Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Look2Me Found on my Laptop...

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Look2Me Found on my Laptop...

Unread postby starsky » April 8th, 2006, 6:35 pm

Hi,

Everytime I connect to the internet I get loads of IE window pop-ups. I have ran Pest Patrol 4.4 and it has found and removed Look2Me files and some other pests but this does not remove the problem as Look2Me is found everytime I run a scan. I have ran all the standard Spybot, PocketKillbox etc to no avail. Any info/advise you can give would be greatly appreciated. Attached now is my HijackThis log...thanking you in advance....


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\PROGRA~1\NavNT\DefWatch.exe
c:\winnt\system32\domtimec.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\PROGRA~1\NavNT\NavRoam.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\PROGRA~1\NavNT\Rtvscan.exe
C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://flagscape.bankofamerica.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://sydpcs1.asia.bankofamerica.com:8080/sydney
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SwdisUsrPCN.B001422B6D523] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\swdis\wdusrpcn.envB001422B6D523"
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [zzwu] C:\PROGRA~1\COMMON~1\zzwu\zzwum.exe
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Launch Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://insite.bankofamerica.com
O15 - Trusted Zone: *.bankofamerica.com
O15 - Trusted Zone: *.bigpond.com
O15 - Trusted Zone: *.knowledgenet.com
O15 - Trusted Zone: *.bankofamerica.com (HKLM)
O15 - Trusted Zone: *.knowledgenet.com (HKLM)
O16 - DPF: Ulster Bank AnyTime - https://www.anytime.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/module/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\Software\..\Telephony: DomainName = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O20 - Winlogon Notify: IntlRun - C:\WINNT\system32\en48l1hu1.dll
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: CyberGatekeeper Agent (CGAgent) - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - c:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Domain Time Client - Greyware Automation Products, Inc. - c:\winnt\system32\domtimec.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: NAVRoam - symantec - C:\PROGRA~1\NavNT\NavRoam.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - c:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
O23 - Service: Software Distribution Updater (SwdisRestart) - Unknown owner - C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\swdres.exe
starsky
Active Member
 
Posts: 7
Joined: April 8th, 2006, 6:19 pm
Advertisement
Register to Remove

Unread postby agrarianmonk » April 8th, 2006, 7:42 pm

Hi starsky

Welcome to the Malware Removal forums. I will be more than happy to help you work on your problems.
Please give me some time to review your log as this can be a lengthy process. As soon as a MR Staff Expert reviews my fix, I will post it for you.
In the mean time, if any problems occur. Please let me know.
Please only use this topic to reply to. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
If you’re unsure of anything at all please stop and ask!
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby agrarianmonk » April 8th, 2006, 8:49 pm

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

If you receive, while running option #1, an error similar to:
''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt
the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."
...then please use option 5 or the web page link in the l2mfix folder to solve this error condition.
Then rerun option 1 to be sure it will run without errors.

IMPORTANT: Do NOT run option #2 OR any other options in the l2mfix folder until you are asked to do so!

********************************

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

********************************

In your next post, please include:
  • l2mfix log
  • new HijackThis log
  • uninstall list


*please remember to include all parts (including the header with the your windows version) of your HijackThis log.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby starsky » April 11th, 2006, 4:05 am

Hi,

Here are the logs you requested...

L2M Scan...

L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\n4n60e5seh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D90016A0-EC6A-3E57-79A6-166F2BC405D1}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{68651C87-06E1-4A90-98C2-DB26025C2906}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{68651C87-06E1-4A90-98C2-DB26025C2906}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68651C87-06E1-4A90-98C2-DB26025C2906}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68651C87-06E1-4A90-98C2-DB26025C2906}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68651C87-06E1-4A90-98C2-DB26025C2906}\InprocServer32]
@="C:\\WINNT\\system32\\FD20.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
dklay.dll Fri 31 Mar 2006 10:30:40 ..S.R 235,226 229.71 K
dvime.dll Sat 8 Apr 2006 16:24:34 ..S.R 235,719 230.19 K
en88l1~1.dll Sun 9 Apr 2006 8:03:04 ..S.R 235,719 230.19 K
enrul1~1.dll Sat 1 Apr 2006 11:45:00 ..S.R 236,217 230.68 K
fd20.dll Tue 11 Apr 2006 17:33:40 ..S.R 235,719 230.19 K
gqiplus.dll Wed 29 Mar 2006 12:45:26 ..S.R 234,701 229.20 K
ijxpromn.dll Thu 30 Mar 2006 6:08:04 ..S.R 234,701 229.20 K
irmui.dll Wed 29 Mar 2006 7:43:02 ..S.R 235,617 230.09 K
jeproxy.dll Mon 3 Apr 2006 4:53:18 ..S.R 234,640 229.14 K
kqd106.dll Tue 28 Mar 2006 17:34:22 ..S.R 235,487 229.96 K
legitc~1.dll Tue 14 Feb 2006 8:20:14 A.... 550,120 537.23 K
lqk.dll Mon 3 Apr 2006 7:33:06 ..S.R 235,719 230.19 K
msrt.dll Thu 6 Apr 2006 7:21:54 ..S.R 235,719 230.19 K
mv28l9~1.dll Wed 5 Apr 2006 7:19:42 ..S.R 236,096 230.56 K
n4n60e~1.dll Sat 8 Apr 2006 21:40:12 ..S.R 235,719 230.19 K
nkapi16.dll Sat 8 Apr 2006 21:09:12 ..S.R 235,719 230.19 K
oaesvr32.dll Tue 4 Apr 2006 7:20:08 ..S.R 236,096 230.56 K
oee2nls.dll Wed 5 Apr 2006 7:17:42 ..S.R 236,096 230.56 K
s8pu0i~1.dll Wed 29 Mar 2006 11:26:34 ..S.R 235,617 230.09 K
syrrun.dll Thu 6 Apr 2006 8:43:48 ..S.R 235,719 230.19 K
wafeman.dll Fri 7 Apr 2006 8:30:04 ..S.R 235,719 230.19 K
wfn32spl.dll Fri 7 Apr 2006 7:22:46 ..S.R 235,719 230.19 K
whv8dmod.dll Wed 29 Mar 2006 8:19:32 ..S.R 235,617 230.09 K

23 items found: 23 files (22 H/S), 0 directories.
Total of file sizes: 5,733,421 bytes 5.46 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
atmtdd~1.tmp Wed 29 Mar 2006 8:19:06 A.... 0 0.00 K
guard.tmp Tue 11 Apr 2006 17:35:40 ..S.R 235,719 230.19 K

2 items found: 2 files (1 H/S), 0 directories.
Total of file sizes: 235,719 bytes 230.19 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Double Standards
Volume Serial Number is FCD2-BAD0

Directory of C:\WINNT\System32

11/04/2006 05:35 PM 235,719 guard.tmp
11/04/2006 05:33 PM 235,719 FD20.DLL
09/04/2006 08:03 AM 235,719 en88l1lu1.dll
08/04/2006 09:40 PM 235,719 n4n60e5seh.dll
08/04/2006 09:14 PM <DIR> dllcache
08/04/2006 09:09 PM 235,719 nkapi16.dll
08/04/2006 04:24 PM 235,719 dvime.dll
07/04/2006 08:30 AM 235,719 wafeman.dll
07/04/2006 07:22 AM 235,719 wfn32spl.dll
06/04/2006 08:43 AM 235,719 syrrun.dll
06/04/2006 07:21 AM 235,719 msrt.dll
05/04/2006 07:19 AM 236,096 mv28l9fu1.dll
05/04/2006 07:17 AM 236,096 oee2nls.dll
04/04/2006 07:20 AM 236,096 oaesvr32.dll
03/04/2006 07:33 AM 235,719 lqk.dll
03/04/2006 04:53 AM 234,640 jeproxy.dll
01/04/2006 11:44 AM 236,217 enrul1991.dll
31/03/2006 10:30 AM 235,226 dklay.dll
30/03/2006 06:08 AM 234,701 ijxpromn.dll
29/03/2006 12:45 PM 234,701 gqiplus.dll
29/03/2006 11:26 AM 235,617 s8pu0i79e8.dll
29/03/2006 08:19 AM 235,617 whv8dmod.dll
29/03/2006 07:43 AM 235,617 irmui.dll
28/03/2006 05:34 PM 235,487 kqd106.dll
17/03/2005 08:27 AM <DIR> Microsoft
23 File(s) 5,419,020 bytes
2 Dir(s) 26,134,331,392 bytes free

HijackThis Log...

Logfile of HijackThis v1.99.1
Scan saved at 6:01:05 PM, on 11/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\PROGRA~1\NavNT\DefWatch.exe
c:\winnt\system32\domtimec.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\PROGRA~1\NavNT\NavRoam.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\PROGRA~1\NavNT\Rtvscan.exe
C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\CYBERG~1\cgahelp.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://flagscape.bankofamerica.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://sydpcs1.asia.bankofamerica.com:8080/sydney
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SwdisUsrPCN.B001422B6D523] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\swdis\wdusrpcn.envB001422B6D523"
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [zzwu] C:\PROGRA~1\COMMON~1\zzwu\zzwum.exe
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Launch Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://insite.bankofamerica.com
O15 - Trusted Zone: *.bankofamerica.com
O15 - Trusted Zone: *.bigpond.com
O15 - Trusted Zone: *.knowledgenet.com
O15 - Trusted Zone: *.bankofamerica.com (HKLM)
O15 - Trusted Zone: *.knowledgenet.com (HKLM)
O16 - DPF: Ulster Bank AnyTime - https://www.anytime.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/module/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\Software\..\Telephony: DomainName = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\n4n60e5seh.dll
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: CyberGatekeeper Agent (CGAgent) - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - c:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Domain Time Client - Greyware Automation Products, Inc. - c:\winnt\system32\domtimec.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: NAVRoam - symantec - C:\PROGRA~1\NavNT\NavRoam.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - c:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
O23 - Service: Software Distribution Updater (SwdisRestart) - Unknown owner - C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\swdres.exe

Uninstall List...

