Please do the following:
Now run this online scan using Internet Explorer:
Kaspersky WebScanner from http://www.kaspersky.com/virusscanner
Next Click on
Launch Kaspersky Anti-Virus Web Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click
Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information from Kapersky in your next post.
Disable Spyware Doctor: Please disable
Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:
Click the Spyware Doctor icon in the System Tray.
Click Settings.
Click Startup Settings under Pick a Category.
Uncheck Run at Windows startup.
Click Apply and Exit Spyware Doctor
Once your log is clean you can re-enable Spyware Doctor.
Disable Ewido: Please disable
Ewido, as it may interfere with the fix.
To disable Ewido:
From the system tray:
Right-click the system tray icon and uncheck real time protection. or From within Ewido -
Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.
Once your log is clean you can re-enable Ewido.
Please set your system to show all files;
please see here if you're unsure how to do this.
Close all programs leaving only HijackThis running. Place a check against each of the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = O4 - HKCU\..\Run:[Rous] "C:\DOCUME~1\Yen\MYDOCU~1\FNTS~1\services.exe" -vt yazr O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/069acb579c50eb3e1705/netzip/RdxIE601.cab O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\fpjm0311e.dll O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\dmgest.dll (file missing) O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\WWVu\command.exe (file missing) Click on Fix Checked when finished and exit HijackThis.
Reboot into Safe Mode: please
see here if you are not sure how to do this.
Some of these files may not exist.
Using Windows Explorer, locate the following files/folders, and delete them:
C:\Documents and Settings\Yen\My Documents\FNTS~1\services.exe C:\WINDOWS\system32\fpjm0311e.dll C:\WINDOWS\system32\dmgest.dll C:\WINDOWS\WWVu\command.exe
Exit Explorer, and reboot as normal afterwards.
Post back a fresh HijackThis log and we will take another look.
==================================================================
Logfile of HijackThis v1.99.1
Scan saved at 11:27:39 AM, on 25/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
KASPERSKY ON-LINE SCANNER REPORT
Saturday, March 25, 2006 11:10:25 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 25/03/2006
Kaspersky Anti-Virus database records: 172805
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 46257
Number of viruses found 3
Number of infected objects 13
Number of suspicious objects 0
Duration of the scan process 01:16:23
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\Veracruz[1].exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\Veracruz[1].exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\Veracruz[1].exe NSIS: infected - 2 skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\VH01Q07T\WinFrgn[1].exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\VH01Q07T\WinFrgn[1].exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP82\A0029376.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP82\A0029376.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP83\A0029437.exe Infected: Trojan-Downloader.Win32.VB.na skipped
C:\Veracruz.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Veracruz.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Veracruz.exe NSIS: infected - 2 skipped
C:\WinFrgn.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WinFrgn.exe NSIS: infected - 1 skipped
Scan process completed.
The first time I ran HJT (directly after running Kaspersky and disabling ewido & spydoctor), I couldnt find the following files to fix:
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\fpjm0311e.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\dmgest.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\WWVu\command.exe (file missing)
Also, regarding the ones I was meant to delete in Windows Explorer whilst in safemode, I couldn't find any of them to delete (I know you said I some might not exist, but I just wanted to let you know).
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE:If you would like to keep your saved passwords, please click No at the prompt.
Click
Exit on the Main menu to close the program.
For
Technical Support, double-click the e-mail address located at the bottom of each menu.
==========
STEP 2.
======
Look2Me
You may receive pop-up asking if you will allow script to run when you perform the following instructions. Please allow the script to run.
Save the file to your desktop and double click
l2mfix.exe. Click the
Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click
l2mfix.bat and select option #
1 for
Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
If you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.
Okay I did all you told me to and here the report!
L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
cmdlin~1.dll Sat 11 Mar 2006 19:39:26 A.... 43,520 42.50 K
crbcatex.dll Sat 25 Mar 2006 18:38:06 ..S.R 235,864 230.34 K
gdi32.dll Thu 29 Dec 2005 3:54:36 A.... 280,064 273.50 K
h44m0e~1.dll Sat 25 Mar 2006 11:23:08 ..S.R 235,864 230.34 K
legitc~1.dll Tue 14 Feb 2006 9:20:14 ..... 550,120 537.23 K
msvcp71.dll Thu 23 Mar 2006 10:13:44 A.... 499,712 488.00 K
msvcr71.dll Thu 23 Mar 2006 10:13:44 A.... 348,160 340.00 K
o066la~1.dll Sat 25 Mar 2006 18:38:06 ..S.R 234,078 228.59 K
p4p60e~1.dll Sat 25 Mar 2006 8:56:42 ..S.R 236,538 230.99 K
rnbdyctl.dll Sat 25 Mar 2006 8:56:42 ..S.R 235,864 230.34 K
sirenacm.dll Tue 24 Jan 2006 1:34:24 A.... 118,784 116.00 K
spmsg.dll Mon 13 Feb 2006 19:03:38 ..... 8,632 8.43 K
webclnt.dll Wed 4 Jan 2006 4:35:06 A.... 68,096 66.50 K
13 items found: 13 files (5 H/S), 0 directories.
Total of file sizes: 3,095,296 bytes 2.95 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 60BC-599B
P.S When I tried to post this reply it came up with this message: "Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied."
I'm not sure exactly what was changed, but let me know if this isn't okay.
Don’t worry about the following message—I get it on Dell all the time.
"Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied."
Close any programs you have open since this step requires a reboot.
From the
l2mfix folder on your desktop, double click
l2mfix.bat and select option
#2 for
Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.
Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so! DO NOT run in safe mode!!
Note : Once the pc has restarted if a log does not appear or the icons didn't dissappear, run the "second.bat" located inside the L2mfix folder.
After the fix portion is done. Please run the option to restore the winlogon defaults (menu option 4) as most of the notify key is missing. After you do that post an option 1 log again.
Here is the log from l2mfix (when I ran option 2):
L2mfix 032106
Creating Account.
The account already exists.
More help is available by typing NET HELPMSG 2224.
Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1088 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1248 'winlogon.exe'
Killing PID 1248 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1072 'explorer.exe'
Killing PID 1072 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 448 'rundll32.exe'
Killing PID 1520 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1088 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1244 'winlogon.exe'
Killing PID 1244 'winlogon.exe'
Killing PID 1244 'winlogon.exe'
Killing PID 1244 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1900 'rundll32.exe'
Killing PID 1900 'rundll32.exe'
Killing PID 1900 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
File not found - C:\WINDOWS\system32\en46l1hs1.dll
File not found - C:\WINDOWS\system32\k8620ijoe8oc0.dll
File not found - C:\WINDOWS\system32\mfxlegih.dll
File not found - C:\WINDOWS\system32\p4p60e7seh.dll
File not found - C:\WINDOWS\system32\p6p6lg7s16.dll
File not found - C:\WINDOWS\system32\rnbdyctl.dll
The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
Deleting: C:\WINDOWS\system32\en46l1hs1.dll
Successfully Deleted: C:\WINDOWS\system32\en46l1hs1.dll
Deleting: C:\WINDOWS\system32\k8620ijoe8oc0.dll
Successfully Deleted: C:\WINDOWS\system32\k8620ijoe8oc0.dll
Deleting: C:\WINDOWS\system32\mfxlegih.dll
Successfully Deleted: C:\WINDOWS\system32\mfxlegih.dll
Deleting: C:\WINDOWS\system32\p4p60e7seh.dll
Successfully Deleted: C:\WINDOWS\system32\p4p60e7seh.dll
Deleting: C:\WINDOWS\system32\p6p6lg7s16.dll
Successfully Deleted: C:\WINDOWS\system32\p6p6lg7s16.dll
Deleting: C:\WINDOWS\system32\rnbdyctl.dll
Successfully Deleted: C:\WINDOWS\system32\rnbdyctl.dll
msg11?.dll
0 file(s) copied.
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\en46l1hs1.dll
C:\WINDOWS\system32\k8620ijoe8oc0.dll
C:\WINDOWS\system32\mfxlegih.dll
C:\WINDOWS\system32\p4p60e7seh.dll
C:\WINDOWS\system32\p6p6lg7s16.dll
C:\WINDOWS\system32\rnbdyctl.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
Okay after that I ran Option 4 in l2mfix (batch file) - I wasn't sure if that was what you meant, but I guessed? And it came up with this:
The user name could not be found.
More help is available by typing NET HELPMSG 2221.
The system cannot find the file specified.
Checking for L2MFix account(0=no 1=yes):
0
Okay and THEN i ran option 1 and here is the report:
L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{E3575A69-CBCB-42D4-89F1-49CF96A26654}"="Samsung Screen Manager"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
cmdlin~1.dll Sat 11 Mar 2006 20:39:26 A.... 43,520 42.50 K
gdi32.dll Thu 29 Dec 2005 4:54:36 A.... 280,064 273.50 K
legitc~1.dll Tue 14 Feb 2006 10:20:14 ..... 550,120 537.23 K
msvcp71.dll Thu 23 Mar 2006 11:13:44 A.... 499,712 488.00 K
msvcr71.dll Thu 23 Mar 2006 11:13:44 A.... 348,160 340.00 K
sirenacm.dll Tue 24 Jan 2006 2:34:24 A.... 118,784 116.00 K
spmsg.dll Mon 13 Feb 2006 20:03:38 ..... 8,632 8.43 K
webclnt.dll Wed 4 Jan 2006 5:35:06 A.... 68,096 66.50 K
8 items found: 8 files, 0 directories.
Total of file sizes: 1,917,088 bytes 1.83 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 60BC-599B
Logfile of HijackThis v1.99.1
Scan saved at 8:45:03 PM, on 26/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Please do the following:
==========
Step 1
==========
Disable Spyware Doctor: Please disable
Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:
Click the Spyware Doctor icon in the System Tray.
Click Settings.
Click Startup Settings under Pick a Category.
Uncheck Run at Windows startup.
Click Apply and Exit Spyware Doctor
Once your log is clean you can re-enable Spyware Doctor.
Disable Ewido: Please disable
Ewido, as it may interfere with the fix.
To disable Ewido:
From the system tray:
Right-click the system tray icon and uncheck real time protection. or From within Ewido -
Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.
Once your log is clean you can re-enable Ewido.
Please set your system to show all files;
please see here if you're unsure how to do this.
Close all programs leaving only HijackThis running. Place a check against each of the following:
O4 - HKCU\..\Run: C:\Documents and Settings\Yen\My Documents\?ystem32\w?wexec.exe O4 - HKCU\..\Run: "C:\DOCUME~1\Yen\MYDOCU~1\FNTS~1\services.exe" -vt yazr O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\p6p6lg7s16.dll (file missing) Click on Fix Checked when finished and exit HijackThis.
