infected - project1.exe, MTE3NDI6ODoxNg and others

Post by seney » July 13th, 2006, 2:35 am

Hello
My name is Seney and I use Windows XP. Recently, I realised my computer has been slowing down. When I clicked on Windows Task Manager, I saw "project1.exe" running in the applications tab. Sometimes, there would be 5 or 6 of them as well. When I clicked on the processes tab, I'd see "dr.exe", "drsmartload1", "MTE3NDI6ODoxNg" and "dfndre_5".
There are a lot of infections located in C:\. Every time I delete them, they come back. I used Ad-Aware, Spybot and ewido as instructed and deleted all infections. Now they're back again. It's gotten to a point where I have to refresh webpages 10 times before they display anything. Also, Windows Firewall keeps turning off by itself. Please help, I'd really appreciate it.

I have print screened the infections located in C:\ that keep coming back.
Mendoza1 was identified as a virus/trojan I think.

<Image removed because of the recent issues with ImageShack and the WinAntiVirus infection - 'KG>

Also, here's my HijackThis log. (Yes, I've installed it in Program Files in a folder of its own).

Logfile of HijackThis v1.99.1
Scan saved at 4:31:39 PM, on 13/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\smsc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
c:\dr.exe
C:\Program Files\HijackThis\HijackThis.exe
c:\windows\drsl.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.5\THGuard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41F76C69-A270-442C-BC66-1495B805F235}: NameServer = 203.8.183.1 192.189.54.33
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\lhcalsec.dll (file missing)
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\macat32.dll (file missing)
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\clrsrv.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Microsoft DLL System - Unknown owner - C:\WINDOWS\system32\smsc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Thanks again.
seney

Post by whisperer » July 13th, 2006, 10:18 am

Hi seney and welcome to the Malware Removal University. My name is Whisperer and I will be helping you with your problem. Although I am experienced with computers, I am currently a Trainee in Malware removal and, as such, ALL of my replies will be vetted by malware experts.

It will take a little while before I can get back to you so bear with me. There are a couple of things you can do to assist me.

  1. First, because of the recent issues with ImageShack and the WinAntiVirus infection, the image that you included has had to be removed so would you please be so good as to summarise the content and post the summary in your reply.
  2. Next I would like you to produce a list of installed programs to assist me in any cleanup.
    1. To do this open your HijackThis
      • Click on Open the Misc Tools section or Config… button, depending on how you are set up.
      • If you used the Config... option then click the Misc Tools tab
      • Select Open Uninstall Manager , a list of your installed programs will be displayed.
      • Select the Save List… button and save the file to your desktop.
    2. Please post a copy of this list in your reply

GT ;)

Post by seney » July 13th, 2006, 12:45 pm

Hello Whisperer,

I've got more symptoms now. Some RUNDLL error pops up saying "error loading <some weird symbols here> The specified module could not be found". I can provide some images on a different host - photobucket. Before I do so, I'd like to know whether it's okay.

Also, my virus scanner has some files in quarantine. "Mendoza1.exe" has been classified as a Trojan.Dropper and eraseme_02767.exe located in C:/windows/system32 is a W32.Spybot.Worm.

Here's a summary of the picture (I've added more content due to more files appearing).
I took a screenshot of C:/ where I found these strange files.

type of file below: _E_X_E_File
__delete_on_reboot__M_T_E_3_N_D_I_6_O_D_o_x_N_g_._e_x_e_
__delete_on_reboot__M_T_E_3_N_D_I_6_O_D_o_x_N_g_n_e_w_._e_x_e_

type of files below: application
dfndrad_5.exe
dr.exe
drsmartload1.exe
drsmartload849a.exe
Installer.exe
kybrdad_5.exe
Mendoza1.exe
MTE3NDI6ODoxNg.exe
MTE3NDI6ODoxNgnew.exe
nwnmad_5.exe
SS1001new.exe
stub_113_4_0_4_0new.exe
toislf.exe
warebundle2.exe
warebundlenew.exe
windowl.exe


Here's my list of installed programs:

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0.5
BitComet 0.60
Counter-strike
eMule
ewido anti-spyware 4.0
FlashGet(JetCar)
FLV Player 1.3.2
Google Toolbar for Internet Explorer
Hamachi 1.0.0.56
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 3
K-Lite Codec Pack 2.54 Full
LimeWire PRO 4.10.0
LiveUpdate 1.80 (Symantec Corporation)
Messenger Plus! 3
Microsoft DirectX 9.0b - KB830363
Microsoft Office XP Professional with FrontPage
Microsoft Windows Journal Viewer
Motorola SM56 Modem uninstall
Mozilla Firefox (1.0.7)
MSN Messenger 7.5
Nero 6 Ultra Edition
RealPlayer
SiS Audio Driver
Sound Blaster Live!
Spybot - Search & Destroy 1.3
Symantec AntiVirus Client
Total Video Converter 2.52
TrojanHunter 4.5
TSA
Video Stream Driver for Panasonic DVC
VideoLAN VLC media player 0.8.2
Win AVI HelixSDK
WinAVIVideoConverter
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB842787
Windows XP Hotfix - KB916281
WinRAR archiver
WinZip

lol I really hope I can fix this problem soon, because I need the internet to do homework as school holidays are ending soon. I also don't want to format, because I've already formatted earlier this month. Now I've got myself into this mess, oh dear. lol.

Thanks for the help and guidance Whisperer. :)

Post by seney » July 13th, 2006, 1:01 pm

oh sorry, I forgot to add that I have extra weird processes running in the task manager.
I noticed:
cidaemon.exe
cisvc.exe
toislf.exe

They keep coming back after I end them.

Post by whisperer » July 13th, 2006, 2:29 pm

Thanks for the additional information. Do not worry about extra symptoms at the moment. I will get back to you soon with a starter fix for you that will probably solve your extra processes problem.

Sleep well

GT ;)

Post by whisperer » July 13th, 2006, 3:19 pm

Hi seney,
  1. You do not appear to have a Firewall installed. If you are relying on the Microsoft Firewall then be advised that this is a one-way firewall: it does not prevent anything already on your computer from dialling out. I would suggest that you install the following free program:
    • Zone Labs ZoneAlarm. Go straight to the download
    • Once downloaded, disconnect from the internet, remove the Microsoft firewall then install ZoneAlarm. It is not a good idea to have 2 Firewalls (or AntiVirus) solutions running at the same time.
  2. You have the latest version of VX2.
    1. Download L2mfix from here or here
      • Save the file to your desktop and then double click l2mfix.exe.
      • Click the Install button to extract the files and follow the prompts
    2. Open the newly added l2mfix folder on your desktop.
      • Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter.
      • This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.
      • Copy the contents of that log and paste it into this thread.
      IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  3. I note that you use the Flashget downloader, if this is the paid version then no problem, if however it is the free one then it can come bundled with malware, please advise me when you post your L2M log.

GT ;)
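The O20 Winlogon Notify lines in the HijackThis log and the Winlogon/notify section of an L2MFix find log both come down to the same registry branch, and a helper's first job is to separate the notification packages Windows ships with from the rest. As an added example (not code from the thread, from HijackThis or from L2MFix), the Python below parses that section in the standard .reg export format, decodes the hex(2) DllName values that are split across continuation lines, and lists every Notify subkey outside an assumed Windows XP default set. The registry excerpt is constructed for the example and the XP baseline set is an assumption.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt (not the log from the thread) in the .reg export format that the
# L2MFix find log uses for its Winlogon/notify section: plain strings, dwords, and a
# hex(2) value continued onto a second line with a trailing backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntlRun]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\macat32.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrpnlj]
"Asynchronous"=dword:00000001
"DllName"="rqrpnlj.dll"
"Logon"="Logon"
'''

KEY_LINE = re.compile(r'^\[(?P<path>.+)\]$')
STR_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
DWORD_VALUE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9a-fA-F]{8})$')
HEX_VALUE = re.compile(r'^"(?P<name>[^"]+)"=hex\((?P<type>[0-9a-fA-F]+)\):(?P<data>.*)$')
NOTIFY_MARKER = '\\winlogon\\notify\\'

# Assumption: the Notify subkeys a clean Windows XP install carries. Everything else is
# either a third-party product (NavLogon from Symantec AntiVirus, for instance) or
# unwanted, and is listed for the helper to review.
XP_DEFAULT_SUBKEYS: Set[str] = {'crypt32chain', 'cryptnet', 'cscdll', 'sccertprop',
                                'schedule', 'sclgntfy', 'senslogn', 'termsrv', 'wlballoon'}


def _join_continuations(text: str) -> List[str]:
    """Merge lines ending in a backslash (the .reg continuation marker) with the next line."""
    merged: List[str] = []
    pending = ''
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        if line.endswith('\\'):
            pending = line[:-1]
            continue
        merged.append(line)
        pending = ''
    return merged


def _decode_hex_string(data: str) -> str:
    """hex(2) is REG_EXPAND_SZ: comma-separated UTF-16LE bytes with a NUL terminator."""
    raw = bytes(int(b, 16) for b in data.split(',') if b.strip())
    return raw.decode('utf-16-le').rstrip('\x00')


def parse_notify_keys(text: str) -> Dict[str, Dict[str, str]]:
    """Return {subkey: {value_name: value}} for every Winlogon\\Notify\\<subkey> key."""
    notify: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in _join_continuations(text):
        key = KEY_LINE.match(line)
        if key:
            path = key.group('path')
            idx = path.lower().find(NOTIFY_MARKER)
            current = path[idx + len(NOTIFY_MARKER):] if idx >= 0 else None
            if current:
                notify.setdefault(current, {})
            continue
        if current is None:
            continue
        if (m := HEX_VALUE.match(line)):
            data = m.group('data')
            notify[current][m.group('name')] = _decode_hex_string(data) if m.group('type') == '2' else data
        elif (m := DWORD_VALUE.match(line)):
            notify[current][m.group('name')] = str(int(m.group('data'), 16))
        elif (m := STR_VALUE.match(line)):
            # .reg exports escape backslashes and double quotes inside string values
            notify[current][m.group('name')] = m.group('data').replace('\\\\', '\\').replace('\\"', '"')
    return notify


def dll_name(values: Dict[str, str]) -> str:
    """Real exports spell the value 'DllName' or 'DLLName'; match case-insensitively."""
    return next((v for k, v in values.items() if k.lower() == 'dllname'), '')


def triage(notify: Dict[str, Dict[str, str]],
           present_dlls: Optional[Set[str]] = None) -> List[Tuple[str, str, str]]:
    """List (subkey, dll, reason) for each Notify subkey outside the XP baseline.

    present_dlls, if given, is the lower-cased set of DLL file names actually on disk;
    entries whose DLL is absent get '(file missing)' appended, as HijackThis reports it.
    """
    findings: List[Tuple[str, str, str]] = []
    for subkey, values in sorted(notify.items(), key=lambda kv: kv[0].lower()):
        if subkey.lower() in XP_DEFAULT_SUBKEYS:
            continue
        dll = dll_name(values)
        if not dll:
            reason = 'no DllName value'
        elif '\\' not in dll:
            reason = 'bare DLL name, resolved through the loader search path'
        else:
            reason = 'non-default notification package with a full path'
        if present_dlls is not None and dll and dll.rsplit('\\', 1)[-1].lower() not in present_dlls:
            reason += ' (file missing)'
        findings.append((subkey, dll, reason))
    return findings


if __name__ == '__main__':
    for subkey, dll, reason in triage(parse_notify_keys(SAMPLE_REG)):
        print(f'{subkey:<16} {dll:<40} {reason}')
```

Run against the full Winlogon/notify section of a real L2MFix log, the script reproduces the helper's reading of it: the default XP entries drop out and the third-party and unknown packages remain for review.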

Post by seney » July 14th, 2006, 4:12 am

whisperer wrote: You have the latest version of VX2.

Hi whisperer, what's VX2??

As for my FlashGet, I downloaded a cracked version because in the "about" section, it's licensed.

Here's my l2mfix log

L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebcb]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\System32\\gebcb.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lhcalsec.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntlRun]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\macat32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\clrsrv.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrpnlj]
"Asynchronous"=dword:00000001
"DllName"="rqrpnlj.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{A1237535-F0EF-4A7A-9E95-AAD3D24BDF36}"=""
"{5109E445-35E1-481D-B7E5-DAF571440E70}"=""
"{80780345-0955-4611-A9F3-C299591397B0}"=""
"{91F1C174-AB6F-45F9-8D97-8A4A36A9E25B}"=""
"{8476435E-1BDD-4611-8A68-B6CBF6CA57BD}"=""
"{90AF5286-E7A1-4098-9B15-52DCE85CE6AF}"=""
"{CD95AD46-82B2-455B-AA1A-23BFA06EE97C}"=""
"{DBEB5CB4-05DA-45AF-A530-1C9CE47DD2FA}"=""
"{FA1CB8DB-6D39-4401-B936-67044A3C5D78}"=""
"{FFAD10D7-7B38-42A7-BCA6-C927C3B536D3}"=""
"{E855CAED-F6A1-44D2-B499-FF531B6BEC87}"=""
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A1237535-F0EF-4A7A-9E95-AAD3D24BDF36}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{A1237535-F0EF-4A7A-9E95-AAD3D24BDF36}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1237535-F0EF-4A7A-9E95-AAD3D24BDF36}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1237535-F0EF-4A7A-9E95-AAD3D24BDF36}\InprocServer32]
@="C:\\WINDOWS\\system32\\lhcalsec.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5109E445-35E1-481D-B7E5-DAF571440E70}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{5109E445-35E1-481D-B7E5-DAF571440E70}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5109E445-35E1-481D-B7E5-DAF571440E70}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5109E445-35E1-481D-B7E5-DAF571440E70}\InprocServer32]
@="C:\\WINDOWS\\system32\\macat32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{80780345-0955-4611-A9F3-C299591397B0}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{80780345-0955-4611-A9F3-C299591397B0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{80780345-0955-4611-A9F3-C299591397B0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{80780345-0955-4611-A9F3-C299591397B0}\InprocServer32]
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{91F1C174-AB6F-45F9-8D97-8A4A36A9E25B}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{91F1C174-AB6F-45F9-8D97-8A4A36A9E25B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{91F1C174-AB6F-45F9-8D97-8A4A36A9E25B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{91F1C174-AB6F-45F9-8D97-8A4A36A9E25B}\InprocServer32]
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
awturpq.dll Fri 14 Jul 2006 4:36:32 ..SH. 38,925 38.01 K
bassmod.dll Thu 13 Jul 2006 13:25:52 A.... 34,308 33.50 K
byxwuvt.dll Thu 13 Jul 2006 23:49:36 ..SH. 38,925 38.01 K
byxyxxw.dll Fri 14 Jul 2006 2:26:22 ..SH. 38,925 38.01 K
downen~1.dll Thu 4 May 2006 1:02:20 A...R 131,072 128.00 K
dxtmsft.dll Fri 28 Apr 2006 10:57:16 A.... 351,744 343.50 K
gebcb.dll Fri 14 Jul 2006 16:20:28 ..SH. 573,492 560.05 K
gebxuur.dll Thu 13 Jul 2006 23:32:54 ..SH. 38,925 38.01 K
iifccaw.dll Thu 13 Jul 2006 23:36:14 ..SH. 38,925 38.01 K
imocra.dll Tue 4 Jul 2006 3:23:30 A.... 23 0.02 K
jsproxy.dll Fri 28 Apr 2006 10:58:48 A.... 12,288 12.00 K
mljhfcc.dll Fri 14 Jul 2006 1:56:08 ..SH. 38,925 38.01 K
mshtml.dll Fri 19 May 2006 15:52:28 A.... 2,702,848 2.57 M
pncrt.dll Wed 5 Jul 2006 14:42:58 A.... 278,528 272.00 K
pndx5016.dll Wed 5 Jul 2006 14:42:58 A.... 6,656 6.50 K
pndx5032.dll Wed 5 Jul 2006 14:42:58 A.... 5,632 5.50 K
rmoc3260.dll Wed 5 Jul 2006 14:43:08 A.... 176,167 172.04 K
s32evnt1.dll Sun 2 Jul 2006 16:24:32 A.... 83,208 81.26 K
shdocvw.dll Fri 26 May 2006 15:40:58 A.... 1,339,904 1.28 M
ssqppml.dll Thu 13 Jul 2006 23:46:38 ..SH. 38,925 38.01 K
stream~1.dll Thu 13 Jul 2006 14:57:52 ....R 59,392 58.00 K
urlmon.dll Mon 8 May 2006 10:50:58 A.... 461,824 451.00 K
urqqoon.dll Fri 14 Jul 2006 4:19:48 ..SH. 38,925 38.01 K
vtuvvus.dll Fri 14 Jul 2006 5:36:32 ..SH. 38,925 38.01 K
wininet.dll Fri 28 Apr 2006 10:58:58 A.... 575,488 562.00 K
yabab.dll Thu 13 Jul 2006 23:39:54 A.... 10,583 10.33 K

26 items found: 26 files (10 H/S), 0 directories.
Total of file sizes: 7,153,482 bytes 6.82 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
fscage~1.tmp Wed 12 Jul 2006 0:50:00 A.... 78 0.07 K
fscfli~1.tmp Wed 12 Jul 2006 1:25:54 A.... 265 0.26 K

2 items found: 2 files, 0 directories.
Total of file sizes: 343 bytes 0.33 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 0085-7DF8

Directory of C:\WINDOWS\System32

14/07/2006 05:22 PM 716,948 bcbeg.ini
14/07/2006 04:23 PM 714,572 bcbeg.bak1
14/07/2006 04:20 PM 573,492 gebcb.dll
14/07/2006 05:36 AM 38,925 vtuvvus.dll
14/07/2006 04:36 AM 38,925 awturpq.dll
14/07/2006 04:19 AM 38,925 urqqoon.dll
14/07/2006 02:26 AM 38,925 byxyxxw.dll
14/07/2006 01:56 AM 38,925 mljhfcc.dll
13/07/2006 11:49 PM 38,925 byxwuvt.dll
13/07/2006 11:46 PM 38,925 ssqppml.dll
13/07/2006 11:36 PM 38,925 iifccaw.dll
13/07/2006 11:32 PM 38,925 gebxuur.dll
13/07/2006 09:27 PM 38,912 smsc.exe
12/07/2006 02:31 PM <DIR> dllcache
03/07/2006 04:06 AM <DIR> Microsoft
13 File(s) 2,394,249 bytes
2 Dir(s) 42,326,753,280 bytes free
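An added example, written for this page and not part of seney's post or of the L2MFix tool: the System32 listing in the find log above is the part a responder reads first, because nine of the hidden+system (..SH.) DLLs are exactly 38,925 bytes, carry seven-letter random names and were all written within about six hours of each other, which is the fingerprint of a Look2Me-family dropper regenerating its payload under fresh names each time a copy is deleted. The Python script below parses the listing as posted (the sample lines are copied from it), groups hidden+system DLLs by exact size and modification-time window, and separately lists hidden+system files that sit outside any cluster (here gebcb.dll, the Winlogon notify DLL). The three-member minimum and the 48-hour window are arbitrary thresholds chosen for this example, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# The System32 listing from the find log above, copied verbatim:
# name, modification time, attribute flags, size in bytes, size in K.
LISTING = """\
awturpq.dll Fri 14 Jul 2006 4:36:32 ..SH. 38,925 38.01 K
bassmod.dll Thu 13 Jul 2006 13:25:52 A.... 34,308 33.50 K
byxwuvt.dll Thu 13 Jul 2006 23:49:36 ..SH. 38,925 38.01 K
byxyxxw.dll Fri 14 Jul 2006 2:26:22 ..SH. 38,925 38.01 K
downen~1.dll Thu 4 May 2006 1:02:20 A...R 131,072 128.00 K
dxtmsft.dll Fri 28 Apr 2006 10:57:16 A.... 351,744 343.50 K
gebcb.dll Fri 14 Jul 2006 16:20:28 ..SH. 573,492 560.05 K
gebxuur.dll Thu 13 Jul 2006 23:32:54 ..SH. 38,925 38.01 K
iifccaw.dll Thu 13 Jul 2006 23:36:14 ..SH. 38,925 38.01 K
imocra.dll Tue 4 Jul 2006 3:23:30 A.... 23 0.02 K
jsproxy.dll Fri 28 Apr 2006 10:58:48 A.... 12,288 12.00 K
mljhfcc.dll Fri 14 Jul 2006 1:56:08 ..SH. 38,925 38.01 K
mshtml.dll Fri 19 May 2006 15:52:28 A.... 2,702,848 2.57 M
pncrt.dll Wed 5 Jul 2006 14:42:58 A.... 278,528 272.00 K
pndx5016.dll Wed 5 Jul 2006 14:42:58 A.... 6,656 6.50 K
pndx5032.dll Wed 5 Jul 2006 14:42:58 A.... 5,632 5.50 K
rmoc3260.dll Wed 5 Jul 2006 14:43:08 A.... 176,167 172.04 K
s32evnt1.dll Sun 2 Jul 2006 16:24:32 A.... 83,208 81.26 K
shdocvw.dll Fri 26 May 2006 15:40:58 A.... 1,339,904 1.28 M
ssqppml.dll Thu 13 Jul 2006 23:46:38 ..SH. 38,925 38.01 K
stream~1.dll Thu 13 Jul 2006 14:57:52 ....R 59,392 58.00 K
urlmon.dll Mon 8 May 2006 10:50:58 A.... 461,824 451.00 K
urqqoon.dll Fri 14 Jul 2006 4:19:48 ..SH. 38,925 38.01 K
vtuvvus.dll Fri 14 Jul 2006 5:36:32 ..SH. 38,925 38.01 K
wininet.dll Fri 28 Apr 2006 10:58:58 A.... 575,488 562.00 K
yabab.dll Thu 13 Jul 2006 23:39:54 A.... 10,583 10.33 K
"""

# One listing line: name, weekday, day, month, year, time, 5-char attribute
# field (A=archive, S=system, H=hidden, R=read-only), byte size with commas.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+[A-Z][a-z]{2}\s+(?P<day>\d{1,2})\s+(?P<mon>[A-Z][a-z]{2})\s+"
    r"(?P<year>\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>[\d,]+)\s"
)


def parse_listing(text):
    """Turn the find-log listing into records with a real datetime and flags."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['day']} {m['mon']} {m['year']} {m['time']}",
                                 "%d %b %Y %H:%M:%S")
        records.append({
            "name": m["name"].lower(),
            "mtime": when,
            "hidden": "H" in m["attrs"],
            "system": "S" in m["attrs"],
            "size": int(m["size"].replace(",", "")),
        })
    return records


def look2me_clusters(records, min_members=3, window_hours=48.0):
    """Group hidden+system DLLs by exact byte size.  A cluster of identically
    sized DLLs written within a short window is the Look2Me dropper pattern
    (heuristic: thresholds are arbitrary, and the hit still needs confirming)."""
    by_size = defaultdict(list)
    for r in records:
        if r["hidden"] and r["system"] and r["name"].endswith(".dll"):
            by_size[r["size"]].append(r)
    clusters = []
    for size, members in by_size.items():
        if len(members) < min_members:
            continue
        times = sorted(r["mtime"] for r in members)
        span_h = (times[-1] - times[0]).total_seconds() / 3600
        if span_h <= window_hours:
            clusters.append({"size": size,
                             "names": sorted(r["name"] for r in members),
                             "span_hours": round(span_h, 2)})
    return sorted(clusters, key=lambda c: -len(c["names"]))


def lone_hidden_system(records, clusters):
    """Hidden+system files outside any cluster: stock System32 DLLs rarely
    carry both flags, so these get a manual look (here the notify DLL)."""
    clustered = {n for c in clusters for n in c["names"]}
    return sorted(r["name"] for r in records
                  if r["hidden"] and r["system"] and r["name"] not in clustered)


if __name__ == "__main__":
    recs = parse_listing(LISTING)
    found = look2me_clusters(recs)
    for c in found:
        print(f"{len(c['names'])} x {c['size']} bytes over {c['span_hours']} h: {c['names']}")
    print("other hidden+system:", lone_hidden_system(recs, found))
```

Feed it the whole "Files Found" block from a find log; the names in a cluster are exactly the list an antivirus will later quarantine one by one, and the lone hit is the loader that keeps recreating them.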

Unread postby whisperer » July 14th, 2006, 2:35 pm

Hi seney,

Thank you for the information on Flashget. You are strongly recommended not to use 'crack' facilities as, apart from piracy, they are notorious for introducing malware to a system and could have been instrumental in your current problems. VX2 is a later variant of a Look2Me infection.

  1. Close any programs you have open since this step requires a reboot.
    1. From the l2mfix folder on your desktop,
      • Click to open l2mfix.bat
      • Select option #2 for Run Fix by typing 2 and then pressing enter
      • Press any key to reboot your computer
    2. After a reboot, your desktop and icons will appear, then disappear (this is normal).
    3. L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.
    4. Copy the contents of that log and paste it back into this thread.
    IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

    Note : Once the pc has restarted if a log does not appear or the icons did not disappear, run the second.bat located inside the L2mfix folder.
  2. Please post
    • The contents of the log
    • A new HijackThis log

GT ;)

Unread postby seney » July 15th, 2006, 2:22 am

Hi whisperer,

When I was running the L2mfix, my anti-virus software detected some viruses. They were all .dll files and I was wondering whether I should be worried. Here's what I saw when I clicked on one of the files' properties.

File: urqqoon.dll
Location: C:\WINDOWS\system32\
Virus name: Downloader
Computer: COM
User: L2MFIX
Action taken: Quarantined
Status: Infected
Current location: Quarantine

I'll list all the files, just to note, all their properties are the same as above, the only difference is the file name. They are:
urqqoon.dll
mljhfcc.dll
gebxuur.dll
byxyxxw.dll
awturpq.dll
vtuvvus.dll
ssqppml.dll
iifccaw.dll
byxwuvt.dll

After the l2mfix finished its job, it said something about file 020 should be fixed with HijackThis.

Here's the l2mfix log:

L2mfix 051206
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Killing 'smss.exe'
\SystemRoot\System32\smss.exe (384)
Killing 'winlogon.exe'
winlogon.exe (472)
Killing 'explorer.exe'
C:\WINDOWS\Explorer.EXE (1756)
Killing 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebcb]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\System32\\gebcb.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lhcalsec.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntlRun]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\macat32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\clrsrv.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrpnlj]
"Asynchronous"=dword:00000001
"DllName"="rqrpnlj.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A1237535-F0EF-4A7A-9E95-AAD3D24BDF36}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{A1237535-F0EF-4A7A-9E95-AAD3D24BDF36}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1237535-F0EF-4A7A-9E95-AAD3D24BDF36}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A1237535-F0EF-4A7A-9E95-AAD3D24BDF36}\InprocServer32]
@="C:\\WINDOWS\\system32\\lhcalsec.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5109E445-35E1-481D-B7E5-DAF571440E70}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{5109E445-35E1-481D-B7E5-DAF571440E70}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5109E445-35E1-481D-B7E5-DAF571440E70}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5109E445-35E1-481D-B7E5-DAF571440E70}\InprocServer32]
@="C:\\WINDOWS\\system32\\macat32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{80780345-0955-4611-A9F3-C299591397B0}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{80780345-0955-4611-A9F3-C299591397B0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{80780345-0955-4611-A9F3-C299591397B0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{80780345-0955-4611-A9F3-C299591397B0}\InprocServer32]
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{91F1C174-AB6F-45F9-8D97-8A4A36A9E25B}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{91F1C174-AB6F-45F9-8D97-8A4A36A9E25B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{91F1C174-AB6F-45F9-8D97-8A4A36A9E25B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{91F1C174-AB6F-45F9-8D97-8A4A36A9E25B}\InprocServer32]
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A1237535-F0EF-4A7A-9E95-AAD3D24BDF36}"=-
"{5109E445-35E1-481D-B7E5-DAF571440E70}"=-
"{80780345-0955-4611-A9F3-C299591397B0}"=-
"{91F1C174-AB6F-45F9-8D97-8A4A36A9E25B}"=-
"{8476435E-1BDD-4611-8A68-B6CBF6CA57BD}"=-
"{90AF5286-E7A1-4098-9B15-52DCE85CE6AF}"=-
"{CD95AD46-82B2-455B-AA1A-23BFA06EE97C}"=-
"{DBEB5CB4-05DA-45AF-A530-1C9CE47DD2FA}"=-
"{FA1CB8DB-6D39-4401-B936-67044A3C5D78}"=-
"{FFAD10D7-7B38-42A7-BCA6-C927C3B536D3}"=-
"{E855CAED-F6A1-44D2-B499-FF531B6BEC87}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A1237535-F0EF-4A7A-9E95-AAD3D24BDF36}]
[-HKEY_CLASSES_ROOT\CLSID\{5109E445-35E1-481D-B7E5-DAF571440E70}]
[-HKEY_CLASSES_ROOT\CLSID\{80780345-0955-4611-A9F3-C299591397B0}]
[-HKEY_CLASSES_ROOT\CLSID\{91F1C174-AB6F-45F9-8D97-8A4A36A9E25B}]
[-HKEY_CLASSES_ROOT\CLSID\{8476435E-1BDD-4611-8A68-B6CBF6CA57BD}]
[-HKEY_CLASSES_ROOT\CLSID\{90AF5286-E7A1-4098-9B15-52DCE85CE6AF}]
[-HKEY_CLASSES_ROOT\CLSID\{CD95AD46-82B2-455B-AA1A-23BFA06EE97C}]
[-HKEY_CLASSES_ROOT\CLSID\{DBEB5CB4-05DA-45AF-A530-1C9CE47DD2FA}]
[-HKEY_CLASSES_ROOT\CLSID\{FA1CB8DB-6D39-4401-B936-67044A3C5D78}]
[-HKEY_CLASSES_ROOT\CLSID\{FFAD10D7-7B38-42A7-BCA6-C927C3B536D3}]
[-HKEY_CLASSES_ROOT\CLSID\{E855CAED-F6A1-44D2-B499-FF531B6BEC87}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/5109E445-35E1-481D-B7E5-DAF571440E70.reg (212 bytes security) (deflated 69%)
adding: backregs/80780345-0955-4611-A9F3-C299591397B0.reg (212 bytes security) (deflated 70%)
adding: backregs/91F1C174-AB6F-45F9-8D97-8A4A36A9E25B.reg (212 bytes security) (deflated 70%)
adding: backregs/A1237535-F0EF-4A7A-9E95-AAD3D24BDF36.reg (212 bytes security) (deflated 69%)
adding: backregs/notibac.reg (140 bytes security) (deflated 89%)


My new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:22:17 PM, on 15/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\smsc.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41F76C69-A270-442C-BC66-1495B805F235}: NameServer = 203.8.183.1 192.189.54.33
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window DLL Services - Unknown owner - C:\WINDOWS\system32\smsc.exe
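An added example, written for this page rather than taken from the thread or from L2MFix: the Winlogon\Notify export in the log above is where this infection persists across reboots. Each subkey names a DLL that winlogon.exe loads at logon, inside a process running as SYSTEM, so the DLL is active before the desktop appears and stays locked on disk, which is why the fix has to kill winlogon.exe and explorer.exe before it can delete anything. Two of the same DLLs (lhcalsec.dll, macat32.dll) also back the nameless CLSIDs in the Shell Extensions Approved list from the first find log. The script below parses a trimmed copy of that export plus one of the deleted CLSID blocks, decodes regedit's hex(2) encoding, and lists every Notify subkey outside an assumed Windows XP SP1 baseline, marking those whose DLL also backs a CLSID InprocServer32. The STOCK_NOTIFY set is my assumption for XP SP1, and NavLogon (Symantec) is left in to show that a non-stock entry is not automatically malicious.

```python
import re

# Trimmed copy of the Winlogon\Notify export and one of the deleted CLSID
# blocks from the L2MFix log above.  NavLogon is Symantec's own package.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebcb]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\System32\\gebcb.dll"
"Startup"="SysLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lhcalsec.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrpnlj]
"Asynchronous"=dword:00000001
"DllName"="rqrpnlj.dll"
"Logon"="Logon"

[HKEY_CLASSES_ROOT\CLSID\{A1237535-F0EF-4A7A-9E95-AAD3D24BDF36}\InprocServer32]
@="C:\\WINDOWS\\system32\\lhcalsec.dll"
"ThreadingModel"="Apartment"
'''

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Notify packages shipped with Windows XP SP1 (assumed baseline; adjust per build).
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _logical_lines(text):
    """Re-join the backslash-continued lines regedit emits for hex() data."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _decode_value(data):
    """Decode the three value syntaxes seen in a v5.00 export."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])            # "C:\\x" -> C:\x
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex(2):") or data.startswith("hex(1):"):  # REG_EXPAND_SZ / REG_SZ
        raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; the default value is stored as '@'."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = None if path.startswith("-") else keys.setdefault(path, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
            current[name] = _decode_value(m.group(2))
    return keys


def clsid_server_basenames(keys):
    """Base names of every DLL registered as a COM InprocServer32 in the export."""
    return {str(v["@"]).rsplit("\\", 1)[-1].lower() for path, v in keys.items()
            if path.lower().endswith("\\inprocserver32") and v.get("@")}


def audit_notify(keys):
    """Non-stock Winlogon Notify subkeys, the DLL winlogon.exe loads for each,
    and whether that same DLL also backs a CLSID (a shell-extension server)."""
    servers = clsid_server_basenames(keys)
    prefix = NOTIFY_KEY.lower() + "\\"
    findings = []
    for path, values in keys.items():
        subkey = path[len(prefix):]
        if not path.lower().startswith(prefix) or "\\" in subkey or subkey.lower() in STOCK_NOTIFY:
            continue
        # value names are case-insensitive in the registry (DllName vs DLLName)
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        findings.append({"subkey": subkey, "dll": dll,
                         "also_clsid_server": str(dll).rsplit("\\", 1)[-1].lower() in servers})
    return sorted(findings, key=lambda f: f["subkey"].lower())


if __name__ == "__main__":
    for finding in audit_notify(parse_reg_export(REG_EXPORT)):
        print(finding)
```

To run it against a live machine, point parse_reg_export at a file produced by `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` (those files are UTF-16; open them with encoding="utf-16"). Anything the script lists that you cannot tie to an installed product, especially when it also backs a nameless CLSID, is a candidate for the fix rather than for deletion by hand, because the loader will recreate a deleted DLL under a new name as long as the Notify entry survives.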

Unread postby seney » July 15th, 2006, 6:12 am

hi whisperer,

I've got an update. I must admit that ZoneAlarm is good, but it's blocking everything? My internet connection is very slow and sometimes, downloads don't work. Also, MSN messenger keeps getting disconnected. When I turned off ZoneAlarm, the initial problem or the viruses I had in the beginning came back. Then my internet stops working altogether and I have to reconnect. I've turned on ZoneAlarm again and I'm leaving it that way. I'm beginning to think the symptoms are quite severe.

Thanks for your help.

Unread postby whisperer » July 15th, 2006, 6:58 am

Seney,

You do indeed have more than one infection, so please do exactly as you are advised, and never ever leave yourself unprotected by being on the internet without a good antivirus or a good firewall.

I am afraid that we will have to start again, so please post an up-to-date HijackThis log and we will take it from there. Do not use any self-help or good guesses; let my expert advisor and me sort it out properly. In the long run it will be the shortest route, even though you are down under, my advisor is in Canada and I am in the UK.

GT ;)

Unread postby whisperer » July 15th, 2006, 5:03 pm

Hi Seney,

It appears that ZoneAlarm is a bit buggy in version 6.5, so we will try and sort you out a more stable version if that is the case.

  1. Please right-click the ZoneAlarm icon in the systray and select Restore ZoneAlarm Control Centre
    1. Click Overview on the left and select the Product Info tab
    2. If the version is not 6.5 etc., then ignore the rest of this post; if it is 6.5, then you can go back to 6.1, which is a proven stable firewall.
    3. Go to this link, download 6.1 and save it to your desktop
    4. Disconnect physically from the internet whilst we effect the changeover
    5. Remove ZoneAlarm 6.5 using Add or Remove Programs; you can ignore the request for a reason for the uninstall
    6. Now install the 6.1 version that you downloaded
  2. That should give you a more stable platform. Once done, give me the new HijackThis log

GT ;)

Unread postby seney » July 15th, 2006, 10:38 pm

Hi whisperer

Sorry about the late reply, the page wouldn't load. =____=
Just before I created this thread, I downloaded ZoneAlarm already. When you suggested I download ZoneAlarm in your second post, I did so again. I got an error message about being unable to locate the specified .dll file and something about the file being corrupt. Therefore, I installed the version I previously downloaded, which is 6.0. Do I still need to change it to 6.1 though?

As for the HijackThis log, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 12:32:43 PM, on 16/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\smsc.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mqtgsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41F76C69-A270-442C-BC66-1495B805F235}: NameServer = 203.8.183.1 192.189.54.33
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window DLL Services - Unknown owner - C:\WINDOWS\system32\smsc.exe

Unread postby whisperer » July 16th, 2006, 3:40 am

You could try this link to 6.1, but 6 is better than nothing.

http://www.cnet.com.au/downloads/info.htm?swid=10532258

Thanks for the new log, I will have a look at it now.

Have you applied any of the previous fixes that were posted earlier since your venture onto the internet without a firewall? This is very important to know, as it affects where we start.

GT ;)

Unread postby whisperer » July 16th, 2006, 1:24 pm

If you still have L2Mfix then ignore the download.
  1. Download L2mfix from here or here
    1. Save the file to your desktop and then double click l2mfix.exe.
    2. Click the Install button to extract the files and follow the prompts
  2. Open the l2mfix folder on your desktop.
    • Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter.
    • This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.
    • Copy the contents of that log and paste it into this thread.
    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!