Active Directory Tools
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.7
Adobe Reader Chinese Simplified Fonts
Adobe Reader Chinese Traditional Fonts
Adobe Reader Japanese Fonts
Adobe Reader Korean Fonts
ALPS Touch Pad Driver
Bank of America Global Routing Directory
Bulk Tools
Conexant D110 MDC V.9x Modem
CyberGatekeeper Agent
Domain Time Client
GetHelp Agent for Bank of America
HijackThis 1.99.1
Intel(R) Graphics Media Accelerator Driver for Mobile
Internal Network Card Power Management
Java 2 Runtime Environment Standard Edition v1.3.1_01
Java 2 Runtime Environment, SE v1.4.2_04
Lexmark Printer Software Uninstall
LiveUpdate 1.7 (Symantec Corporation)
Lotus Notes 5.06 for Bank of America
Macromedia Flash Player 8
MetaSound Audio Codec
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office Communicator 2005
Microsoft Office Professional Edition 2003
Microsoft Visio Viewer 2002
Microsoft Visio Viewer 2002 [Bank of America]
Mobile Access Services
MSXML 4.0 SP2 Parser and SDK
NETGEAR WG511 54 Mbps Wireless PC Card
NetManage
Network Monitor
OutsideView32 7.0
PestPatrol4.4
PowerDVD 5.1
QuickSet
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB902400)
Shockwave Player
Symantec AntiVirus Client
Tivoli Disconnected Endpoint
Tivoli EndPoint
VPN Client
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player 9 Series
Windows Media Player Hotfix [See KB832353 for more information]
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB810217
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824151
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826942
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q330227
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811114
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
Winzip 9.0

Thanks,

Eddie
starsky
Active Member
 
Posts: 7
Joined: April 8th, 2006, 6:19 pm

Unread postby agrarianmonk » April 11th, 2006, 11:14 am

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note : Once the pc has restarted if a log does not appear or the icons didn't dissappear, run the "second.bat" located inside the L2mfix folder.

********************************

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Java 2 Runtime Environment Standard Edition v1.3.1_01

If you or someone else did not intentionally install Windows Network Monitor, also remove:

Network Monitor

Finally, I did not recognize the following program. If you or someone did not intentionally install this, also remove this:

Bulk Tools


********************************

In your next post, please include:
  • l2mfix log
  • new HijackThis log
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby starsky » April 11th, 2006, 6:21 pm

Hi,

I have removed the Java 2 program but Network Monitor will not remove as I get the following error message:

"Can not find the script file “C:\WINNT\uninstall_nmon.vbs".

I have not removed Bulk Tools as this is fine.

I ran the L2MFIX.bat option 2 and the machine rebooted as expected, however, the desktop icons did not disappear. I then ran the second.bat but I got the following message:

"Second.bat is Not intended to be run on its own"

I ran a another L2M scan and the log is:

L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\lv4209hoe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D90016A0-EC6A-3E57-79A6-166F2BC405D1}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{68651C87-06E1-4A90-98C2-DB26025C2906}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{68651C87-06E1-4A90-98C2-DB26025C2906}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68651C87-06E1-4A90-98C2-DB26025C2906}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68651C87-06E1-4A90-98C2-DB26025C2906}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68651C87-06E1-4A90-98C2-DB26025C2906}\InprocServer32]
@="C:\\WINNT\\system32\\MGC71CHS.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
dklay.dll Fri 31 Mar 2006 10:30:40 ..S.R 235,226 229.71 K
dvime.dll Sat 8 Apr 2006 16:24:34 ..S.R 235,719 230.19 K
enrul1~1.dll Sat 1 Apr 2006 11:45:00 ..S.R 236,217 230.68 K
gqiplus.dll Wed 29 Mar 2006 12:45:26 ..S.R 234,701 229.20 K
ijxpromn.dll Thu 30 Mar 2006 6:08:04 ..S.R 234,701 229.20 K
irmui.dll Wed 29 Mar 2006 7:43:02 ..S.R 235,617 230.09 K
jeproxy.dll Mon 3 Apr 2006 4:53:18 ..S.R 234,640 229.14 K
kqd106.dll Tue 28 Mar 2006 17:34:22 ..S.R 235,487 229.96 K
legitc~1.dll Tue 14 Feb 2006 8:20:14 A.... 550,120 537.23 K
lqk.dll Mon 3 Apr 2006 7:33:06 ..S.R 235,719 230.19 K
lv4209~1.dll Tue 11 Apr 2006 17:35:40 ..S.R 235,719 230.19 K
m628lg~1.dll Wed 12 Apr 2006 8:11:50 ..S.R 234,161 228.67 K
mgc71chs.dll Wed 12 Apr 2006 8:11:50 ..S.R 235,719 230.19 K
msrt.dll Thu 6 Apr 2006 7:21:54 ..S.R 235,719 230.19 K
mv28l9~1.dll Wed 5 Apr 2006 7:19:42 ..S.R 236,096 230.56 K
nkapi16.dll Sat 8 Apr 2006 21:09:12 ..S.R 235,719 230.19 K
oaesvr32.dll Tue 4 Apr 2006 7:20:08 ..S.R 236,096 230.56 K
oee2nls.dll Wed 5 Apr 2006 7:17:42 ..S.R 236,096 230.56 K
r4r60e~1.dll Tue 11 Apr 2006 22:31:56 ..S.R 235,719 230.19 K
s8pu0i~1.dll Wed 29 Mar 2006 11:26:34 ..S.R 235,617 230.09 K
syrrun.dll Thu 6 Apr 2006 8:43:48 ..S.R 235,719 230.19 K
wafeman.dll Fri 7 Apr 2006 8:30:04 ..S.R 235,719 230.19 K
wfn32spl.dll Fri 7 Apr 2006 7:22:46 ..S.R 235,719 230.19 K
whv8dmod.dll Wed 29 Mar 2006 8:19:32 ..S.R 235,617 230.09 K

24 items found: 24 files (23 H/S), 0 directories.
Total of file sizes: 5,967,582 bytes 5.69 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
atmtdd~1.tmp Wed 29 Mar 2006 8:19:06 A.... 0 0.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 0 bytes 0.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Double Standards
Volume Serial Number is FCD2-BAD0

Directory of C:\WINNT\System32

12/04/2006 08:11 AM 235,719 MGC71CHS.DLL
12/04/2006 08:11 AM 234,161 m628lgfu1628.dll
11/04/2006 10:31 PM 235,719 r4r60e9seh.dll
11/04/2006 05:35 PM 235,719 lv4209hoe.dll
08/04/2006 09:14 PM <DIR> dllcache
08/04/2006 09:09 PM 235,719 nkapi16.dll
08/04/2006 04:24 PM 235,719 dvime.dll
07/04/2006 08:30 AM 235,719 wafeman.dll
07/04/2006 07:22 AM 235,719 wfn32spl.dll
06/04/2006 08:43 AM 235,719 syrrun.dll
06/04/2006 07:21 AM 235,719 msrt.dll
05/04/2006 07:19 AM 236,096 mv28l9fu1.dll
05/04/2006 07:17 AM 236,096 oee2nls.dll
04/04/2006 07:20 AM 236,096 oaesvr32.dll
03/04/2006 07:33 AM 235,719 lqk.dll
03/04/2006 04:53 AM 234,640 jeproxy.dll
01/04/2006 11:44 AM 236,217 enrul1991.dll
31/03/2006 10:30 AM 235,226 dklay.dll
30/03/2006 06:08 AM 234,701 ijxpromn.dll
29/03/2006 12:45 PM 234,701 gqiplus.dll
29/03/2006 11:26 AM 235,617 s8pu0i79e8.dll
29/03/2006 08:19 AM 235,617 whv8dmod.dll
29/03/2006 07:43 AM 235,617 irmui.dll
28/03/2006 05:34 PM 235,487 kqd106.dll
17/03/2005 08:27 AM <DIR> Microsoft
23 File(s) 5,417,462 bytes
2 Dir(s) 26,440,282,112 bytes free

The HJT log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 8:21:23 AM, on 12/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\PROGRA~1\NavNT\DefWatch.exe
c:\winnt\system32\domtimec.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\PROGRA~1\NavNT\NavRoam.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\PROGRA~1\NavNT\Rtvscan.exe
C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Ultra Edit\UEDIT32.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://flagscape.bankofamerica.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://sydpcs1.asia.bankofamerica.com:8080/sydney
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SwdisUsrPCN.B001422B6D523] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\swdis\wdusrpcn.envB001422B6D523"
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [zzwu] C:\PROGRA~1\COMMON~1\zzwu\zzwum.exe
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Launch Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://insite.bankofamerica.com
O15 - Trusted Zone: *.bankofamerica.com
O15 - Trusted Zone: *.bigpond.com
O15 - Trusted Zone: *.knowledgenet.com
O15 - Trusted Zone: *.bankofamerica.com (HKLM)
O15 - Trusted Zone: *.knowledgenet.com (HKLM)
O16 - DPF: Ulster Bank AnyTime - https://www.anytime.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/module/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\Software\..\Telephony: DomainName = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O20 - Winlogon Notify: Telephony - C:\WINNT\system32\lv4209hoe.dll
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: CyberGatekeeper Agent (CGAgent) - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - c:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Domain Time Client - Greyware Automation Products, Inc. - c:\winnt\system32\domtimec.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: NAVRoam - symantec - C:\PROGRA~1\NavNT\NavRoam.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - c:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
O23 - Service: Software Distribution Updater (SwdisRestart) - Unknown owner - C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\swdres.exe
starsky
Active Member
 
Posts: 7
Joined: April 8th, 2006, 6:19 pm

Unread postby agrarianmonk » April 11th, 2006, 7:52 pm

I need you to run the l2mfix part 2 again b/c it looks like it didn't clean it entirely the first time:

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note : Once the pc has restarted if a log does not appear or the icons didn't dissappear, run the "second.bat" located inside the L2mfix folder.

********************************

In your next post, please include:
  • l2mfix log
  • new HijackThis log
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby starsky » April 12th, 2006, 6:22 am

Hi,

It seemed to work this time....

L2M logfile....

L2mfix 032106
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINNT\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 804 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 932 'winlogon.exe'
Killing PID 932 'winlogon.exe'
Killing PID 932 'winlogon.exe'
Killing PID 932 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2464 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2184 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINNT\system32\dklay.dll
Successfully Deleted: C:\WINNT\system32\dklay.dll
Deleting: C:\WINNT\system32\dvime.dll
Successfully Deleted: C:\WINNT\system32\dvime.dll
Deleting: C:\WINNT\system32\enrul1991.dll
Successfully Deleted: C:\WINNT\system32\enrul1991.dll
Deleting: C:\WINNT\system32\gqiplus.dll
Successfully Deleted: C:\WINNT\system32\gqiplus.dll
Deleting: C:\WINNT\system32\hrru0599e.dll
Successfully Deleted: C:\WINNT\system32\hrru0599e.dll
Deleting: C:\WINNT\system32\ijxpromn.dll
Successfully Deleted: C:\WINNT\system32\ijxpromn.dll
Deleting: C:\WINNT\system32\irmui.dll
Successfully Deleted: C:\WINNT\system32\irmui.dll
Deleting: C:\WINNT\system32\jeproxy.dll
Successfully Deleted: C:\WINNT\system32\jeproxy.dll
Deleting: C:\WINNT\system32\kqd106.dll
Successfully Deleted: C:\WINNT\system32\kqd106.dll
Deleting: C:\WINNT\system32\lqk.dll
Successfully Deleted: C:\WINNT\system32\lqk.dll
Deleting: C:\WINNT\system32\mrvcr71d.dll
Successfully Deleted: C:\WINNT\system32\mrvcr71d.dll
Deleting: C:\WINNT\system32\msrt.dll
Successfully Deleted: C:\WINNT\system32\msrt.dll
Deleting: C:\WINNT\system32\mv28l9fu1.dll
Successfully Deleted: C:\WINNT\system32\mv28l9fu1.dll
Deleting: C:\WINNT\system32\nkapi16.dll
Successfully Deleted: C:\WINNT\system32\nkapi16.dll
Deleting: C:\WINNT\system32\o684lglq16qe.dll
Successfully Deleted: C:\WINNT\system32\o684lglq16qe.dll
Deleting: C:\WINNT\system32\oaesvr32.dll
Successfully Deleted: C:\WINNT\system32\oaesvr32.dll
Deleting: C:\WINNT\system32\oee2nls.dll
Successfully Deleted: C:\WINNT\system32\oee2nls.dll
Deleting: C:\WINNT\system32\r4r60e9seh.dll
Successfully Deleted: C:\WINNT\system32\r4r60e9seh.dll
Deleting: C:\WINNT\system32\s8pu0i79e8.dll
Successfully Deleted: C:\WINNT\system32\s8pu0i79e8.dll
Deleting: C:\WINNT\system32\syrrun.dll
Successfully Deleted: C:\WINNT\system32\syrrun.dll
Deleting: C:\WINNT\system32\TfvoliAP.dll
Successfully Deleted: C:\WINNT\system32\TfvoliAP.dll
Deleting: C:\WINNT\system32\wafeman.dll
Successfully Deleted: C:\WINNT\system32\wafeman.dll
Deleting: C:\WINNT\system32\wfn32spl.dll
Successfully Deleted: C:\WINNT\system32\wfn32spl.dll
Deleting: C:\WINNT\system32\whv8dmod.dll
Successfully Deleted: C:\WINNT\system32\whv8dmod.dll

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\hrru0599e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINNT\system32\dklay.dll
C:\WINNT\system32\dvime.dll
C:\WINNT\system32\enrul1991.dll
C:\WINNT\system32\gqiplus.dll
C:\WINNT\system32\hrru0599e.dll
C:\WINNT\system32\ijxpromn.dll
C:\WINNT\system32\irmui.dll
C:\WINNT\system32\jeproxy.dll
C:\WINNT\system32\kqd106.dll
C:\WINNT\system32\lqk.dll
C:\WINNT\system32\mrvcr71d.dll
C:\WINNT\system32\msrt.dll
C:\WINNT\system32\mv28l9fu1.dll
C:\WINNT\system32\nkapi16.dll
C:\WINNT\system32\o684lglq16qe.dll
C:\WINNT\system32\oaesvr32.dll
C:\WINNT\system32\oee2nls.dll
C:\WINNT\system32\r4r60e9seh.dll
C:\WINNT\system32\s8pu0i79e8.dll
C:\WINNT\system32\syrrun.dll
C:\WINNT\system32\TfvoliAP.dll
C:\WINNT\system32\wafeman.dll
C:\WINNT\system32\wfn32spl.dll
C:\WINNT\system32\whv8dmod.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{68651C87-06E1-4A90-98C2-DB26025C2906}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68651C87-06E1-4A90-98C2-DB26025C2906}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68651C87-06E1-4A90-98C2-DB26025C2906}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{68651C87-06E1-4A90-98C2-DB26025C2906}\InprocServer32]
@="C:\\WINNT\\system32\\TfvoliAP.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{68651C87-06E1-4A90-98C2-DB26025C2906}"=-
[-HKEY_CLASSES_ROOT\CLSID\{68651C87-06E1-4A90-98C2-DB26025C2906}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/dklay.dll (152 bytes security) (deflated 5%)
adding: dlls/dvime.dll (152 bytes security) (deflated 5%)
adding: dlls/enrul1991.dll (152 bytes security) (deflated 5%)
adding: dlls/gqiplus.dll (152 bytes security) (deflated 4%)
adding: dlls/hrru0599e.dll (152 bytes security) (deflated 4%)
adding: dlls/ijxpromn.dll (152 bytes security) (deflated 4%)
adding: dlls/irmui.dll (152 bytes security) (deflated 5%)
adding: dlls/jeproxy.dll (152 bytes security) (deflated 4%)
adding: dlls/kqd106.dll (152 bytes security) (deflated 5%)
adding: dlls/lqk.dll (152 bytes security) (deflated 5%)
adding: dlls/mrvcr71d.dll (152 bytes security) (deflated 4%)
adding: dlls/msrt.dll (152 bytes security) (deflated 5%)
adding: dlls/mv28l9fu1.dll (152 bytes security) (deflated 5%)
adding: dlls/nkapi16.dll (152 bytes security) (deflated 5%)
adding: dlls/o684lglq16qe.dll (152 bytes security) (deflated 5%)
adding: dlls/oaesvr32.dll (152 bytes security) (deflated 5%)
adding: dlls/oee2nls.dll (152 bytes security) (deflated 5%)
adding: dlls/r4r60e9seh.dll (152 bytes security) (deflated 5%)
adding: dlls/s8pu0i79e8.dll (152 bytes security) (deflated 5%)
adding: dlls/syrrun.dll (152 bytes security) (deflated 5%)
adding: dlls/TfvoliAP.dll (152 bytes security) (deflated 4%)
adding: dlls/wafeman.dll (152 bytes security) (deflated 5%)
adding: dlls/wfn32spl.dll (152 bytes security) (deflated 5%)
adding: dlls/whv8dmod.dll (152 bytes security) (deflated 5%)
adding: backregs/68651C87-06E1-4A90-98C2-DB26025C2906.reg (200 bytes security) (deflated 70%)
adding: backregs/notibac.reg (152 bytes security) (deflated 87%)
adding: backregs/shell.reg (152 bytes security) (deflated 74%)

New HJT log file...

Logfile of HijackThis v1.99.1
Scan saved at 8:20:40 PM, on 12/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\PROGRA~1\NavNT\DefWatch.exe
c:\winnt\system32\domtimec.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\PROGRA~1\NavNT\NavRoam.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\PROGRA~1\NavNT\Rtvscan.exe
C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\userinit.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://flagscape.bankofamerica.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://sydpcs1.asia.bankofamerica.com:8080/sydney
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SwdisUsrPCN.B001422B6D523] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\swdis\wdusrpcn.envB001422B6D523"
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [zzwu] C:\PROGRA~1\COMMON~1\zzwu\zzwum.exe
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Launch Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://insite.bankofamerica.com
O15 - Trusted Zone: *.bankofamerica.com
O15 - Trusted Zone: *.bigpond.com
O15 - Trusted Zone: *.knowledgenet.com
O15 - Trusted Zone: *.bankofamerica.com (HKLM)
O15 - Trusted Zone: *.knowledgenet.com (HKLM)
O16 - DPF: Ulster Bank AnyTime - https://www.anytime.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/module/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\Software\..\Telephony: DomainName = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINNT\system32\hrru0599e.dll (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: CyberGatekeeper Agent (CGAgent) - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - c:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Domain Time Client - Greyware Automation Products, Inc. - c:\winnt\system32\domtimec.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: NAVRoam - symantec - C:\PROGRA~1\NavNT\NavRoam.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - c:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
O23 - Service: Software Distribution Updater (SwdisRestart) - Unknown owner - C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\swdres.exe

Thanks,

Eddie....
starsky
Active Member
 
Posts: 7
Joined: April 8th, 2006, 6:19 pm

Unread postby agrarianmonk » April 12th, 2006, 11:19 pm

1. Please download Ewido Anti-Malware
  • Install ewido anti-malware
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
  • Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.


5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • In the scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
  • Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

Reboot into normal mode

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

In your next post, please include
  • ewido log
  • panda log
  • new hijackthis log
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby starsky » April 13th, 2006, 1:56 am

ewido log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:47:15 PM, 13/04/2006
+ Report-Checksum: B5BCBB26

+ Scan result:

C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@bigpond.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@e-2dj6wfliaoajohq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@e-2dj6wjl4wncpwco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@e-2dj6wjlokkazsgq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@virginmoneyaustralia.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/dklay.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/dvime.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/enrul1991.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/gqiplus.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/hrru0599e.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/ijxpromn.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/irmui.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/jeproxy.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/kqd106.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/lqk.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/mrvcr71d.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/msrt.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/mv28l9fu1.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/nkapi16.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/o684lglq16qe.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/oaesvr32.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/oee2nls.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/r4r60e9seh.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/s8pu0i79e8.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/syrrun.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/TfvoliAP.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/wafeman.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/wfn32spl.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\backup.zip/dlls/whv8dmod.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\dklay.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\dvime.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\enrul1991.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\gqiplus.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\hrru0599e.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\ijxpromn.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\irmui.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\jeproxy.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\kqd106.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\lqk.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\mrvcr71d.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\msrt.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\mv28l9fu1.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\nkapi16.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\o684lglq16qe.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\oaesvr32.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\oee2nls.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\r4r60e9seh.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\s8pu0i79e8.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\syrrun.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\TfvoliAP.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\wafeman.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\wfn32spl.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\dlls\whv8dmod.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Local Settings\Temporary Internet Files\Content.IE5\2RMJUP23\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Local Settings\Temporary Internet Files\Content.IE5\8HEJ4HI3\AppWrap[1].exe -> Adware.Zestyfind : Cleaned with backup
C:\Documents and Settings\nbkt5tb\Local Settings\Temporary Internet Files\Content.IE5\ZUOVFL0P\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup
C:\Program Files\Common Files\VCClient\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
C:\WINNT\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup
C:\WINNT\icont.exe -> Adware.AdURL : Cleaned with backup
C:\WINNT\iconu.exe -> Adware.Zestyfind : Cleaned with backup
C:\WINNT\QmFuayBvZiBBbWVyaWNh\asappsrv.to_be_deleted -> Adware.CommAd : Cleaned with backup
C:\WINNT\system32\20060403075903.zip/WINNT/system32/lpcmgr10.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\20060403075903.zip/WINNT/system32/mvcsubs.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\20060403075903.zip/WINNT/system32/njmsevt.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\Temp\bw2.com -> Adware.Zestyfind : Cleaned with backup


::Report End

panda log


Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\nbkt5tb\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/vaultsearch Not disinfected C:\PROGRAM FILES\COMMON FILES\VCClient
Adware:adware/commad Not disinfected C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\NetMon
Adware:adware/look2me Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_CLASSES_ROOT\CLSID\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Adware:adware/sqwire Not disinfected Windows Registry
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@ad.sensismediasmart.com[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@apmebf[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@doubleclick[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@rn11[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@ad.sensismediasmart.com[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@apmebf[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@doubleclick[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\nbkt5tb\Cookies\nbkt5tb@rn11[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\nbkt5tb\Desktop\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\nbkt5tb\Desktop\l2mfix.exe[Process.exe]
Spyware:Spyware/SurfSideKick Not disinfected C:\Program Files\Common Files\VCClient\vcmain.to_be_deleted
Adware:Adware/CommAd Not disinfected C:\WINNT\QmFuayBvZiBBbWVyaWNh\kAIRuV1St211vqpVuqh1.vbs

new hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 3:55:37 PM, on 13/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\PROGRA~1\NavNT\DefWatch.exe
c:\winnt\system32\domtimec.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\PROGRA~1\NavNT\NavRoam.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\PROGRA~1\NavNT\Rtvscan.exe
C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://flagscape.bankofamerica.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://sydpcs1.asia.bankofamerica.com:8080/sydney
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SwdisUsrPCN.B001422B6D523] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\swdis\wdusrpcn.envB001422B6D523"
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [zzwu] C:\PROGRA~1\COMMON~1\zzwu\zzwum.exe
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Launch Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://insite.bankofamerica.com
O15 - Trusted Zone: *.bankofamerica.com
O15 - Trusted Zone: *.bigpond.com
O15 - Trusted Zone: *.knowledgenet.com
O15 - Trusted Zone: *.bankofamerica.com (HKLM)
O15 - Trusted Zone: *.knowledgenet.com (HKLM)
O16 - DPF: Ulster Bank AnyTime - https://www.anytime.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/module/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\Software\..\Telephony: DomainName = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINNT\system32\hrru0599e.dll (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: CyberGatekeeper Agent (CGAgent) - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - c:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Domain Time Client - Greyware Automation Products, Inc. - c:\winnt\system32\domtimec.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: NAVRoam - symantec - C:\PROGRA~1\NavNT\NavRoam.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - c:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
O23 - Service: Software Distribution Updater (SwdisRestart) - Unknown owner - C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\swdres.exe
starsky
Active Member
 
Posts: 7
Joined: April 8th, 2006, 6:19 pm

Unread postby agrarianmonk » April 13th, 2006, 11:08 am

**********************
  • Copy the contents of the Quote Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

*********************

Go to Start > Run and type Services.msc then hit Ok
Scroll down and find the below service:

Network Monitor

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [zzwu] C:\PROGRA~1\COMMON~1\zzwu\zzwum.exe
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINNT\system32\hrru0599e.dll (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)


If you or an administrator did not set these restrictions in Internet Explorer or Spybot Search and destroy, check the following:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


If you don't recognize bigpond.com as your start page, also check the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/
O15 - Trusted Zone: *.bigpond.com

Now close all windows other than HiJackThis, then click Fix Checked.

Still in hijackthis, click on the Config button (bottom right), click on Misc Tools, then click on Delete an NT Service. A window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

Network Monitor

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click NO.

*let me know if you received any error messages.


Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

Reboot

Next, we need to Reveal Hidden Files

1. Click Start.
2. Open My Computer.
3. Select Tools menu
4. Click Folder Options.
5. Select the View Tab.
6. Select Show hidden files and folders in the Hidden files and folders section.
7. Uncheck Hide protected operating system files (recommended) option.
8. Uncheck the Hide file extensions for known file types option.
9. Click Yes.
10. Click OK.

Please delete these folders using Windows Explorer(if present):

C:\PROGRAM FILES\COMMON FILES\VCClient
C:\PROGRAM FILES\COMMON FILES\zzwu\
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\NetMon
C:\WINNT\QmFuayBvZiBBbWVyaWNh\
C:\Program Files\Network Monitor\

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot

Then, post a fresh HijackThis log.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby starsky » April 13th, 2006, 9:14 pm

Logfile of HijackThis v1.99.1
Scan saved at 11:12:16 AM, on 14/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\PROGRA~1\NavNT\DefWatch.exe
c:\winnt\system32\domtimec.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\PROGRA~1\NavNT\NavRoam.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\PROGRA~1\NavNT\Rtvscan.exe
C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\userinit.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://flagscape.bankofamerica.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://flagscape.bankofamerica.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://sydpcs1.asia.bankofamerica.com:8080/sydney
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SwdisUsrPCN.B001422B6D523] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\swdis\wdusrpcn.envB001422B6D523"
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Launch Microsoft Office Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://insite.bankofamerica.com
O15 - Trusted Zone: *.bankofamerica.com
O15 - Trusted Zone: *.bigpond.com
O15 - Trusted Zone: *.knowledgenet.com
O15 - Trusted Zone: *.bankofamerica.com (HKLM)
O15 - Trusted Zone: *.knowledgenet.com (HKLM)
O16 - DPF: Ulster Bank AnyTime - https://www.anytime.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/module/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\Software\..\Telephony: DomainName = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ASIA.BANKOFAMERICA.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = asia.bankofamerica.com,emea.bankofamerica.com,bankofamerica.com
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: CyberGatekeeper Agent (CGAgent) - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - c:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Domain Time Client - Greyware Automation Products, Inc. - c:\winnt\system32\domtimec.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: NAVRoam - symantec - C:\PROGRA~1\NavNT\NavRoam.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - c:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
O23 - Service: Software Distribution Updater (SwdisRestart) - Unknown owner - C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\swdres.exe
starsky
Active Member
 
Posts: 7
Joined: April 8th, 2006, 6:19 pm

Unread postby agrarianmonk » April 13th, 2006, 10:19 pm

Congratulations, your log looks clean!

First, Lets reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis

Let's also rehide hidden files:

To hide Hidden Files

1. Click Start.
2. Open My Computer.
3. SelectTools menu
4. Click Folder Options.
5. Select the View Tab.
6. Select Do not show hidden files and folders in the Hidden files and folders section.
7. Check Hide protected operating system files (recommended) option.
8. Check the Hide file extensions for known file types option.
9. Click Yes.
10. Click OK.

You are running an out-of-date Java. An out-of-date Java is extremely prone to exploitation by malware and viruses. Therefore, for security purposes, please update to the latest version here

*be sure to remove all older versions of Java via Add/remove programs.

There are a few other very important things you should follow to avoid getting reinfected:

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  1. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  2. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  3. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  4. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  5. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  6. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  7. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

-Agrarianmonk
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby starsky » April 13th, 2006, 11:04 pm

Thank you so much! My machine is now back to perfect working order...you are a true professional!
starsky
Active Member
 
Posts: 7
Joined: April 8th, 2006, 6:19 pm

Unread postby NonSuch » April 14th, 2006, 3:00 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 296 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware