Need guidance on a HJT logfile


18 replies to this topic

#1 wingmech

Posted 06 July 2005 - 09:26 PM

Greetings to all, I am new to this forum so hello to everyone.

Could someone please help me with this logfile from HJT. I am trying to clean a neighbor's computer...
This logfile was made while running in safe mode with networking, WinXP-SP2.

Logfile of HijackThis v1.99.1
Scan saved at 9:09:26 PM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\nhqtpfh.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://install.spywarelabs.com/Tracking/Tracking.html
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hahknh.exe reg_run
O4 - HKLM\..\Run: [33tX3tj] ctftilse.exe
O4 - HKLM\..\Run: [awapai] C:\WINDOWS\System32\awapai.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitesiu32.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [scain] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s030109.Stub.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [nmonlb] c:\windows\system32\nhqtpfh.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: rard.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\iqput.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


I am not sure about several of the entries so any help is really appreciated.

Thanks,
wingmech

#2 Guest_Cretemonster_*

Posted 08 July 2005 - 11:54 AM

Hi wingmech and Welcome to the Bleeping Computer!

That appears to be the l2m Infection so we will need to see a scan from the l2mfix!

http://www.atribune.org/downloads/l2mfix.exe

http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.


If you receive any error messages for CMD or Autoexec.bat, select Option 5 from the l2mfix menu and, once at the site, click on the link that applies to your operating system!

Double-click the file it downloads and extract the files to its predetermined System32 folder!

#3 wingmech

Posted 08 July 2005 - 05:04 PM

Thanks for the reply Cretemonster.... here is the log as requested.


L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iqput.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{27C75F1C-43D4-F33E-6E3E-DA924B162893}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}"="6 Months of AOL Included"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{638A59CE-A146-4CCC-B24A-46FB10855595}"=""
"{5C1B3256-5C24-41DF-80E2-34534058D172}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{638A59CE-A146-4CCC-B24A-46FB10855595}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{638A59CE-A146-4CCC-B24A-46FB10855595}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{638A59CE-A146-4CCC-B24A-46FB10855595}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{638A59CE-A146-4CCC-B24A-46FB10855595}\InprocServer32]
@="C:\\WINDOWS\\system32\\munsspc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5C1B3256-5C24-41DF-80E2-34534058D172}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5C1B3256-5C24-41DF-80E2-34534058D172}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5C1B3256-5C24-41DF-80E2-34534058D172}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5C1B3256-5C24-41DF-80E2-34534058D172}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
abferror.dll Fri Jul 8 2005 4:23:32p ..S.R 417,792 408.00 K
aunps2.dll Sun Jun 5 2005 6:20:22p A.... 24,576 24.00 K
awapai~1.dll Sun Jun 12 2005 6:16:04p A..H. 31,744 31.00 K
ca2.dll Wed Jun 29 2005 6:22:44p A.... 77,824 76.00 K
d0ce0c~1.dll Sat Jun 11 2005 11:14:08a A.... 204,800 200.00 K
dbsetup.dll Mon Jun 27 2005 9:29:06p ..S.R 417,792 408.00 K
disetup.dll Thu Jun 30 2005 7:10:12p ..S.R 417,792 408.00 K
e6f1873b.dll Sat Jun 11 2005 11:07:58a A.... 147,456 144.00 K
igmontr.dll Sun Jun 26 2005 10:17:12a ..S.R 417,792 408.00 K
ikirq.dll Mon Jul 4 2005 11:28:04a A.... 9,728 9.50 K
iqput.dll Mon Jul 4 2005 9:04:08a ..S.R 417,792 408.00 K
kkdaze.dll Sat Jun 25 2005 2:16:06p ..S.R 417,792 408.00 K
krdne.dll Sat Jun 25 2005 9:55:06a ..S.R 417,792 408.00 K
ktdtuq.dll Wed Jul 6 2005 9:03:34p ..S.R 417,792 408.00 K
kwdmon.dll Sat Jun 25 2005 9:54:58a ..S.R 417,792 408.00 K
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
msihnd.dll Wed May 4 2005 2:45:36p A.... 271,360 265.00 K
msimsg.dll Wed May 4 2005 2:45:36p A.... 884,736 864.00 K
msisip.dll Wed May 4 2005 2:45:36p A.... 15,360 15.00 K
munsspc.dll Fri Jul 8 2005 4:32:46p ..S.R 417,792 408.00 K
myimg32.dll Wed Jul 6 2005 10:56:14p ..S.R 417,792 408.00 K
nkneonk.dll Mon Jul 4 2005 11:28:04a A.... 27,648 27.00 K
omocp.dll Sun Jun 12 2005 10:28:56a A.... 17,920 17.50 K
oxophox.dll Sun Jun 12 2005 10:28:56a A.... 23,040 22.50 K
pwdx5032.dll Sat Jun 25 2005 10:52:18p ..S.R 417,792 408.00 K
replac~1.dll Wed Jun 29 2005 6:21:14p A.... 21,563 21.05 K
sfi2.dll Wed Jun 29 2005 6:20:38p A.... 274,432 268.00 K
stns.dll Mon Jul 4 2005 10:15:42a ..S.R 417,792 408.00 K
supdate.dll Sat Jun 25 2005 9:51:52a A.... 18,432 18.00 K
winsta~1.dll Sun Jun 5 2005 6:09:00p A.... 159,024 155.30 K
winsta~2.dll Sun Jun 12 2005 6:16:00p A.... 0 0.00 K

31 items found: 31 files (14 H/S), 0 directories.
Total of file sizes: 10,531,179 bytes 10.04 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Wed Jul 6 2005 10:54:58p ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is B4C0-BCC6

Directory of C:\WINDOWS\System32

07/08/2005 04:32 PM 417,792 munsspc.dll
07/08/2005 04:23 PM 417,792 abferror.dll
07/07/2005 11:25 PM <DIR> DLLCACHE
07/06/2005 10:56 PM 417,792 myimg32.dll
07/06/2005 10:54 PM 417,792 guard.tmp
07/06/2005 09:03 PM 417,792 ktdtuq.dll
07/04/2005 10:15 AM 417,792 stns.dll
07/04/2005 09:04 AM 417,792 iqput.dll
06/30/2005 07:10 PM 417,792 disetup.dll
06/27/2005 09:29 PM 417,792 dbsetup.dll
06/26/2005 10:17 AM 417,792 igmontr.dll
06/25/2005 10:52 PM 417,792 pwdx5032.dll
06/25/2005 02:16 PM 417,792 kkdaze.dll
06/25/2005 09:55 AM 417,792 krdne.dll
06/25/2005 09:54 AM 417,792 kwdmon.dll
06/03/2003 07:22 AM <DIR> Microsoft
14 File(s) 5,849,088 bytes
2 Dir(s) 23,169,404,928 bytes free


Also, just so you know, I have AdAware and Spybot installed and have run them both several times....
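The two logs above carry the tells that a helper keys on when calling this an l2m-family infection: an F2 Shell override that starts a second program next to Explorer, O4 Run entries that hand rundll32 a DLL with a hex-looking name and no path, an O20 Winlogon Notify package loading from a DLL Windows never shipped, and a run of System32 DLLs with random names, identical sizes (417,792 bytes) and the system/read-only attributes set. The script below is an added example written for this page; it is not the poster's code and not part of HijackThis or l2mfix. It runs those checks over a handful of lines excerpted from the posted logs. The Notify-DLL allowlist, the hex-name heuristic and the same-size threshold are my assumptions.

```python
import re

# Lines excerpted from the HijackThis log posted earlier in this thread.
HJT_LINES = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\iqput.dll
""".strip().splitlines()

# Lines excerpted from the L2MFix "Files Found" listing in the same thread.
L2M_LINES = r"""
abferror.dll Fri Jul 8 2005 4:23:32p ..S.R 417,792 408.00 K
aunps2.dll Sun Jun 5 2005 6:20:22p A.... 24,576 24.00 K
iqput.dll Mon Jul 4 2005 9:04:08a ..S.R 417,792 408.00 K
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
munsspc.dll Fri Jul 8 2005 4:32:46p ..S.R 417,792 408.00 K
guard.tmp Wed Jul 6 2005 10:54:58p ..S.R 417,792 408.00 K
""".strip().splitlines()

# Winlogon Notify DLLs that ship with Windows XP. Assumed allowlist for this
# example, not exhaustive; anything outside it deserves a closer look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

HEX_NAME = re.compile(r"^[0-9A-F]+(\.DLL)?$", re.IGNORECASE)
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+([^\s,]+)", re.IGNORECASE)
LISTING = re.compile(
    r"^(?P<name>\S+)\s+\w{3} \w{3} \d{1,2} \d{4} [\d:]+[ap]\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\s")


def triage_hjt(lines):
    """Return [{section, reason, detail}] for HJT lines worth a second look."""
    hits = []
    for line in lines:
        sec, _, body = line.partition(" - ")
        if sec == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip()
            # Anything beyond bare Explorer.exe is launched with the desktop
            # at every logon, which is how Nail.exe persists here.
            if shell.lower() != "explorer.exe":
                hits.append({"section": sec, "reason": "shell-override", "detail": shell})
        elif sec == "O4":
            m = RUNDLL.search(body)
            if m:
                target = m.group(1)
                base = target.rsplit("\\", 1)[-1]
                # A bare name is resolved through the DLL search path, and a
                # hex-only name is typical of generated droppers.
                if "\\" not in target or HEX_NAME.match(base):
                    hits.append({"section": sec, "reason": "rundll32-odd-dll", "detail": target})
        elif sec == "O20":
            dll = body.rsplit(" - ", 1)[-1].strip()
            if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
                hits.append({"section": sec, "reason": "winlogon-notify", "detail": dll})
    return hits


def size_clusters(lines, min_count=3):
    """Group system+read-only files by exact byte size.

    The l2m family drops many copies of one DLL under random names, so several
    S/R files of exactly the same size stand out; legitimate DLLs rarely share
    an exact size. min_count is an assumed threshold."""
    by_size = {}
    for line in lines:
        m = LISTING.match(line)
        if m and "S" in m.group("attrs") and "R" in m.group("attrs"):
            size = int(m.group("size").replace(",", ""))
            by_size.setdefault(size, []).append(m.group("name"))
    return {s: names for s, names in by_size.items() if len(names) >= min_count}


if __name__ == "__main__":
    for hit in triage_hjt(HJT_LINES):
        print(f"{hit['section']:4} {hit['reason']:18} {hit['detail']}")
    for size, names in size_clusters(L2M_LINES).items():
        print(f"{len(names)} S/R files of exactly {size} bytes: {', '.join(names)}")
```

The heuristics deliberately stay narrow: cfgmgr52.dll passes the rundll32 check because it has a full path and a pronounceable name, even though its location in C:\WINDOWS rather than System32 is itself odd. That is why a helper still reads the whole log by hand; a script like this only orders the reading.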

#4 Guest_Cretemonster_*

Posted 08 July 2005 - 07:01 PM

Close any programs you have open since this step requires a reboot.


From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.

Copy the contents of that log and paste it back into this thread!

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!



Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download and Install
CleanUp!
Don't use it yet!

Make Sure Ad Aware is Updated!

Download LQfix.zip:
http://users.pandora.be/bluepatchy/LQfix.zip
Unzip it and save it to your desktop, don't use it yet!!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Doubleclick LQfix.bat that you saved on your desktop before.
A doswindow will open and close again, this is normal.

Run CleanUp!; when prompted to log off, select No.

Scan the PC with Ewido just as described in the link, and make sure to save the report.

Scan the system with Ad-Aware, remove everything it finds and delete all quarantined files!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Kaspersky

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Post back with a fresh HijackThis log and the reports from Ewido and Kaspersky!

#5 wingmech

Posted 09 July 2005 - 10:19 AM

Here is the L2Mfix log created by option #2

L2Mfix 1.03

Running From:
C:\Documents and Settings\rita\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\rita\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\rita\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 360 'explorer.exe'
Killing PID 360 'explorer.exe'
Killing PID 360 'explorer.exe'
Killing PID 360 'explorer.exe'
Killing PID 360 'explorer.exe'
Killing PID 360 'explorer.exe'
Killing PID 360 'explorer.exe'
Killing PID 360 'explorer.exe'
Killing PID 360 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1340 'rundll32.exe'
Killing PID 1412 'rundll32.exe'
Killing PID 1252 'rundll32.exe'
Killing PID 176 'rundll32.exe'
Killing PID 768 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\abferror.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\abferror.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dbsetup.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dbsetup.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\disetup.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\disetup.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\igmontr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\igmontr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iqput.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iqput.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kkdaze.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kkdaze.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\krdne.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\krdne.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdtuq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdtuq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kwdmon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kwdmon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\munsspc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\munsspc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\myimg32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\myimg32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pwdx5032.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pwdx5032.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rNschap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rNschap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\stns.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\stns.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\abferror.dll
Successfully Deleted: C:\WINDOWS\system32\abferror.dll
deleting: C:\WINDOWS\system32\abferror.dll
Successfully Deleted: C:\WINDOWS\system32\abferror.dll
deleting: C:\WINDOWS\system32\dbsetup.dll
Successfully Deleted: C:\WINDOWS\system32\dbsetup.dll
deleting: C:\WINDOWS\system32\dbsetup.dll
Successfully Deleted: C:\WINDOWS\system32\dbsetup.dll
deleting: C:\WINDOWS\system32\disetup.dll
Successfully Deleted: C:\WINDOWS\system32\disetup.dll
deleting: C:\WINDOWS\system32\disetup.dll
Successfully Deleted: C:\WINDOWS\system32\disetup.dll
deleting: C:\WINDOWS\system32\igmontr.dll
Successfully Deleted: C:\WINDOWS\system32\igmontr.dll
deleting: C:\WINDOWS\system32\igmontr.dll
Successfully Deleted: C:\WINDOWS\system32\igmontr.dll
deleting: C:\WINDOWS\system32\iqput.dll
Successfully Deleted: C:\WINDOWS\system32\iqput.dll
deleting: C:\WINDOWS\system32\iqput.dll
Successfully Deleted: C:\WINDOWS\system32\iqput.dll
deleting: C:\WINDOWS\system32\kkdaze.dll
Successfully Deleted: C:\WINDOWS\system32\kkdaze.dll
deleting: C:\WINDOWS\system32\kkdaze.dll
Successfully Deleted: C:\WINDOWS\system32\kkdaze.dll
deleting: C:\WINDOWS\system32\krdne.dll
Successfully Deleted: C:\WINDOWS\system32\krdne.dll
deleting: C:\WINDOWS\system32\krdne.dll
Successfully Deleted: C:\WINDOWS\system32\krdne.dll
deleting: C:\WINDOWS\system32\ktdtuq.dll
Successfully Deleted: C:\WINDOWS\system32\ktdtuq.dll
deleting: C:\WINDOWS\system32\ktdtuq.dll
Successfully Deleted: C:\WINDOWS\system32\ktdtuq.dll
deleting: C:\WINDOWS\system32\kwdmon.dll
Successfully Deleted: C:\WINDOWS\system32\kwdmon.dll
deleting: C:\WINDOWS\system32\kwdmon.dll
Successfully Deleted: C:\WINDOWS\system32\kwdmon.dll
deleting: C:\WINDOWS\system32\munsspc.dll
Successfully Deleted: C:\WINDOWS\system32\munsspc.dll
deleting: C:\WINDOWS\system32\munsspc.dll
Successfully Deleted: C:\WINDOWS\system32\munsspc.dll
deleting: C:\WINDOWS\system32\myimg32.dll
Successfully Deleted: C:\WINDOWS\system32\myimg32.dll
deleting: C:\WINDOWS\system32\myimg32.dll
Successfully Deleted: C:\WINDOWS\system32\myimg32.dll
deleting: C:\WINDOWS\system32\pwdx5032.dll
Successfully Deleted: C:\WINDOWS\system32\pwdx5032.dll
deleting: C:\WINDOWS\system32\pwdx5032.dll
Successfully Deleted: C:\WINDOWS\system32\pwdx5032.dll
deleting: C:\WINDOWS\system32\rNschap.dll
Successfully Deleted: C:\WINDOWS\system32\rNschap.dll
deleting: C:\WINDOWS\system32\rNschap.dll
Successfully Deleted: C:\WINDOWS\system32\rNschap.dll
deleting: C:\WINDOWS\system32\stns.dll
Successfully Deleted: C:\WINDOWS\system32\stns.dll
deleting: C:\WINDOWS\system32\stns.dll
Successfully Deleted: C:\WINDOWS\system32\stns.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: abferror.dll (164 bytes security) (deflated 48%)
adding: dbsetup.dll (164 bytes security) (deflated 48%)
adding: disetup.dll (164 bytes security) (deflated 48%)
adding: igmontr.dll (164 bytes security) (deflated 48%)
adding: iqput.dll (164 bytes security) (deflated 48%)
adding: kkdaze.dll (164 bytes security) (deflated 48%)
adding: krdne.dll (164 bytes security) (deflated 48%)
adding: ktdtuq.dll (164 bytes security) (deflated 48%)
adding: kwdmon.dll (164 bytes security) (deflated 48%)
adding: munsspc.dll (164 bytes security) (deflated 48%)
adding: myimg32.dll (164 bytes security) (deflated 48%)
adding: pwdx5032.dll (164 bytes security) (deflated 48%)
adding: rNschap.dll (164 bytes security) (deflated 48%)
adding: stns.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 36%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 87%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 63%)
adding: test.txt (164 bytes security) (deflated 88%)
adding: test2.txt (164 bytes security) (deflated 17%)
adding: test3.txt (164 bytes security) (deflated 17%)
adding: test5.txt (164 bytes security) (deflated 17%)
adding: xfind.txt (164 bytes security) (deflated 85%)
adding: backregs/5C1B3256-5C24-41DF-80E2-34534058D172.reg (164 bytes security) (deflated 70%)
adding: backregs/638A59CE-A146-4CCC-B24A-46FB10855595.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: abferror.dll
deleting local copy: abferror.dll
deleting local copy: dbsetup.dll
deleting local copy: dbsetup.dll
deleting local copy: disetup.dll
deleting local copy: disetup.dll
deleting local copy: igmontr.dll
deleting local copy: igmontr.dll
deleting local copy: iqput.dll
deleting local copy: iqput.dll
deleting local copy: kkdaze.dll
deleting local copy: kkdaze.dll
deleting local copy: krdne.dll
deleting local copy: krdne.dll
deleting local copy: ktdtuq.dll
deleting local copy: ktdtuq.dll
deleting local copy: kwdmon.dll
deleting local copy: kwdmon.dll
deleting local copy: munsspc.dll
deleting local copy: munsspc.dll
deleting local copy: myimg32.dll
deleting local copy: myimg32.dll
deleting local copy: pwdx5032.dll
deleting local copy: pwdx5032.dll
deleting local copy: rNschap.dll
deleting local copy: rNschap.dll
deleting local copy: stns.dll
deleting local copy: stns.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\abferror.dll
C:\WINDOWS\system32\abferror.dll
C:\WINDOWS\system32\dbsetup.dll
C:\WINDOWS\system32\dbsetup.dll
C:\WINDOWS\system32\disetup.dll
C:\WINDOWS\system32\disetup.dll
C:\WINDOWS\system32\igmontr.dll
C:\WINDOWS\system32\igmontr.dll
C:\WINDOWS\system32\iqput.dll
C:\WINDOWS\system32\iqput.dll
C:\WINDOWS\system32\kkdaze.dll
C:\WINDOWS\system32\kkdaze.dll
C:\WINDOWS\system32\krdne.dll
C:\WINDOWS\system32\krdne.dll
C:\WINDOWS\system32\ktdtuq.dll
C:\WINDOWS\system32\ktdtuq.dll
C:\WINDOWS\system32\kwdmon.dll
C:\WINDOWS\system32\kwdmon.dll
C:\WINDOWS\system32\munsspc.dll
C:\WINDOWS\system32\munsspc.dll
C:\WINDOWS\system32\myimg32.dll
C:\WINDOWS\system32\myimg32.dll
C:\WINDOWS\system32\pwdx5032.dll
C:\WINDOWS\system32\pwdx5032.dll
C:\WINDOWS\system32\rNschap.dll
C:\WINDOWS\system32\rNschap.dll
C:\WINDOWS\system32\stns.dll
C:\WINDOWS\system32\stns.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{638A59CE-A146-4CCC-B24A-46FB10855595}"=-
"{5C1B3256-5C24-41DF-80E2-34534058D172}"=-
[-HKEY_CLASSES_ROOT\CLSID\{638A59CE-A146-4CCC-B24A-46FB10855595}]
[-HKEY_CLASSES_ROOT\CLSID\{5C1B3256-5C24-41DF-80E2-34534058D172}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


I will reply back again once I have completed the other tasks from your last post.

#6 wingmech

Posted 09 July 2005 - 12:57 PM

Here are the latest HJT Log and reports from Ewido and Kaspersky.... btw, Kaspersky said that several files were infected so I ran it twice and will post both logs.

Logfile of HijackThis v1.99.1
Scan saved at 12:48:49 PM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Documents and Settings\rita\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.in-motion.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by In-Motion
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [awapai] C:\WINDOWS\System32\awapai.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hahknh.exe reg_run
O4 - HKLM\..\Run: [dnboher] c:\windows\system32\iitrox.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [glDriver-v1.3] glsupport-v13.exe
O4 - HKCU\..\Run: [itiflo] C:\WINDOWS\System32\itiflo.exe
O4 - HKCU\..\Run: [I027RjHsQ] cscvideo.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:43:15 PM, 7/9/2005
+ Report-Checksum: F89B4A36

+ Scan result:

HKU\S-1-5-21-3981596830-2117129265-3038278485-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-21-3981596830-2117129265-3038278485-1005\Software\WinUpdt -> Spyware.SecondThought : Cleaned with backup
HKU\S-1-5-21-3981596830-2117129265-3038278485-1005\Software\{12EE7A5E-0674-42f9-A76B-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__gtenfemp.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__qleeufkz.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__rjvaknoj.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__usklzraa.exe -> Spyware.BookedSpace : Cleaned with backup


::Report End

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Saturday, July 09, 2005 11:42:56
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 9/07/2005
Kaspersky Anti-Virus database records: 137554
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\rita\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 17285
Number of viruses found: 7
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 1032 sec

Infected Object Name - Virus Name
C:\WINDOWS\cfgmgr52.dll Infected: not-a-virus:AdWare.BookedSpace.e
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx Infected: Trojan-Dropper.Win32.Agent.or
C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx Infected: Trojan-Dropper.Win32.Agent.or
C:\WINDOWS\SYSTEM32\Cache\InstallAPS.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\WINDOWS\SYSTEM32\Cache\installer.exe Infected: not-a-virus:AdWare.Look2Me.ag
C:\WINDOWS\SYSTEM32\Cache\weirdontheweb_ventura2.exe/data0002 Infected: not-a-virus:AdWare.WeirWeb.b
C:\WINDOWS\SYSTEM32\Cache\weirdontheweb_ventura2.exe Infected: not-a-virus:AdWare.WeirWeb.b
C:\WINDOWS\SYSTEM32\dadcrda.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\SYSTEM32\wuwqb.dat Infected: Trojan-Downloader.Win32.Qoologic.o
C:\WINDOWS\__delete_on_reboot__gtenfemp.exe Infected: not-a-virus:AdWare.BookedSpace.e
C:\WINDOWS\__delete_on_reboot__qleeufkz.exe Infected: not-a-virus:AdWare.BookedSpace.e
C:\WINDOWS\__delete_on_reboot__rjvaknoj.exe Infected: not-a-virus:AdWare.BookedSpace.e
C:\WINDOWS\__delete_on_reboot__usklzraa.exe Infected: not-a-virus:AdWare.BookedSpace.e

Scan process completed.


-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Saturday, July 09, 2005 12:20:34
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 9/07/2005
Kaspersky Anti-Virus database records: 137554
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 34076
Number of viruses found: 12
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 1651 sec

Infected Object Name - Virus Name
C:\Documents and Settings\rita\package_NNSTP5.exe/stream/data0001 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\Documents and Settings\rita\package_NNSTP5.exe/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\Documents and Settings\rita\package_NNSTP5.exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.y
C:\Documents and Settings\rita\package_NNSTP5.exe/stream/data0004/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.w
C:\Documents and Settings\rita\package_NNSTP5.exe/stream/data0004/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Documents and Settings\rita\package_NNSTP5.exe/stream/data0004/stream/data0007 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Documents and Settings\rita\package_NNSTP5.exe/stream/data0004/stream/data0008 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Documents and Settings\rita\package_NNSTP5.exe/stream/data0004/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Documents and Settings\rita\package_NNSTP5.exe/stream/data0004 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Documents and Settings\rita\package_NNSTP5.exe/stream/data0005/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Documents and Settings\rita\package_NNSTP5.exe/stream/data0005/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Documents and Settings\rita\package_NNSTP5.exe/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Documents and Settings\rita\package_NNSTP5.exe/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Documents and Settings\rita\package_NNSTP5.exe Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Program Files\Aprps\CxtPls.exe Infected: Trojan-Downloader.Win32.Apropo.ad
C:\WINDOWS\cfgmgr52.dll Infected: not-a-virus:AdWare.BookedSpace.e
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\EPXActiveX.ocx Infected: Trojan-Dropper.Win32.Agent.or
C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx Infected: Trojan-Dropper.Win32.Agent.or
C:\WINDOWS\SYSTEM32\Cache\InstallAPS.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\WINDOWS\SYSTEM32\Cache\installer.exe Infected: not-a-virus:AdWare.Look2Me.ag
C:\WINDOWS\SYSTEM32\Cache\weirdontheweb_ventura2.exe/data0002 Infected: not-a-virus:AdWare.WeirWeb.b
C:\WINDOWS\SYSTEM32\Cache\weirdontheweb_ventura2.exe Infected: not-a-virus:AdWare.WeirWeb.b
C:\WINDOWS\SYSTEM32\dadcrda.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\SYSTEM32\wuwqb.dat Infected: Trojan-Downloader.Win32.Qoologic.o
C:\WINDOWS\__delete_on_reboot__gtenfemp.exe Infected: not-a-virus:AdWare.BookedSpace.e
C:\WINDOWS\__delete_on_reboot__qleeufkz.exe Infected: not-a-virus:AdWare.BookedSpace.e
C:\WINDOWS\__delete_on_reboot__rjvaknoj.exe Infected: not-a-virus:AdWare.BookedSpace.e
C:\WINDOWS\__delete_on_reboot__usklzraa.exe Infected: not-a-virus:AdWare.BookedSpace.e

Scan process completed.


I really appreciate all your help, what's next?

#7 Guest_Cretemonster_*

Posted 09 July 2005 - 03:24 PM

Open the l2mfix and select Option 4 and let's see that report if it generates one!

Now for 3 more reports and we can give this one last slap in the face!

Download TrackQoo from Here

Download and Right Click the Zip folder and Select "Extract All"

Double Click on "Track qoo.vbs"

If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do

Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy&Paste those results in the next post!

Now we need to see a Startup log from HijackThis

Hijackthis StartUp Log:
Open HijackThis, Select Config (Bottom Right) >>> Select Misc Tools >>> Select Generate StartUpList log and make sure that both Boxes beside it are checked:

Put a check by:
List all minor sections(Full)
and
List Empty Sections(Complete)

It will produce a NotePad Page, I need you to post the entire contents of that page to the next post!


Download Pfind:
http://www.bleepingcomputer.com/files/grinler/pfind-new.zip

Right Click the Zip Folder and Select "Extract All"
So make sure all those files remain in the same folder.

Don't use it yet!

Restart in Safe Mode

Doubleclick pfind.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes.


Post the contents of C:\pfind.txt>> TrackQoo Report and the StartUp log from HijackThis!

#8 wingmech

Posted 09 July 2005 - 10:13 PM

Cretemonster,

Here are the three logfiles you requested. At the end of these I have also posted a couple of questions I have.


StartupList report, 7/9/2005, 9:28:08 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\rita\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\rita\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\rita\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Digital Line Detect.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
DwlClient = C:\Program Files\Common Files\Dell\EUSW\Support.exe
AUNPS2 = RUNDLL32 AUNPS2.DLL,_Run@16
A70F6A1D-0195-42a2-934C-D8AC0F7C08EB = rundll32.exe E6F1873B.DLL,D9EBC318C
98D0CE0C16B1 = rundll32.exe D0CE0C16B1,D0CE0C16B1
awapai = C:\WINDOWS\System32\awapai.exe
cfgmgr52 = RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
WinTask driver = C:\WINDOWS\System32\wintask.exe
KavSvc = C:\WINDOWS\System32\hahknh.exe reg_run
dnboher = c:\windows\system32\iitrox.exe r

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
glDriver-v1.3 = glsupport-v13.exe
itiflo = C:\WINDOWS\System32\itiflo.exe
I027RjHsQ = cscvideo.exe
sf = C:\Program Files\sf\sf.exe
sfita = C:\WINDOWS\sfita.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[c7ee74d3-dd0f-40fb-81f8-7e426e0c5a8d] *
StubPath = C:\WINDOWS\System32\dadcrda.exe

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe C:\WINDOWS\Nail.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmyst.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Anti-Virus Web Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8024.2650115741

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: \SystemRoot\System32\DRIVERS\ABP480N5.SYS (disabled)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: \SystemRoot\System32\DRIVERS\adpu160m.sys (disabled)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: \SystemRoot\System32\DRIVERS\agp440.sys (disabled)
Compaq AGP Bus Filter: \SystemRoot\System32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\System32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\System32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\System32\DRIVERS\aic78xx.sys (disabled)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: \SystemRoot\System32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\System32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\System32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\System32\DRIVERS\amsint.sys (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: \SystemRoot\System32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\System32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\System32\DRIVERS\asc3550.sys (disabled)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
ATWPKT2: \??\C:\Program Files\America Online 8.0\ATWPKT2.SYS (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Broadcom 440x 10/100 Integrated Controller XP Driver: System32\DRIVERS\bcm4sbxp.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
cbidf: \SystemRoot\System32\DRIVERS\cbidf2k.sys (disabled)
cd20xrnt: \SystemRoot\System32\DRIVERS\cd20xrnt.sys (disabled)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
CmdIde: \SystemRoot\System32\DRIVERS\cmdide.sys (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: \SystemRoot\System32\DRIVERS\cpqarray.sys (disabled)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: \SystemRoot\System32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\System32\DRIVERS\dac960nt.sys (disabled)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\DRIVERS\dmio.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
dpti2o: \SystemRoot\System32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
hpn: \SystemRoot\System32\DRIVERS\hpn.sys (disabled)
HSFHWBS2: System32\DRIVERS\HSFHWBS2.sys (manual start)
HSF_DP: System32\DRIVERS\HSF_DP.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: \SystemRoot\System32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: \SystemRoot\System32\DRIVERS\ini910u.sys (disabled)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
mraid35x: \SystemRoot\System32\DRIVERS\mraid35x.sys (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI WDM Device Driver: System32\DRIVERS\omci.sys (system)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
perc2: \SystemRoot\System32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\System32\DRIVERS\perc2hib.sys (disabled)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
ql1080: \SystemRoot\System32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\System32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\System32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\System32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\System32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\System32\DRIVERS\sisagp.sys (disabled)
smwdm: system32\drivers\smwdm.sys (manual start)
Sparrow: \SystemRoot\System32\DRIVERS\sparrow.sys (disabled)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
System Startup Service : C:\WINDOWS\svcproc.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{DF350AE6-3B26-4615-A678-6451FBC31AC0} (manual start)
symc810: \SystemRoot\System32\DRIVERS\symc810.sys (disabled)
symc8xx: \SystemRoot\System32\DRIVERS\symc8xx.sys (disabled)
sym_hi: \SystemRoot\System32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\System32\DRIVERS\sym_u3.sys (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
TosIde: \SystemRoot\System32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: \SystemRoot\System32\DRIVERS\ultra.sys (disabled)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\System32\DRIVERS\viaagp.sys (disabled)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Intel® Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel® Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\__delete_on_reboot__gtenfemp.exe||C:\WINDOWS\__delete_on_reboot__rjvaknoj.exe||C:\WINDOWS\__delete_on_reboot__qleeufkz.exe||C:\WINDOWS\__delete_on_reboot__usklzraa.exe


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

itiflo = C:\WINDOWS\System32\itiflo.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

awapai = C:\WINDOWS\System32\awapai.exe

--------------------------------------------------

End of report, 34,765 bytes
Report generated in 0.079 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Here is the Pfind text file:

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder

C:\WINDOWS\abiuninst.htm: <!-- saved from url=(0041)http://www.abetterinternet.com/solsssidpeer/ -->
C:\WINDOWS\abiuninst.htm: <td valign=bottom><a href="http://www.abetterinternet.com" class="noa"><span class="abi">ABI Network</span></a></td>
C:\WINDOWS\abiuninst.htm: <a href="http://www.abetterinternet.com/policies.htm" target=_blank>EULA</a>
C:\WINDOWS\mnmah.dll: excl_urls=


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\dadcrda.exe: .aspack
C:\WINDOWS\SYSTEM32\locate.com: WAUPX!
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\wuwqb.dat: UPX!
C:\WINDOWS\SYSTEM32\wuwqb.dat: KavSvc9.5


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder



Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Administrator\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Administrator\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
bootstat.dat Sat Jul 9 2005 9:32:34p A.S.. 2,048 2.00 K

C:\WINDOWS\TASKS\
sa.dat Sat Jul 9 2005 9:31:34p A..H. 6 0.00 K

C:\WINDOWS\SYSTEM32\CONFIG\
default.log Sat Jul 9 2005 9:32:22p A..H. 8,192 8.00 K
sam.log Sat Jul 9 2005 9:32:48p A..H. 1,024 1.00 K
security.log Sat Jul 9 2005 9:32:36p A..H. 16,384 16.00 K
software.log Sat Jul 9 2005 9:33:26p A..H. 65,536 64.00 K
system.log Sat Jul 9 2005 9:32:42p A..H. 790,528 772.00 K

C:\WINDOWS\PCHEALTH\HELPCTR\PACKAG~1\
pa0808~1.cab Thu Jul 7 2005 11:21:30p ..SHR 68,327 66.72 K
paf704~1.cab Thu Jul 7 2005 11:15:22p ..SHR 305,145 297.99 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\
ntuser~1.log Sun Jun 26 2005 10:18:40a A..H. 1,024 1.00 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\0I4RHSNL\
desktop.ini Fri Jul 8 2005 4:23:32p ..SH. 67 0.06 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\HHJG23E6\
desktop.ini Fri Jul 8 2005 4:23:32p ..SH. 67 0.06 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\U27URZ8V\
desktop.ini Fri Jul 8 2005 4:23:32p ..SH. 67 0.06 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\WXJPOPGY\
desktop.ini Fri Jul 8 2005 4:23:32p ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
6f49d0~1 Mon Jul 4 2005 10:05:20p A.SH. 388 0.38 K
prefer~1 Mon Jul 4 2005 10:05:20p A.SH. 24 0.02 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\GHU1Q9YZ\
desktop.ini Fri Jul 8 2005 5:44:48a ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\PID6NEOO\
desktop.ini Fri Jul 8 2005 5:44:48a ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\U7E94ZUV\
desktop.ini Fri Jul 8 2005 5:44:48a ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\WXGN0D89\
desktop.ini Fri Jul 8 2005 5:44:48a ..SH. 67 0.06 K

20 items found: 20 files, 0 directories.
Total of file sizes: 1,259,162 bytes 1.20 M


And the l2mfix text file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


Now I am getting the following errors when I reboot the machine. Are they related to what we are doing, and will they be remedied when we are finished?

The errors are:
Rundll
Error loading AUNPS2.DLL
"" "" E6F1873B.DLL
""
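
The Winlogon\Notify export above is the persistence point l2mfix is built to inspect: every subkey names a DLL that winlogon.exe loads into its own SYSTEM-level process and calls on logon, logoff and similar events, so a rogue package registered there runs before any user program and survives most user-mode cleanup. The script below is an added example for this thread, not a tool from the original posts and not part of l2mfix. It parses a Registry Editor 5.00 export, decodes the hex(2) (REG_EXPAND_SZ, UTF-16LE) DllName values, and flags any package whose DLL is not one of the stock Windows XP notification DLLs. That allow-list, and the third sample entry with the hypothetical name jxvqhpk.dll, are the example author's own assumptions.

```python
"""Decode a Winlogon\\Notify .reg export and list which DLL each notification
package loads.  Added example for this thread, not a tool from the original
posts; the allow-list below is the example author's assumption of what a
clean Windows XP SP2 install registers."""
import re

# Winlogon notification DLLs shipped with Windows XP (assumption, compiled by
# the example's author; extend it for other Windows versions).
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "wzcdlg.dll",
}

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def decode_reg_value(raw: str) -> str:
    """Turn a .reg value payload into a Python string.
    Handles "quoted" REG_SZ and hex(2): (REG_EXPAND_SZ, UTF-16LE bytes).
    Other hex types are decoded the same way, which is only right for
    string-typed data; dword values are returned untouched."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw, re.S)
    if m:
        data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(2)))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw

def parse_reg_export(text: str) -> dict:
    """Parse a Windows Registry Editor 5.00 export into {key: {name: value}}.
    Continuation lines (a trailing backslash after a comma) are joined first."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(value)
    return keys

def notify_packages(text: str) -> list:
    """Return (subkey, dll, known) for every Winlogon\\Notify package.
    The value name is matched case-insensitively because the export uses
    both "DllName" and "DLLName"."""
    out = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(NOTIFY_ROOT.lower() + "\\"):
            continue
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            continue
        base = dll.rsplit("\\", 1)[-1].lower()
        out.append((key.rsplit("\\", 1)[-1], dll, base in KNOWN_NOTIFY_DLLS))
    return out

# Constructed sample: two entries copied from the export above plus one
# made-up entry (hypothetical name jxvqhpk) of the kind Look2Me-style
# adware adds: a random subkey pointing at a DLL dropped in System32.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jxvqhpk]
"DllName"="C:\\WINDOWS\\System32\\jxvqhpk.dll"
"Logon"="WinlogonLogonEvent"
"Impersonate"=dword:00000000
'''

if __name__ == "__main__":
    for subkey, dll, known in notify_packages(SAMPLE):
        print(f"{'ok     ' if known else 'SUSPECT'} {subkey:<14} -> {dll}")
```

Run against the real export above, every DllName decodes to crypt32.dll, cryptnet.dll, cscdll.dll, wlnotify.dll, sclgntfy.dll or wzcdlg.dll, i.e. nothing outside the stock set; the constructed third entry shows what a hit looks like. A bare DLL name in this key is resolved through the system search path, so an unfamiliar name with no directory deserves a file search as well as a lookup.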

#9 Guest_Cretemonster_*

Posted 10 July 2005 - 09:39 AM

I need to see the results of Track Qoo also!

We will get those errors fixed up directly!

As for Norton, it may have been trashed by the bugs, hard to say. If it was the product that came with the PC, was it even still an active copy?

There are plenty of alternatives to that dilemma!

Let's see the Track Qoo results and go from there!

#10 wingmech (Topic Starter)

Posted 10 July 2005 - 09:51 AM

I apologize.... with all these reports transferred back and forth I got confused... here is the Track Qoo report

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"AUNPS2"="RUNDLL32 AUNPS2.DLL,_Run@16"
"A70F6A1D-0195-42a2-934C-D8AC0F7C08EB"="rundll32.exe E6F1873B.DLL,D9EBC318C"
"98D0CE0C16B1"="rundll32.exe D0CE0C16B1,D0CE0C16B1"
"awapai"="C:\\WINDOWS\\System32\\awapai.exe"
"cfgmgr52"="RunDLL32.EXE C:\\WINDOWS\\cfgmgr52.dll,DllRun"
"WinTask driver"="C:\\WINDOWS\\System32\\wintask.exe"
"KavSvc"="C:\\WINDOWS\\System32\\hahknh.exe reg_run"
"dnboher"="c:\\windows\\system32\\iitrox.exe r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- mymgtmyf
{5e2efc94-1cfb-416a-bb68-3e2c5e25c4e0}
C:\WINDOWS\System32\ikirq.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

DESKTOP.INI
Digital Line Detect.lnk
Microsoft Office.lnk
==============================
C:\Documents and Settings\rita\Start Menu\Programs\Startup

DESKTOP.INI
Digital Line Detect.lnk
Microsoft Office.lnk
DESKTOP.INI
==============================
C:\WINDOWS\SYSTEM32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
B57exp.cpl Broadcom Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

#11 Guest_Cretemonster_*

Posted 10 July 2005 - 11:35 AM

OK, here we go!

Download the attached Reg File but don't use it until I ask, please!

Open HijackThis and fix this one entry

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

All Windows and Browsers Closed, Click "Fix Checked"

Right-Click Here and Click "Save As" to download DelDomains.inf to your desktop.

Right Click DelDomains.inf on your desktop and select "Install"

It will perform a silent process>Give it a minute to run!

Download Pocket KillBox from here:
http://www.bleepingcomputer.com/files/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Use the list of files below and enter each into Killbox and use the Instructions that follow!


C:\WINDOWS\sfita.exe
C:\WINDOWS\abiuninst.htm
C:\WINDOWS\mnmah.dll
C:\WINDOWS\SYSTEM32\wuwqb.dat
C:\WINDOWS\System32\awapai.exe
C:\WINDOWS\System32\dadcrda.exe
C:\WINDOWS\System32\awapai.exe
C:\windows\system32\iitrox.exe
C:\WINDOWS\System32\hahknh.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\itiflo.exe
C:\WINDOWS\System32\ikirq.dll
C:\WINDOWS\SYSTEM32\Cache\InstallAPS.exe
C:\WINDOWS\SYSTEM32\Cache\installer.exe
C:\WINDOWS\__delete_on_reboot__usklzraa.exe
C:\WINDOWS\__delete_on_reboot__qleeufkz.exe
C:\WINDOWS\__delete_on_reboot__rjvaknoj.exe
C:\WINDOWS\__delete_on_reboot__gtenfemp.exe
C:\Program Files\sf



As you paste in each entry, make any of these selections available

"Delete on Reboot"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"


Click the Red Circle with the White X in the Middle to Delete!

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot


If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.


Restart in Safe Mode


Run that list through Killbox again to confirm nothing is left, this time make these selections

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"



Now Double Click on the Reg File you Downloaded and Allow it to Merge into the registry!


Restart normally and one last scan, please
http://www.pandasoftware.com/products/acti...n_principal.htm


You can delete Pfind> RegFile> TrackQoo> l2mfix> Any logs created by any of these!


Post back with a fresh HijackThis log and the Report from Panda!

Attached Files


Edited by Cretemonster, 10 July 2005 - 11:36 AM.


#12 wingmech (Topic Starter)

Posted 11 July 2005 - 04:58 PM

Cretemonster, here is the Panda scan and the hijackthis log you asked for yesterday. Sorry about the delay, panda activescan did a number on my 56K connection :-)



Incident                          Status            Location

Adware:Adware/BookedSpace         No disinfected    C:\WINDOWS\cfgmgr52.dll
Adware:Adware/PortalScan          No disinfected    C:\WINDOWS\system32\winupdt.008
Adware:Adware/BookedSpace         No disinfected    Windows Registry
Adware:Adware/Apropos             No disinfected    C:\Program Files\Aprps
Adware:Adware/Fizzle              No disinfected    C:\Program Files\FwBarTemp
Adware:Adware/EliteBar            No disinfected    C:\Documents and Settings\rita\Favorites\Finances & Business
Adware:Adware/PowerSearch         No disinfected    C:\WINDOWS\system32\stlb2.xml
Spyware:Spyware/Virtumonde        No disinfected    C:\WINDOWS\cfgmgr52.dll
Spyware:Spyware/SurfSideKick      No disinfected    Windows Registry
Adware:Adware/Winstat             No disinfected    C:\WINDOWS\system32\WinStat12.dll
Adware:Adware/Apropos             No disinfected    C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/BookedSpace         No disinfected    C:\WINDOWS\cfgmgr52.dll
Virus:Trj/Downloader.DHO          Disinfected       C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx
Adware:Adware/PowerSearch         No disinfected    C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:Adware/Winstat             No disinfected    C:\WINDOWS\SYSTEM32\WinStat12.dll
Adware:Adware/PortalScan          No disinfected    C:\WINDOWS\SYSTEM32\winupdt.008
Adware:Adware/PortalScan          No disinfected    C:\WINDOWS\SYSTEM32\winupdt.bin

And the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:51:07 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\rita\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.in-motion.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by In-Motion
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [glDriver-v1.3] glsupport-v13.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
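
Several of the checks a reviewer runs over an O2/O4/O23 listing like the one above can be scripted. The Python below is an added example for this thread, not part of HijackThis or of the original posts; the heuristics are the example author's own, and the sample log is constructed from lines in the log above plus one O4 line built from the AUNPS2 value in the Track Qoo dump. It flags Run entries whose target is a bare filename (resolved through the search path; a leftover value of that kind whose file has already been deleted is what produces the "Rundll / Error loading AUNPS2.DLL" box at logon), rundll32 entries that load a DLL from outside System32, services whose binary is missing or that carry no vendor string, and a DLL registered both as a BHO and as a Run-key autostart.

```python
"""Triage a HijackThis log for the autostart patterns seen in this thread.
Added example: not part of HijackThis or of the original posts, and the
heuristics below are the example author's own, not HijackThis's."""
import re
from collections import defaultdict

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+', re.I)

def target_of(cmd: str) -> str:
    """File a Run-key command line actually loads: for rundll32 the DLL before
    the comma, otherwise the (possibly quoted) executable."""
    cmd = cmd.strip()
    if RUNDLL_RE.match(cmd):
        rest = RUNDLL_RE.sub("", cmd, count=1)
        return rest.split(",", 1)[0].strip().strip('"')
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""

def triage_hjt(log: str) -> list:
    """Return (entry, reason) pairs for lines worth a second look."""
    findings = []
    seen_in = defaultdict(set)   # normalised path -> HJT sections it appears in
    for line in log.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            target = target_of(m["cmd"])
            seen_in[target.lower()].add("O4")
            if "\\" not in target:
                # No directory: the loader resolves it via the search path, and
                # a leftover value whose file is gone is what produces the
                # "Rundll - Error loading X.DLL" box at logon.
                findings.append((line, "bare filename, resolved via search path"))
            elif RUNDLL_RE.match(m["cmd"]) and "\\system32\\" not in target.lower():
                findings.append((line, "rundll32 loads a DLL from outside System32"))
            continue
        m = O2_RE.match(line)
        if m:
            seen_in[m["path"].strip().lower()].add("O2")
            continue
        m = O23_RE.match(line)
        if m:
            path = m["path"].strip()
            if path.endswith("(file missing)"):
                findings.append((line, "service points at a missing binary"))
            elif m["owner"] == "Unknown owner":
                findings.append((line, "service has no vendor string"))
    # Cross-reference: one DLL registered both as a BHO and as a Run autostart.
    for path, sections in seen_in.items():
        if {"O2", "O4"} <= sections:
            findings.append((path, "same DLL registered as BHO and Run-key autostart"))
    return findings

# Constructed sample: lines copied from the HijackThis log above, plus an O4
# line built from the AUNPS2 Run value shown in the Track Qoo dump.
SAMPLE_LOG = r"""
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKCU\..\Run: [glDriver-v1.3] glsupport-v13.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

if __name__ == "__main__":
    for entry, reason in triage_hjt(SAMPLE_LOG):
        print(f"{reason:<52} {entry}")
```

These are review prompts, not verdicts: legitimate installers occasionally register a bare filename too, and a DLL under the Windows root rather than System32 is only a prompt to check the file's version information and signature. The useful part is the cross-reference, which in this log ties the cfgmgr52 Run entry to the cfgmgr52.dll BHO so both get removed together.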

#13 Guest_Cretemonster_*

Posted 11 July 2005 - 05:51 PM

Well bleep, looks like I missed some!

Open up Note Pad and Copy&Paste the text below into it!

rem Search every directory on the system drive for the file, hidden and system files included
dir %SystemDrive%\glsupport-v13.exe /a /s >> look.txt
start notepad look.txt

Once Copied-> Click File-> Save-> Save it to the Desktop-> Go down to "Save as Type"-> Change it to "All Files"-> Name it "look.bat"-> Click "Save"


Click Start-> Run-> Type in Services.msc and Click OK!

Scroll the list and locate this entry

System Startup Service

Once located-> Click "Stop"-> Go up and Change the "Startup Type" to "Disabled"

Exit the Services Page


Copy the list below into Killbox and use the instructions that follow


C:\WINDOWS\svcproc.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\system32\WinStat12.dll
C:\WINDOWS\system32\winupdt.008
C:\WINDOWS\SYSTEM32\winupdt.bin
C:\WINDOWS\system32\stlb2.xml
C:\Program Files\Aprps\ProxyStub.dll
C:\Program Files\Aprps
C:\Program Files\FwBarTemp
C:\Documents and Settings\rita\Favorites\Finances & Business
C:\WINDOWS\Downloaded Program Files\EPXActiveX.ocx


Place a tick by these Selections before Deleting!

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"


If you have any entries that won't delete, just use the Delete on Reboot option again!


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun

O4 - HKCU\..\Run: [glDriver-v1.3] glsupport-v13.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


Click Start-> Run-> Copy the Bold Text below into the Open box and Click OK!

sc delete SvcProc


Restart and Post a fresh HijackThis log and the log from the file search!


Install these 2 Utilities for some added security to browsing!

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update immediately!

IE Spyad:
http://www.bleepingcomputer.com/forums/ind...showtutorial=53
There is a direct download inside and great tutorial also!

#14 wingmech (Topic Starter)

Posted 11 July 2005 - 08:25 PM

Cretemonster,

What am I supposed to do with the look.bat file you had me create?

At what point should I run it?

wingmech

#15 Guest_Cretemonster_*

Posted 12 July 2005 - 04:38 AM

My bad, I didn't even put the execute instructions in there!

Go ahead and Double Click look.bat and post those results along with fresh HijackThis log!



