Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

40+ bad guys already removed...


  • This topic is locked This topic is locked
18 replies to this topic

#1 kwier

kwier

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 19 March 2005 - 01:04 PM

I really need some help here...
Have a laptop here running WindowsXP Pro that was loaded with malware; so far about 40+ have been detected and "fixed" by various programs.
Here's what I have done so far (tried to write everything down, but sometimes got sidetracked).

Ran Ad-Aware several times - it hangs up & locks up the computer. Researched at LavaSoft and did as they suggested: ran in safe mode and canceled before the lockup, fixing only 20 items at a time. Did this till all were fixed.
Ran Spybot and fixed what it found.
Ran CWShredder - not found.
Installed and did a complete scan and fix with NAV 2005.
Did online scans at TrendMicro and Panda. Fixed what they found.
Also installed Microsoft Anti Spyware.

Everything seemed to be getting better... just had one thing that kept popping up in IE - it would go to ip 69.20.61.245 or sites advertising spyware removers. None of the programs i ran found anything else. Did some research and found that only Kapersky found this particular malware. Installed Kapersky and ran that. It found Adware.Kill2Me.ab running in memory in explorer.exe, rundll32.exe and winlogon.exe. When I tried to take the recommended action (delete) the computer rebooted. The memory scan found the same 3 problems but with different file names. The bad thing is now the computer will not open browse. IE opens to the homepage (google.com) but when an address is entered IE just closes.
Your help will be greatly appreciated!

Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:54:11 PM, on 3/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\AntiSpyware\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\mvj4l91q1.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:53 AM

Posted 19 March 2005 - 04:00 PM

Hello kwier and welcome to the BC forums. After reviewing your log I see 1 item that needs removing. Please proceed with the following steps in order.

Step #1

Start HijackThis and follow these steps:* Click on Config button
* Click on the Misc Tools button
* Click on the Open Process Manager button
Find the following items and click on each one to select it and then click on the Kill Process button to stop the process.:C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
We need to kill the TeaTimer app because it will interfere with the change below. When you reboot TeaTimer will be active again.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\mvj4l91q1.dll
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #2

We need to make sure all hidden files are showing so please:* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINDOWS\system32\mvj4l91q1.dll
Next, let's clean up the temporary folders:* Click Start
* Point to Programs
* Point to Accessories
* Point to System Tools
* Click Disk Cleanup
* Select the following items and then click the OK button.* Temp Setup Files
* Downloaded Program Files
* Temp Internet Files
* Debug Dump Files
* Office Setup Files
* old chkdsk files
* Recycle Bin
* Temp Remote Desktop Files
* Setup Log Files
* Temp Files
* WebClient temp files
[/list]OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 kwier

kwier
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 19 March 2005 - 05:09 PM

Thanks for the reply OldTimer (but you're younger than me!)

Having some issues with this system.
Was able to kill TeaTimer and fix the 020 entry.
Already had all hidden files showing, but checked just to make sure.
The .dll was not there but there are some other suspicious looking files that are the same length & dated either yesterday or today at times when the system was turned on. One of them is dospex.dll which is a file that KAV said was a bad guy.
Anyway started Disk Cleanup but it will not finish... hangs just like Ad-Aware did.
Began to manually delete the files, went to search to find some of them. When I clicked on files and folders explorer closed and restarted again. Now Disk Cleanup will not run and I can't search on that computer. Will find where the files are on another system & go back to delete those listed.
Will post a log when I get that done.
Thanks for your patience.

#4 kwier

kwier
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 19 March 2005 - 06:24 PM

Hi OT

Here's the logfile. Unfortunately, as you will see, the 020 line came back with the name of another .dll.
I deleted as many of the temp files as I could find. Got all in the Window\Temp, Temporary Internet Files, Downloaded Program Files, etc. Couldn't find Debug Dump Files, Office Setup Files, Temp Remote Desktop Files, Setup Log Files or WebClient temp files. They weren't on the system I checked on so I didn't know where to find them on the buggy system.

When KAV does the memory scan it finds 3 memory objects:

winlogon.exe\s0rsla971d.dll
rundll32.exe\rKstls.dll
explorer.exe\rKstls.dll

for each of these it says: Is a malicious program not-a-virus Adware.Look2Me.ab

Hope this is helpful.
I will try to run CheckDisk again while I wait for a reply.


Logfile of HijackThis v1.99.1
Scan saved at 5:52:26 PM, on 3/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\AntiSpyware\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} -
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\s0rsla971d.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:53 AM

Posted 19 March 2005 - 09:16 PM

Hi again kwier. Please download http://downloads.subratam.org/DllCompare.exe
and run it on the problematic computer. Click the Run Locate.com button. When it is finished click the Compare button. When that is finished click the Make a log of what was found button and post that log bake here.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#6 kwier

kwier
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 19 March 2005 - 09:36 PM

Good evening to you...
Glad you're back on. Ran the file and here is the log...


* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\dekquota.dll Sat Mar 19 2005 8:32:22a ..S.R 233,868 228.39 K
C:\WINDOWS\SYSTEM32\dhdlgs.dll Sat Mar 19 2005 8:39:24a ..S.R 233,868 228.39 K
C:\WINDOWS\SYSTEM32\dkiman32.dll Sat Mar 19 2005 4:18:04p ..S.R 235,349 229.83 K
C:\WINDOWS\SYSTEM32\dospex.dll Fri Mar 18 2005 5:31:32p ..S.R 233,868 228.39 K
C:\WINDOWS\SYSTEM32\itc21.dll Sat Mar 19 2005 12:25:04p ..S.R 235,349 229.83 K
C:\WINDOWS\SYSTEM32\j24o0c~1.dll Fri Mar 18 2005 5:29:26p ..S.R 233,636 228.16 K
C:\WINDOWS\SYSTEM32\jtr007~1.dll Sat Mar 19 2005 5:48:46p ..S.R 233,965 228.48 K
C:\WINDOWS\SYSTEM32\m8po0i~1.dll Sat Mar 19 2005 8:37:22a ..S.R 233,868 228.39 K
C:\WINDOWS\SYSTEM32\msstkprp.dll Thu Apr 5 2001 12:43:20p A.S.R 94,208 92.00 K
C:\WINDOWS\SYSTEM32\mv80l9~1.dll Sat Mar 19 2005 8:32:22a ..S.R 234,957 229.45 K
C:\WINDOWS\SYSTEM32\pndlib32.dll Sat Mar 19 2005 1:34:52p ..S.R 233,868 228.39 K
C:\WINDOWS\SYSTEM32\rkstls.dll Sat Mar 19 2005 5:48:46p ..S.R 233,868 228.39 K
C:\WINDOWS\SYSTEM32\s0rsla~1.dll Sat Mar 19 2005 4:15:56p ..S.R 233,868 228.39 K
________________________________________________

1,411 items found: 1,411 files (13 H/S), 0 directories.
Total of file sizes: 312,251,408 bytes 297.79 M

Administrator Account = True

--------------------End log---------------------

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:53 AM

Posted 20 March 2005 - 10:54 AM

Hi kwier. I have 1 other program I want you to get a log from. Please download l2mfix.exe and put it in its own folder. Run l2mfix.exe to extract the files and then double-click on the l2mfix.bat file and choose item 1. Run a find log. Post the contents of the Report.txt file that is created back here as a reply to this topic.

I will review your reply and then we will start on a fix.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#8 kwier

kwier
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 20 March 2005 - 02:45 PM

Good afternoon Old Timer,
Ran the log and posted below.
Also ran Norton Disk Doctor. It found some bad clusters and moved the data. I will try to run Ad-Aware again to see if runs all the way through now the disk is fixed.
Thanks for all your help!


L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DateTime]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtr0079me.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BC6365A2-F6AF-299B-0656-06183B28523D}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{8B50FF19-B929-4866-AC2C-CC7D1754845F}"=""
"{B27339E0-B006-485D-A228-B363F255A172}"=""
"{56DAE0E2-F1A0-4DE7-896A-A40C3A68C1F8}"=""
"{E72F858C-54A4-4BC8-B0D4-DB88C46BCFDF}"=""
"{F550FF3B-B595-4392-963D-05605F03B20E}"=""
"{A289B81D-F71C-4AAA-86D9-5C9EF1336C45}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8B50FF19-B929-4866-AC2C-CC7D1754845F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8B50FF19-B929-4866-AC2C-CC7D1754845F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8B50FF19-B929-4866-AC2C-CC7D1754845F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8B50FF19-B929-4866-AC2C-CC7D1754845F}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B27339E0-B006-485D-A228-B363F255A172}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B27339E0-B006-485D-A228-B363F255A172}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B27339E0-B006-485D-A228-B363F255A172}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B27339E0-B006-485D-A228-B363F255A172}\InprocServer32]
@="C:\\WINDOWS\\system32\\rlaenh.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{56DAE0E2-F1A0-4DE7-896A-A40C3A68C1F8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56DAE0E2-F1A0-4DE7-896A-A40C3A68C1F8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56DAE0E2-F1A0-4DE7-896A-A40C3A68C1F8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56DAE0E2-F1A0-4DE7-896A-A40C3A68C1F8}\InprocServer32]
@="C:\\WINDOWS\\system32\\wbnnls.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E72F858C-54A4-4BC8-B0D4-DB88C46BCFDF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E72F858C-54A4-4BC8-B0D4-DB88C46BCFDF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E72F858C-54A4-4BC8-B0D4-DB88C46BCFDF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E72F858C-54A4-4BC8-B0D4-DB88C46BCFDF}\InprocServer32]
@="C:\\WINDOWS\\system32\\mustdfmt.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F550FF3B-B595-4392-963D-05605F03B20E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F550FF3B-B595-4392-963D-05605F03B20E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F550FF3B-B595-4392-963D-05605F03B20E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F550FF3B-B595-4392-963D-05605F03B20E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A289B81D-F71C-4AAA-86D9-5C9EF1336C45}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A289B81D-F71C-4AAA-86D9-5C9EF1336C45}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A289B81D-F71C-4AAA-86D9-5C9EF1336C45}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A289B81D-F71C-4AAA-86D9-5C9EF1336C45}\InprocServer32]
@="C:\\WINDOWS\\system32\\kwdit142.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 6326-BA6B

Directory of C:\WINDOWS\System32

03/20/2005 02:08 PM 233,965 kwdit142.dll
03/20/2005 10:38 AM 233,868 gppql3751.dll
03/19/2005 05:48 PM 233,868 rKstls.dll
03/19/2005 05:48 PM 233,965 jtr0079me.dll
03/19/2005 04:18 PM 235,349 dkiman32.dll
03/19/2005 01:34 PM 233,868 PNDLIB32.DLL
03/19/2005 12:25 PM 235,349 itc21.dll
03/19/2005 08:39 AM 233,868 dhdlgs.dll
03/19/2005 08:37 AM 233,868 m8po0i73e8.dll
03/19/2005 08:32 AM 233,868 dekquota.dll
03/19/2005 08:32 AM 234,957 mv80l9lm1.dll
03/18/2005 05:31 PM 233,868 dospex.dll
03/18/2005 05:29 PM 233,636 j24o0ch3ef4.dll
03/14/2005 11:35 PM <DIR> dllcache
03/09/2005 10:28 AM 6,144 access.ctl
06/16/2003 02:44 PM <DIR> Microsoft
04/05/2001 12:43 PM 94,208 msstkprp.dll
15 File(s) 3,144,649 bytes
2 Dir(s) 43,035,525,120 bytes free

#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:53 AM

Posted 20 March 2005 - 05:25 PM

Hi kwier. It looks like what we have here is known as a VX2 infection. Please follow the directions below to perform the next step in the removal process.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing the Enter key. Now press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

I will review the information when it comes in.

Cheers.

OT

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#10 kwier

kwier
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 20 March 2005 - 11:16 PM

Hi again Old Timer,
Thanks for your patience. I haven't been working on this problem as much today - have company from Denver in town.
Did as you instructed and here are the results. I see it deleted all those *.dll files that I thought looked suspicious.
I did run Ad-Aware again and it completed successfully, but didn't find anything.


L2Mfix 1.03

Running From:
C:\Documents and Settings\Rafael Castillo\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Rafael Castillo\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Rafael Castillo\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1800 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 220 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\dekquota.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dhdlgs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dkiman32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dknzip32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dospex.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gppql3751.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\itc21.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j24o0ch3ef4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kwdit142.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m8po0i73e8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv80l9lm1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\PNDLIB32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rKstls.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\dekquota.dll
Successfully Deleted: C:\WINDOWS\system32\dekquota.dll
deleting: C:\WINDOWS\system32\dhdlgs.dll
Successfully Deleted: C:\WINDOWS\system32\dhdlgs.dll
deleting: C:\WINDOWS\system32\dkiman32.dll
Successfully Deleted: C:\WINDOWS\system32\dkiman32.dll
deleting: C:\WINDOWS\system32\dknzip32.dll
Successfully Deleted: C:\WINDOWS\system32\dknzip32.dll
deleting: C:\WINDOWS\system32\dospex.dll
Successfully Deleted: C:\WINDOWS\system32\dospex.dll
deleting: C:\WINDOWS\system32\gppql3751.dll
Successfully Deleted: C:\WINDOWS\system32\gppql3751.dll
deleting: C:\WINDOWS\system32\itc21.dll
Successfully Deleted: C:\WINDOWS\system32\itc21.dll
deleting: C:\WINDOWS\system32\j24o0ch3ef4.dll
Successfully Deleted: C:\WINDOWS\system32\j24o0ch3ef4.dll
deleting: C:\WINDOWS\system32\kwdit142.dll
Successfully Deleted: C:\WINDOWS\system32\kwdit142.dll
deleting: C:\WINDOWS\system32\m8po0i73e8.dll
Successfully Deleted: C:\WINDOWS\system32\m8po0i73e8.dll
deleting: C:\WINDOWS\system32\mv80l9lm1.dll
Successfully Deleted: C:\WINDOWS\system32\mv80l9lm1.dll
deleting: C:\WINDOWS\system32\PNDLIB32.DLL
Successfully Deleted: C:\WINDOWS\system32\PNDLIB32.DLL
deleting: C:\WINDOWS\system32\rKstls.dll
Successfully Deleted: C:\WINDOWS\system32\rKstls.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: dekquota.dll (164 bytes security) (deflated 5%)
adding: dhdlgs.dll (164 bytes security) (deflated 5%)
adding: dkiman32.dll (164 bytes security) (deflated 5%)
adding: dknzip32.dll (164 bytes security) (deflated 5%)
adding: dospex.dll (164 bytes security) (deflated 5%)
adding: gppql3751.dll (164 bytes security) (deflated 5%)
adding: itc21.dll (164 bytes security) (deflated 5%)
adding: j24o0ch3ef4.dll (164 bytes security) (deflated 4%)
adding: kwdit142.dll (164 bytes security) (deflated 5%)
adding: m8po0i73e8.dll (164 bytes security) (deflated 5%)
adding: mv80l9lm1.dll (164 bytes security) (deflated 5%)
adding: PNDLIB32.DLL (164 bytes security) (deflated 5%)
adding: rKstls.dll (164 bytes security) (deflated 5%)
adding: guard.tmp (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 58%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: Desktop.ini (164 bytes security) (deflated 8%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 81%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 65%)
adding: test.txt (164 bytes security) (deflated 74%)
adding: test2.txt (164 bytes security) (deflated 40%)
adding: test3.txt (164 bytes security) (deflated 40%)
adding: test5.txt (164 bytes security) (deflated 40%)
adding: xfind.txt (164 bytes security) (deflated 67%)
adding: backregs/56DAE0E2-F1A0-4DE7-896A-A40C3A68C1F8.reg (164 bytes security) (deflated 70%)
adding: backregs/8B50FF19-B929-4866-AC2C-CC7D1754845F.reg (164 bytes security) (deflated 70%)
adding: backregs/A289B81D-F71C-4AAA-86D9-5C9EF1336C45.reg (164 bytes security) (deflated 70%)
adding: backregs/B27339E0-B006-485D-A228-B363F255A172.reg (164 bytes security) (deflated 70%)
adding: backregs/E72F858C-54A4-4BC8-B0D4-DB88C46BCFDF.reg (164 bytes security) (deflated 70%)
adding: backregs/F550FF3B-B595-4392-963D-05605F03B20E.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: dekquota.dll
deleting local copy: dhdlgs.dll
deleting local copy: dkiman32.dll
deleting local copy: dknzip32.dll
deleting local copy: dospex.dll
deleting local copy: gppql3751.dll
deleting local copy: itc21.dll
deleting local copy: j24o0ch3ef4.dll
deleting local copy: kwdit142.dll
deleting local copy: m8po0i73e8.dll
deleting local copy: mv80l9lm1.dll
deleting local copy: PNDLIB32.DLL
deleting local copy: rKstls.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dekquota.dll
C:\WINDOWS\system32\dhdlgs.dll
C:\WINDOWS\system32\dkiman32.dll
C:\WINDOWS\system32\dknzip32.dll
C:\WINDOWS\system32\dospex.dll
C:\WINDOWS\system32\gppql3751.dll
C:\WINDOWS\system32\itc21.dll
C:\WINDOWS\system32\j24o0ch3ef4.dll
C:\WINDOWS\system32\kwdit142.dll
C:\WINDOWS\system32\m8po0i73e8.dll
C:\WINDOWS\system32\mv80l9lm1.dll
C:\WINDOWS\system32\PNDLIB32.DLL
C:\WINDOWS\system32\rKstls.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{8B50FF19-B929-4866-AC2C-CC7D1754845F}"=-
"{B27339E0-B006-485D-A228-B363F255A172}"=-
"{56DAE0E2-F1A0-4DE7-896A-A40C3A68C1F8}"=-
"{E72F858C-54A4-4BC8-B0D4-DB88C46BCFDF}"=-
"{F550FF3B-B595-4392-963D-05605F03B20E}"=-
"{A289B81D-F71C-4AAA-86D9-5C9EF1336C45}"=-
[-HKEY_CLASSES_ROOT\CLSID\{8B50FF19-B929-4866-AC2C-CC7D1754845F}]
[-HKEY_CLASSES_ROOT\CLSID\{B27339E0-B006-485D-A228-B363F255A172}]
[-HKEY_CLASSES_ROOT\CLSID\{56DAE0E2-F1A0-4DE7-896A-A40C3A68C1F8}]
[-HKEY_CLASSES_ROOT\CLSID\{E72F858C-54A4-4BC8-B0D4-DB88C46BCFDF}]
[-HKEY_CLASSES_ROOT\CLSID\{F550FF3B-B595-4392-963D-05605F03B20E}]
[-HKEY_CLASSES_ROOT\CLSID\{A289B81D-F71C-4AAA-86D9-5C9EF1336C45}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=31
****************************************************************************



Logfile of HijackThis v1.99.1
Scan saved at 10:57:53 PM, on 3/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\explorer.exe
C:\AntiSpyware\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} -
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#11 kwier

kwier
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 21 March 2005 - 09:18 AM

morning ot,

just wanted to let you know that internet explorer still will not let me browse. when the icon is clicked it opens ie to the homepage (google.com) but when an address is typed or a link clicked it appears that it is starting to load the page but then ie just closes.
do you think it would be safe to install sp2 at this point? it may help with the above issue (or it could make it worse?!?)
let me know what you think and what else i should do.
thanks again.

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:53 AM

Posted 21 March 2005 - 01:19 PM

Hi kwier. The log looks better. We have a few items to clean up and then let's reset your Inernet Explorer.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} -
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Now reboot your computer normally.

We need to make sure all hidden files are showing so please:* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Open Windows Explorer and navigate to c:\<windows directory>\inf (this is normally c:\windows\inf but can be c:\winnt\inf). in the right-hand pane locate the ie.inf file and right-click on it. Choose Install from the popup menu and answer Yes or Ok to all prompts to install the file.

When the installation completes, reboot your computer and try ie again. I would like to have ie running properly before applying SP2, which will be our next project.

Post back here with your results.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#13 kwier

kwier
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 21 March 2005 - 04:04 PM

Hi again Old Timer,
Ran HJT and did as suggested. Also installed from the ie.inf file, unfortunately ie still doesn't open. Don't know if this is relevant, but when installing from the .inf file, it said it couldn't find a file in the c:\windows\inf\i386 file on the SP1 cd. There is no i386 folder in the inf folder, so i put in the original windows cd and it seemed like it installed. However, ie still doesn't work, does the same thing - opens to the home page but will not go to another site.
Anyway here is the HJT log - at least those 016 entries are gone.

Logfile of HijackThis v1.99.1
Scan saved at 3:41:20 PM, on 3/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\AntiSpyware\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for all your help so far & I sure hope we can get this sorted out.

#14 kwier

kwier
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 21 March 2005 - 06:39 PM

Greetings once again...

This IE thing was really driving me nuts! So I was thinking about when it last worked. It seemed to me the last thing I did online was download and install the Kapersky antivirus. Just on a whim I decided to uninstall it (since Norton is already on this system & it was only the 30 day trial). After the uninstall & reboot, IE is working. I know it sounds crazy, but that's how it is. I'm not sure if it was a combination of the 2 antivirus programs that caused the problem but I did not have the Kapersky running on startup. I do think that it was doing something when IE opened though. I noticed a small K flashing near the bar where it shows the progress of the loading of the web page. Decided it wouldn't hurt to uninstall it & now IE is working.

Just wanted to let you know the current status. Will wait for further instructions before installing SP2.

Thanks so much for all your help.

#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:53 AM

Posted 22 March 2005 - 12:59 AM

Hi kwier. that sounds great. It is very possible that the problem was between those 2 anti-virus applications. There's an old saying that goes like this: "If a liitle is good more is better". That may be true in some things but it is not in computer software where 2 applications are trying to do the same thing.

Alright. Let's go ahead now and update to SP2. You log is currently clean and now is the time to do it. Once that is done, post a new log back here and let me know if you had any problems doing the upgrade. Then we will finish our cleanup.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users