_auto_rated_at_5_stars.wpl
09/22/2004 06:46 PM 802 02_Music_added_in_the_last_month.wpl
09/22/2004 06:46 PM 1,033 09_Music_played_the_most.wpl
09/22/2004 06:46 PM 785 06_Pictures_rated_4_or_5_stars.wpl
09/22/2004 06:46 PM 790 03_Music_rated_at_4_or_5_stars.wpl
09/22/2004 06:46 PM 807 04_Music_played_in_the_last_month.wpl
09/22/2004 06:46 PM 797 05_Pictures_taken_in_the_last_month.wpl
09/22/2004 06:46 PM 782 08_Video_rated_at_4_or_5_stars.wpl
09/22/2004 06:46 PM 794 07_TV_recorded_in_the_last_week.wpl
09/22/2004 06:46 PM 648 10_All_Music.wpl
09/22/2004 06:46 PM 654 11_All_Pictures.wpl
09/22/2004 06:46 PM 908 12_All_Video.wpl
09/26/2005 09:07 PM <DIR> .
09/26/2005 09:07 PM <DIR> ..
12 File(s) 9,595 bytes

Directory of C:\Documents and Settings\All Users\Documents\My Pictures

09/10/2005 03:06 PM <DIR> ..
09/10/2005 03:06 PM <DIR> .
01/31/2006 07:53 PM <DIR> Sample Pictures
0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures

08/23/2001 05:00 AM 83,794 Water lilies.jpg
08/23/2001 05:00 AM 28,521 Blue hills.jpg
08/23/2001 05:00 AM 71,189 Sunset.jpg
08/23/2001 05:00 AM 105,542 Winter.jpg
01/31/2006 07:53 PM <DIR> ..
01/31/2006 07:53 PM <DIR> .
4 File(s) 289,046 bytes

Directory of C:\Documents and Settings\All Users\Documents\My Videos

09/26/2005 09:08 PM <DIR> ..
09/26/2005 09:08 PM <DIR> .
0 File(s) 0 bytes

Total Files Listed:
39 File(s) 5,204,268 bytes
38 Dir(s) 5,879,607,296 bytes free




Logfile of HijackThis v1.99.1
Scan saved at 8:00:04 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blackwolf...r_newsflash.htm
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128489076576
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


And yes, I did check and try to fix

O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll

But it did not go away, not even in safe mode.
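The check Buckeye_Sam asked for in the previous post, done programmatically, as an added example that is not code from the thread, from HijackThis or from find.bat: it parses the persistence lines of a HijackThis log (O4 Run entries, O20 Winlogon Notify entries, O23 services), parses the `dir /s` output from find.bat into a set of directories and files, and reports for each entry whether the file is on disk (or whether the listing did not cover that directory at all). It also flags an O20 entry whose DLL is registered from outside %SystemRoot%, since the other Notify packages in the WinPFind log are bare names such as crypt32.dll resolved from system32. The log and listing excerpts below are constructed from the ones posted above; the `extract_path` heuristic and all function names are my own.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpts of the two artefacts posted in this thread: four lines of the
# HijackThis log and a few lines of the `dir /s /o:d` output that find.bat produced.
HJT_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O20 - Winlogon Notify: 1_32bean32_1reg - C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

DIR_LISTING = r"""
 Volume in drive C has no label.
 Directory of C:\Documents and Settings\All Users\Documents

09/10/2005 03:06 PM <DIR> My Pictures
11/25/2005 12:21 PM <DIR> AOL Downloads
04/02/2006 07:58 PM 0 log.txt
04/02/2006 07:58 PM <DIR> ..
04/02/2006 07:58 PM <DIR> .
1 File(s) 0 bytes

 Directory of C:\Documents and Settings\All Users\Documents\AOL Downloads

11/25/2005 12:21 PM <DIR> ..
11/25/2005 12:21 PM <DIR> .
0 File(s) 0 bytes
"""

SYSTEM_ROOT = r"c:\windows"          # assumed %SystemRoot% for this machine
EXE_EXT = (".exe", ".dll", ".ocx", ".sys")

# One `dir` entry: date, time, am/pm, then either <DIR> or a byte count, then the name.
DIR_LINE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
HJT_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
HJT_O23 = re.compile(r"^O23 - Service: (.+?) \(([^)]+)\) - (.+?) - (.+)$")


def parse_dir_listing(text: str) -> Tuple[Set[str], Set[str]]:
    """Turn `dir /s` output into (directories, files) as lower-cased full paths."""
    dirs, files = set(), set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Directory of "):
            current = line[len("Directory of "):].lower()
            dirs.add(current)
            continue
        m = DIR_LINE.match(line)
        if not m or current is None:
            continue
        kind, name = m.group(1), m.group(2).lower()
        if kind == "<DIR>":
            if name not in (".", ".."):
                dirs.add(current + "\\" + name)
        else:
            files.add(current + "\\" + name)
    return dirs, files


def extract_path(command: str) -> str:
    """Heuristic: the program path of a Run/Service command line, arguments dropped."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    parts = []
    for tok in command.split():          # unquoted paths may contain spaces
        parts.append(tok)
        if tok.lower().endswith(EXE_EXT):
            break
    return " ".join(parts)


def parse_hjt(text: str) -> List[Dict]:
    """Extract (section, name, path) from the persistence lines of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        if m := HJT_O20.match(line):
            entries.append({"section": "O20", "name": m.group(1), "path": m.group(2).strip()})
        elif m := HJT_O4.match(line):
            entries.append({"section": "O4", "name": m.group(2), "path": extract_path(m.group(3))})
        elif m := HJT_O23.match(line):
            entries.append({"section": "O23", "name": m.group(2), "path": extract_path(m.group(4))})
    return entries


def path_on_disk(path: str, dirs: Set[str], files: Set[str]) -> Optional[bool]:
    """True/False when some listed directory covers the path, None when the listing never looked there."""
    p = path.lower()
    if not any(p.startswith(d + "\\") for d in dirs):
        return None
    return p in files or p in dirs


def winlogon_notify_suspicious(path: str) -> bool:
    """A Notify DLL given as a bare name resolves from system32; a full path outside %SystemRoot% stands out."""
    p = path.lower()
    if "\\" not in p:
        return False
    return not p.startswith(SYSTEM_ROOT + "\\")


def cross_check(hjt_text: str, listing_text: str) -> List[Dict]:
    """Annotate every parsed HijackThis entry with 'exists' and 'suspicious'."""
    dirs, files = parse_dir_listing(listing_text)
    report = []
    for entry in parse_hjt(hjt_text):
        entry["exists"] = path_on_disk(entry["path"], dirs, files)
        entry["suspicious"] = entry["section"] == "O20" and winlogon_notify_suspicious(entry["path"])
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in cross_check(HJT_LOG, DIR_LISTING):
        print(f"{e['section']:<4} {e['name']:<20} exists={e['exists']!s:<5} suspicious={e['suspicious']}  {e['path']}")
```

Run against the excerpts, the O20 entry comes back `exists=False`: the listing walked `All Users\Documents` and found no `Settings` folder, so the registry still points at a DLL that is no longer on disk, which matches what the batch log above showed. Entries under `C:\Program Files` come back `None` because find.bat never listed that tree, and a `None` should be read as "not checked", never as "clean".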

#10 Buckeye_Sam (Malware Expert, 10,019 posts)
Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* If you have trouble getting into Safe Mode, go here for more info.


Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

#11 npiatt (Member, Topic Starter, 18 posts)
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINDOWS\hosts

UPX! 3/28/2006 5:27:02 PM 24296 C:\WINDOWS\icont.exe.tcf
UPX! 3/28/2006 4:09:16 AM 69120 C:\WINDOWS\kl1.exe
UPX! 3/28/2006 4:09:02 AM 7049 C:\WINDOWS\sc.exe
FSG! 3/28/2006 4:10:14 AM 11920 C:\WINDOWS\tool3.exe

Checking %System% folder...
UPX! 5/25/2005 7:41:00 PM 36864 C:\WINDOWS\SYSTEM32\azesearch4.ocx.tcf
aspack 3/18/2005 6:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
aspack 5/26/2005 4:34:52 PM 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
PEC2 8/23/2001 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 8/9/2005 3:14:00 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 8/9/2005 3:14:00 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
UPX! 3/28/2006 4:08:10 AM 10240 C:\WINDOWS\SYSTEM32\iasada.dll.tcf
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
WinShutDown 3/28/2006 1:19:12 PM 234272 C:\WINDOWS\SYSTEM32\lv8809lue.dll.tcf
ad-w-a-r-e.com 3/28/2006 1:19:12 PM 234272 C:\WINDOWS\SYSTEM32\lv8809lue.dll.tcf
PECompact2 3/9/2006 5:21:10 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/9/2006 5:21:10 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 12:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 3/28/2006 4:09:12 AM 51070 C:\WINDOWS\SYSTEM32\parad.raw.exe
WinShutDown 3/28/2006 4:09:52 AM 234272 C:\WINDOWS\SYSTEM32\pxdgen.dll.tcf
ad-w-a-r-e.com 3/28/2006 4:09:52 AM 234272 C:\WINDOWS\SYSTEM32\pxdgen.dll.tcf
Umonitor 8/4/2004 12:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
FSG! 3/28/2006 4:10:14 AM 11920 C:\WINDOWS\SYSTEM32\shellbn.exe
UPX! 3/28/2006 4:09:12 AM 51070 C:\WINDOWS\SYSTEM32\taskdir.exe
WinShutDown 3/28/2006 4:24:10 AM 234272 C:\WINDOWS\SYSTEM32\ulrlbva.dll.tcf
ad-w-a-r-e.com 3/28/2006 4:24:10 AM 234272 C:\WINDOWS\SYSTEM32\ulrlbva.dll.tcf
winsync 8/23/2001 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 2/7/2006 9:10:26 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 2/7/2006 9:10:26 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 2/7/2006 9:10:26 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 2/7/2006 9:10:26 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
4/3/2006 8:58:28 PM S 2048 C:\WINDOWS\bootstat.dat
4/3/2006 8:58:20 PM H 8192 C:\WINDOWS\system32\config\default.LOG
4/3/2006 8:58:46 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
4/3/2006 8:58:30 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
4/3/2006 8:59:18 PM H 65536 C:\WINDOWS\system32\config\software.LOG
4/3/2006 8:58:34 PM H 1036288 C:\WINDOWS\system32\config\system.LOG
3/28/2006 9:42:44 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
3/28/2006 5:12:04 PM S 21761 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
3/28/2006 5:12:02 PM S 408 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
3/28/2006 5:12:04 PM S 120 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
3/28/2006 5:12:02 PM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
4/3/2006 8:56:56 PM H 6 C:\WINDOWS\Tasks\SA.DAT
3/28/2006 4:24:12 AM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
3/30/2006 9:29:08 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
3/30/2006 9:29:08 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0DQR05Q7\desktop.ini
3/31/2006 12:01:16 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\18WBTDST\desktop.ini
4/1/2006 12:17:32 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\2RAJMTQZ\desktop.ini
3/31/2006 12:01:18 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4JZN2S5X\desktop.ini
3/31/2006 12:13:40 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8PMFS5AB\desktop.ini
3/31/2006 12:01:16 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CDGXY34L\desktop.ini
3/31/2006 12:13:40 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GDQRC1YN\desktop.ini
4/1/2006 12:17:32 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GP6741Q7\desktop.ini
3/31/2006 12:13:40 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GPYVKD2R\desktop.ini
3/30/2006 9:29:08 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IB9VHQ5Z\desktop.ini
3/30/2006 9:29:08 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K6IKE5EK\desktop.ini
3/31/2006 12:01:18 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\MLG72TQ1\desktop.ini
4/1/2006 12:17:32 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\O16VWH6V\desktop.ini
4/1/2006 12:17:32 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OTUB49YN\desktop.ini
3/30/2006 9:29:08 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\QR5KB1CP\desktop.ini
3/31/2006 12:13:40 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WLY7852N\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 10/29/2004 5:50:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 11/25/2005 12:22:34 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
NVIDIA Corporation 12/4/2002 9:22:20 PM R 73728 C:\WINDOWS\SYSTEM32\sscpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/10/2005 3:08:52 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/1/2002 2:22:40 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
9/10/2005 3:08:52 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
1/1/2002 2:22:40 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
= C:\WINDOWS\system32\dmonwv.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
Anti-Blaxx Manager C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
WinPatrol C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
Adobe Photo Downloader "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
C-Media Mixer Mixer.exe /startup
THGuard "C:\Program Files\TrojanHunter 4.5\THGuard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
hqudo C:\WINDOWS\system32\ldjkny.exe reg_run

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
iPodService 3
IDriverT 3
AOL TopSpeedMonitor 2
AOL ACS 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOL Spyware Protection
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLSP Scheduler
hkey HKLM
command "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLSP Scheduler
hkey HKLM
command "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOLDialer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLDial
hkey HKLM
command C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLDial
hkey HKLM
command C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HostManager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLHostManager
hkey HKLM
command C:\Program Files\Common Files\AOL\1132946470\EE\AOLHostManager.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLHostManager
hkey HKLM
command C:\Program Files\Common Files\AOL\1132946470\EE\AOLHostManager.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nForce Tray Options
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sstray
hkey HKLM
command sstray.exe /r
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sstray
hkey HKLM
command sstray.exe /r
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 2
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\Userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\1_32bean32_1reg
= C:\Documents and Settings\All Users\Documents\Settings\1_32bean32_1.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 4/3/2006 9:09:48 PM

#12 Buckeye_Sam (Malware Expert, 10,019 posts)
Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as fix.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\1_32bean32_1reg]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hqudo"=-

Now locate and double-click fix.reg, and allow it to merge into the Registry!


===========


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\ldjkny.exe
    C:\WINDOWS\SYSTEM32\azesearch4.ocx.tcf
    C:\WINDOWS\SYSTEM32\iasada.dll.tcf
    C:\WINDOWS\SYSTEM32\lv8809lue.dll.tcf
    C:\WINDOWS\SYSTEM32\parad.raw.exe
    C:\WINDOWS\SYSTEM32\pxdgen.dll.tcf
    C:\WINDOWS\SYSTEM32\shellbn.exe
    C:\WINDOWS\SYSTEM32\taskdir.exe
    C:\WINDOWS\SYSTEM32\ulrlbva.dll.tcf
    C:\WINDOWS\icont.exe.tcf
    C:\WINDOWS\kl1.exe
    C:\WINDOWS\sc.exe
    C:\WINDOWS\tool3.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



===========


Please download FindQool by LonnyRJones
  • Extract the files and place the FindQool folder in the root of the drive, usually C:\
  • Open the folder and run Qlocate.bat.
  • Post the contents of the txt.log which will open.
===============

Download F-Secure Blacklight(blbeta.exe) to your C:\ drive.
  • Open a command window. (Start>Run and type: cmd)
  • Copy/paste or type the following in the command window:

    C:\blbeta.exe /expert

  • Accept the user agreement.
  • Click Scan.
  • After the scan finishes, click on Next, then Exit.
BlackLight will create a log in your C:\ drive with the name "fsbl-xxxxxxx.log". Please post that log also.

#13
npiatt

    Member

  • Topic Starter
  • Member
  • 18 posts
Report =

Tue 04/04/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
Files found with locate com.

C:\WINDOWS\SYSTEM32\QAXNY.DAT
C:\WINDOWS\JXPRE.DLL
C:\WINDOWS\UNWN.EXE
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
...

HKEY_LOCAL_MACHINE\software\qstat
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\webnexus
HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}
[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\shellex csdl above here if present}]

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe
userinit REG_SZ C:\WINDOWS\system32\Userinit.exe,
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 3/26/2006



fsbl =

04/04/06 18:15:28 [Info]: BlackLight Engine 1.0.35 initialized
04/04/06 18:15:28 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/04/06 18:15:28 [Note]: 7019 4
04/04/06 18:15:28 [Note]: 7005 0
04/04/06 18:15:44 [Note]: 7006 0
04/04/06 18:15:44 [Note]: 7011 1492
04/04/06 18:15:44 [Note]: 7026 0
04/04/06 18:15:44 [Note]: 7026 0
04/04/06 18:15:44 [Note]: FSRAW library version 1.7.1015
04/04/06 18:17:23 [Note]: 7007 0

#14
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as fix2.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\qstat]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\webnexus]

[-HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}]

[-HKEY_CLASSES_ROOT\CLSID\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}]

Now locate and double-click fix2.reg -> allow it to merge into the Registry!



Use Killbox as you did before to delete these files.

C:\WINDOWS\SYSTEM32\QAXNY.DAT
C:\WINDOWS\JXPRE.DLL
C:\WINDOWS\UNWN.EXE



Please post a new log from FindQool.
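Both fix.reg and fix2.reg above use REGEDIT4 syntax, where a bracketed key preceded by "-" deletes that key and "name"=- deletes a single value. As an added example that is not part of this thread or of any tool it mentions, the Python script below previews what such a file will do before it is merged; its sample input copies the keys from the thread's two fixes and adds one constructed set-value line to show how anything outside the expected cleanup locations gets flagged for review against the FindQool output.

```python
import re

# Sample .reg text: keys copied from the thread's fix.reg/fix2.reg, plus a
# constructed "example" value (not from the thread) to exercise the flagging.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\1_32bean32_1reg]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hqudo"=-
"example"="C:\demo.exe"

[-HKEY_CLASSES_ROOT\CLSID\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}]
"""

KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')
# Registry areas where deletions are expected in this kind of cleanup.
AUTOSTART_HINTS = ('\\winlogon\\', '\\currentversion\\run', '\\shellex\\',
                   '\\uninstall\\', 'hkey_classes_root\\clsid\\')


def parse_reg(text):
    """Return (op, key, name) tuples; op is delete_key, delete_value or set_value."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != 'REGEDIT4':
        raise ValueError('expected a REGEDIT4 header on line 1')
    ops, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            current = None if minus else key  # values after [-KEY] are invalid
            if minus:
                ops.append(('delete_key', key, None))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1).strip('"'), m.group(2)
            ops.append(('delete_value' if data == '-' else 'set_value', current, name))
            continue
        raise ValueError('cannot interpret line: %r' % line)
    return ops


def unexpected_ops(ops):
    """Ops that write a value, or delete outside the usual cleanup areas."""
    return [(op, key, name) for op, key, name in ops
            if op == 'set_value' or not any(h in key.lower() for h in AUTOSTART_HINTS)]
```

Run parse_reg on the text of the .reg file and review unexpected_ops before double-clicking it; an empty list means every change is a deletion in one of the expected autostart locations.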

#15
npiatt

    Member

  • Topic Starter
  • Member
  • 18 posts
Thu 04/06/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
Files found with locate com.

Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
...

[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\shellex csdl above here if present}]

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe
userinit REG_SZ C:\WINDOWS\system32\Userinit.exe,
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 3/26/2006