
Prutec! / Qoologic / Shorty.b / Flashtrck.e Surfkick.r



#1 TammyRene

Posted 05 December 2005 - 02:21 PM

That's not the complete list. There are lots of adware, malware, spybots, trojans and infections, and I've tried and tried to remove them using the help on this website, and just when I think I've managed, some or one or all of them come back.

I've followed all the steps EXCEPT that Ad-Aware hasn't ever removed and cleaned everything. I've been trying since November 27th, and now am at my wits' end. The other thing that won't work is the Windows Updater. I can't get it to give me the newest updates as it says the page is unavailable.

*sigh*

I've pasted my HJT log; any help would be greatly appreciated.

Tammy


Logfile of HijackThis v1.99.1
Scan saved at 1:11:15 PM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\system32\yiac\ekidxuc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [ekidxuc] C:\WINNT\system32\yiac\ekidxuc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\s4pule791h.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ekidxucyiac - Unknown owner - C:\WINNT\system32\yiac\ekidxuc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


#2 miekiemoes (Malware Response Team)

Posted 06 December 2005 - 08:32 AM

Hello,

Download Reglook to your desktop.
Unzip it!
Read here how to unzip properly.

Open the reglook-folder and doubleclick runme.bat
Notepad will open with some text in it (reglook.log).
Copy and paste the contents in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 TammyRene

Posted 06 December 2005 - 09:25 AM

Thank you, in advance, for your help.

Here's what popped up in notepad:

A reg_look by IMM
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(key has 0 subkeys and 7 value entries - last modified 14:54(UTC) 29/11/2005)
[AppInit_DLLs] = "" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(key has 4 subkeys and 31 value entries - last modified 14:13(UTC) 06/12/2005)
[Userinit] = "userinit.exe" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
(key has 0 subkeys and 5 value entries - last modified 08:42(UTC) 09/01/2003)
[Shell] = "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon" (REG_SZ)
----------------------------------------

#4 miekiemoes (Malware Response Team)

Posted 06 December 2005 - 10:25 AM

Hello,

It's better to print out the following instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Please set your system to show all files; please see here if you're unsure how to do this.

* Download and install CCleaner
Do not use it yet.

Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Reboot into Safe Mode (without networking support!)
To get into Safe Mode, press and hold your F8 key as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [ekidxuc] C:\WINNT\system32\yiac\ekidxuc.exe
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\s4pule791h.dll (file missing)
O23 - Service: ekidxucyiac - Unknown owner - C:\WINNT\system32\yiac\ekidxuc.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINNT\system32\yiac <== folder

* Still in Safe Mode, start CCleaner
click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right)

* Open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

* Perform an online scan with Panda (please use this scanner instead of any other scanner!):
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the Panda scan report together with a new HijackThis log and the log from ewido.

Extra question: did you use L2Mfix before?
We'll deal with Windows Update afterwards. Do you get any error while accessing the Windows Update page? Or is it just blank?
Please let me know in your next reply also.

Edited by miekiemoes, 06 December 2005 - 10:27 AM.

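The four entries picked for "Fix checked" above (the blank HKLM start page, the ekidxuc Run entry, the Winlogon Notify entry whose DLL is already gone, and the service with no owner) follow rules that can be applied mechanically to any HijackThis log. The script below is an added example, not code from this thread, from HijackThis or from its author. The log excerpt inside it is a constructed subset of the log posted in #1, and the heuristics it encodes (unknown-owner service cross-referenced with a Run entry, autostart from a system32 subfolder, missing Winlogon Notify DLL, blanked start page) are the editor's reading of #4, not a HijackThis feature.

```python
"""Triage heuristics for a HijackThis v1.99.1 log (added example)."""
import re
from dataclasses import dataclass

# Constructed subset of the log in post #1; only the entries needed to show
# the rules are kept, the rest of the log is omitted.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\yiac\ekidxuc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [ekidxuc] C:\WINNT\system32\yiac\ekidxuc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O20 - Winlogon Notify: MediaContentIndex - C:\WINNT\system32\s4pule791h.dll (file missing)
O23 - Service: ekidxucyiac - Unknown owner - C:\WINNT\system32\yiac\ekidxuc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Line shapes as HijackThis 1.99.1 prints them.
RE_R = re.compile(r"^(?P<sec>R[01]) - (?P<key>.+?) = ?(?P<value>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Executable living one folder below system32 (system32\<dir>\<file>.exe).
RE_SYS32_SUB = re.compile(r"\\system32\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section the line came from (R0, O4, O20, O23)
    line: str      # the offending log line, verbatim
    reason: str    # which heuristic fired


def _norm(path):
    """Strip surrounding quotes and case so O4 and O23 paths compare equal."""
    return path.strip().strip('"').lower()


def triage(log_text):
    """Return the log lines a helper would mark for 'Fix checked', with the reason."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    findings = []

    # Pass 1: services carrying no vendor string; remember their image paths.
    unknown_images = set()
    for line in lines:
        m = RE_O23.match(line)
        if m and m.group("owner").lower() == "unknown owner":
            unknown_images.add(_norm(m.group("path")))
            findings.append(Finding("O23", line, "service registered with no vendor information"))

    # Pass 2: autostarts, Winlogon Notify DLLs and browser start pages.
    for line in lines:
        if m := RE_O4.match(line):
            path = _norm(m.group("path"))
            if path in unknown_images:
                findings.append(Finding("O4", line,
                    "Run entry shares its image with an unknown-owner service (double persistence)"))
            elif RE_SYS32_SUB.search(path):
                findings.append(Finding("O4", line, "autostart from a system32 subfolder; verify the publisher"))
        elif m := RE_O20.match(line):
            if m.group("missing"):
                findings.append(Finding("O20", line,
                    "Winlogon Notify DLL missing on disk: notify DLL renamed at every boot (Look2Me pattern)"))
        elif m := RE_R.match(line):
            if not m.group("value"):
                findings.append(Finding(m.group("sec"), line, "browser start page blanked; reset it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample this flags exactly the four lines chosen in #4 and leaves the ZoneAlarm and Java entries alone. The missing-file check is the one that matters most here: a Winlogon Notify DLL that HijackThis cannot find on disk is the signature of a notify DLL that renames itself on each boot, and fixing the registry entry alone will not stop it.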

#5 TammyRene


Posted 06 December 2005 - 01:25 PM

I don't think I ran the L2Mfix before because that's the one that scared me bad enough to actually ask for help.

I went to Windows Update just to copy and paste the error message, and I actually got past that page to the install page. I didn't go past that page because I didn't want to mess anything up in the middle of getting help.

Here are the three reports requested:

Panda:

Incident Status Location

Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0J23YB01\!update-2554[1].0000
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8D6NWLUV\!update-2564[1].0000
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9VCV5593\!update-2514[1].0000
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QLATUPE9\!update-2504[1].0000
Adware:adware/maxifiles Not disinfected C:\Program Files\Common Files\system32.dll
Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\076EF66E-91FA-44B5-A93F-412426\558B7C85-42B6-4007-A161-53944C
Spyware:Spyware/SurfSideKick Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\076EF66E-91FA-44B5-A93F-412426\D8866293-BF13-451A-8956-E932EA
Spyware:Spyware/SurfSideKick Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\233E1321-9D9B-4E10-B4A6-8134CF\783D15C3-D88E-4B76-A3E1-A07556
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4EBD3B3C-D0A1-4767-8D91-05F894\1432FB90-5D70-4C57-9748-37A6DA
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4EBD3B3C-D0A1-4767-8D91-05F894\69D0A068-BC16-4271-9131-746627
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4EBD3B3C-D0A1-4767-8D91-05F894\B490BE07-2681-4CF1-A21C-D86906
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4EBD3B3C-D0A1-4767-8D91-05F894\B99DFBF5-8FC2-4EAC-B867-0F0FAF
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4EBD3B3C-D0A1-4767-8D91-05F894\ECCF51D9-A1B3-43A2-90F2-37A01D
Spyware:Spyware/LZIO-Media Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\88A2AC63-92E0-4CCC-8C49-A52E5F\83939BC9-FE14-4D6B-ADDC-2C11DD
Spyware:Spyware/LZIO-Media Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E7379A3E-6F48-4EE4-8B01-C812DB\03614E7D-8671-4597-945F-412E39
Spyware:Spyware/LZIO-Media Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E7379A3E-6F48-4EE4-8B01-C812DB\1AD05D0C-5C1A-48E1-BD5A-485C84
Spyware:Spyware/LZIO-Media Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E7379A3E-6F48-4EE4-8B01-C812DB\E07367DF-60FA-442D-B421-949028
Adware:Adware/SearchFast Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\FB7087A7-6824-48CC-8FE1-EA3A36\FCA9CF21-765A-4435-8841-5521E2
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Sifasoft\Cache\0000401d_4330ba79_00090f56
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\Sifasoft\Cache\000071f0_4330ba7a_00098968
Possible Virus. Not disinfected C:\RECYCLER\S-1-5-21-2029001170-151117984-1464724769-500\Dc1\ekidxuc.exe
Adware:adware/ncase Not disinfected C:\WINNT\msbb.exe.temp
Adware:adware/adblaster Not disinfected C:\WINNT\system32\adprot.exe
Adware:adware program Not disinfected C:\WINNT\system32\data.~
Spyware:Spyware/LZIO-Media Not disinfected C:\WINNT\system32\lgesxoeu\hqiq.exe
Spyware:Spyware/LZIO-Media Not disinfected C:\WINNT\system32\mnbaedmw\vwlhhvur.exe
Adware:adware/iedriver Not disinfected C:\WINNT\system32\Searchx.htm
Adware:adware/ezula Not disinfected C:\WINNT\woinstall.exe


New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:12:22 PM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: App Management - C:\WINNT\system32\mv84l9lq1.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:52:54 AM, 12/6/2005
+ Report-Checksum: 5468C4C2

+ Scan result:

HKLM\SOFTWARE\Classes\WEBInstaller.CExecute -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\WEBInstaller.CExecute\CurVer -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\WEBInstaller.CExecute.1 -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreenSaver Manager -> Spyware.LZIO : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer -> Spyware.Look2Me : Cleaned with backup
HKLM\SOFTWARE\SecureWin -> Spyware.Adlogix : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000277A3-7D84-406A-9799-D12A81594693} -> Spyware.SearchFast : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-2029001170-151117984-1464724769-1003\Software\DNS -> Adware.Shorty : Cleaned with backup
HKU\S-1-5-21-2029001170-151117984-1464724769-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{000277A3-7D84-406A-9799-D12A81594693} -> Spyware.SearchFast : Cleaned with backup
HKU\S-1-5-21-2029001170-151117984-1464724769-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\S-1-5-21-2029001170-151117984-1464724769-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000277A3-7D84-406A-9799-D12A81594693} -> Spyware.SearchFast : Cleaned with backup
HKU\S-1-5-21-2029001170-151117984-1464724769-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKU\S-1-5-21-2029001170-151117984-1464724769-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000277A3-7D84-406A-9799-D12A81594693} -> Spyware.SearchFast : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
[656] C:\WINNT\system32\diuiext.dll -> Spyware.Look2Me : Error during cleaning
[732] C:\WINNT\system32\diuiext.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@cityclub.gamingpromo[1].txt -> Spyware.Cookie.Gamingpromo : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@hypertracker[2].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@linkbuddies[2].txt -> Spyware.Cookie.Linkbuddies : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@paypopup[3].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@www.epilot[2].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9VCV5593\!update-2534[1].0000 -> Downloader.PurityScan.an : Cleaned with backup
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QLATUPE9\!update-2524[1].0000 -> Downloader.PurityScan.an : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\076EF66E-91FA-44B5-A93F-412426\0AA76E04-16CF-4745-9786-D75E20 -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\076EF66E-91FA-44B5-A93F-412426\95E9EC5C-A8AD-48A5-8A4D-9C5637 -> Adware.SurfSide : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3F8A1DE7-0DDC-4E0A-98A9-E91E63\D24BB0D8-EF5C-40B2-AB8B-547A07 -> Downloader.IstBar.gi : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\66BF4714-B6B1-491F-A2FF-29BC87\2CCA9719-62B9-4C84-8485-6E831B -> Spyware.FlashEnhancer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\957E1159-C984-4E43-A393-43AB30\37F23034-38B3-4D9C-906F-94997C -> Spyware.CASClient : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E30AF40A-536D-44A2-B879-EDF56F\956A2E99-26C2-46A1-B5C5-130126 -> Downloader.IstBar.gi : Cleaned with backup
C:\WINNT\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINNT\system32\4irx0dk.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\WINNT\system32\5lex0vy.dll -> Trojan.Kolweb.a : Cleaned with backup
C:\WINNT\system32\813c.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\WINNT\system32\abtapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\All.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINNT\system32\All.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINNT\system32\ctgmgr32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\cvprops.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\dnnq0155e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\en40l1hm1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\enjsl1171.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\fpr8039ue.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\fprs0397e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\gpjsl3171.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\GUFSPidGen.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\h84mlih1184.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\hrn8055ue.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\i0lola331d.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\i2060cdsef060.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\i2lo0c33ef.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\iblogmsg.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\iduv_32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\iragehlp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\j0l40a3qed.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\jt4q07h5e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\jt6q07j5e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\jt8207loe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\k680lglm16qa.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\k6pm0g71e6.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\kt46l7hs1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\ktnql7551.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\l20u0cd9ef0.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\l66o0gj3e6o.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\l6p20g7oe6.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\LCBFPMNT.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\m0ju0a19ed.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\mdcorier.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\mv2ql9f51.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\mv68l9ju1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\mv8ul9l91.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\mvrol9931.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\MWRio300.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\n0l80a3ued.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\n2b.exe -> Trojan.Delf.cf : Cleaned with backup
C:\WINNT\system32\NNSCAA638.EXE -> Spyware.NewDotNet : Cleaned with backup
C:\WINNT\system32\o6rolg9316.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\p4p6le7s1h.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\pi1_71.exe -> Downloader.Small.aal : Cleaned with backup
C:\WINNT\system32\q4680ejueho80.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\r66ulgj916o.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\rcicpx.exe -> Logger.VB.eh : Cleaned with backup
C:\WINNT\system32\rimps.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\rjng.dll -> Trojan.Kolweb.d : Cleaned with backup
C:\WINNT\system32\rk.bin -> Spyware.RK : Cleaned with backup
C:\WINNT\system32\s0rsla971d.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\sHfrslv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\shreamci.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\slclient.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\slrstr.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\szccs.dll -> Spyware.Adstart : Cleaned with backup
C:\WINNT\system32\szccsd.exe -> Spyware.Adstart : Cleaned with backup
C:\WINNT\system32\szcpack.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\tnkft.dll -> Spyware.Adstart : Cleaned with backup
C:\WINNT\system32\tnkftd.exe -> Spyware.Adstart : Cleaned with backup
C:\WINNT\system32\ucmore.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINNT\system32\ucmore.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINNT\system32\uervpa.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\wqps2.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\WіnSxS\msconfig.exe -> Spyware.PurityScan : Cleaned with backup
C:\WINNT\Temp\bw2.com -> Spyware.AdURL : Cleaned with backup
C:\WINNT\Temp\Cookies\owner@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\WINNT\Temp\Cookies\owner@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup


::Report End
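The two reports above say different things: Panda only lists what it found and where, while ewido reports what it could and could not remove. The script below is an added example, not code from the thread, from Panda or from ewido. It parses constructed excerpts of both reports: it separates the Panda hits that are already contained (a quarantine folder, the browser cache, the Recycle Bin) from the live files, collapses a file inside a random-named system32 subfolder to its folder, and pulls out the ewido objects that were not cleaned. The bracketed number on those ewido lines is read here as the ID of the process the DLL was found loaded in, which is an assumption about the report format; a DLL that is mapped into a running process cannot be deleted while that process is alive, which is what the "Error during cleaning" entries indicate.

```python
"""Triage of Panda ActiveScan and ewido scan reports (added example)."""
import re
from collections import Counter, defaultdict

# Constructed excerpts of the two reports posted in #5 (a handful of lines each).
PANDA_SAMPLE = r"""
Incident Status Location
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0J23YB01\!update-2554[1].0000
Adware:adware/maxifiles Not disinfected C:\Program Files\Common Files\system32.dll
Spyware:Spyware/SurfSideKick Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\076EF66E-91FA-44B5-A93F-412426\558B7C85-42B6-4007-A161-53944C
Adware:Adware/Exact.BargainBuddyNot disinfected C:\Program Files\Sifasoft\Cache\0000401d_4330ba79_00090f56
Possible Virus. Not disinfected C:\RECYCLER\S-1-5-21-2029001170-151117984-1464724769-500\Dc1\ekidxuc.exe
Spyware:Spyware/LZIO-Media Not disinfected C:\WINNT\system32\lgesxoeu\hqiq.exe
Adware:adware/ezula Not disinfected C:\WINNT\woinstall.exe
"""

EWIDO_SAMPLE = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer -> Spyware.Look2Me : Cleaned with backup
[656] C:\WINNT\system32\diuiext.dll -> Spyware.Look2Me : Error during cleaning
[732] C:\WINNT\system32\diuiext.dll -> Spyware.Look2Me : Error during cleaning
C:\WINNT\system32\abtapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\4irx0dk.exe -> Trojan.Kolweb.b : Cleaned with backup
::Report End
"""

# "<family> Not disinfected <path>"; the optional space copes with the
# "BargainBuddyNot disinfected" run-together seen in the posted report.
RE_PANDA = re.compile(r"^(?P<family>.+?) ?(?P<status>Not disinfected|Disinfected) (?P<path>.+)$")
# "[pid] <object> -> <family> : <status>"; the [pid] prefix is optional.
RE_EWIDO = re.compile(r"^(?:\[(?P<pid>\d+)\] )?(?P<obj>.+?) -> (?P<family>.+?) : (?P<status>.+)$")
# A file one folder below system32: delete the folder, not just the file.
RE_SYS32_SUB = re.compile(r"^(?P<folder>.*\\system32\\[^\\]+)\\[^\\]+$", re.IGNORECASE)


def location_class(path):
    """Where the hit lives decides whether it still needs manual action."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantined"          # already contained by another tool
    if "\\temporary internet files\\" in p or "\\temp\\" in p:
        return "cache"                # cleared by emptying the cache
    if p.startswith("c:\\recycler\\"):
        return "recycle-bin"          # cleared by emptying the bin
    return "live"


def parse_panda(text):
    hits = []
    for line in text.splitlines():
        m = RE_PANDA.match(line.strip())
        if m:
            hits.append({"family": m.group("family"), "status": m.group("status"),
                         "path": m.group("path"), "where": location_class(m.group("path"))})
    return hits


def manual_delete_list(hits):
    """Live, undisinfected Panda hits as (target, is_folder), folders collapsed."""
    targets = {}
    for h in hits:
        if h["where"] != "live" or h["status"] != "Not disinfected":
            continue
        m = RE_SYS32_SUB.match(h["path"])
        if m:
            targets[m.group("folder")] = True
        else:
            targets.setdefault(h["path"], False)
    return sorted(targets.items())


def parse_ewido(text):
    hits = []
    for line in text.splitlines():
        m = RE_EWIDO.match(line.strip())
        if m:
            hits.append({"pid": int(m.group("pid")) if m.group("pid") else None,
                         "obj": m.group("obj"), "family": m.group("family"),
                         "status": m.group("status")})
    return hits


def still_loaded(hits):
    """Objects ewido failed to clean, keyed by path, with the PIDs they were seen in."""
    out = defaultdict(list)
    for h in hits:
        if not h["status"].startswith("Cleaned"):
            out[h["obj"]].append(h["pid"])
    return dict(out)


def family_summary(hits):
    return Counter(h["family"] for h in hits)


if __name__ == "__main__":
    for target, is_folder in manual_delete_list(parse_panda(PANDA_SAMPLE)):
        print(target + (" <== folder" if is_folder else ""))
    ew = parse_ewido(EWIDO_SAMPLE)
    print(family_summary(ew))
    for path, pids in still_loaded(ew).items():
        print(f"still loaded in {pids}: {path}")
```

On the sample, the manual-deletion list comes out as the Common Files DLL, the Sifasoft cache file, the lgesxoeu folder and woinstall.exe, which is the same shape as the list given later in the thread; the quarantine, cache and Recycle Bin hits are left out. The ewido side reports diuiext.dll as uncleaned in two processes, so that file has to be dealt with from Safe Mode, where those processes do not load it.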

#6 miekiemoes (Malware Response Team)

Posted 06 December 2005 - 01:34 PM

I have a question..
Did you run the Panda online scan with networking support in safe mode?
It is really important I know this...
Can you please answer that first?

#7 TammyRene


Posted 06 December 2005 - 01:53 PM

No, I'm sorry. I rebooted back to normal with my firewall and antivirus in place before I ran the panda scan.

Do you want me to do it again from safe mode?

Tammy

#8 miekiemoes (Malware Response Team)

Posted 06 December 2005 - 01:53 PM

Anyway,

Can you check something for me?
Can you check whether the following folder is viewable in normal mode?

C:\Program Files\Sifasoft <== folder

If so, can you tell me what's inside that folder?
Do you know the program Sifasoft?

Also, did you run CCleaner in Safe Mode as I asked you?

Edited by miekiemoes, 06 December 2005 - 01:54 PM.


#9 TammyRene

TammyRene
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:49 PM

Posted 06 December 2005 - 02:07 PM

I lost my response somewhere. I was typing and it disappeared.

Yes, the folder is viewable in normal mode. There is another folder under it called Cache; it has a bunch of files in it that I don't recognize and that don't have real names.

I have no idea what Sifasoft is or what it is used for.

I did run the Ccleaner from safe mode without network support.


I'm not sure how to get those long file names without typing them out, and I'm not sure I would type them correctly but will try here:


00000a4a_433f1ef4_000a7d8c 48 KB 10/1/2005 5:42
00000a2f_43275472_000d1cef 73 KB 09/14/2005 7:38am

They pretty much all look like that, with the letters and numbers, etc.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:03:49 AM

Posted 06 December 2005 - 02:18 PM

Ok,

I already asked you before to show hidden files and folders.
Please delete the following manually:

C:\Program Files\Common Files\system32.dll
C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe
C:\Program Files\Sifasoft <== folder
C:\WINNT\msbb.exe.temp
C:\WINNT\system32\adprot.exe
C:\WINNT\system32\data.~
C:\WINNT\system32\lgesxoeu <== folder
C:\WINNT\system32\mnbaedmw <== folder
C:\WINNT\system32\Searchx.htm
C:\WINNT\woinstall.exe

If you're having problems with deleting them, try it in safe mode.

Scan with CCleaner
1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.


In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

3. Click the "Run Cleaner" button.
4. A pop-up box will appear advising that this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done.

Then,

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If, while running option #1, you receive an error similar to: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application..'',
then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.


PLEASE DO NOT RUN THIS IN SAFE MODE!!

#11 TammyRene

TammyRene
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:49 PM

Posted 06 December 2005 - 02:54 PM

Here are the contents of that box that popped up.

NOTE: I did get that error message but I didn't run number 5 because the instructions before it say do not run anything else in this folder until told to do so.

Tammy
----


L2MFIX find log 120305
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\mv84l9lq1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EF6A2801-7B2A-22AD-7783-02C65C4BF7A1}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{06595B5E-A1E3-4BCF-AA62-9A38B642CF3F}"=""
"{5E36CCED-4D45-4E7D-BC08-DF935C3673B1}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{8B1C5412-508F-44FC-83C4-32099CCFE5B5}"=""
"{D2A4071D-A09B-4304-89A9-FCFD2B315E49}"=""
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{9AF8CB93-9775-4A4F-B92A-42C1FAE5AECC}"=""
"{A8D5CD4F-E947-4CFA-8C55-C770AF3DFF77}"=""
"{3FE08C4D-EA29-4119-9540-55A4E57A9957}"=""
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
"{87B2C5D1-B479-471F-96D4-21A728129F8D}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5E36CCED-4D45-4E7D-BC08-DF935C3673B1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5E36CCED-4D45-4E7D-BC08-DF935C3673B1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5E36CCED-4D45-4E7D-BC08-DF935C3673B1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5E36CCED-4D45-4E7D-BC08-DF935C3673B1}\InprocServer32]
@="C:\\WINNT\\system32\\iblogmsg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A8D5CD4F-E947-4CFA-8C55-C770AF3DFF77}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A8D5CD4F-E947-4CFA-8C55-C770AF3DFF77}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A8D5CD4F-E947-4CFA-8C55-C770AF3DFF77}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A8D5CD4F-E947-4CFA-8C55-C770AF3DFF77}\InprocServer32]
@="C:\\WINNT\\system32\\wsapi.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3FE08C4D-EA29-4119-9540-55A4E57A9957}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3FE08C4D-EA29-4119-9540-55A4E57A9957}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3FE08C4D-EA29-4119-9540-55A4E57A9957}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3FE08C4D-EA29-4119-9540-55A4E57A9957}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{87B2C5D1-B479-471F-96D4-21A728129F8D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87B2C5D1-B479-471F-96D4-21A728129F8D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87B2C5D1-B479-471F-96D4-21A728129F8D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87B2C5D1-B479-471F-96D4-21A728129F8D}\InprocServer32]
@="C:\\WINNT\\system32\\diuiext.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 7C98-F6F1

Directory of C:\WINNT\System32

11/28/2005 12:29 PM <DIR> dllcache
01/09/2003 09:00 AM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 33,434,537,984 bytes free
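
Reading the L2MFix find log above the way a responder does, as an added example that is not part of this thread or of the L2MFix tool: it parses the .reg-style sections, lists every Winlogon\Notify subkey that names a DLL (the "App Management" entry here), and lists Approved shell-extension CLSIDs with a blank description, resolving each to the InprocServer32 path recorded in the log. The excerpt embedded below is constructed from values in the posted log; the key names and regexes are the example's own.

```python
import re

# Constructed excerpt in the .reg-export shape of an L2MFix "find log".
# The paths, CLSIDs and DLL names are copied from the log posted in this thread.
FIND_LOG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\mv84l9lq1.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{5E36CCED-4D45-4E7D-BC08-DF935C3673B1}"=""
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
"{3FE08C4D-EA29-4119-9540-55A4E57A9957}"=""

[HKEY_CLASSES_ROOT\CLSID\{5E36CCED-4D45-4E7D-BC08-DF935C3673B1}\InprocServer32]
@="C:\\WINNT\\system32\\iblogmsg.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{3FE08C4D-EA29-4119-9540-55A4E57A9957}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
'''

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
APPROVED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"([^"]*)")=(?:"(.*)"|(dword:[0-9a-fA-F]+))$')
INPROC_RE = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32$")


def parse_reg(text):
    """Parse .reg-style text into {key path: {value name: data}}; "@" is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2) if m.group(2) is not None else m.group(3)
            keys[current][name] = data.replace("\\\\", "\\")  # undo .reg backslash escaping
    return keys


def winlogon_notify_dlls(keys):
    """(subkey, DLL) for each Winlogon Notify subkey naming a DLL; these load into winlogon.exe."""
    return [(path.rsplit("\\", 1)[1], vals["DllName"])
            for path, vals in keys.items()
            if path.lower().startswith(NOTIFY_KEY.lower() + "\\") and vals.get("DllName")]


def unnamed_approved_extensions(keys):
    """Approved shell-extension CLSIDs with a blank description, resolved to the DLL they load."""
    servers = {m.group(1).upper(): vals.get("@", "")
               for path, vals in keys.items() for m in [INPROC_RE.match(path)] if m}
    return [(clsid, servers.get(clsid.upper(), "<no InprocServer32 section in log>"))
            for clsid, desc in keys.get(APPROVED_KEY, {}).items() if desc == ""]


if __name__ == "__main__":
    parsed = parse_reg(FIND_LOG)
    for subkey, dll in winlogon_notify_dlls(parsed):
        print(f"Winlogon Notify subkey '{subkey}' loads {dll}")
    for clsid, dll in unnamed_approved_extensions(parsed):
        print(f"Unnamed approved shell extension {clsid} -> {dll}")
```

Both findings match what the helper later asks to remove: a Notify DLL and blank-named approved CLSIDs whose servers live in system32 under nonsense names or .tmp extensions.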

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:03:49 AM

Posted 06 December 2005 - 03:15 PM

Please use option 5 BEFORE performing my next steps.
This will open a webpage where you have to choose the right fix for your system (XP Professional or XP Home).
Download the fix to your desktop and run it.

This will restore the autoexec.nt error.

Then,

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. The fix will start. Please don't use your keyboard while the fix is running! Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. When asked, Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If, after the reboot, the log does not open, double click on it in the l2mfix folder.

#13 TammyRene

TammyRene
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:49 PM

Posted 06 December 2005 - 03:44 PM

I ran option 5 and chose the XP Home one, saved it to my desktop and then ran it. It extracted 3 files to the system32 directory without prompting for overwrite.

Here's where I panic. I ran option 2 and the same error box that I received when I ran option 1 popped up.

Do I ignore? or cancel?

or leave it alone completely?

The original DOS like box thingy says: Enter password

and I decided to come post from another computer before I make the mess worse.

Tammy

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:03:49 AM

Posted 06 December 2005 - 03:49 PM

Hmm, normally you don't have to enter a password, it does it automatically.

Can you reboot first and then run option 2 again for 'run fix'?
If you're still getting the same error, then leave it alone and we'll deal with the leftovers manually.

Just let me know in your next reply. :thumbsup:

#15 TammyRene

TammyRene
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:49 PM

Posted 06 December 2005 - 04:03 PM

I rebooted and when the windows login screen comes up it has that program name l2mfix as a user name.

