Can't get rid of the popups plz help

Post by garruz » October 26th, 2005, 6:02 pm

I'm having some trouble with popups!
There are some popups that just won't stop coming, even though I have tried to remove them several times.
So recently I used the Symantec online scanner and it didn't find anything!
I'm all out of options, so I came here :)

Here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 22:02:19, on 26.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VNC4\WinVNC4.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
G:\PROGRAMS\OPERA\OPERA.EXE
C:\WINDOWS\explorer.exe
G:\Programs\mIRC\mirc.exe
G:\Programs\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\jkhhi.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0363959812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\gp66l3js1.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: RTT CRC Service (RTT_CRC_Service) - Unknown owner - C:\Program Files\R-Firewall\Service\RTT_CRC_Service.exe
garruz
Active Member
 
Posts: 9
Joined: October 26th, 2005, 3:22 pm

Post by Jaswarbrick » October 26th, 2005, 6:13 pm

Welcome :)

Please stay patient while your log is researched. Thanks. :)
Jaswarbrick
Regular Member
 
Posts: 219
Joined: September 24th, 2005, 12:59 pm

Post by Jaswarbrick » October 27th, 2005, 5:25 am

Welcome :)

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click KillVundo.bat
  • You will first be presented with a warning.
    It should look like this
    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:
    Please Type in the filepath as instructed by the forum staff
    and then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINDOWS\system32\jkhhi.dll
  • Press Enter to continue with the fix.
  • Next you will see:
    Please type in the second filepath as instructed by the forum
    staff then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINDOWS\system32\ihhkj.*
  • Press Enter to continue with the fix.
  • The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
      O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\jkhhi.dll
      O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll
      O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\gp66l3js1.dll

      Unless Spybot S + D or a computer administrator put in the following restrictions, have Hijackthis fix them:

      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program.
  • Still in safe mode, delete the following:

    C:\WINDOWS\system32\gp66l3js1.dll <- File
  • Then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.


Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
Jaswarbrick
Regular Member
 
Posts: 219
Joined: September 24th, 2005, 12:59 pm
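Added example, not part of the thread or of VundoFix/HijackThis: a Python check that reads HijackThis O2/O20 lines like the ones the fix above lists, flags Winlogon Notify DLLs outside a small allowlist, correlates a DLL that is registered both as a BHO and as a notify package (the Vundo pattern behind the jkhhi.dll entries), and derives the reversed-name companion that the second VundoFix path targets (jkhhi -> ihhkj.*). The sample log is constructed from this thread's logs; the allowlist is my assumption.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: HijackThis 1.99.1 lines copied from the logs posted in this
# thread (jkhhi.dll and gp66l3js1.dll from the first log, the Webroot notify DLL
# from the third), plus one benign O4 and O23 line that the analysis ignores.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\jkhhi.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\gp66l3js1.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

# Assumed allowlist: Winlogon notification packages that ship with Windows XP plus
# the Webroot Spy Sweeper one that appears later in this thread. It is a starting
# point, not a verdict; a real review compares against a known-clean baseline.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
    "wlnotify.dll", "wzcdlg.dll", "wrlogonntf.dll",
}

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_hjt(text):
    """Return dicts (section, name, path, missing) for the O2 and O20 lines of a log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line) or NOTIFY_RE.match(line)
        if not m:
            continue
        entries.append({
            "section": line.split(" - ", 1)[0],
            "name": m.group("name"),
            "path": m.group("path"),
            "missing": bool(m.group("missing")),
        })
    return entries


def companion_pattern(path):
    """Vundo-style twin: same directory, file stem reversed, any extension.
    This is the second path the staff had VundoFix delete (jkhhi.dll -> ihhkj.*)."""
    directory, filename = ntpath.split(path)
    stem = ntpath.splitext(filename)[0]
    return ntpath.join(directory, stem[::-1] + ".*")


def analyse(entries):
    """Return (severity, path, reason) findings over parsed O2/O20 entries."""
    findings = []
    sections_by_path = defaultdict(set)
    original_path = {}
    for e in entries:
        key = e["path"].lower()
        sections_by_path[key].add(e["section"])
        original_path.setdefault(key, e["path"])
        base = ntpath.basename(e["path"]).lower()
        if e["section"] == "O20" and base not in KNOWN_NOTIFY_DLLS:
            findings.append(("medium", e["path"],
                             "Winlogon Notify DLL not in the allowlist (key name '%s')" % e["name"]))
        if e["missing"]:
            findings.append(("low", e["path"],
                             "registration survives but the file is gone; remove the stale entry"))
    # One DLL loaded both as an IE BHO and as a Winlogon notification package is the
    # Vundo pattern in this thread; the reversed-name twin is its usual companion.
    for key, sections in sections_by_path.items():
        if {"O2", "O20"} <= sections:
            path = original_path[key]
            findings.append(("high", path,
                             "same DLL registered as BHO and Winlogon Notify; "
                             "also check the reversed-name companion " + companion_pattern(path)))
    return findings


if __name__ == "__main__":
    for severity, path, reason in analyse(parse_hjt(SAMPLE_LOG)):
        print("[%s] %s: %s" % (severity, path, reason))
```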

Rebooted

Post by garruz » October 27th, 2005, 8:10 am

Still in safe mode, delete the following:

C:\WINDOWS\system32\gp66l3js1.dll <- File

When I used cmd to del C:\WINDOWS\system32\gp66l3js1.dll it came up with "file not found".

And here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:06:05, on 27.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VNC4\WinVNC4.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
G:\Programs\opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\jkhhi.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0363959812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\q668lgju16o8.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: RTT CRC Service (RTT_CRC_Service) - Unknown owner - C:\Program Files\R-Firewall\Service\RTT_CRC_Service.exe

here is my vundofix log:
--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\jkhhi.dll

The second filepath entered was C:\WINDOWS\system32\ihhkj.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 144 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 736 'explorer.exe'

Killing PID 660 'rundll32.exe'

Killing PID 216 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\system32\jkhhi.dll.
C:\WINDOWS\system32\ihhkj.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

And this is from ActiveScan:
                  Detected  Disinfected
Virus                    0            0
Spyware                  0            0
Hacking Tools            0            0
Dialers                  0            0
Security Risks           0            0
Suspicious files         0            0
garruz
Active Member
 
Posts: 9
Joined: October 26th, 2005, 3:22 pm

No effect

Post by garruz » October 27th, 2005, 6:10 pm

As the HJT log should show, that didn't work and the popups keep coming. I can't really do anything while these keep popping up, so I hope you can still help me.
garruz
Active Member
 
Posts: 9
Joined: October 26th, 2005, 3:22 pm

Post by Jaswarbrick » October 27th, 2005, 6:55 pm

Don't worry garruz, I am still helping you; I have to consult my guru about your log, and you are being dealt with. You will have a response as soon as possible. :)
Jaswarbrick
Regular Member
 
Posts: 219
Joined: September 24th, 2005, 12:59 pm

Post by Jaswarbrick » October 28th, 2005, 5:53 am

OK, sorry for the delay. You also have a look2me infection, which may be interrupting us trying to fix your Winfixer infection.

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next.

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.


Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

Then post the Spysweeper log, the l2mfix log, and a fresh Hijackthis log please. We still have more work to do after this.
Jaswarbrick
Regular Member
 
Posts: 219
Joined: September 24th, 2005, 12:59 pm

Post by garruz » October 28th, 2005, 9:13 am

Hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 13:16:01, on 28.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\VNC4\WinVNC4.exe
G:\Programs\opera\Opera.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O1 - Hosts: .0.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0363959812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: RTT CRC Service (RTT_CRC_Service) - Unknown owner - C:\Program Files\R-Firewall\Service\RTT_CRC_Service.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



l2mfix log:
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhhi]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\jkhhi.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{21A373C6-13BC-9BD3-E377-4440AF55939A}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{39576854-8B61-45BB-AF96-D07CFF00C271}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{39576854-8B61-45BB-AF96-D07CFF00C271}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39576854-8B61-45BB-AF96-D07CFF00C271}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{39576854-8B61-45BB-AF96-D07CFF00C271}\InprocServer32]
@="C:\\WINDOWS\\system32\\veajet32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A06BBD23-723D-418A-80E4-DC39101E9FB5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A06BBD23-723D-418A-80E4-DC39101E9FB5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A06BBD23-723D-418A-80E4-DC39101E9FB5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A06BBD23-723D-418A-80E4-DC39101E9FB5}\InprocServer32]
@="C:\\WINDOWS\\system32\\wsnhttp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{605673DF-53F0-4B54-ABE3-7ABB76E61DF5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{605673DF-53F0-4B54-ABE3-7ABB76E61DF5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{605673DF-53F0-4B54-ABE3-7ABB76E61DF5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{605673DF-53F0-4B54-ABE3-7ABB76E61DF5}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
bassmod.dll Tue 2005-10-25 21:14:30 A.... 34 308 33,50 K
cmdlin~1.dll Sun 2005-10-09 12:29:36 A.... 98 304 96,00 K
en2ml1~1.dll Fri 2005-10-28 12:53:06 ..S.R 236 847 231,29 K
geeda.dll Tue 2005-10-25 21:15:28 ..SH. 28 173 27,51 K
hrp405~1.dll Thu 2005-10-27 11:53:02 ..... 235 726 230,20 K
islzma.dll Fri 2005-10-21 15:50:14 A.... 102 912 100,50 K
ljrmonui.dll Wed 2005-10-26 19:43:10 ..S.R 235 726 230,20 K
nv4_disp.dll Tue 2005-08-02 15:35:00 A.... 3 908 864 3,73 M
nvcod.dll Tue 2005-08-02 15:35:00 A.... 32 768 32,00 K
nvcodins.dll Tue 2005-08-02 15:35:00 A.... 32 768 32,00 K
nvcpl.dll Tue 2005-08-02 15:35:00 A.... 7 110 656 6,78 M
nvhwvid.dll Tue 2005-08-02 15:35:00 A.... 540 672 528,00 K
nview.dll Tue 2005-08-02 15:35:00 A.... 1 466 368 1,40 M
nvmctray.dll Tue 2005-08-02 15:35:00 A.... 86 016 84,00 K
nvnt4cpl.dll Tue 2005-08-02 15:35:00 A.... 286 720 280,00 K
nvoglnt.dll Tue 2005-08-02 15:35:00 A.... 5 140 480 4,90 M
nvshell.dll Tue 2005-08-02 15:35:00 A.... 466 944 456,00 K
nvwddi.dll Tue 2005-08-02 15:35:00 A.... 81 920 80,00 K
nvwdmcpl.dll Tue 2005-08-02 15:35:00 A.... 1 662 976 1,59 M
nvwimg.dll Tue 2005-08-02 15:35:00 A.... 1 019 904 996,00 K
pmnll.dll Tue 2005-10-25 21:59:28 ..SH. 28 173 27,51 K
sirenacm.dll Sun 2005-09-18 23:00:34 A.... 119 856 117,05 K
t88uli~1.dll Thu 2005-10-27 11:51:02 ..S.R 234 242 228,75 K
wpssvc.dll Thu 2005-10-27 11:51:02 ..S.R 235 726 230,20 K
wrlogo~1.dll Mon 2005-10-24 12:20:36 A.... 492 544 481,00 K
wrlzma.dll Mon 2005-10-24 12:20:32 A.... 17 920 17,50 K

26 items found: 26 files (6 H/S), 0 directories.
Total of file sizes: 23 937 513 bytes 22,83 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
mcrh.tmp Wed 2005-10-26 12:21:18 A.... 143 0,14 K

1 item found: 1 file, 0 directories.
Total of file sizes: 143 bytes 0,14 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Win
Volume Serial Number is 5898-A5D9

Directory of C:\WINDOWS\System32

28.10.2005 12:53 236.847 en2ml1f11.dll
28.10.2005 12:49 162.233 ihhkj.ini
27.10.2005 14:55 161.893 ihhkj.bak2
27.10.2005 11:51 235.726 wpssvc.dll
27.10.2005 11:51 234.242 t88ulil918q.dll
26.10.2005 19:43 235.726 ljrmonui.dll
25.10.2005 21:59 28.173 pmnll.dll
25.10.2005 21:15 28.173 geeda.dll
05.10.2005 19:19 <DIR> dllcache
05.10.2005 18:39 <DIR> Microsoft
8 File(s) 1.323.013 bytes
2 Dir(s) 14.490.804.224 bytes free

*Edit* Managed to remove that icannnews; it took another reboot or two.
Here is the log of the scan:
********
13:01: | Start of Session, 28. október 2005 |
13:01: Spy Sweeper started
13:01: Sweep initiated using definitions version 564
13:01: Starting Memory Sweep
13:01: Found Adware: icannnews
13:01: Detected running threat: C:\WINDOWS\system32\hrp4057qe.dll (ID = 83)
13:02: Memory Sweep Complete, Elapsed Time: 00:01:09
13:02: Starting Registry Sweep
13:02: Registry Sweep Complete, Elapsed Time:00:00:07
13:02: Starting Cookie Sweep
13:02: Cookie Sweep Complete, Elapsed Time: 00:00:00
13:02: Starting File Sweep
13:03: File Sweep Complete, Elapsed Time: 00:00:51
13:03: Full Sweep has completed. Elapsed time 00:02:09
13:03: Traces Found: 1
13:04: Removal process initiated
13:04: Quarantining All Traces: icannnews
13:04: icannnews is in use. It will be removed on reboot.
13:04: C:\WINDOWS\system32\hrp4057qe.dll is in use. It will be removed on reboot.
13:04: Removal process completed. Elapsed time 00:00:25
********
12:53: | Start of Session, 28. október 2005 |
12:53: Spy Sweeper started
12:53: Sweep initiated using definitions version 564
12:53: Starting Memory Sweep
12:54: Found Adware: icannnews
12:54: Detected running threat: C:\WINDOWS\system32\hrp4057qe.dll (ID = 83)
12:54: Detected running threat: C:\WINDOWS\system32\lirhelp.dll (ID = 83)
12:55: Memory Sweep Complete, Elapsed Time: 00:01:11
12:55: Starting Registry Sweep
12:55: Registry Sweep Complete, Elapsed Time:00:00:07
12:55: Starting Cookie Sweep
12:55: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:55: Starting File Sweep
12:56: File Sweep Complete, Elapsed Time: 00:01:35
12:56: Full Sweep has completed. Elapsed time 00:02:56
12:56: Traces Found: 2
12:56: Removal process initiated
12:56: Quarantining All Traces: icannnews
12:56: icannnews is in use. It will be removed on reboot.
12:56: C:\WINDOWS\system32\hrp4057qe.dll is in use. It will be removed on reboot.
12:56: C:\WINDOWS\system32\lirhelp.dll is in use. It will be removed on reboot.
12:56: Warning: Launched explorer.exe
12:56: Warning: Quarantine process could not restart Explorer.
12:57: Removal process completed. Elapsed time 00:00:07
********
12:44: | Start of Session, 28. október 2005 |
12:44: Spy Sweeper started
12:44: Sweep initiated using definitions version 564
12:44: Starting Memory Sweep
12:44: Found Adware: virtumonde
12:44: Detected running threat: C:\WINDOWS\system32\jkhhi.dll (ID = 77)
12:44: Found Adware: icannnews
12:44: Detected running threat: C:\WINDOWS\system32\q668lgju16o8.dll (ID = 83)
12:45: Detected running threat: C:\WINDOWS\system32\nitmsg.dll (ID = 83)
12:46: Memory Sweep Complete, Elapsed Time: 00:02:00
12:46: Starting Registry Sweep
12:46: Found Adware: winantispyware 2005
12:46: HKCR\checkproduct2.checkproduct\ (5 subtraces) (ID = 527503)
12:46: HKCR\checkproduct2.checkproduct.1\ (3 subtraces) (ID = 527509)
12:46: HKCR\appid\checkproduct2.dll\ (1 subtraces) (ID = 527632)
12:46: HKCR\appid\{8c65aef6-e413-4314-815b-82717a3f1603}\ (1 subtraces) (ID = 527648)
12:46: HKCR\clsid\{c427b3e3-28dc-4001-9590-d99b6776119b}\ (15 subtraces) (ID = 527829)
12:46: HKCR\interface\{4f79d1c5-24f9-4e59-8022-604d4b41d5ca}\ (8 subtraces) (ID = 527937)
12:46: HKCR\typelib\{30ed49a5-ca6c-4918-b5f3-5e6818c91d8b}\ (9 subtraces) (ID = 528091)
12:46: HKLM\software\classes\checkproduct2.checkproduct\ (5 subtraces) (ID = 528199)
12:46: HKLM\software\classes\checkproduct2.checkproduct.1\ (3 subtraces) (ID = 528205)
12:46: HKLM\software\classes\appid\checkproduct2.dll\ (1 subtraces) (ID = 528341)
12:46: HKLM\software\classes\appid\{8c65aef6-e413-4314-815b-82717a3f1603}\ (1 subtraces) (ID = 528357)
12:46: HKLM\software\classes\clsid\{c427b3e3-28dc-4001-9590-d99b6776119b}\ (15 subtraces) (ID = 528538)
12:46: HKLM\software\classes\typelib\{30ed49a5-ca6c-4918-b5f3-5e6818c91d8b}\ (9 subtraces) (ID = 528800)
12:46: HKLM\software\classes\appid\{8c65aef6-e413-4314-815b-82717a3f1603}\ (1 subtraces) (ID = 543259)
12:46: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
12:46: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
12:46: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
12:46: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
12:46: HKCR\appid\{4d05a335-1a1c-46b3-bcff-7f25b326895c}\ (1 subtraces) (ID = 795173)
12:46: HKCR\clsid\{328ba26a-1619-47ee-a37d-7d7a6ab1b000}\ (12 subtraces) (ID = 795177)
12:46: HKCR\typelib\{4d05a335-1a1c-46b3-bcff-7f25b326895c}\ (9 subtraces) (ID = 795242)
12:46: HKLM\software\classes\appid\filecreationfilter.dll\ (1 subtraces) (ID = 795298)
12:46: HKLM\software\classes\appid\{4d05a335-1a1c-46b3-bcff-7f25b326895c}\ (1 subtraces) (ID = 795302)
12:46: HKLM\software\classes\clsid\{328ba26a-1619-47ee-a37d-7d7a6ab1b000}\ (12 subtraces) (ID = 795306)
12:46: HKLM\software\classes\typelib\{4d05a335-1a1c-46b3-bcff-7f25b326895c}\ (9 subtraces) (ID = 795371)
12:46: HKLM\system\currentcontrolset\control\class\{29ae0e04-08b8-4d2f-bfbe-83fb0ec73bb7}\ (3 subtraces) (ID = 795420)
12:46: Registry Sweep Complete, Elapsed Time:00:00:08
12:46: Starting Cookie Sweep
12:46: Found Spy Cookie: reliablestats cookie
12:46: administrator@stats1.reliablestats[2].txt (ID = 3254)
12:46: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:46: Starting File Sweep
12:46: c:\program files\common files\winsoftware (2 subtraces) (ID = -2147476682)
12:46: Found Adware: look2me
12:46: iconu.exe (ID = 65721)
12:46: icont.exe (ID = 65722)
12:46: bw2.com (ID = 65721)
12:46: appwrap[1].exe (ID = 65721)
12:46: appwrap[1].exe (ID = 65739)
12:46: appwrap[1].exe (ID = 65722)
12:47: pcheck.dll (ID = 146309)
12:47: wff.sys (ID = 150595)
12:47: File Sweep Complete, Elapsed Time: 00:01:44
12:47: Full Sweep has completed. Elapsed time 00:03:53
12:47: Traces Found: 182
12:48: Removal process initiated
12:49: Quarantining All Traces: look2me
12:49: Quarantining All Traces: icannnews
12:49: icannnews is in use. It will be removed on reboot.
12:49: C:\WINDOWS\system32\q668lgju16o8.dll is in use. It will be removed on reboot.
12:49: C:\WINDOWS\system32\nitmsg.dll is in use. It will be removed on reboot.
12:49: Quarantining All Traces: virtumonde
12:49: virtumonde is in use. It will be removed on reboot.
12:49: C:\WINDOWS\system32\jkhhi.dll is in use. It will be removed on reboot.
12:49: Quarantining All Traces: winantispyware 2005
12:49: Quarantining All Traces: reliablestats cookie
12:49: Preparing to restart your computer. Please wait...
12:49: Removal process completed. Elapsed time 00:01:06
********
12:42: | Start of Session, 28. október 2005 |
12:42: Spy Sweeper started
12:43: Your spyware definitions have been updated.
12:44: | End of Session, 28. október 2005 |
garruz
Active Member
 
Posts: 9
Joined: October 26th, 2005, 3:22 pm

Unread postby Jaswarbrick » October 30th, 2005, 10:47 am

I apologize for the delay.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note: Once the PC has restarted, if a log does not appear or the icons didn't disappear, run the "second.bat" located inside the L2mfix folder.

Save the log to the desktop.

Then run Spysweeper again and save the log to the desktop.

Then reboot and post the l2m #2 fix log, the spysweeper log, and a fresh Hijackthis log please.
Jaswarbrick
Regular Member
 
Posts: 219
Joined: September 24th, 2005, 12:59 pm

logs

Unread postby garruz » October 31st, 2005, 9:08 am

I was out of town, came back Sunday evening, so no problem :)

Here is the l2mfix log:
Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1724 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1768 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\en2ml1f11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ljrmonui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\t88ulil918q.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wpssvc.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\en2ml1f11.dll
Successfully Deleted: C:\WINDOWS\system32\en2ml1f11.dll
deleting: C:\WINDOWS\system32\ljrmonui.dll
Successfully Deleted: C:\WINDOWS\system32\ljrmonui.dll
deleting: C:\WINDOWS\system32\t88ulil918q.dll
Successfully Deleted: C:\WINDOWS\system32\t88ulil918q.dll
deleting: C:\WINDOWS\system32\wpssvc.dll
Successfully Deleted: C:\WINDOWS\system32\wpssvc.dll


Zipping up files for submission:
adding: en2ml1f11.dll (188 bytes security) (deflated 5%)
adding: ljrmonui.dll (188 bytes security) (deflated 5%)
adding: t88ulil918q.dll (188 bytes security) (deflated 4%)
adding: wpssvc.dll (188 bytes security) (deflated 5%)
adding: clear.reg (188 bytes security) (deflated 52%)
adding: itouch_config_crash_info.txt (188 bytes security) (stored 0%)
adding: itouch_crash_info.txt (188 bytes security) (deflated 77%)
adding: lo2.txt (188 bytes security) (deflated 69%)
adding: test.txt (188 bytes security) (deflated 55%)
adding: test2.txt (188 bytes security) (deflated 33%)
adding: test3.txt (188 bytes security) (deflated 33%)
adding: test5.txt (188 bytes security) (deflated 33%)
adding: Unlocker-log-handles.txt (188 bytes security) (deflated 94%)
adding: xfind.txt (188 bytes security) (deflated 49%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: en2ml1f11.dll
deleting local copy: ljrmonui.dll
deleting local copy: t88ulil918q.dll
deleting local copy: wpssvc.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhhi]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\jkhhi.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\en2ml1f11.dll
C:\WINDOWS\system32\ljrmonui.dll
C:\WINDOWS\system32\t88ulil918q.dll
C:\WINDOWS\system32\wpssvc.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{39576854-8B61-45BB-AF96-D07CFF00C271}"=-
"{A06BBD23-723D-418A-80E4-DC39101E9FB5}"=-
"{605673DF-53F0-4B54-ABE3-7ABB76E61DF5}"=-
"{6DC3D379-54B2-4342-87F6-2C6A4D238E65}"=-
[-HKEY_CLASSES_ROOT\CLSID\{39576854-8B61-45BB-AF96-D07CFF00C271}]
[-HKEY_CLASSES_ROOT\CLSID\{A06BBD23-723D-418A-80E4-DC39101E9FB5}]
[-HKEY_CLASSES_ROOT\CLSID\{605673DF-53F0-4B54-ABE3-7ABB76E61DF5}]
[-HKEY_CLASSES_ROOT\CLSID\{6DC3D379-54B2-4342-87F6-2C6A4D238E65}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Hjt Log:
Logfile of HijackThis v1.99.1
Scan saved at 13:07:45, on 31.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\VNC4\WinVNC4.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
G:\Programs\opera\Opera.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Azureus] G:\Programs\Azureus\Azureus.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0363959812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89DC6534-A366-4316-9036-8E71B667DE79}: NameServer = 192.168.1.1
O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RTT CRC Service (RTT_CRC_Service) - Unknown owner - C:\Program Files\R-Firewall\Service\RTT_CRC_Service.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Spysweeper log:
Nothing detected
garruz
Active Member
 
Posts: 9
Joined: October 26th, 2005, 3:22 pm
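The Winlogon Notify export in the log above is the kind of artifact worth being able to read mechanically: stock notification packages reference a bare DLL name (crypt32.dll, cscdll.dll, wlnotify.dll) and regedit writes REG_EXPAND_SZ values as hex(2) UTF-16LE byte lists, while the jkhhi entry points at an absolute path under system32 that HijackThis later reports as "file missing". The following is an added example, not code from the thread, L2MFix or HijackThis: it parses a regedit 5.00 export of the Notify key, decodes the hex(2) values, and flags packages whose DllName is an absolute path or is not in a small allowlist of stock XP notification DLLs. The sample export and the allowlist are constructed for illustration, and the allowlist is an assumption, so a legitimate third-party package such as WRLogonNTF.dll would also be reported for review.

```python
"""Parse a regedit 5.00 export of HKLM\\...\\Winlogon\\Notify and flag
notification packages that do not look like stock Windows components.

Added example: not from the thread or any tool it mentions. The sample
export is constructed to mirror the shape of the export in the thread.
"""
import re

# Constructed sample in the same format as the thread's export.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhhi]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\jkhhi.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"
'''

# Assumed allowlist: the stock Windows XP notification DLLs visible in the
# thread's export. Anything else deserves a manual look, not automatic removal.
STOCK_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
NOTIFY_MARKER = "\\winlogon\\notify\\"


def _logical_lines(text):
    """Rejoin values that regedit wrapped with a trailing backslash."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        out.append(pending + line)
        pending = ""
    if pending:
        out.append(pending)
    return out


def decode_value(raw):
    """Decode the regedit value syntaxes seen in a Notify export."""
    if raw.startswith('"') and raw.endswith('"'):
        # Quoted REG_SZ: regedit escapes backslashes and quotes.
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("1", "2"):  # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data  # REG_BINARY and other types: leave as bytes
    return raw


def parse_notify_export(text):
    """Return {subkey: {value_name_lowercase: decoded_value}} for Notify\\* keys."""
    packages, current = {}, None
    for line in _logical_lines(text):
        km = KEY_RE.match(line)
        if km:
            path = km.group(1)
            idx = path.lower().find(NOTIFY_MARKER)
            # The parent Notify key itself has no trailing subkey name; skip it.
            current = None if idx == -1 else packages.setdefault(
                path[idx + len(NOTIFY_MARKER):], {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            # The export spells the name both "DllName" and "DLLName".
            current[vm.group(1).lower()] = decode_value(vm.group(2))
    return packages


def suspicious_packages(packages):
    """Return (subkey, dllname, reason) for packages deviating from stock XP."""
    findings = []
    for name, values in packages.items():
        dll = values.get("dllname")
        if not isinstance(dll, str) or not dll:
            findings.append((name, dll, "no usable DllName value"))
        elif "\\" in dll or ":" in dll:
            findings.append((name, dll, "absolute path; stock entries use a bare DLL name"))
        elif dll.lower() not in STOCK_NOTIFY_DLLS:
            findings.append((name, dll, "not in the stock XP notification DLL allowlist"))
    return findings


if __name__ == "__main__":
    for subkey, dll, reason in suspicious_packages(parse_notify_export(SAMPLE_EXPORT)):
        print(f"{subkey}: {dll!r} -> {reason}")
```

On a live system the same parser can be pointed at the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`; a flagged entry whose DLL no longer exists on disk (the "file missing" case HijackThis reports) is the leftover registration that the thread's later steps clean up.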

Unread postby Jaswarbrick » November 2nd, 2005, 12:23 pm

Hi, sorry for the delay; my modem stopped working, so I had to wait for my ISP to send a new one. Again, I apologize for the delay. :oops:
Jaswarbrick
Regular Member
 
Posts: 219
Joined: September 24th, 2005, 12:59 pm

Unread postby garruz » November 2nd, 2005, 5:44 pm

Modem stopped working, I feel sorry for you; my ISP gave me two crap routers that crashed frequently, but the third is working perfectly :)
And I haven't been waiting that long, and my computer is working faster thanks to you and your "guru" :) so I'll wait as long as I have to to get you to help me (as long as I don't have to wait more than a week or two :P)
garruz
Active Member
 
Posts: 9
Joined: October 26th, 2005, 3:22 pm

Unread postby Nellie2 » November 13th, 2005, 3:33 pm

garruz, I'm so sorry for the delay... Jaswarbrick has lost his connection completely it seems. Could you post a fresh hijack log please and then we'll take it from there.
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK

Unread postby garruz » November 13th, 2005, 8:59 pm

Too bad he lost his connection. My computer is working much better after he helped me, but anyway, here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 01:03:13, on 14.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\D-Tools\daemon.exe
G:\Programs\mIRC\mirc.exe
G:\Programs\Azureus\Azureus.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\games\steam\steam.exe
G:\Programs\ServerDoc\serverdoc.exe
C:\Apache\Apache2\bin\ApacheMonitor.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe
G:\Programs\Ventrilo 2.1.2 Server\ventrilo_srv.exe
C:\Apache\Apache2\bin\Apache.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Apache\Apache2\bin\Apache.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\VNC4\WinVNC4.exe
G:\Programs\Ventrilo\Ventrilo.exe
g:\programs\winamp\winamp.exe
G:\Programs\opera\Opera.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Azureus] G:\Programs\Azureus\Azureus.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Ventrilo serverdoc] G:\Programs\ServerDoc\serverdoc.exe G:\Programs\Ventrilo 2.1.2 Server\ventrilo_srv.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache\Apache2\bin\ApacheMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0363959812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89DC6534-A366-4316-9036-8E71B667DE79}: NameServer = 192.168.1.1
O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Apache\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RTT CRC Service (RTT_CRC_Service) - Unknown owner - C:\Program Files\R-Firewall\Service\RTT_CRC_Service.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

I haven't noticed anything going wrong recently, so I think there shouldn't be much of a problem here, if any :)
garruz
Active Member
 
Posts: 9
Joined: October 26th, 2005, 3:22 pm

Unread postby Nellie2 » November 14th, 2005, 4:35 pm

  1. Please download the Killbox.
  2. Unzip it to the desktop but do NOT run it yet.
  3. Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  4. Once in Safe Mode, please run Killbox.
  5. Click "Delete on Reboot".
  6. Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\jkhhi.dll
  7. Click the red-and-white "Delete File".
  8. Click "Yes" at the Delete on Reboot prompt.
  9. Click "No" at the Pending Operations prompt.


Then open notepad and copy the contents of the quote box below and 'Save as'
Type - all files
File name - fixme.reg

Save this file to your desktop.

Double click on fixme.reg and allow it to merge with the registry.

Reboot once more

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. Copy the contents of the log that is generated and paste it into this thread, along with a fresh hijack log.
Do not run any of the other options.
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK