ABI Aurora infection--Pls help with my scan logs


Post by GeniusMagic » June 20th, 2005, 11:43 pm

Hi,

I am new to this site.

My laptop has been infected by ABI Aurora spyware and it keeps throwing up thousands of annoying pop-ups besides doing a lot of stupid things (the System Shutdown box appears and disappears on its own, IE windows get closed on their own, etc.).

I scanned through a lot of existing posts and did the following:

1. Downloaded Hoster.exe and restored the original hosts file
2. Installed HijackThis, Nailfix and the Ewido setup suite
3. Booted in safe mode and ran nailfix.cmd
4. Ran the ewido scan... it caught a lot of infected files and cleaned them
5. Ran HijackThis and saved the log
6. Rebooted the system in normal mode, ran HijackThis again and saved the log.

Initially it appeared that the condition had improved and there were few pop-ups, but after a few reboots I'm facing a similar problem again, although to a lesser extent than before. I have the Ewido security suite active guard tool running and it keeps on catching infected files and prompting me to clean them. I say yes to it but there seems to be no end to it.

Following are the ewido scan results:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:46:47 PM, 6/20/2005
+ Report-Checksum: 7DD478EA

+ Date of database: 6/20/2005
+ Version of scan engine: v3.0

+ Duration: 31 min
+ Scanned Files: 75224
+ Speed: 40.37 Files/Second
+ Infected files: 43
+ Removed files: 43
+ Files put in quarantine: 43
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\installer_MARKETING14.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\WINDOWS\system32\asms.exe -> TrojanDropper.Agent.kd -> Cleaned with backup
C:\WINDOWS\system32\auto_update_uninstall.exe -> Spyware.Apropos -> Cleaned with backup
C:\WINDOWS\system32\bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINDOWS\system32\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\WINDOWS\system32\eliteaer32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitejxa32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\eliteohy32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\eliteutp32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\WINDOWS\system32\exdl.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\exdl1.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\exdl2.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\exdl3.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\exul1.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\exul3.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\ide21201.vxd -> Spyware.MediaPass -> Cleaned with backup
C:\WINDOWS\system32\instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\WINDOWS\system32\javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\kmupu.dll -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\system32\mqexdlm.srg -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINDOWS\system32\namrmbx.exe -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\system32\nso52.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINDOWS\system32\PopOops.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\WINDOWS\system32\PopOops2.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINDOWS\system32\SWLAD1.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\WINDOWS\system32\SWLAD2.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\uci.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\WINDOWS\system32\UPD\cxstuaxndu.dll -> Spyware.SmartPops -> Cleaned with backup
C:\WINDOWS\system32\UPD\cxstuaxndu.exe -> Spyware.SmartPops -> Cleaned with backup
C:\WINDOWS\system32\wrapperouter.exe -> TrojanDropper.Agent.hl -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\Temp\Cookies\administrator@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\Temp\Cookies\administrator@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\Temp\LeisureBoxInst_ppi1.exe -> TrojanDownloader.VB.ft -> Cleaned with backup
C:\WINDOWS\wtmvajll.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup


::Report End


Here are the HijackThis results after booting in normal mode:

Logfile of HijackThis v1.99.1
Scan saved at 9:54:26 PM, on 6/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.248.208.1
R3 - Default URLSearchHook is missing
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll (file missing)
O2 - BHO: (no name) - {C370527A-24A7-4583-BE01-72E59000EB17} - C:\WINDOWS\system32\n.dll (file missing)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [a0q5RiKpT] w32log.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://hindi.india-today.com/tdserver.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/downl ... TING14.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {95EEE69E-27B4-4D13-BD32-766617A16909} (NDTVVideo.MPlayer) - http://www.ndtv.com/video/NDTVseekvideo.CAB
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0008.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.infosys.com
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\kgdur.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe

Please help me out and suggest some remedies. I shall be grateful.

Regards,

GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Post by 'KotaGuy » June 21st, 2005, 4:24 pm

Hi GeniusMagic. I'm 'KotaGuy. Welcome to Malware Removal!

You've done well so far... still some things that need to be cleaned up though.

Download L2MFix.

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Post by GeniusMagic » June 21st, 2005, 11:39 pm

Hi KotaGuy,

Thank you for your reply. You guys are doing an amazing job here.
I did what you said. However, after I selected option #1 (for Run Find Log) and pressed Enter, it came up with an error message that read:

16 bit MS-DOS Subsystem

C:\Windows\system32\cmd.exe
C:\windows\system32\Autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose Close to terminate the application.


After I hit Close or Ignore, it came up with a report. I don't know if it helps, but I am pasting the report here:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kgdur.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F4F64377-AE4A-FE5C-5221-8F9157CC5C06}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{87BA2167-DAA8-4E59-BF46-4AC8883BB21E}"=""
"{3C42408B-350A-456D-88EC-51ABF5E66162}"=""
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{87BA2167-DAA8-4E59-BF46-4AC8883BB21E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87BA2167-DAA8-4E59-BF46-4AC8883BB21E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87BA2167-DAA8-4E59-BF46-4AC8883BB21E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87BA2167-DAA8-4E59-BF46-4AC8883BB21E}\InprocServer32]
@="C:\\WINDOWS\\system32\\plgfilt.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3C42408B-350A-456D-88EC-51ABF5E66162}]
@=""
"IDEx"="ST004"

[HKEY_CLASSES_ROOT\CLSID\{3C42408B-350A-456D-88EC-51ABF5E66162}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C42408B-350A-456D-88EC-51ABF5E66162}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C42408B-350A-456D-88EC-51ABF5E66162}\InprocServer32]
@="C:\\WINDOWS\\system32\\wocsvc.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C is S3A1979D001
Volume Serial Number is 2436-CFF5

Directory of C:\WINDOWS\System32

06/21/2005 10:51 PM 417,792 plgfilt.dll
06/20/2005 11:34 PM 417,792 kedru.dll
06/20/2005 09:52 PM 417,792 pbrfts.dll
06/20/2005 08:25 PM 417,792 aosldpc.dll
06/20/2005 08:15 PM 417,792 kgdur.dll
06/20/2005 08:04 PM 417,792 sdeio.dll
06/20/2005 07:48 PM 417,792 iddkcs32.dll
06/20/2005 07:39 PM 417,792 vms_ps.dll
06/20/2005 06:39 PM 417,792 nqxpnt.dll
06/19/2005 09:08 AM 417,792 wppencen.dll
06/19/2005 08:52 AM 417,792 mvdemui.dll
06/19/2005 08:47 AM 417,792 PkpOops2.dll
06/19/2005 08:11 AM 417,792 dzscript.dll
06/18/2005 11:56 PM 417,792 ipm32.dll
06/18/2005 05:33 PM 417,792 mxhtmled.dll
06/18/2005 05:14 PM 417,792 nutui1.dll
06/18/2005 03:03 PM 417,792 guard.tmp
06/18/2005 02:48 PM 417,792 wocsvc.dll
06/18/2005 02:36 PM 417,792 bzowselc.dll
04/10/2005 10:30 AM <DIR> dllcache
09/15/2004 01:11 AM <DIR> Microsoft
08/12/2004 12:44 PM 5,120 Thumbs.db
20 File(s) 7,943,168 bytes
2 Dir(s) 5,748,461,568 bytes free


Let me also mention that whenever I start my laptop, I get an error message like:
Toshiba : A Fatal error has occurred. This program will be terminated. code: 0x2.

It started the day I started getting these pop-ups.

Please guide me.
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm
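The L2MFix find log above shows the two signs a helper looks for in this kind of infection: a Winlogon\Notify subkey whose DllName points at a freshly created DLL in system32, and a run of DLLs that all share the exact same 417,792-byte size. The Python below is an added triage example, not part of this thread or of the L2MFix tool; it parses that find-log layout and cross-references the two signs. The stock-subkey list KNOWN_NOTIFY, the MIN_CLUSTER threshold and the constructed SAMPLE_LOG are assumptions, not data from the page.

```python
"""Triage an L2MFix find log for the persistence pattern seen in this thread.
Added example (not from the thread or from L2MFix); KNOWN_NOTIFY, MIN_CLUSTER
and SAMPLE_LOG are assumptions, not page data."""
import re
from collections import defaultdict

# Winlogon\Notify subkeys that ship with Windows XP (assumption).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
MIN_CLUSTER = 3  # identical-size files in system32 needed to call it a run (assumption)

NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\]]+)\]$", re.IGNORECASE)
DLLNAME = re.compile(r'^"DllName"="(.*)"$')
# Matches "06/20/2005 08:15 PM 417,792 kgdur.dll"; <DIR> and summary lines do not.
DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2} [AP]M) ([\d,]+) (\S+)$")

# Constructed sample in the same layout as the find logs posted in this thread.
SAMPLE_LOG = r"""
Winlogon/notify:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
"DllName"="C:\\WINDOWS\\system32\\kgdur.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

Directory Listing of system files:
 Directory of C:\WINDOWS\System32

06/21/2005 10:51 PM 417,792 plgfilt.dll
06/20/2005 08:15 PM 417,792 kgdur.dll
06/20/2005 08:04 PM 417,792 sdeio.dll
06/18/2005 02:48 PM 417,792 wocsvc.dll
04/10/2005 10:30 AM <DIR> dllcache
08/12/2004 12:44 PM 5,120 Thumbs.db
20 File(s) 7,943,168 bytes
"""


def parse_notify_dlls(log):
    """Map each Winlogon Notify subkey to its DllName (empty DllNames skipped)."""
    found, current = {}, None
    for line in log.splitlines():
        key = NOTIFY_KEY.match(line)
        if key:
            current = key.group(1)
            continue
        if line.startswith("["):  # any other registry key ends the current block
            current = None
            continue
        dll = DLLNAME.match(line)
        if dll and current and dll.group(1):
            found[current] = dll.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return found


def parse_listing(log):
    """Return [(name, size_in_bytes, 'mm/dd/yyyy hh:mm AM')] from the dir listing."""
    files = []
    for line in log.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            files.append((m.group(4), int(m.group(3).replace(",", "")),
                          f"{m.group(1)} {m.group(2)}"))
    return files


def size_clusters(files, min_count=MIN_CLUSTER):
    """Group files by exact size; keep only sizes shared by min_count or more."""
    by_size = defaultdict(list)
    for name, size, _ in files:
        by_size[size].append(name)
    return {size: names for size, names in by_size.items() if len(names) >= min_count}


def triage(log, min_count=MIN_CLUSTER):
    """Flag Notify DLLs that are non-stock and/or part of a same-size run."""
    clusters = size_clusters(parse_listing(log), min_count)
    clustered = {n.lower() for names in clusters.values() for n in names}
    findings = []
    for subkey, dll in parse_notify_dlls(log).items():
        reasons = []
        if subkey not in KNOWN_NOTIFY:
            reasons.append("not a stock Winlogon\\Notify subkey")
        if dll.rsplit("\\", 1)[-1].lower() in clustered:
            reasons.append("DLL is one of a run of identical-size files")
        if reasons:
            findings.append((subkey, dll, reasons))
    return {"notify_findings": findings, "size_clusters": clusters}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for subkey, dll, reasons in report["notify_findings"]:
        print(f"Notify\\{subkey} -> {dll}: {'; '.join(reasons)}")
    for size, names in report["size_clusters"].items():
        print(f"{len(names)} files of {size:,} bytes: {', '.join(names)}")
```

Paste a real find log into SAMPLE_LOG (or read it from a file) and the same two checks apply; a hit on both reasons for one subkey is the strongest signal.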

Post by 'KotaGuy » June 22nd, 2005, 1:51 am

OK... not sure if that worked because of the error.

Do this to try and fix the error. Copy cmd.exe and autoexec.nt from the C:\Windows\repair folder to the C:\Windows\System32 folder.

Overwrite the files if asked.

Try the previous steps for running L2MFix again and post the log please.

Thanks!
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Post by GeniusMagic » June 22nd, 2005, 8:31 pm

Hi KotaGuy,

I copied autoexec.nt from C:\windows\repair to C:\windows\system32. I couldn't find cmd.exe in my c:\windows\repair. It was already there in c:\windows\system32.

After copying autoexec.nt, I ran L2MFix and selected option #1. It scanned the system for about 5-10 seconds and then there was a brief message on the console that read something like "Could not find...". I couldn't even read the whole thing as it lasted for only a split second, and then Notepad popped up with the report.

I don't know if it worked correctly this time, but there was not any error message box like last time. I am pasting the report below.

I noticed that there is an option 5 in the L2MFix tool which is "Fix autoexec.nt/cmd.exe error". Shouldn't I be running this first?

My PC is in quite a bad shape. Some of the annoying symptoms:
1. The IE window automatically disappears. Like I am writing this and I am about to submit, and all of a sudden the whole window disappears.

2. The System shutdown box appears from nowhere and disappears on its own.

3. When I boot my PC I get a couple of errors like "Toshiba : A Fatal error has occurred. This program will be terminated. code: 0x2". It started the day I started getting these pop-ups.

4. Ewido security suite active guard keeps on catching infected files and asking me what I would like to do with them. When I say clean, it asks me to reboot the PC to perform the clean. The same cycle continues when I reboot.

5. Not to mention loads of annoying pop-ups. I sure need some help.

Anyway here is the report:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDlls]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kgdur.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D99F8884-B41B-BC28-72FB-0AB2DF65F14C}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{87BA2167-DAA8-4E59-BF46-4AC8883BB21E}"=""
"{3C42408B-350A-456D-88EC-51ABF5E66162}"=""
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{87BA2167-DAA8-4E59-BF46-4AC8883BB21E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87BA2167-DAA8-4E59-BF46-4AC8883BB21E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87BA2167-DAA8-4E59-BF46-4AC8883BB21E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{87BA2167-DAA8-4E59-BF46-4AC8883BB21E}\InprocServer32]
@="C:\\WINDOWS\\system32\\ubrfaxa.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3C42408B-350A-456D-88EC-51ABF5E66162}]
@=""
"IDEx"="ST004"

[HKEY_CLASSES_ROOT\CLSID\{3C42408B-350A-456D-88EC-51ABF5E66162}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C42408B-350A-456D-88EC-51ABF5E66162}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C42408B-350A-456D-88EC-51ABF5E66162}\InprocServer32]
@="C:\\WINDOWS\\system32\\wocsvc.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
aosldpc.dll Mon Jun 20 2005 8:25:48p ..S.R 417,792 408.00 K
azrtl30.dll Sat Jun 18 2005 2:36:12p ..... 417,792 408.00 K
browseui.dll Tue May 3 2005 2:22:34a A.... 1,019,904 996.00 K
bzowselc.dll Sat Jun 18 2005 2:36:12p ..S.R 417,792 408.00 K
cdfview.dll Tue May 3 2005 2:22:34a A.... 151,040 147.50 K
dzscript.dll Sun Jun 19 2005 8:11:30a ..S.R 417,792 408.00 K
hhsetup.dll Fri May 27 2005 7:34:28a A.... 41,472 40.50 K
iddkcs32.dll Mon Jun 20 2005 7:48:42p ..S.R 417,792 408.00 K
iepeers.dll Tue May 3 2005 2:22:34a A.... 250,880 245.00 K
inseng.dll Tue May 3 2005 2:22:34a A.... 96,256 94.00 K
ipm32.dll Sat Jun 18 2005 11:56:48p ..S.R 417,792 408.00 K
itircl.dll Fri May 27 2005 7:34:28a A.... 155,136 151.50 K
itss.dll Fri May 27 2005 7:34:28a A.... 137,216 134.00 K
kedru.dll Mon Jun 20 2005 11:34:34p ..S.R 417,792 408.00 K
kgdur.dll Mon Jun 20 2005 8:15:40p ..S.R 417,792 408.00 K
mshtml.dll Tue May 3 2005 2:22:36a A.... 3,012,608 2.87 M
mshtmled.dll Tue May 3 2005 2:22:36a A.... 448,512 438.00 K
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
msrating.dll Tue May 3 2005 2:22:36a A.... 146,432 143.00 K
multus40.dll Wed Jun 22 2005 6:53:40p ..S.R 417,792 408.00 K
mvdemui.dll Sun Jun 19 2005 8:52:16a ..S.R 417,792 408.00 K
mxhtmled.dll Sat Jun 18 2005 5:33:04p ..S.R 417,792 408.00 K
nqxpnt.dll Mon Jun 20 2005 6:39:12p ..S.R 417,792 408.00 K
nutui1.dll Sat Jun 18 2005 5:14:14p ..S.R 417,792 408.00 K
pbrfts.dll Mon Jun 20 2005 9:52:50p ..S.R 417,792 408.00 K
pkioiry.dll Sat Jun 18 2005 9:57:08a A.... 27,648 27.00 K
pkpoops2.dll Sun Jun 19 2005 8:47:10a ..S.R 417,792 408.00 K
pncrt.dll Tue May 10 2005 9:49:54p A.... 278,528 272.00 K
pndx5016.dll Tue May 10 2005 9:49:54p A.... 6,656 6.50 K
pndx5032.dll Tue May 10 2005 9:49:54p A.... 5,632 5.50 K
pngfilt.dll Tue May 3 2005 2:22:36a A.... 39,424 38.50 K
rmoc3260.dll Tue May 10 2005 9:50:02p A.... 176,167 172.04 K
sdeio.dll Mon Jun 20 2005 8:04:52p ..S.R 417,792 408.00 K
shdocvw.dll Tue May 3 2005 2:22:36a A.... 1,483,776 1.41 M
shfrcdlg.dll Wed Jun 22 2005 6:55:06p ..S.R 417,792 408.00 K
shlwapi.dll Tue May 3 2005 2:22:36a A.... 473,600 462.50 K
ubrfaxa.dll Wed Jun 22 2005 7:34:56p ..S.R 417,792 408.00 K
urlmon.dll Tue May 3 2005 2:22:36a A.... 607,744 593.50 K
vms_ps.dll Mon Jun 20 2005 7:39:40p ..S.R 417,792 408.00 K
wininet.dll Tue May 3 2005 2:22:36a A.... 657,920 642.50 K
wksqs.dll Sat Jun 18 2005 9:57:08a A.... 9,728 9.50 K
wocsvc.dll Sat Jun 18 2005 2:48:56p ..S.R 417,792 408.00 K
wppencen.dll Sun Jun 19 2005 9:08:26a ..S.R 417,792 408.00 K
wwbhits.dll Mon Jun 20 2005 7:46:18p A.... 417,792 408.00 K
xpsp3res.dll Tue May 17 2005 5:55:36a ..... 15,360 15.00 K

45 items found: 45 files (20 H/S), 0 directories.
Total of file sizes: 21,323,303 bytes 20.33 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sat Jun 18 2005 3:03:20p ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is S3A1979D001
Volume Serial Number is 2436-CFF5

Directory of C:\WINDOWS\System32

06/22/2005 07:34 PM 417,792 ubrfaxa.dll
06/22/2005 06:55 PM 417,792 sHfrcdlg.dll
06/22/2005 06:53 PM 417,792 multus40.dll
06/20/2005 11:34 PM 417,792 kedru.dll
06/20/2005 09:52 PM 417,792 pbrfts.dll
06/20/2005 08:25 PM 417,792 aosldpc.dll
06/20/2005 08:15 PM 417,792 kgdur.dll
06/20/2005 08:04 PM 417,792 sdeio.dll
06/20/2005 07:48 PM 417,792 iddkcs32.dll
06/20/2005 07:39 PM 417,792 vms_ps.dll
06/20/2005 06:39 PM 417,792 nqxpnt.dll
06/19/2005 09:08 AM 417,792 wppencen.dll
06/19/2005 08:52 AM 417,792 mvdemui.dll
06/19/2005 08:47 AM 417,792 PkpOops2.dll
06/19/2005 08:11 AM 417,792 dzscript.dll
06/18/2005 11:56 PM 417,792 ipm32.dll
06/18/2005 05:33 PM 417,792 mxhtmled.dll
06/18/2005 05:14 PM 417,792 nutui1.dll
06/18/2005 03:03 PM 417,792 guard.tmp
06/18/2005 02:48 PM 417,792 wocsvc.dll
06/18/2005 02:36 PM 417,792 bzowselc.dll
04/10/2005 10:30 AM <DIR> dllcache
09/15/2004 01:11 AM <DIR> Microsoft
08/12/2004 12:44 PM 5,120 Thumbs.db
22 File(s) 8,778,752 bytes
2 Dir(s) 5,741,887,488 bytes free
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm
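As an added example (not part of the original post and not code from the l2mfix tool), here is a small Python triage pass over the "Files Found" listing format above. It parses one line per file (name, weekday, date, 12-hour time with a/p suffix, five attribute columns, byte size, K/M size) and then flags entries that carry both the S and R attribute flags, that share one byte size with several other files, or whose timestamp falls within a week of the newest entry in the listing. The sample lines are a subset copied from the listing; the reason tags, the cluster threshold and the seven-day window are my own choices, and a flag means "look closer", not "malicious".

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: a subset of the "Files Found" lines from the listing above,
# in the same one-line-per-file format (name, weekday, date, time with a/p,
# five attribute columns, size in bytes, size in K/M).
SAMPLE_LISTING = """\
aosldpc.dll Mon Jun 20 2005 8:25:48p ..S.R 417,792 408.00 K
azrtl30.dll Sat Jun 18 2005 2:36:12p ..... 417,792 408.00 K
browseui.dll Tue May 3 2005 2:22:34a A.... 1,019,904 996.00 K
bzowselc.dll Sat Jun 18 2005 2:36:12p ..S.R 417,792 408.00 K
cdfview.dll Tue May 3 2005 2:22:34a A.... 151,040 147.50 K
kedru.dll Mon Jun 20 2005 11:34:34p ..S.R 417,792 408.00 K
pkioiry.dll Sat Jun 18 2005 9:57:08a A.... 27,648 27.00 K
wwbhits.dll Mon Jun 20 2005 7:46:18p A.... 417,792 408.00 K
xpsp3res.dll Tue May 17 2005 5:55:36a ..... 15,360 15.00 K
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<dow>[A-Za-z]{3}) (?P<mon>[A-Za-z]{3}) (?P<day>\d{1,2}) (?P<year>\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2})(?P<ampm>[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>[\d,]+)\s+"
    r"[\d.]+ [KM]$"
)

# Reason tags (my own naming, not l2mfix's).
HIDDEN_RO = "hidden_system_readonly"   # S and R flags set: self-protecting droppers do this
SIZE_CLUSTER = "size_cluster"          # many files sharing one identical byte size
RECENT = "recent"                      # written within a week of the newest entry


def parse_listing(text):
    """Return one dict per parsable line; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        ampm = "AM" if d["ampm"] == "a" else "PM"
        when = datetime.strptime(
            f"{d['mon']} {d['day']} {d['year']} {d['time']} {ampm}",
            "%b %d %Y %I:%M:%S %p",
        )
        entries.append({
            "name": d["name"],
            "when": when,
            "attrs": d["attrs"],
            "size": int(d["size"].replace(",", "")),
        })
    return entries


def suspicious_files(text, min_cluster=3, recent_days=7):
    """Map file name -> list of reason tags for every entry that trips a rule."""
    entries = parse_listing(text)
    if not entries:
        return {}
    by_size = defaultdict(list)
    for e in entries:
        by_size[e["size"]].append(e["name"])
    newest = max(e["when"] for e in entries)

    findings = {}
    for e in entries:
        reasons = []
        if "S" in e["attrs"] and "R" in e["attrs"]:
            reasons.append(HIDDEN_RO)
        if len(by_size[e["size"]]) >= min_cluster:
            reasons.append(SIZE_CLUSTER)
        if (newest - e["when"]).days < recent_days:
            reasons.append(RECENT)
        if reasons:
            findings[e["name"]] = reasons
    return findings


def ranked(findings):
    """Names ordered by number of reasons (most suspicious first), then by name."""
    return sorted(findings, key=lambda n: (-len(findings[n]), n))


if __name__ == "__main__":
    hits = suspicious_files(SAMPLE_LISTING)
    for name in ranked(hits):
        print(f"{name:14} {', '.join(hits[name])}")
```

On the sample the three ..S.R files rank first with all three reasons, the two other 417,792-byte files follow, and pkioiry.dll trips only the recency rule; the Microsoft components from May trip nothing.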

Post by 'KotaGuy » June 22nd, 2005, 8:58 pm

Thanks for posting the log!

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Post by GeniusMagic » June 22nd, 2005, 9:18 pm

Hey KotaGuy,

Did what you said. Here is the L2MFix log:

L2Mfix 1.03

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Administrator\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2032 'explorer.exe'
Killing PID 2032 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 612 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\aosldpc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aosldpc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\azrtl30.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\azrtl30.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bzowselc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\bzowselc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dzscript.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dzscript.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iddkcs32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iddkcs32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ipm32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ipm32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kedru.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kedru.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kgdur.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kgdur.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\multus40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\multus40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvdemui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvdemui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mxhtmled.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mxhtmled.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nqxpnt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nqxpnt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nutui1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nutui1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pbrfts.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pbrfts.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\PkpOops2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\PkpOops2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\reoc3260.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\reoc3260.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rRsmontr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rRsmontr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sdeio.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sdeio.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sHfrcdlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sHfrcdlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vms_ps.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vms_ps.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wocsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wocsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wppencen.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wppencen.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wwbhits.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wwbhits.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\aosldpc.dll
Successfully Deleted: C:\WINDOWS\system32\aosldpc.dll
deleting: C:\WINDOWS\system32\aosldpc.dll
Successfully Deleted: C:\WINDOWS\system32\aosldpc.dll
deleting: C:\WINDOWS\system32\azrtl30.dll
Successfully Deleted: C:\WINDOWS\system32\azrtl30.dll
deleting: C:\WINDOWS\system32\azrtl30.dll
Successfully Deleted: C:\WINDOWS\system32\azrtl30.dll
deleting: C:\WINDOWS\system32\bzowselc.dll
Successfully Deleted: C:\WINDOWS\system32\bzowselc.dll
deleting: C:\WINDOWS\system32\bzowselc.dll
Successfully Deleted: C:\WINDOWS\system32\bzowselc.dll
deleting: C:\WINDOWS\system32\dzscript.dll
Successfully Deleted: C:\WINDOWS\system32\dzscript.dll
deleting: C:\WINDOWS\system32\dzscript.dll
Successfully Deleted: C:\WINDOWS\system32\dzscript.dll
deleting: C:\WINDOWS\system32\iddkcs32.dll
Successfully Deleted: C:\WINDOWS\system32\iddkcs32.dll
deleting: C:\WINDOWS\system32\iddkcs32.dll
Successfully Deleted: C:\WINDOWS\system32\iddkcs32.dll
deleting: C:\WINDOWS\system32\ipm32.dll
Successfully Deleted: C:\WINDOWS\system32\ipm32.dll
deleting: C:\WINDOWS\system32\ipm32.dll
Successfully Deleted: C:\WINDOWS\system32\ipm32.dll
deleting: C:\WINDOWS\system32\kedru.dll
Successfully Deleted: C:\WINDOWS\system32\kedru.dll
deleting: C:\WINDOWS\system32\kedru.dll
Successfully Deleted: C:\WINDOWS\system32\kedru.dll
deleting: C:\WINDOWS\system32\kgdur.dll
Successfully Deleted: C:\WINDOWS\system32\kgdur.dll
deleting: C:\WINDOWS\system32\kgdur.dll
Successfully Deleted: C:\WINDOWS\system32\kgdur.dll
deleting: C:\WINDOWS\system32\multus40.dll
Successfully Deleted: C:\WINDOWS\system32\multus40.dll
deleting: C:\WINDOWS\system32\multus40.dll
Successfully Deleted: C:\WINDOWS\system32\multus40.dll
deleting: C:\WINDOWS\system32\mvdemui.dll
Successfully Deleted: C:\WINDOWS\system32\mvdemui.dll
deleting: C:\WINDOWS\system32\mvdemui.dll
Successfully Deleted: C:\WINDOWS\system32\mvdemui.dll
deleting: C:\WINDOWS\system32\mxhtmled.dll
Successfully Deleted: C:\WINDOWS\system32\mxhtmled.dll
deleting: C:\WINDOWS\system32\mxhtmled.dll
Successfully Deleted: C:\WINDOWS\system32\mxhtmled.dll
deleting: C:\WINDOWS\system32\nqxpnt.dll
Successfully Deleted: C:\WINDOWS\system32\nqxpnt.dll
deleting: C:\WINDOWS\system32\nqxpnt.dll
Successfully Deleted: C:\WINDOWS\system32\nqxpnt.dll
deleting: C:\WINDOWS\system32\nutui1.dll
Successfully Deleted: C:\WINDOWS\system32\nutui1.dll
deleting: C:\WINDOWS\system32\nutui1.dll
Successfully Deleted: C:\WINDOWS\system32\nutui1.dll
deleting: C:\WINDOWS\system32\pbrfts.dll
Successfully Deleted: C:\WINDOWS\system32\pbrfts.dll
deleting: C:\WINDOWS\system32\pbrfts.dll
Successfully Deleted: C:\WINDOWS\system32\pbrfts.dll
deleting: C:\WINDOWS\system32\PkpOops2.dll
Successfully Deleted: C:\WINDOWS\system32\PkpOops2.dll
deleting: C:\WINDOWS\system32\PkpOops2.dll
Successfully Deleted: C:\WINDOWS\system32\PkpOops2.dll
deleting: C:\WINDOWS\system32\reoc3260.dll
Successfully Deleted: C:\WINDOWS\system32\reoc3260.dll
deleting: C:\WINDOWS\system32\reoc3260.dll
Successfully Deleted: C:\WINDOWS\system32\reoc3260.dll
deleting: C:\WINDOWS\system32\rRsmontr.dll
Successfully Deleted: C:\WINDOWS\system32\rRsmontr.dll
deleting: C:\WINDOWS\system32\rRsmontr.dll
Successfully Deleted: C:\WINDOWS\system32\rRsmontr.dll
deleting: C:\WINDOWS\system32\sdeio.dll
Successfully Deleted: C:\WINDOWS\system32\sdeio.dll
deleting: C:\WINDOWS\system32\sdeio.dll
Successfully Deleted: C:\WINDOWS\system32\sdeio.dll
deleting: C:\WINDOWS\system32\sHfrcdlg.dll
Successfully Deleted: C:\WINDOWS\system32\sHfrcdlg.dll
deleting: C:\WINDOWS\system32\sHfrcdlg.dll
Successfully Deleted: C:\WINDOWS\system32\sHfrcdlg.dll
deleting: C:\WINDOWS\system32\vms_ps.dll
Successfully Deleted: C:\WINDOWS\system32\vms_ps.dll
deleting: C:\WINDOWS\system32\vms_ps.dll
Successfully Deleted: C:\WINDOWS\system32\vms_ps.dll
deleting: C:\WINDOWS\system32\wocsvc.dll
Successfully Deleted: C:\WINDOWS\system32\wocsvc.dll
deleting: C:\WINDOWS\system32\wocsvc.dll
Successfully Deleted: C:\WINDOWS\system32\wocsvc.dll
deleting: C:\WINDOWS\system32\wppencen.dll
Successfully Deleted: C:\WINDOWS\system32\wppencen.dll
deleting: C:\WINDOWS\system32\wppencen.dll
Successfully Deleted: C:\WINDOWS\system32\wppencen.dll
deleting: C:\WINDOWS\system32\wwbhits.dll
Successfully Deleted: C:\WINDOWS\system32\wwbhits.dll
deleting: C:\WINDOWS\system32\wwbhits.dll
Successfully Deleted: C:\WINDOWS\system32\wwbhits.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: aosldpc.dll (164 bytes security) (deflated 48%)
adding: azrtl30.dll (164 bytes security) (deflated 48%)
adding: bzowselc.dll (164 bytes security) (deflated 48%)
adding: dzscript.dll (164 bytes security) (deflated 48%)
adding: iddkcs32.dll (164 bytes security) (deflated 48%)
adding: ipm32.dll (164 bytes security) (deflated 48%)
adding: kedru.dll (164 bytes security) (deflated 48%)
adding: kgdur.dll (164 bytes security) (deflated 48%)
adding: multus40.dll (164 bytes security) (deflated 48%)
adding: mvdemui.dll (164 bytes security) (deflated 48%)
adding: mxhtmled.dll (164 bytes security) (deflated 48%)
adding: nqxpnt.dll (164 bytes security) (deflated 48%)
adding: nutui1.dll (164 bytes security) (deflated 48%)
adding: pbrfts.dll (164 bytes security) (deflated 48%)
adding: PkpOops2.dll (164 bytes security) (deflated 48%)
adding: reoc3260.dll (164 bytes security) (deflated 48%)
adding: rRsmontr.dll (164 bytes security) (deflated 48%)
adding: sdeio.dll (164 bytes security) (deflated 48%)
adding: sHfrcdlg.dll (164 bytes security) (deflated 48%)
adding: vms_ps.dll (164 bytes security) (deflated 48%)
adding: wocsvc.dll (164 bytes security) (deflated 48%)
adding: wppencen.dll (164 bytes security) (deflated 48%)
adding: wwbhits.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 37%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 89%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 72%)
adding: test.txt (164 bytes security) (deflated 89%)
adding: test2.txt (164 bytes security) (deflated 17%)
adding: test3.txt (164 bytes security) (deflated 17%)
adding: test5.txt (164 bytes security) (deflated 17%)
adding: xfind.txt (164 bytes security) (deflated 86%)
adding: backregs/3C42408B-350A-456D-88EC-51ABF5E66162.reg (164 bytes security) (deflated 69%)
adding: backregs/87BA2167-DAA8-4E59-BF46-4AC8883BB21E.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 66%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: aosldpc.dll
deleting local copy: aosldpc.dll
deleting local copy: azrtl30.dll
deleting local copy: azrtl30.dll
deleting local copy: bzowselc.dll
deleting local copy: bzowselc.dll
deleting local copy: dzscript.dll
deleting local copy: dzscript.dll
deleting local copy: iddkcs32.dll
deleting local copy: iddkcs32.dll
deleting local copy: ipm32.dll
deleting local copy: ipm32.dll
deleting local copy: kedru.dll
deleting local copy: kedru.dll
deleting local copy: kgdur.dll
deleting local copy: kgdur.dll
deleting local copy: multus40.dll
deleting local copy: multus40.dll
deleting local copy: mvdemui.dll
deleting local copy: mvdemui.dll
deleting local copy: mxhtmled.dll
deleting local copy: mxhtmled.dll
deleting local copy: nqxpnt.dll
deleting local copy: nqxpnt.dll
deleting local copy: nutui1.dll
deleting local copy: nutui1.dll
deleting local copy: pbrfts.dll
deleting local copy: pbrfts.dll
deleting local copy: PkpOops2.dll
deleting local copy: PkpOops2.dll
deleting local copy: reoc3260.dll
deleting local copy: reoc3260.dll
deleting local copy: rRsmontr.dll
deleting local copy: rRsmontr.dll
deleting local copy: sdeio.dll
deleting local copy: sdeio.dll
deleting local copy: sHfrcdlg.dll
deleting local copy: sHfrcdlg.dll
deleting local copy: vms_ps.dll
deleting local copy: vms_ps.dll
deleting local copy: wocsvc.dll
deleting local copy: wocsvc.dll
deleting local copy: wppencen.dll
deleting local copy: wppencen.dll
deleting local copy: wwbhits.dll
deleting local copy: wwbhits.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aosldpc.dll
C:\WINDOWS\system32\aosldpc.dll
C:\WINDOWS\system32\azrtl30.dll
C:\WINDOWS\system32\azrtl30.dll
C:\WINDOWS\system32\bzowselc.dll
C:\WINDOWS\system32\bzowselc.dll
C:\WINDOWS\system32\dzscript.dll
C:\WINDOWS\system32\dzscript.dll
C:\WINDOWS\system32\iddkcs32.dll
C:\WINDOWS\system32\iddkcs32.dll
C:\WINDOWS\system32\ipm32.dll
C:\WINDOWS\system32\ipm32.dll
C:\WINDOWS\system32\kedru.dll
C:\WINDOWS\system32\kedru.dll
C:\WINDOWS\system32\kgdur.dll
C:\WINDOWS\system32\kgdur.dll
C:\WINDOWS\system32\multus40.dll
C:\WINDOWS\system32\multus40.dll
C:\WINDOWS\system32\mvdemui.dll
C:\WINDOWS\system32\mvdemui.dll
C:\WINDOWS\system32\mxhtmled.dll
C:\WINDOWS\system32\mxhtmled.dll
C:\WINDOWS\system32\nqxpnt.dll
C:\WINDOWS\system32\nqxpnt.dll
C:\WINDOWS\system32\nutui1.dll
C:\WINDOWS\system32\nutui1.dll
C:\WINDOWS\system32\pbrfts.dll
C:\WINDOWS\system32\pbrfts.dll
C:\WINDOWS\system32\PkpOops2.dll
C:\WINDOWS\system32\PkpOops2.dll
C:\WINDOWS\system32\reoc3260.dll
C:\WINDOWS\system32\reoc3260.dll
C:\WINDOWS\system32\rRsmontr.dll
C:\WINDOWS\system32\rRsmontr.dll
C:\WINDOWS\system32\sdeio.dll
C:\WINDOWS\system32\sdeio.dll
C:\WINDOWS\system32\sHfrcdlg.dll
C:\WINDOWS\system32\sHfrcdlg.dll
C:\WINDOWS\system32\vms_ps.dll
C:\WINDOWS\system32\vms_ps.dll
C:\WINDOWS\system32\wocsvc.dll
C:\WINDOWS\system32\wocsvc.dll
C:\WINDOWS\system32\wppencen.dll
C:\WINDOWS\system32\wppencen.dll
C:\WINDOWS\system32\wwbhits.dll
C:\WINDOWS\system32\wwbhits.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{87BA2167-DAA8-4E59-BF46-4AC8883BB21E}"=-
"{3C42408B-350A-456D-88EC-51ABF5E66162}"=-
[-HKEY_CLASSES_ROOT\CLSID\{87BA2167-DAA8-4E59-BF46-4AC8883BB21E}]
[-HKEY_CLASSES_ROOT\CLSID\{3C42408B-350A-456D-88EC-51ABF5E66162}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************



And the HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 9:17:49 PM, on 6/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system\cudurhhqj.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.248.208.1
R3 - Default URLSearchHook is missing
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll (file missing)
O2 - BHO: (no name) - {C370527A-24A7-4583-BE01-72E59000EB17} - C:\WINDOWS\system32\n.dll (file missing)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [a0q5RiKpT] w32log.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://hindi.india-today.com/tdserver.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/downl ... TING14.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {95EEE69E-27B4-4D13-BD32-766617A16909} (NDTVVideo.MPlayer) - http://www.ndtv.com/video/NDTVseekvideo.CAB
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0008.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.infosys.com
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Unread postby 'KotaGuy » June 23rd, 2005, 12:22 am

Download and install CCleaner. Don't run it yet.

If you don't have them, download and install Ad-Aware and Spybot. Run them both. Update them. Visit this page for proper configuration. Don't scan with them yet.

Download Killbox. Extract (unzip) it to a folder. Don't run it yet.

Download CWShredder. Run the program. Update it. Close it.

Download About:Buster. Extract (unzip) it to C:\aboutbuster. Run AboutBuster. Update it. Close it.

Copy/paste this into notepad or wordpad for reference during the fix.

Go to Add/Remove Programs. Uninstall BullsEye Network, CashBack and Windows AFA Internet Enhancement if found.

Make sure no files are hidden. To do this:

1. Click Start.
2. Open My Computer.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide protected operating system files (recommended) option.
7. Click Yes to confirm.
8. Click OK.

Boot into Safe Mode. To do this:

1. Reboot your computer.
2. Tap the F8 button as your computer is booting to bring you to the Advanced Options Menu.
3. Select Safe Mode and press Enter.

Run and scan with HijackThis. With all browsers and windows closed, place a check beside the following and fix:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll (file missing)
O2 - BHO: (no name) - {C370527A-24A7-4583-BE01-72E59000EB17} - C:\WINDOWS\system32\n.dll (file missing)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKCU\..\Run: [a0q5RiKpT] w32log.exe
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/downl ... TING14.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0008.exe


Run CWShredder.

Run About:Buster. Click Begin Removal to allow About:Buster to scan. When it has finished, About:Buster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. About:Buster will inform you that a log has been created. Click OK.

Close all open windows and programs, then start Killbox. Put a check next to "Delete on Reboot", put a check next to "Use Dummy", then copy this line in "Full Path of File to Delete" box:

C:\WINDOWS\system32\aosldpc.dll

Click the red and white "Delete File" button.
Click "Yes" at the first prompt.
Click "No" at the second.

Do the same for each of the following files:

C:\WINDOWS\system32\azrtl30.dll
C:\WINDOWS\system32\bzowselc.dll
C:\WINDOWS\system32\dzscript.dll
C:\WINDOWS\system32\iddkcs32.dll
C:\WINDOWS\system32\ipm32.dll
C:\WINDOWS\system32\kedru.dll
C:\WINDOWS\system32\kgdur.dll
C:\WINDOWS\system32\multus40.dll
C:\WINDOWS\system32\mvdemui.dll
C:\WINDOWS\system32\mxhtmled.dll
C:\WINDOWS\system32\nqxpnt.dll
C:\WINDOWS\system32\nutui1.dll
C:\WINDOWS\system32\pbrfts.dll
C:\WINDOWS\system32\PkpOops2.dll
C:\WINDOWS\system32\reoc3260.dll
C:\WINDOWS\system32\rRsmontr.dll
C:\WINDOWS\system32\sdeio.dll
C:\WINDOWS\system32\sHfrcdlg.dll
C:\WINDOWS\system32\vms_ps.dll
C:\WINDOWS\system32\wocsvc.dll
C:\WINDOWS\system32\wppencen.dll
C:\WINDOWS\system32\wwbhits.dll
C:\WINDOWS\system32\guard.tmp


Exit when done.

Search for and delete these folders:

C:\Program Files\BullsEye Network
C:\Program Files\CashBack
C:\WINDOWS\EliteToolBar

Search for and delete these files:

C:\WINDOWS\system32\PSof1.exe
C:\WINDOWS\VCMnet11.exe
C:\WINDOWS\logon.exe
w32log.exe


Do scans with both Ad-Aware and Spybot. Let them fix anything they find.

Browse to your C:\WINDOWS\Prefetch folder. Delete all files in the folder, do not delete the folder itself. Empty your Recycle Bin. Run CCleaner.

Reboot Windows normally and post a new HijackThis log please along with the About:Buster log.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
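The fix list above was assembled by hand from the posted log. As an added example (not part of the thread, and not code from HijackThis or any of the tools named here), the Python script below applies the same kind of reasoning mechanically to HijackThis-style lines: registrations with nothing behind them ("(file missing)", "(no file)", a missing URLSearchHook) go into a "fix" bucket, and everything that needs a person's judgement (search pages pointing off-site, a proxy setting, Run entries with a bare filename or an executable sitting in the Windows directory, a DPF that fetches a bare .exe, and the O17 domain lines) goes into "review". The sample input is constructed from lines of the logs posted in this thread, with two benign entries mixed in; the rules and the function names (`triage`, `executable_of`, `summarize`) are my own heuristics and assumptions, not HijackThis's.

```python
"""Bucket HijackThis-style log lines into 'fix' and 'review' (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample input: lines copied from the logs posted in this thread,
# plus two benign entries (IgfxTray, TDServer CAB) so the rules let something pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.248.208.1
R3 - Default URLSearchHook is missing
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKCU\..\Run: [a0q5RiKpT] w32log.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0008.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://hindi.india-today.com/tdserver.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
"""

LINE_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^[^:]*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")      # O4 "HKLM\..\Run: [name] cmd"
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)       # exe directly in %WINDIR%
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|com|scr|dll|bat|cmd))"?(?:\s|$)', re.I)


def executable_of(cmd):
    """Program path from a Run-key command string, quotes and arguments stripped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip().split(" ", 1)[0].strip('"')


def triage(log_text):
    """Return {'fix': [(reason, line)], 'review': [(reason, line)]}.

    'fix' = a registration with nothing behind it (stale whatever its origin);
    'review' = needs a human decision, as 'KotaGuy did with the O17 domain lines.
    """
    out = {"fix": [], "review": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if "ProxyServer" in key:
                out["review"].append(("proxy server configured; confirm it is expected", line))
            elif value.startswith(("http://", "https://")) or "/" in value:
                out["review"].append(("search/start page points at an external site", line))
        elif sec == "R3" and body.endswith("is missing"):
            out["fix"].append(("default URLSearchHook missing; let HijackThis restore it", line))
        elif sec == "O2":
            if body.endswith("(file missing)"):
                out["fix"].append(("orphaned BHO: DLL no longer on disk", line))
            elif body.startswith("BHO: (no name)"):
                out["review"].append(("unnamed BHO; identify the DLL before keeping it", line))
        elif sec == "O3" and body.endswith("(no file)"):
            out["fix"].append(("toolbar registration with no file behind it", line))
        elif sec == "O4" and (r := RUN_RE.match(body)):
            exe = executable_of(r.group("cmd"))
            if "\\" not in exe and not exe.startswith("%"):
                out["review"].append(("bare filename in Run key: found via PATH, origin unknown", line))
            elif WINROOT_RE.match(exe):
                out["review"].append(("executable sitting directly in the Windows directory", line))
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if urlparse(url).path.lower().endswith(".exe"):
                out["review"].append(("DPF entry fetches a bare .exe instead of a CAB/OCX", line))
        elif sec == "O17":
            out["review"].append(("DNS domain setting; confirm with the machine's owner", line))
    return out


def summarize(findings):
    """Counts per bucket, for a quick before/after comparison of two logs."""
    return {bucket: len(items) for bucket, items in findings.items()}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket in ("fix", "review"):
        print(f"== {bucket} ({len(result[bucket])}) ==")
        for reason, line in result[bucket]:
            print(f"  {reason}\n    {line}")
```

The "review" bucket is deliberately conservative: a bare filename in a Run key is exactly what the `w32log.exe` entry looks like, but the legitimate Toshiba `TFNF5.exe` entry in the same log trips the same rule, so the script only points a person at it rather than deciding. Running `summarize` on the log before and after a fix round gives a quick check that the stale registrations really went away.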

Unread postby GeniusMagic » June 23rd, 2005, 11:00 pm

Did the following:

1. Downloaded and installed CCleaner, SpyBot, Ad-Aware, KillBox, CWShredder and About:Buster.

2. Uninstalled CashbackBuddy and Bulls eye network from Add/Remove Programs. Windows AFA Internet Enhancement was also present but it did not let me uninstall it. Nothing seemed to happen on clicking Change/Remove. I also saw "The ABI network - A division of direct revenue" listed there but it never uninstalls. Other suspicious programs I saw (but did not try uninstalling): NaviSearch, Search Assistant Uninstall.

3. Could not find cashback.exe in the HijackThis log. Checked and fixed all else mentioned by you.

4. CWShredder made me reboot the comp (which I did before carrying on with the next steps).

5. Ran About:Buster successfully.

6. Started Killbox. On putting a check against "Delete on reboot", the "Use Dummy" option was still disabled, hence I couldn't check it. It was enabled if I selected "Replace on reboot" but I stuck to "Delete on reboot". Killed all the files you mentioned.

7. Couldn't find the Bulls eye network and cashback folders but found some bullseye files. Deleted them all. Deleted C:\windows\elitetoolbar.

8. Deleted PSof1.exe, VCMNet11.exe and logon.exe. Could not find w32log.exe.

9. Did Ad-Aware and Spybot scans; both found a number of entries, deleted all of them.

10. Emptied Windows\Prefetch and ran CCleaner.


Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:44:02 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.248.208.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://hindi.india-today.com/tdserver.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {95EEE69E-27B4-4D13-BD32-766617A16909} (NDTVVideo.MPlayer) - http://www.ndtv.com/video/NDTVseekvideo.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.infosys.com
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe



And here's the About:Buster log:

AboutBuster 5.0 reference file 30
Scan started on [6/23/2005] at [8:10:07 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:10:28 PM


AboutBuster 5.0 reference file 30
Scan started on [6/23/2005] at [10:53:30 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:53:56 PM
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Unread postby 'KotaGuy » June 25th, 2005, 1:44 am

Excellent!

Do you recognize this domain?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.infosys.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.infosys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.infosys.com
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Unread postby GeniusMagic » June 25th, 2005, 10:49 am

Hi KotaGuy,

Yes, I recognize that domain. That one is not a nuisance for sure.

There is a noticeable decline in the number of pop-ups I get now (almost none). However, I still see my IE windows getting closed all of a sudden and I continue to get the fatal error when I boot my PC. I am not sure if it has got to do with this malware but it started to happen around the same time.

Shall I scan my PC online for any viruses?

Thanks again for your help.
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Unread postby 'KotaGuy » June 25th, 2005, 11:50 am

Might be an idea as your HijackThis log is now clean... do an online scan or two. A couple good ones are Panda ActiveScan and TrendMicro HouseCall. Let them fix anything they find. Reboot between each scan.

Also, download Silent Runners (right click on the link, choose Save As). Double click on Silent Runners.vbs. Post the log it creates.

Thanks!
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Unread postby GeniusMagic » June 26th, 2005, 7:59 pm

Hi KotaGuy, I scanned my hard drive with both HouseCall and Panda ActiveScan. Also ran Silent Runners.

I am appending the scan results from HouseCall and Silent Runners below:

Also, can I delete this file:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AbetterInternet.zip
It looks like it's a leftover of ABI.


Results from HouseCall scan and recover:

Virus Scan 0 virus cleaned, 2 viruses deleted

Results:
We have detected 3 infected file(s) with 3 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 2 virus(es) deleted, 1 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\WINDOWS\system32\InstallAPS.exe TROJ_DROPPER.CP Deletion successful
C:\WINDOWS\system32\installer_MARKETING30.exe TROJ_DLOADER.MG Deletion successful
C:\WINDOWS\system32\__delete_on_reboot__AUNPS2.DLL TROJ_CLICKER.AD Undeletable




Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken




Spyware Check 10 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 30 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 20 spyware(s) passed, 0 spyware(s) no action available
- 10 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
ADW_BKDSPACE.A Adware Removal successful
COOKIE_169 Cookie Pass
COOKIE_222 Cookie Pass
COOKIE_281 Cookie Pass
COOKIE_611 Cookie Pass
COOKIE_650 Cookie Pass
COOKIE_1020 Cookie Pass
COOKIE_1198 Cookie Pass
COOKIE_1738 Cookie Pass
COOKIE_1802 Cookie Pass
COOKIE_2136 Cookie Pass
COOKIE_2281 Cookie Pass
COOKIE_2817 Cookie Pass
COOKIE_2842 Cookie Pass
COOKIE_2897 Cookie Pass
COOKIE_3130 Cookie Pass
COOKIE_3163 Cookie Pass
ADW_BROWSERAID.A Adware Removal successful
COOKIE_3195 Cookie Pass
COOKIE_3201 Cookie Pass
COOKIE_6853 Cookie Pass
SPYW_VTBOUNCER.A Spyware Removal successful (Please reboot your machine)
COOKIE_3235 Cookie Pass
ADW_ADDESTROY.A Adware Removal successful
ADW_ADDESTROY.B Adware Removal successful
SPYW_VBOUNCE.B Spyware Removal successful (Please reboot your machine)
SPYW_VTBOUNCER.B Spyware Removal successful (Please reboot your machine)
ADW_BROWSERAID.G Adware Removal successful
ADW_BROWSERAID.E Adware Removal successful
ADW_APROPOS.O Adware Removal successful




Microsoft Vulnerability Check 2 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 2 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Important This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.;The vulnerability is caused by an unchecked buffer in the Microsoft Office WordPerfect Converter. MS04-027
Critical A remote code execution vulnerability exists in MSN Messenger that could allow an attacker who successfully exploited this vulnerable to take complete control of the affected system. MS05-022





And here are the Silent Runners scan results:


"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"taangdhr.exe" = "C:\WINDOWS\system\taangdhr.exe" [file not found]
"grox.exe" = "C:\WINDOWS\system\grox.exe" [file not found]
"fxwtgktj.exe" = "C:\WINDOWS\system\fxwtgktj.exe" [file not found]
"rpvsqmlgja.exe" = "C:\WINDOWS\system\rpvsqmlgja.exe" [file not found]
"lftn.exe" = "C:\WINDOWS\system\lftn.exe" [file not found]
"dbavkhqcnt.exe" = "C:\WINDOWS\system\dbavkhqcnt.exe" [file not found]
"ngcws.exe" = "C:\WINDOWS\system\ngcws.exe" [file not found]
"wwvlrajmjs.exe" = "C:\WINDOWS\system\wwvlrajmjs.exe" [file not found]
"sxjjafcu.exe" = "C:\WINDOWS\system\sxjjafcu.exe" [file not found]
"hwcgfd.exe" = "C:\WINDOWS\system\hwcgfd.exe" [file not found]
"vjfqphrlo.exe" = "C:\WINDOWS\system\vjfqphrlo.exe" [file not found]
"jrnohgxm.exe" = "C:\WINDOWS\system\jrnohgxm.exe" [file not found]
"cmdpvn.exe" = "C:\WINDOWS\system\cmdpvn.exe" [file not found]
"cudurhhqj.exe" = "C:\WINDOWS\system\cudurhhqj.exe" [file not found]
"rtcbmv.exe" = "C:\WINDOWS\system\rtcbmv.exe" [file not found]
"wcspsjrcas.exe" = "C:\WINDOWS\system\wcspsjrcas.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TOSCDSPD" = "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" ["TOSHIBA"]
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [null data]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"TFNF5" = "TFNF5.exe" ["TOSHIBA Corp."]
"SmoothView" = "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" ["TOSHIBA Corporation"]
"TPSMain" = "TPSMain.exe" ["TOSHIBA Corporation"]
"TFncKy" = "TFncKy.exe" ["TOSHIBA Corporation"]
"TouchED" = "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" ["TOSHIBA Corporation"]
"NDSTray.exe" = "NDSTray.exe" ["TOSHIBA CORPORATION"]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"SoundMAX" = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray" ["Analog Devices, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"Realtime Monitor" = ""C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"" ["Computer Associates International, Inc."]
"STOPzilla" = "C:\Program Files\STOPzilla!\Stopzilla.exe /autostart" [file not found]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{5F41ED8A-5A36-4C9A-96AE-589A4F353879}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\TRSMainCtl.dll" [null data]
"{12D2D9F5-0B9D-40F0-AAB8-ECC2FB5B4C54}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\wqnsock.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! SharedDlls\DLLName = "C:\WINDOWS\system32\kwdcz2.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"RAMASST" -> shortcut to: "C:\WINDOWS\system32\RAMASST.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 28
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 08 - 27
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Check Point SecuRemote Service, SR_Service, ""C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"" ["Check Point Software Technologies"]
Check Point SecuRemote WatchDog, SR_WatchDog, ""C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe"" ["Check Point Software Technologies"]
ConfigFree Service, CFSvcs, "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]
DVD-RAM_Service, DVD-RAM_Service, "C:\WINDOWS\system32\DVDRAMSV.exe" ["Matsushita Electric Industrial Co., Ltd."]
eTrust InoculateIT Job Server, InoTask, ""C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe"" ["Computer Associates International, Inc."]
eTrust InoculateIT Realtime Server, InoRT, ""C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe"" ["Computer Associates International, Inc."]
eTrust InoculateIT RPC Server, InoRPC, ""C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe"" ["Computer Associates International, Inc."]
Event Log Watch, LogWatch, "C:\WINDOWS\LogWatNT.exe" [null data]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Unread postby 'KotaGuy » June 26th, 2005, 9:39 pm

Thanks for posting the logs.

Copy/paste the following quotebox into a new notepad document

REGEDIT4

; regedit only recognises full hive names (HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE);
; the abbreviated HKCU/HKLM forms are not imported.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"taangdhr.exe"=-
"grox.exe"=-
"fxwtgktj.exe"=-
"rpvsqmlgja.exe"=-
"lftn.exe"=-
"dbavkhqcnt.exe"=-
"ngcws.exe"=-
"wwvlrajmjs.exe"=-
"sxjjafcu.exe"=-
"hwcgfd.exe"=-
"vjfqphrlo.exe"=-
"jrnohgxm.exe"=-
"cmdpvn.exe"=-
"cudurhhqj.exe"=-
"rtcbmv.exe"=-
"wcspsjrcas.exe"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5F41ED8A-5A36-4C9A-96AE-589A4F353879}"=-
"{12D2D9F5-0B9D-40F0-AAB8-ECC2FB5B4C54}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDlls]

[HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Filter\text/xml]
"CLSID"=-


Save it to your Desktop as fixme.reg. Save as File Type All Files (not as a text document or it won't work). Double click fixme.reg and merge it into the registry when asked.

Boot into Safe Mode. Search for and delete:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AbetterInternet.zip
C:\WINDOWS\system32\kwdcz2.dll
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
C:\WINDOWS\system32\TRSMainCtl.dll
C:\WINDOWS\system32\wqnsock.dll

Browse to your C:\WINDOWS\Prefetch folder. Delete all files in the folder, do not delete the folder itself. Empty your Recycle Bin. Run CCleaner.

Reboot Windows normally and post a new Silent Runners log please.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Unread postby GeniusMagic » June 27th, 2005, 11:19 pm

Did what you said except that it did not let me delete C:\WINDOWS\system32\kwdcz2.dll. The file appeared to be in use by another program or person. Also I could not find C:\WINDOWS\system32\wqnsock.dll on my system. Deleted all other files you mentioned.


The new Silent Runners log follows (after booting in normal mode):

"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"taangdhr.exe" = "C:\WINDOWS\system\taangdhr.exe" [file not found]
"grox.exe" = "C:\WINDOWS\system\grox.exe" [file not found]
"fxwtgktj.exe" = "C:\WINDOWS\system\fxwtgktj.exe" [file not found]
"rpvsqmlgja.exe" = "C:\WINDOWS\system\rpvsqmlgja.exe" [file not found]
"lftn.exe" = "C:\WINDOWS\system\lftn.exe" [file not found]
"dbavkhqcnt.exe" = "C:\WINDOWS\system\dbavkhqcnt.exe" [file not found]
"ngcws.exe" = "C:\WINDOWS\system\ngcws.exe" [file not found]
"wwvlrajmjs.exe" = "C:\WINDOWS\system\wwvlrajmjs.exe" [file not found]
"sxjjafcu.exe" = "C:\WINDOWS\system\sxjjafcu.exe" [file not found]
"hwcgfd.exe" = "C:\WINDOWS\system\hwcgfd.exe" [file not found]
"vjfqphrlo.exe" = "C:\WINDOWS\system\vjfqphrlo.exe" [file not found]
"jrnohgxm.exe" = "C:\WINDOWS\system\jrnohgxm.exe" [file not found]
"cmdpvn.exe" = "C:\WINDOWS\system\cmdpvn.exe" [file not found]
"cudurhhqj.exe" = "C:\WINDOWS\system\cudurhhqj.exe" [file not found]
"rtcbmv.exe" = "C:\WINDOWS\system\rtcbmv.exe" [file not found]
"wcspsjrcas.exe" = "C:\WINDOWS\system\wcspsjrcas.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TOSCDSPD" = "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" ["TOSHIBA"]
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [null data]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"TFNF5" = "TFNF5.exe" ["TOSHIBA Corp."]
"SmoothView" = "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" ["TOSHIBA Corporation"]
"TPSMain" = "TPSMain.exe" ["TOSHIBA Corporation"]
"TFncKy" = "TFncKy.exe" ["TOSHIBA Corporation"]
"TouchED" = "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" ["TOSHIBA Corporation"]
"NDSTray.exe" = "NDSTray.exe" ["TOSHIBA CORPORATION"]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"SoundMAX" = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray" ["Analog Devices, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"Realtime Monitor" = ""C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"" ["Computer Associates International, Inc."]
"STOPzilla" = "C:\Program Files\STOPzilla!\Stopzilla.exe /autostart" [file not found]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"VBouncer" = "C:\PROGRA~1\VBouncer\VirtualBouncer.exe" [file not found]
"KavSvc" = "C:\WINDOWS\system32\japnpr.exe reg_run" [null data]
"scain" = "C:\WINDOWS\TEMP\s030109.Stub.exe" [file not found]
"98D0CE0C16B1" = "rundll32.exe D0CE0C16B1,D0CE0C16B1" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{12EE7A5E-0674-42f9-A76A-000000004D00}\(Default) = "SearchToolbarBHOObject" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\stlb2.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{5F41ED8A-5A36-4C9A-96AE-589A4F353879}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\TRSMainCtl.dll" [file not found]
"{12D2D9F5-0B9D-40F0-AAB8-ECC2FB5B4C54}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ahcups.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! ShellServiceObjectDelayLoad\DLLName = "C:\WINDOWS\system32\kwdcz2.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
"AdDestroyer" -> shortcut to: "C:\Program Files\AdDestroyer\AdDestroyer.exe" [file not found]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"RAMASST" -> shortcut to: "C:\WINDOWS\system32\RAMASST.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 28
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 08 - 27
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{12EE7A5E-0674-42F9-A76B-000000004D00}" = "Search" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\stlb2.dll" [file not found]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{12EE7A5E-0674-42F9-A76B-000000004D00}\ = "Search" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\stlb2.dll" [file not found]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Check Point SecuRemote Service, SR_Service, ""C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"" ["Check Point Software Technologies"]
Check Point SecuRemote WatchDog, SR_WatchDog, ""C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe"" ["Check Point Software Technologies"]
ConfigFree Service, CFSvcs, "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]
DVD-RAM_Service, DVD-RAM_Service, "C:\WINDOWS\system32\DVDRAMSV.exe" ["Matsushita Electric Industrial Co., Ltd."]
eTrust InoculateIT Job Server, InoTask, ""C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe"" ["Computer Associates International, Inc."]
eTrust InoculateIT Realtime Server, InoRT, ""C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe"" ["Computer Associates International, Inc."]
eTrust InoculateIT RPC Server, InoRPC, ""C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe"" ["Computer Associates International, Inc."]
Event Log Watch, LogWatch, "C:\WINDOWS\LogWatNT.exe" [null data]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Thanks
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm
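A check a helper could run after a round like the one above, added here as an example and not part of the thread: it parses a posted fixme.reg and the Silent Runners log taken afterwards, reports which deletions the new log still lists (as with the Policies\Explorer\Run entries above), flags .reg keys whose root is an abbreviation, which regedit does not import, and lists autostart values tagged [file not found] or [null data]. The log and .reg excerpts are constructed from lines on this page; function and variable names are this example's own.

```python
import re

FULL_HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM",
              "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "name" = value [tag]
TAG = re.compile(r"\[([^\]]*)\]\s*$")                # trailing [MS] / [file not found]
REG_KEY = re.compile(r"^\[(-?)([^\]]+)\]$")          # [key] or [-key]
REG_DELETE = re.compile(r'^"([^"]+)"=-$')            # "name"=- deletes a value

# Constructed excerpt of a Silent Runners report taken after the fix was applied.
POST_FIX_LOG = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"taangdhr.exe" = "C:\WINDOWS\system\taangdhr.exe" [file not found]
"grox.exe" = "C:\WINDOWS\system\grox.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"KavSvc" = "C:\WINDOWS\system32\japnpr.exe reg_run" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{5F41ED8A-5A36-4C9A-96AE-589A4F353879}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\TRSMainCtl.dll" [file not found]
'''

# Constructed excerpt of the posted fixme.reg, with the abbreviated hive names as posted.
FIXME_REG = r'''REGEDIT4

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"taangdhr.exe"=-
"grox.exe"=-

[HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5F41ED8A-5A36-4C9A-96AE-589A4F353879}"=-
'''

def norm_key(key):
    """Canonical key: abbreviated hive, no trailing backslash, lower-case."""
    key = key.strip().rstrip("\\")
    root, _, rest = key.partition("\\")
    return (FULL_HIVES.get(root.upper(), root.upper()) + "\\" + rest).lower()

def parse_silent_runners(text):
    """Map each registry key to {value name: trailing tag}; '->' CLSID detail
    lines are skipped and an INFECTION WARNING! prefix is dropped."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().removeprefix("INFECTION WARNING!").strip()
        if line.startswith("HK") and "\\" in line:
            current = norm_key(line.replace("{++}", ""))
            entries.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            t = TAG.search(m.group(2))
            entries[current][m.group(1)] = t.group(1) if t else ""
    return entries

def parse_reg(text):
    """Return (deletions, bad_roots): value deletions as (key, name) pairs, and
    keys whose root is not a full HKEY_* name, which regedit will not import."""
    deletions, bad_roots, current = [], [], None
    for raw in text.splitlines():
        k = REG_KEY.match(raw.strip())
        if k:
            current = norm_key(k.group(2))
            if k.group(2).split("\\", 1)[0].upper() not in FULL_HIVES:
                bad_roots.append(k.group(2))
            continue
        d = REG_DELETE.match(raw.strip())
        if d and current:
            deletions.append((current, d.group(1)))
    return deletions, bad_roots

def still_present(log_entries, deletions):
    """Deletions from the .reg script that the post-fix log still lists."""
    return [(k, n) for k, n in deletions if n in log_entries.get(k, {})]

def flagged_entries(log_entries):
    """Values whose target is missing or carries no version info; the first
    lines a helper inspects in a report."""
    return sorted((k, n) for k, vals in log_entries.items()
                  for n, tag in vals.items() if tag in ("file not found", "null data"))

if __name__ == "__main__":
    log = parse_silent_runners(POST_FIX_LOG)
    dels, bad = parse_reg(FIXME_REG)
    print("keys regedit will ignore:", bad)
    print("deletions not applied:", still_present(log, dels))
    print("flagged autostarts:", flagged_entries(log))
```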