Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

smells like look2me

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

smells like look2me

Unread postby bobl » April 15th, 2006, 10:29 pm

My wife's computer has been hijacked. Appears to be look2me. Ran S&D and AAW, as well as Ewido and NAV. Several .dll's and a suspect file called "group.tmp" that won't go away. Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:07:47 PM, on 4/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bjeiixw.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [w291a03b.dll] RUNDLL32.EXE w291a03b.dll,I2 00064ff20291a03b
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [vsrsy] C:\WINDOWS\system32\aegaxr.exe reg_run
O4 - HKCU\..\Run: [Tncu] "C:\PROGRA~1\COMMON~1\DOBE~1\taskmgr.exe" -vt yazr
O4 - HKCU\..\Run: [zmfw] C:\PROGRA~1\COMMON~1\zmfw\zmfwm.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0844264190
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\l4r00e9meh.dll (file missing)
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\guard.tmp
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Please help if you can

Thanks in advance
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm
Advertisement
Register to Remove

Unread postby askey127 » April 16th, 2006, 6:19 am

Bobl,
As you suspected, this looks like the Look2Me infection.

Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.
Copy the contents of that log and paste it here as a reply.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to:
"C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt
The system file is not suitable for running ms-dos and microsoft windows applications. Choose close to terminate the application.."

...then please Use option 5 or the web page link in the l2mfix folder to solve this error condition.

Please Do NOT run the fix portion (option 2) until we review the Notepad log.
As soon as I see the notepad file contents, we can probably run the Fix portion, but we need to check the file list first.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby bobl » April 16th, 2006, 9:38 am

here you go:

L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l4r00e9meh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{56BC062C-F493-6E9D-8E1E-278225759BE0}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{218C2E08-89C4-47E5-8E6F-42B0FD0E028C}"=""
"{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}"=""
"{E89F0035-F7F5-4801-A104-0B7C334EB781}"=""
"{39F9A38F-24C3-4EE1-80B8-53F7035229C0}"=""
"{1AB41F03-492C-42C4-872A-947B340B7FEB}"=""
"{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}"=""
"{69ACD0D5-1E66-4A21-8108-A4648D508820}"=""
"{74EF24C5-88A8-4A12-B5CD-0C003912A860}"=""
"{C316D543-2930-4EDF-9ACB-11F189BFE73B}"=""
"{094B9130-7B63-44A9-ABE7-39854B14AA19}"=""
"{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}"=""
"{264E4598-8084-471E-96D4-7B702071A3CF}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}\InprocServer32]
@="C:\\WINDOWS\\system32\\ctnsole.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}\InprocServer32]
@="C:\\WINDOWS\\system32\\sQfrdm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}\InprocServer32]
@="C:\\WINDOWS\\system32\\sjorage.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}\InprocServer32]
@="C:\\WINDOWS\\system32\\pLpgraph.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}\InprocServer32]
@="C:\\WINDOWS\\system32\\svorder.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}\InprocServer32]
@="C:\\WINDOWS\\system32\\nblanman.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}\InprocServer32]
@="C:\\WINDOWS\\system32\\wbnntbbu.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
j04o0a~1.dll Sat Apr 15 2006 6:47:30p ..S.R 237,054 231.50 K
k0no0a~1.dll Sat Apr 15 2006 6:51:30p ..S.R 236,714 231.16 K
pdf995~1.dll Sun Jan 22 2006 10:19:54p A.... 51,716 50.50 K
pdfmona.dll Sun Jan 22 2006 10:19:54p A.... 118,784 116.00 K
__dele~1.dll Sat Apr 15 2006 8:43:54p A.... 236,714 231.16 K
__dele~2.dll Sat Apr 15 2006 8:45:34p A.... 236,714 231.16 K
__dele~3.dll Sat Apr 15 2006 8:54:10p A.... 236,714 231.16 K

7 items found: 7 files (2 H/S), 0 directories.
Total of file sizes: 1,354,410 bytes 1.29 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is CC54-F0AD

Directory of C:\WINDOWS\System32

04/15/2006 08:32 PM <DIR> dllcache
04/15/2006 06:51 PM 236,714 k0no0a53ed.dll
04/15/2006 06:47 PM 237,054 j04o0ah3ed4.dll
04/30/2005 10:11 PM 32 {0AB5150F-5923-4C2D-B515-0C68148A3F7A}.dat
04/30/2005 09:10 PM <DIR> Microsoft
3 File(s) 473,800 bytes
2 Dir(s) 55,016,120,320 bytes free


Thanks
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby askey127 » April 16th, 2006, 10:09 am

Bobl,
-----------------------------------------------------------
Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the desktop icons don't disappear or the log does not pop up, then double click the second.bat file in the l2mfix folder to continue with the fix.
-----------------------------------------------------------
File Deletion.
In Windows Explorer (My Computer) , select View, Details. Then navigate to these files and Delete, if present:
C:\Windows\System32\k0no0a53ed.dll
C:\Windows\System32\j04o0ah3ed4.dll
If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
Note the name and location of any file you cannot delete.
-----------------------------------------------------------
Post a New HJT Log
Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the HijackThis log contents in a reply, along with the log from L2MFix.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby bobl » April 16th, 2006, 11:10 am

OK, here goes:

Logfile of HijackThis v1.99.1
Scan saved at 10:07:07 AM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bjeiixw.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [w291a03b.dll] RUNDLL32.EXE w291a03b.dll,I2 00064ff20291a03b
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [vsrsy] C:\WINDOWS\system32\aegaxr.exe reg_run
O4 - HKCU\..\Run: [Tncu] "C:\PROGRA~1\COMMON~1\DOBE~1\taskmgr.exe" -vt yazr
O4 - HKCU\..\Run: [zmfw] C:\PROGRA~1\COMMON~1\zmfw\zmfwm.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0844264190
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\l4r00e9meh.dll (file missing)
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



L2mfix 032106
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 432 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 524 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1280 'explorer.exe'
Killing PID 1280 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\__delete_on_reboot__aipmgmts.dll
Successfully Deleted: C:\WINDOWS\system32\__delete_on_reboot__aipmgmts.dll
Deleting: C:\WINDOWS\system32\__delete_on_reboot__kydcz2.dll
Successfully Deleted: C:\WINDOWS\system32\__delete_on_reboot__kydcz2.dll
Deleting: C:\WINDOWS\system32\__delete_on_reboot__nvlanui.dll
Successfully Deleted: C:\WINDOWS\system32\__delete_on_reboot__nvlanui.dll
Deleting: C:\WINDOWS\system32\j04o0ah3ed4.dll
Successfully Deleted: C:\WINDOWS\system32\j04o0ah3ed4.dll
Deleting: C:\WINDOWS\system32\k0no0a53ed.dll
Successfully Deleted: C:\WINDOWS\system32\k0no0a53ed.dll

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l4r00e9meh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\__delete_on_reboot__aipmgmts.dll
C:\WINDOWS\system32\__delete_on_reboot__kydcz2.dll
C:\WINDOWS\system32\__delete_on_reboot__nvlanui.dll
C:\WINDOWS\system32\j04o0ah3ed4.dll
C:\WINDOWS\system32\k0no0a53ed.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}\InprocServer32]
@="C:\\WINDOWS\\system32\\ctnsole.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}\InprocServer32]
@="C:\\WINDOWS\\system32\\sQfrdm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}\InprocServer32]
@="C:\\WINDOWS\\system32\\sjorage.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}\InprocServer32]
@="C:\\WINDOWS\\system32\\pLpgraph.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}\InprocServer32]
@="C:\\WINDOWS\\system32\\svorder.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}\InprocServer32]
@="C:\\WINDOWS\\system32\\nblanman.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}\InprocServer32]
@="C:\\WINDOWS\\system32\\wbnntbbu.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{218C2E08-89C4-47E5-8E6F-42B0FD0E028C}"=-
"{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}"=-
"{E89F0035-F7F5-4801-A104-0B7C334EB781}"=-
"{39F9A38F-24C3-4EE1-80B8-53F7035229C0}"=-
"{1AB41F03-492C-42C4-872A-947B340B7FEB}"=-
"{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}"=-
"{69ACD0D5-1E66-4A21-8108-A4648D508820}"=-
"{74EF24C5-88A8-4A12-B5CD-0C003912A860}"=-
"{C316D543-2930-4EDF-9ACB-11F189BFE73B}"=-
"{094B9130-7B63-44A9-ABE7-39854B14AA19}"=-
"{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}"=-
"{264E4598-8084-471E-96D4-7B702071A3CF}"=-
[-HKEY_CLASSES_ROOT\CLSID\{218C2E08-89C4-47E5-8E6F-42B0FD0E028C}]
[-HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}]
[-HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}]
[-HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}]
[-HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}]
[-HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}]
[-HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}]
[-HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}]
[-HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}]
[-HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}]
[-HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}]
[-HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/j04o0ah3ed4.dll (164 bytes security) (deflated 6%)
adding: dlls/k0no0a53ed.dll (164 bytes security) (deflated 5%)
adding: dlls/__delete_on_reboot__aipmgmts.dll (164 bytes security) (deflated 5%)
adding: dlls/__delete_on_reboot__kydcz2.dll (164 bytes security) (deflated 5%)
adding: dlls/__delete_on_reboot__nvlanui.dll (164 bytes security) (deflated 5%)
adding: backregs/0917EFCC-884B-4B1E-8B9B-FBA18A31C11E.reg (212 bytes security) (deflated 70%)
adding: backregs/094B9130-7B63-44A9-ABE7-39854B14AA19.reg (212 bytes security) (deflated 70%)
adding: backregs/1AB41F03-492C-42C4-872A-947B340B7FEB.reg (212 bytes security) (deflated 70%)
adding: backregs/264E4598-8084-471E-96D4-7B702071A3CF.reg (212 bytes security) (deflated 70%)
adding: backregs/39F9A38F-24C3-4EE1-80B8-53F7035229C0.reg (212 bytes security) (deflated 70%)
adding: backregs/3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0.reg (212 bytes security) (deflated 70%)
adding: backregs/69ACD0D5-1E66-4A21-8108-A4648D508820.reg (212 bytes security) (deflated 70%)
adding: backregs/74EF24C5-88A8-4A12-B5CD-0C003912A860.reg (212 bytes security) (deflated 70%)
adding: backregs/A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8.reg (212 bytes security) (deflated 70%)
adding: backregs/C316D543-2930-4EDF-9ACB-11F189BFE73B.reg (212 bytes security) (deflated 70%)
adding: backregs/E89F0035-F7F5-4801-A104-0B7C334EB781.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)


Thanks again.
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby askey127 » April 16th, 2006, 1:10 pm

Bobl,
You may want to print this out, or save it as a Notepad document on your Desktop, since you won't have Internet access in Safe Mode.
This is kind of long, but you can handle it. Please be patient. We are making progress.
------------------------------------------------------------
Please download LSPFix from here and save it to a location you can find later if necessary

-----------------------------------------------------------
Download ATF Cleaner by Atribune © from here : http://www.atribune.org/ccount/click.php?id=1
It is a stand-alone program that does not need to be "installed". Save it to a convenient location and make a shortcut on your desktop.
-----------------------------------------------------------
Use Add/Remove Programs In Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :
WebHancer
Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Scan. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bjeiixw.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [w291a03b.dll] RUNDLL32.EXE w291a03b.dll,I2 00064ff20291a03b
O4 - HKCU\..\Run: [vsrsy] C:\WINDOWS\system32\aegaxr.exe reg_run
O4 - HKCU\..\Run: [Tncu] "C:\PROGRA~1\COMMON~1\DOBE~1\taskmgr.exe" -vt yazr
O4 - HKCU\..\Run: [zmfw] C:\PROGRA~1\COMMON~1\zmfw\zmfwm.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\l4r00e9meh.dll (file missing)
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\guard.tmp (file missing)

If you aren't tied into a network that needs administrator messages, check these two also:

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list. In some systems, this may be the F5 key, so try that if F8 doesn't work. Additional Info is here: http://www.computerhope.com/issues/chsafe.htm
-----------------------------------------------------------
File Deletion.
In Windows Explorer (My Computer) , select View, Details. Then navigate to these files. Use Find (F3) or Start, Search if the folder is not shown; then Delete these files, if present:
w291a03b.dll
C:\Windows\System32\aegaxr.exe
C:\Windows\System32\bjeiixw.exe
C:\Program Files\WebHancer\ <== this entire folder
C:\Program Files\Common Files\zmfw\ <== this entire folder
C:\Windows\Program Files\DOBExxxx\taskmgr.exe <== Look for folder starting with DOBE... (NOT the legit taskmgr.exe in \System32\)
C:\Windows\System32\dmonwv.dll
C:\Windows\System32\guard.tmp

If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the filename is in there, highlight it and click End Process, then retry Delete. Note the name and location of any file you cannot delete.
-----------------------------------------------------------
If you cannot connect to the Internet after removing Webhancer, please run the LSP-Fix program we downloaded earlier, and click on the finish button.
Reboot and you should be able to get back on.
-----------------------------------------------------------
Double-click ATF-Cleaner.exe to run the program.
Under Main, choose Select All
Click Empty Selected

If you use Firefox browser,
Click Firefox at the top and choose Select All
Click on Empty Selected
NOTE: If you would like to keep any saved passwords, please click No at the prompt.
Click Exit to close.
-----------------------------------------------------------
Post a New HJT Log
Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby bobl » April 16th, 2006, 2:16 pm

Here goes:

L2mfix 032106
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 432 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 524 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1280 'explorer.exe'
Killing PID 1280 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\__delete_on_reboot__aipmgmts.dll
Successfully Deleted: C:\WINDOWS\system32\__delete_on_reboot__aipmgmts.dll
Deleting: C:\WINDOWS\system32\__delete_on_reboot__kydcz2.dll
Successfully Deleted: C:\WINDOWS\system32\__delete_on_reboot__kydcz2.dll
Deleting: C:\WINDOWS\system32\__delete_on_reboot__nvlanui.dll
Successfully Deleted: C:\WINDOWS\system32\__delete_on_reboot__nvlanui.dll
Deleting: C:\WINDOWS\system32\j04o0ah3ed4.dll
Successfully Deleted: C:\WINDOWS\system32\j04o0ah3ed4.dll
Deleting: C:\WINDOWS\system32\k0no0a53ed.dll
Successfully Deleted: C:\WINDOWS\system32\k0no0a53ed.dll

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l4r00e9meh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\__delete_on_reboot__aipmgmts.dll
C:\WINDOWS\system32\__delete_on_reboot__kydcz2.dll
C:\WINDOWS\system32\__delete_on_reboot__nvlanui.dll
C:\WINDOWS\system32\j04o0ah3ed4.dll
C:\WINDOWS\system32\k0no0a53ed.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}\InprocServer32]
@="C:\\WINDOWS\\system32\\ctnsole.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}\InprocServer32]
@="C:\\WINDOWS\\system32\\sQfrdm.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}\InprocServer32]
@="C:\\WINDOWS\\system32\\sjorage.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}\InprocServer32]
@="C:\\WINDOWS\\system32\\pLpgraph.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}\InprocServer32]
@="C:\\WINDOWS\\system32\\svorder.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}\InprocServer32]
@="C:\\WINDOWS\\system32\\nblanman.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}\InprocServer32]
@="C:\\WINDOWS\\system32\\wbnntbbu.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{218C2E08-89C4-47E5-8E6F-42B0FD0E028C}"=-
"{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}"=-
"{E89F0035-F7F5-4801-A104-0B7C334EB781}"=-
"{39F9A38F-24C3-4EE1-80B8-53F7035229C0}"=-
"{1AB41F03-492C-42C4-872A-947B340B7FEB}"=-
"{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}"=-
"{69ACD0D5-1E66-4A21-8108-A4648D508820}"=-
"{74EF24C5-88A8-4A12-B5CD-0C003912A860}"=-
"{C316D543-2930-4EDF-9ACB-11F189BFE73B}"=-
"{094B9130-7B63-44A9-ABE7-39854B14AA19}"=-
"{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}"=-
"{264E4598-8084-471E-96D4-7B702071A3CF}"=-
[-HKEY_CLASSES_ROOT\CLSID\{218C2E08-89C4-47E5-8E6F-42B0FD0E028C}]
[-HKEY_CLASSES_ROOT\CLSID\{A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8}]
[-HKEY_CLASSES_ROOT\CLSID\{E89F0035-F7F5-4801-A104-0B7C334EB781}]
[-HKEY_CLASSES_ROOT\CLSID\{39F9A38F-24C3-4EE1-80B8-53F7035229C0}]
[-HKEY_CLASSES_ROOT\CLSID\{1AB41F03-492C-42C4-872A-947B340B7FEB}]
[-HKEY_CLASSES_ROOT\CLSID\{3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0}]
[-HKEY_CLASSES_ROOT\CLSID\{69ACD0D5-1E66-4A21-8108-A4648D508820}]
[-HKEY_CLASSES_ROOT\CLSID\{74EF24C5-88A8-4A12-B5CD-0C003912A860}]
[-HKEY_CLASSES_ROOT\CLSID\{C316D543-2930-4EDF-9ACB-11F189BFE73B}]
[-HKEY_CLASSES_ROOT\CLSID\{094B9130-7B63-44A9-ABE7-39854B14AA19}]
[-HKEY_CLASSES_ROOT\CLSID\{0917EFCC-884B-4B1E-8B9B-FBA18A31C11E}]
[-HKEY_CLASSES_ROOT\CLSID\{264E4598-8084-471E-96D4-7B702071A3CF}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/j04o0ah3ed4.dll (164 bytes security) (deflated 6%)
adding: dlls/k0no0a53ed.dll (164 bytes security) (deflated 5%)
adding: dlls/__delete_on_reboot__aipmgmts.dll (164 bytes security) (deflated 5%)
adding: dlls/__delete_on_reboot__kydcz2.dll (164 bytes security) (deflated 5%)
adding: dlls/__delete_on_reboot__nvlanui.dll (164 bytes security) (deflated 5%)
adding: backregs/0917EFCC-884B-4B1E-8B9B-FBA18A31C11E.reg (212 bytes security) (deflated 70%)
adding: backregs/094B9130-7B63-44A9-ABE7-39854B14AA19.reg (212 bytes security) (deflated 70%)
adding: backregs/1AB41F03-492C-42C4-872A-947B340B7FEB.reg (212 bytes security) (deflated 70%)
adding: backregs/264E4598-8084-471E-96D4-7B702071A3CF.reg (212 bytes security) (deflated 70%)
adding: backregs/39F9A38F-24C3-4EE1-80B8-53F7035229C0.reg (212 bytes security) (deflated 70%)
adding: backregs/3DCEC74B-8B7E-4D5B-9AE0-249BC0014CA0.reg (212 bytes security) (deflated 70%)
adding: backregs/69ACD0D5-1E66-4A21-8108-A4648D508820.reg (212 bytes security) (deflated 70%)
adding: backregs/74EF24C5-88A8-4A12-B5CD-0C003912A860.reg (212 bytes security) (deflated 70%)
adding: backregs/A1F26CE4-68AC-4F45-BC06-C68F76A1D9C8.reg (212 bytes security) (deflated 70%)
adding: backregs/C316D543-2930-4EDF-9ACB-11F189BFE73B.reg (212 bytes security) (deflated 70%)
adding: backregs/E89F0035-F7F5-4801-A104-0B7C334EB781.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)


One other thing: I can't access the control panel applet to reactivate my firewall. Is this a byproduct of the infection?
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby bobl » April 16th, 2006, 2:18 pm

Oops sorry, I think I posted the wrong log. Here's the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 1:05:05 PM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0844264190
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

As I mentioned, I can't get into control panel to reactivate the firewall.
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby askey127 » April 16th, 2006, 11:17 pm

bobl,
-----------------------------------------------------------
Download WinPFind from here: http://www.bleepingcomputer.com/files/winpfind.php and extract it to your C:\ folder.
This will create a folder called WinPFind on the C:\ drive.
Inside c:\WinPFind\ is a file called WinPFind.exe.
Double-click on this file to launch the program.
Once it is launched, click on the Start Scan button and wait for it to finish.
This program will scan large amounts of files on your computer for known patterns,
so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan.
Click on the Copy to Clipboard button and then paste the contents of the log in your next reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby bobl » April 17th, 2006, 9:28 pm

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 4/17/2006 8:21:52 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 9/16/2005 9:14:10 PM 197120 C:\WINDOWS\SYSTEM32\biogems2005.scr
PEC2 3/31/2003 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2 4/6/2006 2:48:38 PM 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 4/6/2006 2:48:38 PM 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 3/31/2003 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 http://www.qoologic.com
127.0.0.1 http://www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
4/4/2006 11:15:24 PM H 4 C:\WINDOWS\a3kebook.ini
4/4/2006 11:15:24 PM H 20 C:\WINDOWS\akebook.ini
4/17/2006 8:19:30 PM S 2048 C:\WINDOWS\bootstat.dat
4/17/2006 8:19:36 PM H 54156 C:\WINDOWS\QTFont.qfn
3/22/2006 6:17:30 PM S 14054 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB908531.cat
3/23/2006 1:15:38 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911562.cat
3/17/2006 4:24:26 AM S 12455 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911567.cat
3/30/2006 5:03:56 AM S 22339 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912812.cat
4/17/2006 8:20:40 PM H 1024 C:\WINDOWS\system32\config\default.LOG
4/17/2006 8:19:32 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
4/17/2006 8:20:06 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
4/17/2006 8:24:44 PM H 1024 C:\WINDOWS\system32\config\software.LOG
4/17/2006 8:20:54 PM H 1024 C:\WINDOWS\system32\config\system.LOG
4/17/2006 1:42:40 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
3/26/2006 1:47:14 PM S 7652 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E891C648621A40AC7F773694A17FE76C
3/26/2006 1:47:14 PM S 134 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E891C648621A40AC7F773694A17FE76C
4/17/2006 8:19:32 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 10/3/2003 3:14:30 PM 314880 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/1/2005 7:18:54 PM 890 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
5/10/2005 11:05:22 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
4/30/2005 8:38:04 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/30/2005 3:21:18 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
4/30/2005 8:38:04 PM HS 84 C:\Documents and Settings\Sharon\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
5/10/2005 11:02:38 AM 877 C:\Documents and Settings\Sharon\Application Data\AdobeDLM.log
4/30/2005 3:21:18 PM HS 62 C:\Documents and Settings\Sharon\Application Data\desktop.ini
5/10/2005 11:02:38 AM 0 C:\Documents and Settings\Sharon\Application Data\dm.ini
4/14/2006 11:26:24 PM 103 C:\Documents and Settings\Sharon\Application Data\Sskdmns.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
= C:\WINDOWS\system32\dmonwv.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
UpdReg C:\WINDOWS\UpdReg.EXE
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 4/17/2006 8:26:39 PM
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby askey127 » April 18th, 2006, 7:12 am

Bobl,

I want to see if you have a viable Control Panel applet.

Go to Start, Run and type control, click OK.
Does the control panel come up?

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby bobl » April 18th, 2006, 12:37 pm

The control panel did come up, but will not let me click the applet to enable the firewall. The message comes up " an unexplained system problem prevents this action", or words to that effect.

Bob
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby askey127 » April 18th, 2006, 5:12 pm

Bobl,

From Start, Run type in firewall.cpl then click OK.
Do you get the same message?

If that gives you an error, type in desk.cpl and see if you get the desktop settings dialog.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby bobl » April 18th, 2006, 6:28 pm

desk ok, firewall gives me ths same message.

On the bright side, we appear to have killed look2me...

Bob
bobl
Regular Member
 
Posts: 22
Joined: June 13th, 2005, 12:07 pm

Unread postby askey127 » April 18th, 2006, 10:11 pm

Bobl
You will need to be in an account with Admin privilege for this:
Go to Start, Run and type in services.msc

When the services list comes up, scroll down to this service :
Windows Firewall/Internet Connection

See whether the service says Started and Automatic
You can click Start if it is not started, and chenge the pull-down arrow next to Startup Type to Automatic.

Let me know what happens.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 45 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware