Free Malware Removal Forum

by **Clockwork Sausage** » June 2nd, 2006, 9:13 pm

Thnaks for your time.

My problem is pop-ups coupled with a really slow system. Only yesterday i
was having no problems. I don't know where this came from, i can only
assume one of my family sownloaded something dodjy.

The popups come in the form of opening a new Firefox tab. All i get is
blank white pages - i assume my "Noscript" firefox plugin is stopping
whatever is on them from loading. The loaded websites include (but not
exclusivley):

Code: Select all

(code tags to prevent people clicking them unknowingly)
http://www.savi-ngs.com/tau.html
http://www.supercoupon-sales.com/tau.html
http://www.announceme-nt.com/muon.html
http://www.redemption-slip.com/tau.html

I also occasionaly get IE popups, though these happen rarely. I have
started receiving an error message on startup of my system -

Code: Select all

Error loading w27cf7d7.dll
The specified module could not be found

Googling this filename returned nothing for me. Also, i could not see my
task manager - i would ctrl+alt+del, and click "task manager, but Limewire
would load for some reason (I've never so much as loaded limewire on
my PC account before this). This task manager problem seems to have
gona away since my scan with "Ewido".

So far i've tried:
- removing a bunch of apps via "Add/remove programs" on windows.
these where all programs that i definatley did not install.
- Running "Spybot - Search & Destroy" in safe mode. Removed all finds
with no error messages.
- Running "ewido anti-malware" in safe mode. Removed all finds.
- General googling for help to little avail

My Hijack this log, after doing all this and rebooting:

Logfile of HijackThis v1.99.1
Scan saved at 02:07:13, on 03/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Documents and Settings\andy\Application Data\?racle\?xplorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\andy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1 ... kZ1ZZQV3P2
ggrEVEyPyMjX+2YsGWj2IdQbg89NZSUX+vdvNRFWr0AywqR1/1a8RjjH93F5AUExHCKl9+Qp/jn/2AkJOMtIOUU41ZHoTZpvZHvmYWjdxu8+g1rUB9goDZ6IVuQSIZfw==
R3 - URLSearchHook: (no name) - {3835FAF7-6F61-13EA-3584-3246E39DD4B6} - C:\WINNT\system32\zhqmuhfj.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [w27cf7d7.dll] RUNDLL32.EXE w27cf7d7.dll,I2 0012c3c4027cf7d7
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Hahh] "C:\DOCUME~1\andy\APPLIC~1\YMANTE~1\notepad.exe" -vt yazb
O4 - HKCU\..\Run: [Wvvq] C:\Documents and Settings\andy\Application Data\?racle\?xplorer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O20 - AppInit_DLLs: C:\WINNT\system32\dllhost.dll
O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\m246lchs1f46.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

by **Shaba** » June 3rd, 2006, 4:27 am

Hi Clockwork Sausage

I'll help you, but as an undergraduate my posts must be checked by experts first.
So there might be some delay.

Please keep responding to this topic until I say youÂ´re clean

I'll help you ASAP

by **Shaba** » June 3rd, 2006, 11:53 am

Move HijackThis to own folder -> c:\hjt

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

by **Clockwork Sausage** » June 4th, 2006, 6:27 am

Thanks for your help.

L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\fp2m03f1e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{46E1A453-AA13-2BF7-ADDF-3B1AFA63EB9B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{8BE90E5C-AA33-4021-BB87-B1279F5AF56F}"=""
"{BDA8615E-C733-4099-B245-14203C8873A1}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8BE90E5C-AA33-4021-BB87-B1279F5AF56F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8BE90E5C-AA33-4021-BB87-B1279F5AF56F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8BE90E5C-AA33-4021-BB87-B1279F5AF56F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8BE90E5C-AA33-4021-BB87-B1279F5AF56F}\InprocServer32]
@="C:\\WINNT\\system32\\mzrle32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BDA8615E-C733-4099-B245-14203C8873A1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDA8615E-C733-4099-B245-14203C8873A1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDA8615E-C733-4099-B245-14203C8873A1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDA8615E-C733-4099-B245-14203C8873A1}\InprocServer32]
@="C:\\WINNT\\system32\\dyskadp.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
cdral.dll Mon 13 Mar 2006 23:26:52 A.... 45,056 44.00 K
cdrtc.dll Mon 13 Mar 2006 23:26:52 A.... 49,152 48.00 K
dllhost.dll Sat 3 Jun 2006 0:27:10 A.... 81,920 80.00 K
dyskadp.dll Sun 4 Jun 2006 11:18:48 ..S.R 235,710 230.18 K
fp2m03~1.dll Sat 3 Jun 2006 3:08:50 ..S.R 235,710 230.18 K
fprq03~1.dll Sat 3 Jun 2006 12:07:50 ..S.R 235,587 230.06 K
lstyhrx.dll Wed 31 May 2006 14:45:30 A.... 139,264 136.00 K
lv8809~1.dll Fri 2 Jun 2006 15:12:14 ..S.R 236,115 230.58 K
mec71chs.dll Sat 3 Jun 2006 0:41:38 ..S.R 237,232 231.67 K
metask.dll Fri 2 Jun 2006 11:02:00 ..S.R 234,272 228.78 K
mlgsvc.dll Sat 3 Jun 2006 0:58:48 ..S.R 234,621 229.12 K
mv8sl9~1.dll Fri 2 Jun 2006 11:15:22 ..S.R 234,142 228.65 K
mzrle32.dll Fri 2 Jun 2006 21:38:06 ..S.R 236,115 230.58 K
pncrt.dll Mon 27 Mar 2006 13:37:16 A.... 278,528 272.00 K
pndx5016.dll Mon 27 Mar 2006 13:37:18 A.... 6,656 6.50 K
pndx5032.dll Mon 27 Mar 2006 13:37:18 A.... 5,632 5.50 K
px.dll Tue 16 May 2006 21:23:54 ..... 430,080 420.00 K
pxdrv.dll Tue 16 May 2006 21:23:54 ..... 450,560 440.00 K
pxmas.dll Tue 16 May 2006 21:23:54 ..... 176,128 172.00 K
pxsfs.dll Tue 16 May 2006 21:23:54 ..... 1,257,472 1.20 M
pxwave.dll Tue 16 May 2006 21:23:56 ..... 339,968 332.00 K
rmoc3260.dll Mon 27 Mar 2006 13:37:22 A.... 176,167 172.04 K
smss.dll Fri 2 Jun 2006 11:06:40 A.... 81,920 80.00 K
vxblock.dll Tue 16 May 2006 21:23:56 ..... 28,672 28.00 K
zhqmuhfj.dll Wed 31 May 2006 14:42:54 A.... 139,264 136.00 K

25 items found: 25 files (9 H/S), 0 directories.
Total of file sizes: 5,805,943 bytes 5.54 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
setupe~1.tmp Fri 2 Jun 2006 10:59:56 A.... 36,864 36.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 36,864 bytes 36.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is D4A1-E4A1

Directory of C:\WINNT\System32

04/06/2006 11:18 235,710 dyskadp.dll
03/06/2006 12:07 235,587 fprq0395e.dll
03/06/2006 03:08 235,710 fp2m03f1e.dll
03/06/2006 00:58 234,621 mlgsvc.dll
03/06/2006 00:41 237,232 MEC71CHS.DLL
02/06/2006 21:38 236,115 mzrle32.dll
02/06/2006 15:12 236,115 lv8809lue.dll
02/06/2006 11:15 234,142 mv8sl9l71.dll
02/06/2006 11:01 234,272 metask.dll
02/06/2006 11:00 <DIR> dllcache
9 File(s) 2,119,504 bytes
1 Dir(s) 1,276,280,832 bytes free

by **Shaba** » June 4th, 2006, 12:52 pm

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note : Once the pc has restarted if a log does not appear or the icons didn't dissappear, run the "second.bat" located inside the L2mfix folder.

Also, do this:

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Send:

- a fresh HijackThis log
- l2mfix log
- uninstall list

by **Clockwork Sausage** » June 4th, 2006, 2:51 pm

Thanks for the reply.

L2mfix 051206
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINNT\system32

Killing Processes!
Killing 'smss.exe'
\SystemRoot\System32\smss.exe (160)
Killing 'winlogon.exe'
winlogon.exe (204)
Killing 'explorer.exe'
C:\WINNT\Explorer.EXE (1032)
Killing 'rundll32.exe'
rundll32.exe "C:\WINNT\system32\dyskadp.dll",DllGetVersion (912)
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINNT\system32\dyskadp.dll
Successfully Deleted: C:\WINNT\system32\dyskadp.dll
Deleting: C:\WINNT\system32\fp2m03f1e.dll
Successfully Deleted: C:\WINNT\system32\fp2m03f1e.dll
Deleting: C:\WINNT\system32\fprq0395e.dll
Successfully Deleted: C:\WINNT\system32\fprq0395e.dll
Deleting: C:\WINNT\system32\lv8809lue.dll
Successfully Deleted: C:\WINNT\system32\lv8809lue.dll
Deleting: C:\WINNT\system32\MEC71CHS.DLL
Successfully Deleted: C:\WINNT\system32\MEC71CHS.DLL
Deleting: C:\WINNT\system32\metask.dll
Successfully Deleted: C:\WINNT\system32\metask.dll
Deleting: C:\WINNT\system32\mlgsvc.dll
Successfully Deleted: C:\WINNT\system32\mlgsvc.dll
Deleting: C:\WINNT\system32\mv8sl9l71.dll
Successfully Deleted: C:\WINNT\system32\mv8sl9l71.dll
Deleting: C:\WINNT\system32\mzrle32.dll
Successfully Deleted: C:\WINNT\system32\mzrle32.dll

msg11?.dll
0 file(s) copied.

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\fp2m03f1e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
****************************************************************************
C:\WINNT\system32\dyskadp.dll
C:\WINNT\system32\fp2m03f1e.dll
C:\WINNT\system32\fprq0395e.dll
C:\WINNT\system32\lv8809lue.dll
C:\WINNT\system32\MEC71CHS.DLL
C:\WINNT\system32\metask.dll
C:\WINNT\system32\mlgsvc.dll
C:\WINNT\system32\mv8sl9l71.dll
C:\WINNT\system32\mzrle32.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8BE90E5C-AA33-4021-BB87-B1279F5AF56F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8BE90E5C-AA33-4021-BB87-B1279F5AF56F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8BE90E5C-AA33-4021-BB87-B1279F5AF56F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8BE90E5C-AA33-4021-BB87-B1279F5AF56F}\InprocServer32]
@="C:\\WINNT\\system32\\mzrle32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BDA8615E-C733-4099-B245-14203C8873A1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDA8615E-C733-4099-B245-14203C8873A1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDA8615E-C733-4099-B245-14203C8873A1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDA8615E-C733-4099-B245-14203C8873A1}\InprocServer32]
@="C:\\WINNT\\system32\\dyskadp.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{8BE90E5C-AA33-4021-BB87-B1279F5AF56F}"=-
"{BDA8615E-C733-4099-B245-14203C8873A1}"=-
[-HKEY_CLASSES_ROOT\CLSID\{8BE90E5C-AA33-4021-BB87-B1279F5AF56F}]
[-HKEY_CLASSES_ROOT\CLSID\{BDA8615E-C733-4099-B245-14203C8873A1}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/dyskadp.dll (152 bytes security) (deflated 5%)
adding: dlls/fp2m03f1e.dll (152 bytes security) (deflated 5%)
adding: dlls/fprq0395e.dll (152 bytes security) (deflated 5%)
adding: dlls/lv8809lue.dll (152 bytes security) (deflated 5%)
adding: dlls/MEC71CHS.DLL (152 bytes security) (deflated 5%)
adding: dlls/metask.dll (152 bytes security) (deflated 4%)
adding: dlls/mlgsvc.dll (152 bytes security) (deflated 5%)
adding: dlls/mv8sl9l71.dll (152 bytes security) (deflated 4%)
adding: dlls/mzrle32.dll (152 bytes security) (deflated 5%)
adding: backregs/8BE90E5C-AA33-4021-BB87-B1279F5AF56F.reg (164 bytes security) (deflated 70%)
adding: backregs/BDA8615E-C733-4099-B245-14203C8873A1.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (152 bytes security) (deflated 85%)
adding: backregs/shell.reg (152 bytes security) (deflated 74%)

__________________________________________

UNINSTALL LIST

Adobe Acrobat 7.0 - Tryout Professional - English, FranÃ§ais, Deutsch
Adobe Reader 6.0.1
AVS Disc Creator version 2.1
AVS Video Tools 5.1
Carmageddon
Dev-C++ 5 beta 9 release (4.9.9.2)
DivX
DivX Player
DivX Web Player
ewido anti-malware
Fx Video Converter
GSpot Codec Information Appliance
Guitar Pro 5.0
Hackman Hex Editor
Half-Life(R) 2
HijackThis 1.99.1
ImageMixer VCD/DVD2 for OLYMPUS
J2SE Runtime Environment 5.0 Update 3
LimeWire 4.10.9
Microsoft Internet Explorer 6 SP1
Microsoft Office XP Professional with FrontPage
mIRC
Mozilla Firefox (1.5.0.4)
Nero 7 Demo
NVIDIA Drivers
OLYMPUS Master
Power Tab Editor 1.7
QuickTime
RealPlayer
Shareaza version 2.2.1.0
Spybot - Search & Destroy 1.4
Steam(TM)
TeamSpeak 2 RC2
uTorrent
Windows Media Player system update (9 Series)
WinRAR archiver
Wolfenstein - Enemy Territory
Xfire (remove only)
XNote Stopwatch 1.40

___________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 19:50:22, on 04/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\andy\APPLIC~1\RACLE~1\XPLORE~1.EXE
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\andy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1 ... VuQSIZfw==
R3 - URLSearchHook: (no name) - {3835FAF7-6F61-13EA-3584-3246E39DD4B6} - C:\WINNT\system32\zhqmuhfj.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [w27cf7d7.dll] RUNDLL32.EXE w27cf7d7.dll,I2 0012c3c4027cf7d7
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Hahh] "C:\DOCUME~1\andy\APPLIC~1\YMANTE~1\notepad.exe" -vt ndrv
O4 - HKCU\..\Run: [Wvvq] C:\DOCUME~1\andy\APPLIC~1\RACLE~1\XPLORE~1.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O20 - AppInit_DLLs: C:\WINNT\system32\dllhost.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\fp2m03f1e.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

by **Shaba** » June 5th, 2006, 12:17 pm

Download and run this uninstaller:
Uninstaller

Tutorial for the uninstaller if needed

Reboot when done.

Download and unzip BFU.zip from here.
Run the program and click the Web button as shown by the blue arrow below:

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html

Reboot.

Create a new folder on Desktop, name it eg. HjT and drag/drop HijackThis.exe to this folder.

Open HijackThis, click do a system scan only and checkmark these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://as.starware.com/dp/search?x=wKX1 ... VuQSIZfw==
R3 - URLSearchHook: (no name) - {3835FAF7-6F61-13EA-3584-3246E39DD4B6} - C:\WINNT\system32\zhqmuhfj.dll
O4 - HKLM\..\Run: [w27cf7d7.dll] RUNDLL32.EXE w27cf7d7.dll,I2 0012c3c4027cf7d7
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - AppInit_DLLs: C:\WINNT\system32\dllhost.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\fp2m03f1e.dll (file missing)

Close all windows, including browser and press fix checked.

Please download ATF Cleaner by Atribune and save
it to desktop. Don't use it yet.

6. You will need to update ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates -> http://download.ewido.net/ewido-signatu ... urrent.exe Make sure to close Ewido before installing the update.

Once the updates are installed do the following:

Reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Delete, if found:

C:\WINNT\system32\zhqmuhfj.dll
C:\WINNT\system32\dllhost.dll
C:\Program Files\PurityScan

Please do a search:
"Run "Start">"Search">"All Files and Folders"> enter w27cf7d7.dll in "All or part of file name". Select "More advanced options". Check-mark "Search System Folders", "Search hidden files and folders", and "Search subfolders". Click "Search". Right click the file and select delete.

NOTE: That file may not exist at all! If it doesn't, just skip the step above.

Empty Recycle Bin

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Then launch ewido:

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* You will be prompted to clean the first infection.
* Select "Perform action on all infections", then proceed.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware.

Reboot back to normal mode

Send:

- a fresh HjT log
- ewido report

by **Clockwork Sausage** » June 5th, 2006, 2:36 pm

Thanks for the reply.

All worked fine until i clicked "fix checked" on HijackThis, and i got this error message:

http://img370.imageshack.us/my.php?image=error2df.jpg

I then continued everything else. w27cf7d7.dll didn't exist.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 19:24:25, 05/06/2006
+ Report-Checksum: 3A3C3250

+ Scan result:

HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup
C:\Documents and Settings\andy\Local Settings\Temp\WSu.exe -> Adware.PurityScan : Cleaned with backup
C:\Program Files\Shareaza\Downloads\_\Beckystark Iknowyouhadto - Beckystark Iknowyouhadto.mp3.exe -> Dropper.VB.me : Cleaned with backup

::Report End

___________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 19:34:34, on 05/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\andy\Desktop\HjT\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

by **Shaba** » June 6th, 2006, 2:58 am

Looking much better

Open HijackThis, click do a system scan only and checkmark these:

O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

Close all windows, including browser and press fix checked.

Reboot.

Please run this online scan:

Panda ActiveScan

Once you are on the Panda site, click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log

by **Clockwork Sausage** » June 6th, 2006, 9:21 am

Thanks for your reply, much appreciated =)

Panda log:

Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\xawm2bl8.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\xawm2bl8.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\xawm2bl8.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\xawm2bl8.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\xawm2bl8.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\xawm2bl8.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\xawm2bl8.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\andy\Cookies\andy@adopt.hbmediapro[2].txt
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\andy\Local Settings\Temp\GLF27GLF27.EXE
Adware:Adware/YazzleSudoku Not disinfected C:\Documents and Settings\andy\Local Settings\Temporary Internet Files\Content.IE5\GT6NO5MJ\116[1].avi
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\andy\Local Settings\Temporary Internet Files\Content.IE5\GT6NO5MJ\maxidr[1].avi
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\andy\Local Settings\Temporary Internet Files\Content.IE5\GT6NO5MJ\rmtag3[1].js
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\andy\Local Settings\Temporary Internet Files\Content.IE5\O9QNGTA3\rmtag3[1].js
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\andy\Local Settings\Temporary Internet Files\Content.IE5\WDM7WX6F\rmtag3[1].js
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\andy\Local Settings\Temporary Internet Files\Content.IE5\WDM7WX6F\rmtag3[2].js
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\andy\Local Settings\Temporary Internet Files\Content.IE5\WDM7WX6F\rmtag3[3].js
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\andy\Local Settings\Temporary Internet Files\Ssk.log
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.adviva.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.go.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.adtech.de/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Mr McCormick\Cookies\mr mccormick@adopt.hbmediapro[1].txt
Adware:Adware/CommAd Not disinfected C:\Documents and Settings\Mr McCormick\Local Settings\Temp\cmdinst.exe
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\Mr McCormick\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Mr McCormick\Local Settings\Temporary Internet Files\Content.IE5\6M0FS68O\117[1].avi
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\Mr McCormick\Local Settings\Temporary Internet Files\Content.IE5\6M0FS68O\rmtag3[1].js
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\Mr McCormick\Local Settings\Temporary Internet Files\Content.IE5\6M0FS68O\rmtag3[2].js
Adware:Adware/YazzleSudoku Not disinfected C:\Documents and Settings\Mr McCormick\Local Settings\Temporary Internet Files\Content.IE5\EDL0LO67\116[1].avi
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\Mr McCormick\Local Settings\Temporary Internet Files\Content.IE5\EDL0LO67\rmtag3[1].js
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\Mr McCormick\Local Settings\Temporary Internet Files\Content.IE5\EDL0LO67\rmtag3[2].js
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Mr McCormick\Local Settings\Temporary Internet Files\Content.IE5\OJ1YZIY5\!update-3895[1].0000
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Mr McCormick\Local Settings\Temporary Internet Files\Content.IE5\OJ1YZIY5\117[1].avi
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\Mr McCormick\Local Settings\Temporary Internet Files\Content.IE5\OJ1YZIY5\maxidr[1].avi
Adware:Adware/YieldManager Not disinfected C:\Documents and Settings\Mr McCormick\Local Settings\Temporary Internet Files\Content.IE5\OJ1YZIY5\rmtag3[2].js
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Mr McCormick\My Documents\8495\mark\Cookies\mark@xiti[1].txt
Adware:Adware/NewAds Not disinfected C:\mc-110-12-0000137.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\mc-110-12-0000137.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/YazzleSudoku Not disinfected C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\DNS\cwebpage.dll

____________________________________

Logfile of HijackThis v1.99.1
Scan saved at 14:20:42, on 06/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINNT\system32\divxsm.exe
C:\Documents and Settings\andy\Desktop\HjT\HijackThis.exe

O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

by **Shaba** » June 6th, 2006, 12:18 pm

Follow these instructions -> http://www.nsula.edu/ece/blackboard_hel ... pfiles.htm

Then boot in safe mode

Delete, if found:

C:\Documents and Settings\Mr McCormick\Local Settings\Temp\cmdinst.exe
C:\Documents and Settings\Mr McCormick\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe
C:\Documents and Settings\andy\Local Settings\Temp\GLF27GLF27.EXE
C:\mc-110-12-0000137.exe
C:\Program Files\Common Files\mc-110-12-0000137.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\DNS

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Reboot

Run another panda activescan and send report here along with a fresh HjT log.

How are things running now?

by **Clockwork Sausage** » June 6th, 2006, 1:14 pm

Thanks for the reply.

these files:
C:\Program Files\Common Files\mc-110-12-0000137.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe

didn't exist.
I noticed that the first time you said to, i missed out this step (accidentally):

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

But its done now, apologies for that.

Thanks a huge deal for all this, it seems everything is back to normal now. I oly have 1 problem left, and that is new. Every time i load my system, just after ewido loads it detects an exe file, and asks me wether to clean it or not. i always clean it. then the next time i load my system it detects it again. It is always an .exe file, 1 location of it is:

c:\Program Files\Wolfenstein - Enemy Territory\wETDED.exe

ETDED.exe should be there, but when i look wETDED.exe does not exist.

sometimes it is this file, someitmes a file in my winamp folder, sometimes in my winrar folder (different named files).

This isn't causing me any noticable problems, but it cant be good =(

Thanks again
______________________________________

Panda scan:

Incident Status Location

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\xawm2bl8.default\cookies.txt[.advertising.com/]
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\andy\Local Settings\Temporary Internet Files\Ssk.log
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.adviva.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.go.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.adtech.de/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Mr McCormick\Application Data\Mozilla\Firefox\Profiles\rzxltr4u.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Mr McCormick\Cookies\mr mccormick@adopt.hbmediapro[1].txt

_____________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 18:07:05, on 06/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINNT\system32\divxsm.exe
C:\Documents and Settings\andy\Desktop\HjT\HijackThis.exe

O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

by **Shaba** » June 6th, 2006, 1:58 pm

I suggest itÂ´s a false positive from ewido.

Try this:

Disable ewido guard:

1. Open ewido by double-clicking the yellow 'e' icon in the system tray.
2. In the 'Your security status' section, toggle the ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'.
3. When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?".
4. Reply 'no' and set it to 'inactive'.

Do you remember what files were flagged in the WinAmp folder and WinRar folder by ewido?

Also, try to restore wETDED.exe from ewido's backups.
If that is unsuccessful, you may need to re-install wolfenstein.

Open HijackThis, click do a system scan only and checkmark this:

O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)

Close all windows including browser and press fix checked.

Go here and download and install JRE 5.0 Update 7. Click the link that says Download JRE 5.0 Update 7. You will then need to select Accept License Agreement and click the Continue button that is beside it. Then click the link that says Windows Offline Installation, Multi-language. Save it to your Desktop. Then go back to your Desktop and double click jre-1_5_0_07-windows-i586-p.exe to start the install. Once you have it installed, click Start>Run, type in appwiz.cpl and hit Enter. From the list, uninstall J2SE Runtime Environment 5.0 Update 3.

Also delete this:

C:\Documents and Settings\andy\Local Settings\Temporary Internet Files\Ssk.log

Reboot, send a fresh HjT log and tell me, if you keep getting the same warning again.

by **Clockwork Sausage** » June 6th, 2006, 2:37 pm

Thanks for the reply.

I rebooted 5 times to view the filenames, and these came up as "Adware.Agent":

Reboot 1 (only 1 thing detected each time):
C:\Program Files\Windows Filename: wWinUpdate.exe

Reboot 2:
C:\Program Files\Wolfenstein - Enemy Territory Filename: Version.exe

Reboot 3:
C:\Program Files\MSN Messenger Filename: wdw.exe

Reboot 4:
C:\Program Files\Shareaza Filename wskin.exe

Reboot 5:
C:\Program Files\Microsoft Activesync Filename MSCONV97.exe

The Winamp and Winrar ones didnt happen to come up, but i think you get the idea.

I then disabled the agent as instructed, rebooted, and received no messages.

The java update download wouldnt work, i went right through to the download screen, then when iclicked the download link it gave me "Page not found" error (in both FF and IE).

Ssk.log didn't exist.

_____________________________

Logfile of HijackThis v1.99.1
Scan saved at 19:30:28, on 06/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Shareaza\wwskin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\andy\Desktop\HjT\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

by **Shaba** » June 7th, 2006, 3:14 am

Use this link to update java -> http://www.java.com/en/download/manual.jsp
Select Windows (Offline Installation)
Once you have it installed, click Start>Run, type in appwiz.cpl and hit Enter. From the list, uninstall J2SE Runtime Environment 5.0 Update 3.

Those are definitely false positives from ewido. I suggest that you disable ewido guard permanently according to instructions I gave you.

Reboot and send a fresh HjT log. Still problems?

Free Malware Removal Forum

Help please!

Help please!

Who is online