==========
Step 2
==========
Delete Files with Killbox
Download Pocket Killbox from http://www.downloads.subratam.org/KillBox.zip and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the
red circle with a large white X in it
- Highlight the files in bold
RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
C:\Veracruz.exe/data0002/data0006 C:\Veracruz.exe/data0002 C:\Veracruz.exe C:\WinFrgn.exe/data0002 C:\WinFrgn.exe
In Killbox click on the
File menu and then the
Paste from Clipboard item
in the
Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
(Please note that the tool checks your computer for the presence of the files pasted into the box so if files are not present, it is possible that you might not see all files you pasted into the box.) Click the option to
Delete on Reboot - If not greyed out click the checkbox for
Unregister .dll Before Deleting - click
End Explorer Shell while Killing File - Now click on the
red button with a white 'X' in the middle to delete the files
- Click
Yes when it says all files will be deleted on the next reboot
- Click
Yes when it asks if you want to reboot now
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)
Note: Killbox will let you know if a file does not exist. If that happens, just continue on.
If you have any issues with this method you can copy and paste the lines
one at a time into the killbox top box. Then click the "
Single File" button. Then click the Red
X ...and for the confirmation message that will appear, you will need to click
Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.
==========
Step 2
==========
Reboot into Safe Mode: please
see here if you are not sure how to do this.
Using Windows Explorer, locate the following files/folders, and delete them:
Let me explain about these file which need to be deleted here.
I cannot tell you what the ? is. So you need to match all the letters here in the file name and to find the file to be deleted since I cannot tell you what character you will see for the ?. If you have any questions about this—please post back what file names you find first.
C:\Documents and Settings\Yen\My Documents\?ystem32\w?wexec.exe
The following file is in a folder which starts with FNTS C:\Documents and Settings\Yen\My Documents\FNTS~1\services.exe==file
Exit Explorer, and reboot as normal afterwards.
Please run Kapersky again and post the results.
Post back a fresh HijackThis log and we will take another look.
=================================================
Unfortunately (when in safe mode) I couldn't find this file to delete:
The following file is in a folder which starts with FNTS
C:\Documents and Settings\Yen\My Documents\FNTS~1\services.exe==file
- there was no folder starting with FNTS (sorry!)
Here are the results from the Kaspersky scan:
KASPERSKY ON-LINE SCANNER REPORT
Monday, March 27, 2006 6:08:14 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 27/03/2006
Kaspersky Anti-Virus database records: 173159
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 46751
Number of viruses found 5
Number of infected objects 22
Number of suspicious objects 0
Duration of the scan process 00:51:36
Infected Object Name Virus Name Last Action
C:\!KillBox\Veracruz.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\!KillBox\Veracruz.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\!KillBox\Veracruz.exe NSIS: infected - 2 skipped
C:\!KillBox\WinFrgn.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\!KillBox\WinFrgn.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Yen\Local Settings\Temp\Temporary Internet Files\Content.IE5\GQXV5LOB\!update-3595[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.bw skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\7X4SIRVL\!update-3595[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.bw skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\!update-3620[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.w skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\Veracruz[1].exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\Veracruz[1].exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\Veracruz[1].exe NSIS: infected - 2 skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\VH01Q07T\WinFrgn[1].exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\VH01Q07T\WinFrgn[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Yen\My Documents\Fоnts\services.exe Infected: Trojan-Downloader.Win32.PurityScan.w skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP82\A0029376.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP82\A0029376.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP83\A0029437.exe Infected: Trojan-Downloader.Win32.VB.na skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP87\A0034015.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP87\A0034015.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP87\A0034015.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP87\A0034016.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP87\A0034016.exe NSIS: infected - 1 skipped
Scan process completed.
And here is my hew HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:09:28 PM, on 27/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Glad that it is running better. Let's get a clean Kapersky log though.
Show Hidden Files Please
show all files for your system.
You will need to reverse this process when all steps are done.
Delete Files and Folders Please delete the following files/folders:
C:\
!KillBox\<==folder
If you have any problem deleting these items, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE:If you would like to keep your saved passwords, please click No at the prompt.
Click
Exit on the Main menu to close the program.
For
Technical Support, double-click the e-mail address located at the bottom of each menu.
To delete the files in the Temporary Internet Files folder, follow these steps:.
. Quit Internet Explorer and quit any instances of Windows Explorer.
. Click Start, click Control Panel and then double-click Internet Options
. On the General tab, click Delete Files under Temporary Internet Files.
. In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
. Click OK.
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Yen\Local Settings\Temp\{133D7035-8F79-463B-8A34-50CDCD3DD867}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe Click on Fix Checked when finished and exit HijackThis.
Reboot
Please run Kapersky and post another hijackthis log.
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, March 28, 2006 12:17:59 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 27/03/2006
Kaspersky Anti-Virus database records: 173204
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 42880
Number of viruses found 2
Number of infected objects 2
Number of suspicious objects 0
Duration of the scan process 01:08:42
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Yen\Local Settings\Temp\Temporary Internet Files\Content.IE5\GQXV5LOB\!update-3595[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.bw skipped
C:\Documents and Settings\Yen\My Documents\Fоnts\services.exe Infected: Trojan-Downloader.Win32.PurityScan.w skipped
Scan process completed.
And here is my new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:19:57 AM, on 28/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Also I have tiny problem I was wondering you could help me out with (in addition to all the help you've given me already). I seem to still have the program Sophos anti-virus on my computer even though I deleted it through my control panel about a week ago. I tried to install it previously and it wouldn't install properly; it kept on stuffing up. So basically I want to get rid of it once and for all but it still seems to be on my computer. Thanks!
Let’s try to finish cleaning up this Kapersky log. Repeat the steps above for cleaning files off with the ATF Cleaner and the deletion of Temporary Internet Files folders. For some reason, doing these steps don’t always work.
Show Hidden Files Please
show all files for your system.
You will need to reverse this process when all steps are done.
Now I want you to find the files and delete them. Maybe this one will have been deleted with the above but let’s make sure.
Start => Search => All Files and Folders =>
GQXV5LOB for file name
Then try to locate the file within GQXV5LOB and delete it if it still exists.
C:\Documents and Settings\Yen\Local Settings\Temp\Temporary Internet Files\Content.IE5\GQXV5LOB\!update-3595[1].0000 <==file
Delete Files and Folders Please delete the following files/folders:
C:\Documents and Settings\Yen\My Documents\Fоnts\>
services.exe <==file
If you have any problem deleting these items, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.
Be sure the recycle bin is empty and reboot.
Please run Kapersky again and post the log. Meanwhile I will try to find information on Sophos.
ALgal
1.2K Posts
0
March 25th, 2006 00:00
Please do the following:
Now run this online scan using Internet Explorer:
Kaspersky WebScanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Anti-Virus Web Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Copy and paste that information from Kapersky in your next post.
Disable Spyware Doctor:
Please disable Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:
Once your log is clean you can re-enable Spyware Doctor.
Disable Ewido:
Please disable Ewido, as it may interfere with the fix.
To disable Ewido:
From the system tray:
or From within Ewido -
Once your log is clean you can re-enable Ewido.
Please set your system to show all files; please see here if you're unsure how to do this.
Close all programs leaving only HijackThis running. Place a check against each of the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKCU\..\Run:[Rous] "C:\DOCUME~1\Yen\MYDOCU~1\FNTS~1\services.exe" -vt yazr
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/069acb579c50eb3e1705/netzip/RdxIE601.cab
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\fpjm0311e.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\dmgest.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\WWVu\command.exe (file missing)
Click on Fix Checked when finished and exit HijackThis.
Reboot into Safe Mode: please see here if you are not sure how to do this.
Some of these files may not exist.
Using Windows Explorer, locate the following files/folders, and delete them:
C:\Documents and Settings\Yen\My Documents\FNTS~1\services.exe
C:\WINDOWS\system32\fpjm0311e.dll
C:\WINDOWS\system32\dmgest.dll
C:\WINDOWS\WWVu\command.exe
Exit Explorer, and reboot as normal afterwards.
Post back a fresh HijackThis log and we will take another look.
==================================================================
yenmls
11 Posts
0
March 25th, 2006 08:00
Here is my new hijackthis logfile:
Logfile of HijackThis v1.99.1
Scan saved at 11:27:39 AM, on 25/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Yen\My Documents\?ystem32\w?wexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.monash.edu.au/proxy.pac
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SENS Keyboard V4 Launcher] "C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Oyvo] C:\Documents and Settings\Yen\My Documents\?ystem32\w?wexec.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Yen\Local Settings\Temp\{133D7035-8F79-463B-8A34-50CDCD3DD867}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\ktlul7391.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
And here are the results from the kaspersky scan:
KASPERSKY ON-LINE SCANNER REPORT
Saturday, March 25, 2006 11:10:25 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 25/03/2006
Kaspersky Anti-Virus database records: 172805
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 46257
Number of viruses found 3
Number of infected objects 13
Number of suspicious objects 0
Duration of the scan process 01:16:23
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\Veracruz[1].exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\Veracruz[1].exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\Veracruz[1].exe NSIS: infected - 2 skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\VH01Q07T\WinFrgn[1].exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\VH01Q07T\WinFrgn[1].exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP82\A0029376.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP82\A0029376.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP83\A0029437.exe Infected: Trojan-Downloader.Win32.VB.na skipped
C:\Veracruz.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Veracruz.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Veracruz.exe NSIS: infected - 2 skipped
C:\WinFrgn.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WinFrgn.exe NSIS: infected - 1 skipped
Scan process completed.
The first time I ran HJT (directly after running Kaspersky and disabling ewido & spydoctor), I couldnt find the following files to fix:
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\fpjm0311e.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\dmgest.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\WWVu\command.exe (file missing)
Also, regarding the ones I was meant to delete in Windows Explorer whilst in safemode, I couldn't find any of them to delete (I know you said I some might not exist, but I just wanted to let you know).
Thanks!
ALgal
1.2K Posts
0
March 25th, 2006 11:00
It's looking better. Please do the following:
STEP 1.
======
ATF Cleaner
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
If you use Firefox browser
If you use Opera browser
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==========
STEP 2.
======
Look2Me
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
You may receive pop-up asking if you will allow script to run when you perform the following instructions. Please allow the script to run.
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option # 1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
If you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.
yenmls
11 Posts
0
March 25th, 2006 16:00
L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h44m0eh1eh4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{10B93F37-560B-1ABB-842A-4375836B17AE}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{E3575A69-CBCB-42D4-89F1-49CF96A26654}"="Samsung Screen Manager"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{BE8E986B-75A7-47E9-8768-325085EBA4EE}"=""
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{94ECF7F0-E838-42A6-B2A0-F5330B933786}"=""
"{427A571D-9586-4FA7-A937-097786EB56A4}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{279A8594-D63D-45F2-A9EF-27F3B519FC6E}"=""
"{A37F8296-FD50-4AFB-9AB1-FC6BE5BD027F}"=""
"{6F1BF568-E38C-4A25-BD6F-8180B4318C11}"=""
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{BE8E986B-75A7-47E9-8768-325085EBA4EE}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{BE8E986B-75A7-47E9-8768-325085EBA4EE}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{BE8E986B-75A7-47E9-8768-325085EBA4EE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{BE8E986B-75A7-47E9-8768-325085EBA4EE}\InprocServer32]
@="C:\\WINDOWS\\system32\\marclr40.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{94ECF7F0-E838-42A6-B2A0-F5330B933786}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{94ECF7F0-E838-42A6-B2A0-F5330B933786}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{94ECF7F0-E838-42A6-B2A0-F5330B933786}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{94ECF7F0-E838-42A6-B2A0-F5330B933786}\InprocServer32]
@="C:\\WINDOWS\\system32\\dmgest.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{427A571D-9586-4FA7-A937-097786EB56A4}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{427A571D-9586-4FA7-A937-097786EB56A4}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{427A571D-9586-4FA7-A937-097786EB56A4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{427A571D-9586-4FA7-A937-097786EB56A4}\InprocServer32]
@="C:\\WINDOWS\\system32\\ejent97.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{279A8594-D63D-45F2-A9EF-27F3B519FC6E}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{279A8594-D63D-45F2-A9EF-27F3B519FC6E}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{279A8594-D63D-45F2-A9EF-27F3B519FC6E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{279A8594-D63D-45F2-A9EF-27F3B519FC6E}\InprocServer32]
@="C:\\WINDOWS\\system32\\wfsdmod.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{A37F8296-FD50-4AFB-9AB1-FC6BE5BD027F}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A37F8296-FD50-4AFB-9AB1-FC6BE5BD027F}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A37F8296-FD50-4AFB-9AB1-FC6BE5BD027F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A37F8296-FD50-4AFB-9AB1-FC6BE5BD027F}\InprocServer32]
@="C:\\WINDOWS\\system32\\crbcatex.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{6F1BF568-E38C-4A25-BD6F-8180B4318C11}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6F1BF568-E38C-4A25-BD6F-8180B4318C11}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6F1BF568-E38C-4A25-BD6F-8180B4318C11}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6F1BF568-E38C-4A25-BD6F-8180B4318C11}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
cmdlin~1.dll Sat 11 Mar 2006 19:39:26 A.... 43,520 42.50 K
crbcatex.dll Sat 25 Mar 2006 18:38:06 ..S.R 235,864 230.34 K
gdi32.dll Thu 29 Dec 2005 3:54:36 A.... 280,064 273.50 K
h44m0e~1.dll Sat 25 Mar 2006 11:23:08 ..S.R 235,864 230.34 K
legitc~1.dll Tue 14 Feb 2006 9:20:14 ..... 550,120 537.23 K
msvcp71.dll Thu 23 Mar 2006 10:13:44 A.... 499,712 488.00 K
msvcr71.dll Thu 23 Mar 2006 10:13:44 A.... 348,160 340.00 K
o066la~1.dll Sat 25 Mar 2006 18:38:06 ..S.R 234,078 228.59 K
p4p60e~1.dll Sat 25 Mar 2006 8:56:42 ..S.R 236,538 230.99 K
rnbdyctl.dll Sat 25 Mar 2006 8:56:42 ..S.R 235,864 230.34 K
sirenacm.dll Tue 24 Jan 2006 1:34:24 A.... 118,784 116.00 K
spmsg.dll Mon 13 Feb 2006 19:03:38 ..... 8,632 8.43 K
webclnt.dll Wed 4 Jan 2006 4:35:06 A.... 68,096 66.50 K
13 items found: 13 files (5 H/S), 0 directories.
Total of file sizes: 3,095,296 bytes 2.95 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 60BC-599B
Directory of C:\WINDOWS\System32
25/03/2006 06:52 PM..
25/03/2006 06:52 PM.
25/03/2006 06:38 PM 235,864 crbcatex.dll
25/03/2006 06:38 PM 234,078 o066lajs1do6.dll
25/03/2006 11:23 AM 235,864 h44m0eh1eh4.dll
25/03/2006 08:56 AM 235,864 rnbdyctl.dll
25/03/2006 08:56 AM 236,538 p4p60e7seh.dll
23/03/2006 06:34 PMdllcache
24/08/2004 11:35 PMMicrosoft
5 File(s) 1,178,208 bytes
4 Dir(s) 15,001,473,024 bytes free
Thanks!
Yen
P.S When I tried to post this reply it came up with this message: "Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied."
I'm not sure exactly what was changed, but let me know if this isn't okay.
ALgal
1.2K Posts
0
March 26th, 2006 00:00
Don’t worry about the following message—I get it on Dell all the time.
"Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied."
Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so! DO NOT run in safe mode!!
Note : Once the pc has restarted if a log does not appear or the icons didn't dissappear, run the "second.bat" located inside the L2mfix folder.
After the fix portion is done. Please run the option to restore the winlogon defaults (menu option 4) as most of the notify key is missing. After you do that post an option 1 log again.
Message Edited by ALgal on 03-25-2006 08:39 PM
yenmls
11 Posts
0
March 26th, 2006 17:00
Here is the log from l2mfix (when I ran option 2):
L2mfix 032106
Creating Account.
The account already exists.
More help is available by typing NET HELPMSG 2224.
Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1088 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1248 'winlogon.exe'
Killing PID 1248 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1072 'explorer.exe'
Killing PID 1072 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 448 'rundll32.exe'
Killing PID 1520 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\en46l1hs1.dll
Successfully Deleted: C:\WINDOWS\system32\en46l1hs1.dll
Deleting: C:\WINDOWS\system32\k8620ijoe8oc0.dll
Successfully Deleted: C:\WINDOWS\system32\k8620ijoe8oc0.dll
Deleting: C:\WINDOWS\system32\mfxlegih.dll
Successfully Deleted: C:\WINDOWS\system32\mfxlegih.dll
Deleting: C:\WINDOWS\system32\p4p60e7seh.dll
Successfully Deleted: C:\WINDOWS\system32\p4p60e7seh.dll
Deleting: C:\WINDOWS\system32\p6p6lg7s16.dll
Successfully Deleted: C:\WINDOWS\system32\p6p6lg7s16.dll
Deleting: C:\WINDOWS\system32\rnbdyctl.dll
Successfully Deleted: C:\WINDOWS\system32\rnbdyctl.dll
msg11?.dll
0 file(s) copied.
Restoring Windows Update Certificates.:
Running From:
C:\WINDOWS\system32
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1088 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1244 'winlogon.exe'
Killing PID 1244 'winlogon.exe'
Killing PID 1244 'winlogon.exe'
Killing PID 1244 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1900 'rundll32.exe'
Killing PID 1900 'rundll32.exe'
Killing PID 1900 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
File not found - C:\WINDOWS\system32\en46l1hs1.dll
File not found - C:\WINDOWS\system32\k8620ijoe8oc0.dll
File not found - C:\WINDOWS\system32\mfxlegih.dll
File not found - C:\WINDOWS\system32\p4p60e7seh.dll
File not found - C:\WINDOWS\system32\p6p6lg7s16.dll
File not found - C:\WINDOWS\system32\rnbdyctl.dll
The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
Deleting: C:\WINDOWS\system32\en46l1hs1.dll
Successfully Deleted: C:\WINDOWS\system32\en46l1hs1.dll
Deleting: C:\WINDOWS\system32\k8620ijoe8oc0.dll
Successfully Deleted: C:\WINDOWS\system32\k8620ijoe8oc0.dll
Deleting: C:\WINDOWS\system32\mfxlegih.dll
Successfully Deleted: C:\WINDOWS\system32\mfxlegih.dll
Deleting: C:\WINDOWS\system32\p4p60e7seh.dll
Successfully Deleted: C:\WINDOWS\system32\p4p60e7seh.dll
Deleting: C:\WINDOWS\system32\p6p6lg7s16.dll
Successfully Deleted: C:\WINDOWS\system32\p6p6lg7s16.dll
Deleting: C:\WINDOWS\system32\rnbdyctl.dll
Successfully Deleted: C:\WINDOWS\system32\rnbdyctl.dll
msg11?.dll
0 file(s) copied.
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\p6p6lg7s16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\en46l1hs1.dll
C:\WINDOWS\system32\k8620ijoe8oc0.dll
C:\WINDOWS\system32\mfxlegih.dll
C:\WINDOWS\system32\p4p60e7seh.dll
C:\WINDOWS\system32\p6p6lg7s16.dll
C:\WINDOWS\system32\rnbdyctl.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{BE8E986B-75A7-47E9-8768-325085EBA4EE}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{BE8E986B-75A7-47E9-8768-325085EBA4EE}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{BE8E986B-75A7-47E9-8768-325085EBA4EE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{BE8E986B-75A7-47E9-8768-325085EBA4EE}\InprocServer32]
@="C:\\WINDOWS\\system32\\marclr40.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{94ECF7F0-E838-42A6-B2A0-F5330B933786}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{94ECF7F0-E838-42A6-B2A0-F5330B933786}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{94ECF7F0-E838-42A6-B2A0-F5330B933786}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{94ECF7F0-E838-42A6-B2A0-F5330B933786}\InprocServer32]
@="C:\\WINDOWS\\system32\\dmgest.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{427A571D-9586-4FA7-A937-097786EB56A4}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{427A571D-9586-4FA7-A937-097786EB56A4}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{427A571D-9586-4FA7-A937-097786EB56A4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{427A571D-9586-4FA7-A937-097786EB56A4}\InprocServer32]
@="C:\\WINDOWS\\system32\\ejent97.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{279A8594-D63D-45F2-A9EF-27F3B519FC6E}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{279A8594-D63D-45F2-A9EF-27F3B519FC6E}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{279A8594-D63D-45F2-A9EF-27F3B519FC6E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{279A8594-D63D-45F2-A9EF-27F3B519FC6E}\InprocServer32]
@="C:\\WINDOWS\\system32\\wfsdmod.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{A37F8296-FD50-4AFB-9AB1-FC6BE5BD027F}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A37F8296-FD50-4AFB-9AB1-FC6BE5BD027F}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A37F8296-FD50-4AFB-9AB1-FC6BE5BD027F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A37F8296-FD50-4AFB-9AB1-FC6BE5BD027F}\InprocServer32]
@="C:\\WINDOWS\\system32\\mfxlegih.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{6F1BF568-E38C-4A25-BD6F-8180B4318C11}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6F1BF568-E38C-4A25-BD6F-8180B4318C11}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6F1BF568-E38C-4A25-BD6F-8180B4318C11}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{6F1BF568-E38C-4A25-BD6F-8180B4318C11}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/en46l1hs1.dll (164 bytes security) (deflated 4%)
adding: dlls/k8620ijoe8oc0.dll (164 bytes security) (deflated 5%)
adding: dlls/mfxlegih.dll (164 bytes security) (deflated 5%)
adding: dlls/p4p60e7seh.dll (164 bytes security) (deflated 5%)
adding: dlls/p6p6lg7s16.dll (164 bytes security) (deflated 5%)
adding: dlls/rnbdyctl.dll (164 bytes security) (deflated 5%)
adding: backregs/279A8594-D63D-45F2-A9EF-27F3B519FC6E.reg (188 bytes security) (deflated 70%)
adding: backregs/427A571D-9586-4FA7-A937-097786EB56A4.reg (188 bytes security) (deflated 70%)
adding: backregs/6F1BF568-E38C-4A25-BD6F-8180B4318C11.reg (188 bytes security) (deflated 70%)
adding: backregs/94ECF7F0-E838-42A6-B2A0-F5330B933786.reg (188 bytes security) (deflated 70%)
adding: backregs/A37F8296-FD50-4AFB-9AB1-FC6BE5BD027F.reg (188 bytes security) (deflated 70%)
adding: backregs/BE8E986B-75A7-47E9-8768-325085EBA4EE.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)
Okay it told me my message was too long so I've split it into two... look below for what unfolded next ...
yenmls
11 Posts
0
March 26th, 2006 17:00
The user name could not be found.
More help is available by typing NET HELPMSG 2221.
The system cannot find the file specified.
Checking for L2MFix account(0=no 1=yes):
0
Okay and THEN i ran option 1 and here is the report:
L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\p6p6lg7s16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{E3575A69-CBCB-42D4-89F1-49CF96A26654}"="Samsung Screen Manager"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
cmdlin~1.dll Sat 11 Mar 2006 20:39:26 A.... 43,520 42.50 K
gdi32.dll Thu 29 Dec 2005 4:54:36 A.... 280,064 273.50 K
legitc~1.dll Tue 14 Feb 2006 10:20:14 ..... 550,120 537.23 K
msvcp71.dll Thu 23 Mar 2006 11:13:44 A.... 499,712 488.00 K
msvcr71.dll Thu 23 Mar 2006 11:13:44 A.... 348,160 340.00 K
sirenacm.dll Tue 24 Jan 2006 2:34:24 A.... 118,784 116.00 K
spmsg.dll Mon 13 Feb 2006 20:03:38 ..... 8,632 8.43 K
webclnt.dll Wed 4 Jan 2006 5:35:06 A.... 68,096 66.50 K
8 items found: 8 files, 0 directories.
Total of file sizes: 1,917,088 bytes 1.83 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 60BC-599B
Directory of C:\WINDOWS\System32
26/03/2006 08:45 PM..
26/03/2006 08:45 PM.
23/03/2006 07:34 PMdllcache
25/08/2004 12:35 AMMicrosoft
0 File(s) 0 bytes
4 Dir(s) 14,953,611,264 bytes free
Whew!
Hope this helps!
Thanks very much,
Yen
yenmls
11 Posts
0
March 26th, 2006 17:00
And here is my HJT log after that:
Logfile of HijackThis v1.99.1
Scan saved at 8:45:03 PM, on 26/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Yen\My Documents\?ystem32\w?wexec.exe
C:\DOCUME~1\Yen\MYDOCU~1\FNTS~1\services.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.monash.edu.au/proxy.pac
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SENS Keyboard V4 Launcher] "C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Oyvo] C:\Documents and Settings\Yen\My Documents\?ystem32\w?wexec.exe
O4 - HKCU\..\Run: [Rous] "C:\DOCUME~1\Yen\MYDOCU~1\FNTS~1\services.exe" -vt yazr
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Yen\Local Settings\Temp\{133D7035-8F79-463B-8A34-50CDCD3DD867}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\p6p6lg7s16.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
BLAH and again, look to the next message!
Thanks heaps!
ALgal
1.2K Posts
0
March 27th, 2006 11:00
Please do the following:
==========
Step 1
==========
Disable Spyware Doctor:
Please disable Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:
Once your log is clean you can re-enable Spyware Doctor.
Disable Ewido:
Please disable Ewido, as it may interfere with the fix.
To disable Ewido:
From the system tray:
or From within Ewido -
Once your log is clean you can re-enable Ewido.
Please set your system to show all files; please see here if you're unsure how to do this.
Close all programs leaving only HijackThis running. Place a check against each of the following:
O4 - HKCU\..\Run: C:\Documents and Settings\Yen\My Documents\?ystem32\w?wexec.exe
O4 - HKCU\..\Run: "C:\DOCUME~1\Yen\MYDOCU~1\FNTS~1\services.exe" -vt yazr
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\p6p6lg7s16.dll (file missing)
Click on Fix Checked when finished and exit HijackThis.
==========
Step 2
==========
Delete Files with Killbox
Download Pocket Killbox from http://www.downloads.subratam.org/KillBox.zip and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the red circle with a large white X in it
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
C:\Veracruz.exe/data0002/data0006
C:\Veracruz.exe/data0002
C:\Veracruz.exe
C:\WinFrgn.exe/data0002
C:\WinFrgn.exe
In Killbox click on the File menu and then the Paste from Clipboard item
in the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
(Please note that the tool checks your computer for the presence of the files pasted into the box so if files are not present, it is possible that you might not see all files you pasted into the box.)
Click the option to Delete on Reboot
- If not greyed out click the checkbox for Unregister .dll Before Deleting
- click End Explorer Shell while Killing File
- Now click on the red button with a white 'X' in the middle to delete the files
- Click Yes when it says all files will be deleted on the next reboot
- Click Yes when it asks if you want to reboot now
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)
Note: Killbox will let you know if a file does not exist. If that happens, just continue on.
If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the " Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.
==========
Step 2
==========
Reboot into Safe Mode: please see here if you are not sure how to do this.
Using Windows Explorer, locate the following files/folders, and delete them:
Let me explain about these file which need to be deleted here.
I cannot tell you what the ? is. So you need to match all the letters here in the file name and to find the file to be deleted since I cannot tell you what character you will see for the ?. If you have any questions about this—please post back what file names you find first.
C:\Documents and Settings\Yen\My Documents\?ystem32\w?wexec.exe
The following file is in a folder which starts with FNTS
C:\Documents and Settings\Yen\My Documents\FNTS~1\services.exe==file
Exit Explorer, and reboot as normal afterwards.
Please run Kapersky again and post the results.
Post back a fresh HijackThis log and we will take another look.
=================================================
yenmls
11 Posts
0
March 27th, 2006 14:00
Unfortunately (when in safe mode) I couldn't find this file to delete:
The following file is in a folder which starts with FNTS
C:\Documents and Settings\Yen\My Documents\FNTS~1\services.exe==file
- there was no folder starting with FNTS (sorry!)
Here are the results from the Kaspersky scan:
KASPERSKY ON-LINE SCANNER REPORT
Monday, March 27, 2006 6:08:14 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 27/03/2006
Kaspersky Anti-Virus database records: 173159
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 46751
Number of viruses found 5
Number of infected objects 22
Number of suspicious objects 0
Duration of the scan process 00:51:36
Infected Object Name Virus Name Last Action
C:\!KillBox\Veracruz.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\!KillBox\Veracruz.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\!KillBox\Veracruz.exe NSIS: infected - 2 skipped
C:\!KillBox\WinFrgn.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\!KillBox\WinFrgn.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Yen\Local Settings\Temp\Temporary Internet Files\Content.IE5\GQXV5LOB\!update-3595[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.bw skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\7X4SIRVL\!update-3595[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.bw skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\!update-3620[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.w skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\Veracruz[1].exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\Veracruz[1].exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\H5DEB4ZY\Veracruz[1].exe NSIS: infected - 2 skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\VH01Q07T\WinFrgn[1].exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Yen\Local Settings\Temporary Internet Files\Content.IE5\VH01Q07T\WinFrgn[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Yen\My Documents\Fоnts\services.exe Infected: Trojan-Downloader.Win32.PurityScan.w skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP82\A0029376.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP82\A0029376.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP83\A0029437.exe Infected: Trojan-Downloader.Win32.VB.na skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP87\A0034015.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP87\A0034015.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP87\A0034015.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP87\A0034016.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{084F8944-3CD6-4F69-A495-DF2BB64F7B6F}\RP87\A0034016.exe NSIS: infected - 1 skipped
Scan process completed.
And here is my hew HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:09:28 PM, on 27/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.monash.edu.au/proxy.pac
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SENS Keyboard V4 Launcher] "C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Yen\Local Settings\Temp\{133D7035-8F79-463B-8A34-50CDCD3DD867}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
Thanks!!
Yen
yenmls
11 Posts
0
March 27th, 2006 15:00
ALgal
1.2K Posts
0
March 27th, 2006 17:00
Glad that it is running better. Let's get a clean Kapersky log though.
Show Hidden Files
Please show all files for your system.
You will need to reverse this process when all steps are done.
Delete Files and Folders
Please delete the following files/folders:
C:\ !KillBox\<==folder
If you have any problem deleting these items, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
If you use Firefox browser
If you use Opera browser
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
To delete the files in the Temporary Internet Files folder, follow these steps:.
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
Turn off System Restore.
Reboot.
Turn ON System Restore.
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Yen\Local Settings\Temp\{133D7035-8F79-463B-8A34-50CDCD3DD867}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
Click on Fix Checked when finished and exit HijackThis.
Reboot
Please run Kapersky and post another hijackthis log.
yenmls
11 Posts
0
March 27th, 2006 20:00
Here is my Kaspersky report:
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, March 28, 2006 12:17:59 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 27/03/2006
Kaspersky Anti-Virus database records: 173204
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 42880
Number of viruses found 2
Number of infected objects 2
Number of suspicious objects 0
Duration of the scan process 01:08:42
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Yen\Local Settings\Temp\Temporary Internet Files\Content.IE5\GQXV5LOB\!update-3595[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.bw skipped
C:\Documents and Settings\Yen\My Documents\Fоnts\services.exe Infected: Trojan-Downloader.Win32.PurityScan.w skipped
Scan process completed.
And here is my new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:19:57 AM, on 28/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.monash.edu.au/proxy.pac
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SENS Keyboard V4 Launcher] "C:\Program Files\SAMSUNG\SENS Keyboard V4 Launcher\SENSKBD.EXE"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
Also I have tiny problem I was wondering you could help me out with (in addition to all the help you've given me already). I seem to still have the program Sophos anti-virus on my computer even though I deleted it through my control panel about a week ago. I tried to install it previously and it wouldn't install properly; it kept on stuffing up. So basically I want to get rid of it once and for all but it still seems to be on my computer. Thanks!
Yen
ALgal
1.2K Posts
0
March 28th, 2006 10:00
Let’s try to finish cleaning up this Kapersky log. Repeat the steps above for cleaning files off with the ATF Cleaner and the deletion of Temporary Internet Files folders. For some reason, doing these steps don’t always work.
Show Hidden Files
Please show all files for your system.
You will need to reverse this process when all steps are done.
Now I want you to find the files and delete them. Maybe this one will have been deleted with the above but let’s make sure.
Start => Search => All Files and Folders => GQXV5LOB for file name
Then try to locate the file within GQXV5LOB and delete it if it still exists.
C:\Documents and Settings\Yen\Local Settings\Temp\Temporary Internet Files\Content.IE5\GQXV5LOB\!update-3595[1].0000 <==file
Delete Files and Folders
Please delete the following files/folders:
C:\Documents and Settings\Yen\My Documents\Fоnts\> services.exe <==file
If you have any problem deleting these items, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.
Be sure the recycle bin is empty and reboot.
Please run Kapersky again and post the log. Meanwhile I will try to find information on Sophos.
yenmls
11 Posts
0
March 28th, 2006 14:00
Thank you so much!