Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Lots Of Popups


  • Please log in to reply
10 replies to this topic

#1 lorenzo_CA

lorenzo_CA

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:54 AM

Posted 07 February 2006 - 04:44 AM

My computer has become almost unusable due to the amount of popups I am continually getting. I have tried using Ad-Aware with the latest updates as well as AVG Free Edition with the latest updates and it has not really helped.

I am getting normal popups in IE (new windows) and in FireFox it is giving me multiple tabs and auto resizing my Firefox window as needed. It is also poping up graphical browserless popups. Actually they look pretty cool, but they are annoying to say the least.

I am using Windows XP Professional, service Pack 1 with recent updates from windowsupdate.com.

I don't know what to do next, but here is my Hijackthis log. Hopefully my problems are easily identifiable and fixable.

Thanks in advance.

Lorenzo_CA


Log follows:

Logfile of HijackThis v1.99.1
Scan saved at 1:24:59 AM, on 2/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Bill\Desktop\Virus Software\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\yaypwo.exe reg_run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [Microsoft Configure 32] msoftconf.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msoftconf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Configure 32] msoftconf.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135194008918
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138640582141
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://www.mnlife.com/ACEUpdate/isetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.quotit.net/Viewers/ActiveXViewe...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66A893D4-E393-4D42-9959-4E681ABCF555}: NameServer = 64.105.132.250 64.105.166.122
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\t0r8la9u1d.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: windows network (network services) - Unknown owner - C:\WINDOWS\svbhost.exe (file missing)
O23 - Service: norton (nortons) - Unknown owner - C:\WINDOWS\nvsnav.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:54 AM

Posted 09 February 2006 - 01:40 PM

Hi There! :thumbsup:

I am currently working on your log and am checking it with a teacher.

I will get back to you as soon as possible.

David :flowers:

#3 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:54 AM

Posted 09 February 2006 - 01:51 PM

Hi and :thumbsup: to Posted Image :flowers:

My name is David Posted Image

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :huh:
______________________________________

:huh: First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following (if present):

New.Net Applications or New.Net Domains (anything that says New.Net)
webHancer
AltnetPointsManager


If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.
______________________________________

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
______________________________________

Make sure that you can see hidden files (Windows XP).
-Click "Start".
-Click "My Computer".
-Select the "Tools" menu and click "Folder Options".
-Select the "View" tab.
-Under the "Hidden files and folders" heading, select "Show hidden files and folders".
-Uncheck the "Hide protected operating system files (recommended)" option.
-Click "Yes" to confirm.
-Uncheck the "Hide file extensions for known file types".
-Click "OK".
______________________________________

Open notepad and copy and paste next in it:

sc stop nortons
sc delete nortons
sc stop "network services"
sc delete "network services"

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: Posted Image
Doubleclick fix.bat.
______________________________________

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
______________________________________

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\yaypwo.exe reg_run
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [Microsoft Configure 32] msoftconf.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msoftconf.exe
O4 - HKCU\..\Run: [Microsoft Configure 32] msoftconf.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\t0r8la9u1d.dll
O23 - Service: windows network (network services) - Unknown owner - C:\WINDOWS\svbhost.exe (file missing)
O23 - Service: norton (nortons) - Unknown owner - C:\WINDOWS\nvsnav.exe (file missing)


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.
______________________________________

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\System32\yaypwo.exe --> file
C:\Program Files\webHancer --> folder
C:\Program Files\Altnet --> folder
C:\WINDOWS\System32\msoftconf.exe --> file
C:\Program Files\Newdotnet --> folder
C:\WINDOWS\system32\t0r8la9u1d.dll --> file
C:\WINDOWS\svbhost.exe --> file
C:\WINDOWS\nvsnav.exe --> file
______________________________________

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido
______________________________________

Please reboot back to normal mode.
______________________________________

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
______________________________________

Please post back with:
  • A new HijackThis log
  • The L2me Fix log
  • The Ewido log
David :huh:

#4 lorenzo_CA

lorenzo_CA
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:54 AM

Posted 10 February 2006 - 04:36 PM

David,

Thank you so much for the response. I did everything that you said and I will post the logs below.

Thanks again.

Lorenzo_CA

Here is the HiJackThis log after everything was completed...

Logfile of HijackThis v1.99.1
Scan saved at 1:19:52 PM, on 2/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Bill\Desktop\Virus Software\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135194008918
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138640582141
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://www.mnlife.com/ACEUpdate/isetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.quotit.net/Viewers/ActiveXViewe...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66A893D4-E393-4D42-9959-4E681ABCF555}: NameServer = 64.105.132.250 64.105.166.122
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\p6p6lg7s16.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe




Here is the L2M Fix Log...

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\p6p6lg7s16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Sebring]
"Asynchronous"=dword:00000000
"Dllname"="C:\\WINDOWS\\System32\\LgNotify.dll"
"Impersonate"=dword:00000000
"Logon"="SebringUserLogon"
"Logoff"="SebringUserLogoff"
"Shutdown"="SebringShutDown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C22C0CC9-D5B6-8784-768C-01157500300E}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{6bc1bb05-ba15-415d-8c62-093a7f312fd2}"="eFax Messenger - Shell Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{B988C8B2-373B-11CF-B6E0-00AA00BBBA9E}"="ICCompPropPage"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{C2E9598F-B0F2-4873-964F-68A5696CE9C0}"=""
"{455FAEDC-AB0C-4C62-90A9-168077B5F0AA}"=""
"{0BFE208A-4006-43BD-8633-91C2D2C5E716}"=""
"{95BB3837-0FAE-4AAD-9623-A2CE2BC1CBBA}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C2E9598F-B0F2-4873-964F-68A5696CE9C0}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{C2E9598F-B0F2-4873-964F-68A5696CE9C0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C2E9598F-B0F2-4873-964F-68A5696CE9C0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C2E9598F-B0F2-4873-964F-68A5696CE9C0}\InprocServer32]
@="C:\\WINDOWS\\system32\\cStsrvps.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{455FAEDC-AB0C-4C62-90A9-168077B5F0AA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{455FAEDC-AB0C-4C62-90A9-168077B5F0AA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{455FAEDC-AB0C-4C62-90A9-168077B5F0AA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{455FAEDC-AB0C-4C62-90A9-168077B5F0AA}\InprocServer32]
@="C:\\WINDOWS\\system32\\ncdsapi.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0BFE208A-4006-43BD-8633-91C2D2C5E716}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0BFE208A-4006-43BD-8633-91C2D2C5E716}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0BFE208A-4006-43BD-8633-91C2D2C5E716}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0BFE208A-4006-43BD-8633-91C2D2C5E716}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{95BB3837-0FAE-4AAD-9623-A2CE2BC1CBBA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95BB3837-0FAE-4AAD-9623-A2CE2BC1CBBA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95BB3837-0FAE-4AAD-9623-A2CE2BC1CBBA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95BB3837-0FAE-4AAD-9623-A2CE2BC1CBBA}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
002kla3c.dll Thu Jan 19 2006 7:35:26a A.... 44,544 43.50 K
gdi32.dll Mon Jan 2 2006 2:38:04p A.... 260,608 254.50 K
mshtml.dll Tue Nov 22 2005 4:49:10p A.... 2,700,288 2.57 M
ncdsapi.dll Fri Feb 10 2006 1:14:26p ..S.R 234,220 228.73 K
p6p6lg~1.dll Fri Feb 10 2006 12:13:30p ..S.R 234,220 228.73 K
q4860e~1.dll Fri Feb 10 2006 1:13:30p ..S.R 237,158 231.60 K
sporder.dll Tue Jan 24 2006 9:29:44a A.... 8,464 8.27 K

7 items found: 7 files (3 H/S), 0 directories.
Total of file sizes: 3,719,502 bytes 3.55 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
lat11.tmp Tue Jan 17 2006 2:06:38p A.... 0 0.00 K
lat12.tmp Tue Jan 17 2006 2:07:40p A.... 0 0.00 K
lat13.tmp Tue Jan 17 2006 2:08:42p A.... 0 0.00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 0 bytes 0.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 7897-699C

Directory of C:\WINDOWS\System32

02/10/2006 01:14 PM 234,220 ncdsapi.dll
02/10/2006 01:13 PM 237,158 q4860elsehq60.dll
02/10/2006 12:13 PM 234,220 p6p6lg7s16.dll
01/30/2006 09:31 AM <DIR> dllcache
12/20/2005 10:39 AM <DIR> Microsoft
08/29/2002 02:41 AM 569,344 oleaut32.dll
08/29/2002 02:41 AM 401,462 msvcp60.dll
08/23/2001 04:00 AM 995,383 mfc42.dll
08/23/2001 04:00 AM 9,728 regsvr32.exe
08/23/2001 04:00 AM 106,496 olepro32.dll
8 File(s) 2,788,011 bytes
2 Dir(s) 21,129,678,848 bytes free





Here is the Ewido Log ...


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:12:05 PM, 2/10/2006
+ Report-Checksum: E36D8AF2

+ Scan result:

[640] C:\WINDOWS\system32\iwv6mon.dll -> Adware.Look2Me : Ignored
[776] C:\WINDOWS\system32\iwv6mon.dll -> Adware.Look2Me : Error during cleaning
C:\WINDOWS\system32\wrcsapi.dll -> Adware.Look2Me : Cleaned with backup


::Report End


The only issue with the Ewido was Adaware came up a few times. I really didn;t know if that was a problem or not. Let me know if I got everything.

Thx.

Lorenzo_CA

#5 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:54 AM

Posted 11 February 2006 - 03:54 AM

Hi lorenzo_CA

You did a good job there, however we are not yet finished.

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:

Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

RXToolBar

*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe

* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\RXToolBar <--folder

Please now reboot back to normal mode,

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note : Once the pc has restarted if a log does not appear or the icons didn't dissappear, run the "second.bat" located inside the L2mfix folder.

David

#6 lorenzo_CA

lorenzo_CA
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:54 AM

Posted 11 February 2006 - 01:29 PM

Hi David,

Everything went well, other than the RXToolbar program didn't show in the "remove programs" list, but I guess that is ok accodring to your instructions.

Here is the L2mfix log. It wasn't necessary to run the second bat file.

Thanks again...

Lorenzo_CA



L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 772 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 876 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1216 'explorer.exe'
Killing PID 1216 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 392 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\i060lajm1doa.dll
Successfully Deleted: C:\WINDOWS\system32\i060lajm1doa.dll
Deleting: C:\WINDOWS\system32\iOshlpr.dll
Successfully Deleted: C:\WINDOWS\system32\iOshlpr.dll
Deleting: C:\WINDOWS\system32\r06u0aj9edo.dll
Successfully Deleted: C:\WINDOWS\system32\r06u0aj9edo.dll
Deleting: C:\WINDOWS\system32\sgndmail.dll
Successfully Deleted: C:\WINDOWS\system32\sgndmail.dll

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i060lajm1doa.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Sebring]
"Asynchronous"=dword:00000000
"Dllname"="C:\\WINDOWS\\System32\\LgNotify.dll"
"Impersonate"=dword:00000000
"Logon"="SebringUserLogon"
"Logoff"="SebringUserLogoff"
"Shutdown"="SebringShutDown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\i060lajm1doa.dll
C:\WINDOWS\system32\iOshlpr.dll
C:\WINDOWS\system32\r06u0aj9edo.dll
C:\WINDOWS\system32\sgndmail.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C2E9598F-B0F2-4873-964F-68A5696CE9C0}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{C2E9598F-B0F2-4873-964F-68A5696CE9C0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C2E9598F-B0F2-4873-964F-68A5696CE9C0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C2E9598F-B0F2-4873-964F-68A5696CE9C0}\InprocServer32]
@="C:\\WINDOWS\\system32\\cStsrvps.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{455FAEDC-AB0C-4C62-90A9-168077B5F0AA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{455FAEDC-AB0C-4C62-90A9-168077B5F0AA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{455FAEDC-AB0C-4C62-90A9-168077B5F0AA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{455FAEDC-AB0C-4C62-90A9-168077B5F0AA}\InprocServer32]
@="C:\\WINDOWS\\system32\\sgndmail.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0BFE208A-4006-43BD-8633-91C2D2C5E716}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0BFE208A-4006-43BD-8633-91C2D2C5E716}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0BFE208A-4006-43BD-8633-91C2D2C5E716}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0BFE208A-4006-43BD-8633-91C2D2C5E716}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{95BB3837-0FAE-4AAD-9623-A2CE2BC1CBBA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95BB3837-0FAE-4AAD-9623-A2CE2BC1CBBA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95BB3837-0FAE-4AAD-9623-A2CE2BC1CBBA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{95BB3837-0FAE-4AAD-9623-A2CE2BC1CBBA}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{C2E9598F-B0F2-4873-964F-68A5696CE9C0}"=-
"{455FAEDC-AB0C-4C62-90A9-168077B5F0AA}"=-
"{0BFE208A-4006-43BD-8633-91C2D2C5E716}"=-
"{95BB3837-0FAE-4AAD-9623-A2CE2BC1CBBA}"=-
[-HKEY_CLASSES_ROOT\CLSID\{C2E9598F-B0F2-4873-964F-68A5696CE9C0}]
[-HKEY_CLASSES_ROOT\CLSID\{455FAEDC-AB0C-4C62-90A9-168077B5F0AA}]
[-HKEY_CLASSES_ROOT\CLSID\{0BFE208A-4006-43BD-8633-91C2D2C5E716}]
[-HKEY_CLASSES_ROOT\CLSID\{95BB3837-0FAE-4AAD-9623-A2CE2BC1CBBA}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/i060lajm1doa.dll (164 bytes security) (deflated 5%)
adding: dlls/iOshlpr.dll (164 bytes security) (deflated 6%)
adding: dlls/r06u0aj9edo.dll (164 bytes security) (deflated 4%)
adding: dlls/sgndmail.dll (164 bytes security) (deflated 5%)
adding: backregs/0BFE208A-4006-43BD-8633-91C2D2C5E716.reg (212 bytes security) (deflated 70%)
adding: backregs/455FAEDC-AB0C-4C62-90A9-168077B5F0AA.reg (212 bytes security) (deflated 70%)
adding: backregs/95BB3837-0FAE-4AAD-9623-A2CE2BC1CBBA.reg (212 bytes security) (deflated 70%)
adding: backregs/C2E9598F-B0F2-4873-964F-68A5696CE9C0.reg (212 bytes security) (deflated 69%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

#7 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:54 AM

Posted 11 February 2006 - 01:31 PM

Please can I have a new HijackThis log also :thumbsup:
David

#8 lorenzo_CA

lorenzo_CA
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:54 AM

Posted 12 February 2006 - 01:27 PM

Here you go...

So far no popups!

Thanks again!

Lorenzo_CA

Logfile of HijackThis v1.99.1
Scan saved at 10:25:17 AM, on 2/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Bill\Desktop\Virus Software\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135194008918
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138640582141
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://www.mnlife.com/ACEUpdate/isetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.quotit.net/Viewers/ActiveXViewe...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66A893D4-E393-4D42-9959-4E681ABCF555}: NameServer = 64.105.132.250 64.105.166.122
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\i060lajm1doa.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#9 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:54 AM

Posted 13 February 2006 - 12:52 PM

Hello lorenzo_CA

I think the L2me infection is now gone. We've just got a bit of cleaning to do and then I think you'll be good to go.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\i060lajm1doa.dll (file missing)

* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Please post back with the Pandascan log and a new HijackThis log. If you have any questions just ask.
David

#10 lorenzo_CA

lorenzo_CA
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:54 AM

Posted 14 February 2006 - 10:09 AM

Hi David,

OK, here is the HJT log, followed by the PandaScan log.

Thanks.

Lorenzo


Logfile of HijackThis v1.99.1
Scan saved at 11:31:32 PM, on 2/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Bill\Desktop\Virus Software\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135194008918
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138640582141
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://www.mnlife.com/ACEUpdate/isetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.quotit.net/Viewers/ActiveXViewe...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66A893D4-E393-4D42-9959-4E681ABCF555}: NameServer = 64.105.132.250 64.105.166.122
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Here is the Panda Log:



Incident Status Location

Adware:adware/p2pnetworking Not disinfected C:\Documents and Settings\Bill\Local Settings\Temp\p2psetup.exe
Adware:adware program Not disinfected C:\WINDOWS\SYSTEM32\data.~
Adware:adware/swimsuitnetwork Not disinfected C:\WINDOWS\SYSTEM32\MYDLL.dll
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\drsmartload.dat
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32a.sys
Potentially unwanted tool:application/need2find Not disinfected C:\PROGRAM FILES\Need2Find
Adware:adware/searchresults Not disinfected C:\PROGRAM FILES\QL
Spyware:spyware/rxtoolbar Not disinfected Windows Registry
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Bill\Cookies\bill@2o7[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Bill\Cookies\bill@adopt.hbmediapro[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Bill\Cookies\bill@ads.pointroll[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Bill\Cookies\bill@ask[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bill\Cookies\bill@atdmt[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Bill\Cookies\bill@azjmp[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bill\Cookies\bill@belnk[1].txt
Spyware:Cookie/Btgrab Not disinfected C:\Documents and Settings\Bill\Cookies\bill@btg.btgrab[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Bill\Cookies\bill@data.coremetrics[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\Bill\Cookies\bill@desktop.kazaa[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bill\Cookies\bill@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Bill\Cookies\bill@doubleclick[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Bill\Cookies\bill@go[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Bill\Cookies\bill@maxserving[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Bill\Cookies\bill@offeroptimizer[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Bill\Cookies\bill@rn11[2].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Bill\Cookies\bill@tucows[2].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Bill\Cookies\bill@www.advnt01[1].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.go.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[c5.zedo.com/jsc/c5/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[as1.falkag.de/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.targetnet.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Date Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.date.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[hc2.humanclick.com/hc/50881381]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[hc2.humanclick.com/]
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.ask.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.888.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.winfixer.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.rn11.com/]
Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.peel.com/]
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.entrepreneur.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.delfinproject.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[.i.screensavers.com/]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[50881381]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\9esetm28.default\cookies.txt[]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Bill\Cookies\bill@2o7[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Bill\Cookies\bill@adopt.hbmediapro[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Bill\Cookies\bill@ads.pointroll[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Bill\Cookies\bill@ask[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bill\Cookies\bill@atdmt[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Bill\Cookies\bill@azjmp[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bill\Cookies\bill@belnk[1].txt
Spyware:Cookie/Btgrab Not disinfected C:\Documents and Settings\Bill\Cookies\bill@btg.btgrab[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Bill\Cookies\bill@data.coremetrics[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\Bill\Cookies\bill@desktop.kazaa[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bill\Cookies\bill@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Bill\Cookies\bill@doubleclick[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Bill\Cookies\bill@go[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Bill\Cookies\bill@maxserving[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Bill\Cookies\bill@offeroptimizer[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Bill\Cookies\bill@rn11[2].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Bill\Cookies\bill@tucows[2].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Bill\Cookies\bill@www.advnt01[1].txt
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Bill\Desktop\l2mfix\backup.zip[i060lajm1doa.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Bill\Desktop\l2mfix\backup.zip[iOshlpr.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Bill\Desktop\l2mfix\backup.zip[r06u0aj9edo.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Bill\Desktop\l2mfix\backup.zip[sgndmail.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Bill\Desktop\l2mfix\dlls\i060lajm1doa.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Bill\Desktop\l2mfix\dlls\iOshlpr.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Bill\Desktop\l2mfix\dlls\r06u0aj9edo.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Bill\Desktop\l2mfix\dlls\sgndmail.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Bill\Desktop\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Bill\Desktop\l2mfix.exe[Process.exe]
Virus:W32/Bagle.DZ.worm Not disinfected Personal Folders\Deleted Items\Increase_in_the_tax.zip[Taxes.exe]
Virus:Trj/Mitglieder.FK Not disinfected Personal Folders\Deleted Items\sms_text.zip[t_535475.exe]
Virus:Trj/Mitglieder.FK Not disinfected Personal Folders\Deleted Items\Business.zip[text.exe]
Virus:Trj/Mitglieder.FN Not disinfected Personal Folders\Deleted Items\Info_prices.zip[1.exe]
Virus:Trj/Mitglieder.FN Not disinfected Personal Folders\Deleted Items\sms_text.zip[1.exe]
Virus:Trj/Mitglieder.FL Not disinfected Personal Folders\Deleted Items\Business.zip[Text5546.exe]
Virus:W32/Sober.AH.worm!CME-681 Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm!CME-681 Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm!CME-681 Not disinfected Personal Folders\Deleted Items\Returned mail: see transcript for details\Registration Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:Trj/Mitglieder.GK Not disinfected Personal Folders\Deleted Items\Sybell\Bennett.zip[S3700020.exe]
Virus:Trj/Mitglieder.GO Not disinfected Personal Folders\Deleted Items\Susan\Samuell.zip[S3700026.exe]
Virus:W32/Bagle.DX.worm Not disinfected Personal Folders\Inbox\To_reduce_the_tax.rar[Taxes.exe]
Virus:W32/Sober.AH.worm!CME-681 Not disinfected Personal Folders\Inbox\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:Trj/Mitglieder.GB Not disinfected Personal Folders\Inbox\Isabel\Katherine.zip[12.exe]
Virus:W32/Mytob.LR.worm Not disinfected Personal Folders\Inbox\Your Account is Suspended For Security Reasons\account-info.zip[account-info.txt .exe]
Virus:W32/Mytob.LR.worm Not disinfected Personal Folders\Inbox\Email Account Suspension\document.zip[document.txt .exe]
Virus:W32/Mytob.LR.worm Not disinfected Personal Folders\Inbox\Your Account is Suspended For Security Reasons\account-report.zip[account-report.htm .exe]
Adware:Adware/P2PNetworking Not disinfected C:\Documents and Settings\Bill\Local Settings\Temp\p2psetup.exe
Adware:Adware/QoolAid Not disinfected C:\Documents and Settings\Bill\Local Settings\Temp\tm15253.exe
Virus:W32/Bagle.DZ.worm Not disinfected Personal Folders\Deleted Items\Increase_in_the_tax.zip[Taxes.exe]
Virus:Trj/Mitglieder.FK Not disinfected Personal Folders\Deleted Items\sms_text.zip[t_535475.exe]
Virus:Trj/Mitglieder.FK Not disinfected Personal Folders\Deleted Items\Business.zip[text.exe]
Virus:Trj/Mitglieder.FN Not disinfected Personal Folders\Deleted Items\Info_prices.zip[1.exe]
Virus:Trj/Mitglieder.FN Not disinfected Personal Folders\Deleted Items\sms_text.zip[1.exe]
Virus:Trj/Mitglieder.FL Not disinfected Personal Folders\Deleted Items\Business.zip[Text5546.exe]
Virus:W32/Sober.AH.worm!CME-681 Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm!CME-681 Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm!CME-681 Not disinfected Personal Folders\Deleted Items\Returned mail: see transcript for details\Registration Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:Trj/Mitglieder.GK Not disinfected Personal Folders\Deleted Items\Sybell\Bennett.zip[S3700020.exe]
Virus:W32/Bagle.DX.worm Not disinfected Personal Folders\Inbox\To_reduce_the_tax.rar[Taxes.exe]
Virus:W32/Sober.AH.worm!CME-681 Not disinfected Personal Folders\Inbox\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:Trj/Mitglieder.GB Not disinfected Personal Folders\Inbox\Isabel\Katherine.zip[12.exe]
Virus:W32/Mytob.LR.worm Not disinfected Personal Folders\Inbox\Your Account is Suspended For Security Reasons\account-info.zip[account-info.txt .exe]
Virus:W32/Mytob.LR.worm Not disinfected Personal Folders\Inbox\Email Account Suspension\document.zip[document.txt .exe]
Virus:W32/Mytob.LR.worm Not disinfected Personal Folders\Inbox\Your Account is Suspended For Security Reasons\account-report.zip[account-report.htm .exe]
Virus:W32/Bagle.DZ.worm Not disinfected Personal Folders\Deleted Items\Increase_in_the_tax.zip[Taxes.exe]
Virus:Trj/Mitglieder.FK Not disinfected Personal Folders\Deleted Items\sms_text.zip[t_535475.exe]
Virus:Trj/Mitglieder.FK Not disinfected Personal Folders&#

#11 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:54 AM

Posted 14 February 2006 - 01:53 PM

Hi Lorenzo

Well done on the Panda scan, lots of baddies have been unearthed. Many of the entries are harmles cookies we can delete in a sec. Firstly i want you to navigate to the email client you use. I'm pretty sure that it is Outlook. The files in the Panda log that i am concerned about all the infected emails. Is AVG set to scan incoming emails?
Please open your email client (i imagine Outlook) and delete the messages in your Inbox that are not from known soucres and your Deleted items folder. Have a read through that panda log and look at all the infected emails in the "Personal Folders". If i went you i would go into the email client and save the emails that you need, and then completely clear all others.
_____________________________

To use RootKit Revealer please make sure you are logged in as an Administrator to the computer.
  • Please download and unzip Rootkit Revealer to your desktop.
  • Please leave the defaults set as they are to:
    • Hide NTFS Metadata Files: this option is on by default
    • Scan Registry: this option is on by default.
  • Launch rootkit revealer on the system and press the Scan button.
    RootkitRevealer scans the system reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time please disconnect from the internet and leave the PC to be scanned until it is finished.
  • The log can be very large please edit out the items in the following folders in the log : C:\RECYCLER\NPROTECT and C:\System Volume Information, if in the log, before posting it.
  • Please post the balance of the log here in this thread using Add Reply (please double check that it has all been posted as it may be too long for one post)]
_____________________________

Then Download and Save blacklite to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
leave [X]scan through windows explorer checked,
click > scan then > next,
You'll see a list of all items found.
Don't choose for rename yet! I want to see the log first, because legit items can also be present there... like "wbemtest.exe"
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste this log along with the rootkit revealer log.
_____________________________

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.]
_____________________________

*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.
_____________________________

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\SYSTEM32\data.~ <--file
C:\WINDOWS\SYSTEM32\MYDLL.dll <--file
C:\WINDOWS\drsmartload.dat <--file
C:\WINDOWS\smdat32a.sys <--file
C:\PROGRAM FILES\Need2Find <--folder
C:\PROGRAM FILES\QL <--folder
_____________________________

Reboot back to normal mode and post a new Panda log and a new HijackThis log, along with the Blacklight and rookit revealer logs.
David




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users