Author Topic: Another Desktop.exe victim

Offline JoeMac

Another Desktop.exe victim
« on: March 18, 2005, 06:31:59 PM »
I've seen a number of posts where you've helped people who've had a persistent desktop.exe problem.  I'm hoping you can walk me through a similar fix! B)

I've downloaded HJT, Ad-Aware, and Spybot, and here's my initial HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:13:06 PM, on 3/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\system32\condll32.exe
C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\camqtz32.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
E:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\hgmx3jbu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CProgram%20Files%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\hgmx3jbu.slt\prefs.js)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [w3oR3pj] condll32.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [h075RfH9V] camqtz32.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = E:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\hrn6055se.dll
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

Thanks for your help with this!!!

JoeMac
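The helpers in this thread triage logs like the one above by eye. The following Python is an added example, not code from this thread, from HijackThis or from thetechguide.com: it parses a short excerpt constructed from the log above and flags the entry classes that the reply in this thread ends up targeting: Run values that are bare filenames or machine-looking names, programs launched from unusual folders under the Windows directory, orphaned or Windows-directory BHOs, unattributed Winsock LSPs, a text/html MIME filter, and a Winlogon Notify DLL outside the stock set. The heuristics, the stock-DLL list and the folder allowlist are this example's own assumptions, not HijackThis rules.

```python
"""Heuristic triage of HijackThis (v1.99-era) log entries. Added example;
the rules below are assumptions of this example, not HijackThis logic."""
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt modelled on the log posted above (not the complete log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [w3oR3pj] condll32.exe
O4 - HKCU\..\Run: [h075RfH9V] camqtz32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\hrn6055se.dll
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # HijackThis section (O2, O4, ...)
    subject: str  # value name, CLSID, subkey or file the finding concerns
    reason: str   # why a reviewer should look at it


ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Mixed letters and digits, no spaces, e.g. "w3oR3pj": a heuristic, not proof.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{6,}$")
# Notify packages that ship with Windows XP (assumed list for this example).
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
STOCK_WINDIR_SUBDIRS = {"system32", "system"}  # assumed allowlist


def first_path(cmd: str) -> str:
    """Extract the program path from a Run command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" /", 1)[0]  # unquoted: the path ends at the first switch


def windir_relative(path: str):
    """Return the part of path below X:\\Windows, or None if it is not under it."""
    m = re.match(r"^[a-z]:\\windows\\(.+)$", path.lower())
    return m.group(1) if m else None


def check_run(name: str, cmd: str) -> List[Finding]:
    """Apply the Run-key heuristics to one O4 entry."""
    out = []
    path = first_path(cmd)
    if "\\" not in path:
        out.append(Finding("O4", name, f"bare filename '{path}' is resolved through the search path; installers normally write a full path"))
    if RANDOM_NAME_RE.match(name):
        out.append(Finding("O4", name, "value name looks machine-generated"))
    rel = windir_relative(path)
    if rel is not None:
        parts = rel.split("\\")
        if len(parts) == 1:
            out.append(Finding("O4", name, f"'{rel}' sits directly in the Windows directory"))
        elif parts[0] not in STOCK_WINDIR_SUBDIRS:
            out.append(Finding("O4", name, f"runs from non-standard Windows subfolder '{parts[0]}'"))
        elif len(parts) > 2:
            out.append(Finding("O4", name, f"runs from a subfolder of {parts[0]} ('{parts[1]}')"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a second look."""
    out: List[Finding] = []
    seen_lsp = set()
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list and blank lines
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4":
            run = RUN_RE.match(body)
            if run:
                out += check_run(run.group("name"), run.group("cmd"))
        elif kind == "O2":  # BHO: <name> - {CLSID} - <path>
            fields = body.partition(": ")[2].rsplit(" - ", 2)
            if len(fields) == 3:
                _, clsid, path = fields
                if path == "(no file)":
                    out.append(Finding("O2", clsid, "orphaned BHO registration; its DLL is gone"))
                elif windir_relative(path) is not None:
                    out.append(Finding("O2", clsid, f"BHO loads from {path} inside the Windows directory"))
        elif kind == "O10" and body.startswith("Unknown file"):
            lsp = body.rsplit(": ", 1)[-1].lower()
            if lsp not in seen_lsp:  # the same LSP is listed once per protocol entry
                seen_lsp.add(lsp)
                out.append(Finding("O10", lsp, "unattributed Winsock LSP; remove it from the catalog (LSPFix), deleting the DLL alone breaks networking"))
        elif kind == "O18" and body.startswith("Filter: text/html"):
            out.append(Finding("O18", body.rsplit(" - ", 1)[-1], "MIME filter on text/html sees every page Internet Explorer renders"))
        elif kind == "O20":  # Winlogon Notify: <subkey> - <path>
            subkey, _, path = body.partition(": ")[2].partition(" - ")
            base = path.rsplit("\\", 1)[-1].lower()
            if base not in STOCK_NOTIFY_DLLS:
                out.append(Finding("O20", subkey, f"'{base}' loads into winlogon.exe at every logon and is not a stock notify package"))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.subject:45} {f.reason}")
```

Run against the excerpt it reports nothing for WinampAgent or the McShield service and lists the duplicated aklsp.dll LSP once; the O10 note is the reason guestolo's reply reaches for LSPFix before deleting anything.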

Offline JoeMac

Another Desktop.exe victim
« Reply #1 on: March 19, 2005, 02:14:51 PM »
Just bumping back to the top of the list!

Thanks for your help guestolo!!!

JoeMac

Offline guestolo

Another Desktop.exe victim
« Reply #2 on: March 20, 2005, 02:25:14 AM »
Download and UNZIP to desktop
iSearch.zip
So you will now have iSearch.reg on your desktop
We'll need this later

Download and Unzip to desktop LSPFIX.zip from this link
http://www.cexx.org/lspfix.htm
We'll need this later

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Please copy and paste the rest of this to a Notepad file and save it to your desktop
or print it out.
Also know how to start in safe mode in advance; if unsure, I supplied a link below.

Disconnect completely from the Internet
Close down all Browser windows, including this one

Ensure that you unzipped LSPFix earlier and you're not running it from within the zipped file.
With ONLY LSPFix open,
check "I know what I'm doing".
Then select all instances of aklsp.dll and dolsp.dll (and nothing else) in the left pane,
click the arrow button to have them moved into the right-hand panel (the Removal Pane). Click Finish <-- you may have to scroll down a bit to see it; Finish is NOT the X button at the top.

Restart your computer into SAFE MODE


Access your Add/Remove programs and remove if found
Hotbar and/or Web Tools from Hotbar


Stay in safe mode, find and delete these files or folders if found
C:\WINDOWS\system32\condll32.exe <-file
c:\windows\system32\camqtz32.exe
C:\WINDOWS\farmmext.exe

C:\WINDOWS\system32\wsxsvc <-folder
C:\WINDOWS\isrvs <-folder
C:\Program Files\Hotbar <-folder

Again, in safe mode

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe

O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [w3oR3pj] condll32.exe

O4 - HKCU\..\Run: [h075RfH9V] camqtz32.exe
O4 - Startup: PowerReg Scheduler.exe

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Go to START>>RUN>>type in
%temp%
In new window select EDIT>>SELECT ALL
Delete the selected

Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content

Double click on iSearch.reg and allow to merge to the registry

Restart back to Normal mode

Back In Windows, we still have some more cleaning to do
Download L2mfix from here

http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT:  Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Try not to restart your computer again after posting this log.

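The L2MFix find log that JoeMac posts next dumps the Winlogon\Notify keys as a .reg export, where several stock DllName values appear as hex(2), that is REG_EXPAND_SZ written out as comma-separated UTF-16LE bytes. The following Python is an added example, not L2MFix's code and not from this forum: it decodes that encoding over a constructed excerpt shaped like the log below and flags Notify subkeys whose DLL is given as a full path or is not one of the stock Windows XP packages. The stock-DLL list and both heuristics are this example's assumptions.

```python
"""Decode a .reg export of HKLM\\...\\Winlogon\\Notify and flag non-stock packages.
Added example; the stock list and the two checks are assumptions of this example."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of the L2MFix find log posted below.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv4009hme.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"""

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Notify packages that ship with Windows XP (assumed list for this example).
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}


def decode_value(raw: str):
    """Turn the right-hand side of a .reg line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):            # REG_SZ
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):                              # REG_DWORD
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^hex\((\d+)\):(.*)$", raw)
    if m and m.group(1) in ("1", "2", "7"):                   # string types stored as UTF-16LE bytes
        data = bytes.fromhex(m.group(2).replace(",", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw                                                # binary and others: keep as written


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key: {value_name: value}}."""
    # Long hex values are split over lines with a trailing backslash; rejoin them first.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"(?P<name>[^"]+)"=(?P<val>.*)$', line)
            if m:
                keys[current][m.group("name")] = decode_value(m.group("val"))
    return keys


def audit_notify(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (subkey, dll, reason) for Notify entries that deserve a look."""
    findings = []
    prefix = NOTIFY_ROOT.lower() + "\\"
    for key, values in parse_reg(reg_text).items():
        if not key.lower().startswith(prefix):
            continue
        subkey = key[len(prefix):]
        # Registry value names are case-insensitive; exports show "DllName" and "DLLName".
        dll = next((str(v) for n, v in values.items() if n.lower() == "dllname"), "")
        if not dll:
            findings.append((subkey, dll, "no DllName value"))
            continue
        base = dll.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\" in dll:
            reasons.append("full path where stock entries use a bare name resolved from system32")
        if base not in STOCK_NOTIFY_DLLS:
            reasons.append("not a stock Windows XP notification package")
        if reasons:
            findings.append((subkey, dll, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for subkey, dll, reason in audit_notify(SAMPLE_REG):
        print(f"{subkey:14} {dll:45} {reason}")
```

A Notify package runs inside winlogon.exe before the user's shell starts, which is why the cleanup tool in this thread collects these keys separately from the Run entries and why removing the DLL on disk without deleting its subkey leaves a logon-time error behind.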


Offline JoeMac

Another Desktop.exe victim
« Reply #3 on: March 20, 2005, 03:28:26 AM »
Here's the results of the last scan:

L2MFIX find log 1.03
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv4009hme.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B273BB8C-65AA-2C29-39C6-F8EDF73E57FB}"=""

********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension"
"{90D8387D-1E19-4A4D-9E8B-13AAC7D6D48C}"=""

********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{90D8387D-1E19-4A4D-9E8B-13AAC7D6D48C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{90D8387D-1E19-4A4D-9E8B-13AAC7D6D48C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{90D8387D-1E19-4A4D-9E8B-13AAC7D6D48C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{90D8387D-1E19-4A4D-9E8B-13AAC7D6D48C}\InprocServer32]
@="C:\\WINDOWS\\system32\\iwetmib1.dll"
"ThreadingModel"="Apartment"

********************************************************************************
**
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   1803.dll       Mon Mar 14 2005   2:11:06p  A....        150,528   147.00 K
   aklsp.dll      Fri Mar 11 2005   9:10:34p  A....        196,608   192.00 K
   akrules.dll    Fri Mar 11 2005   9:10:34p  A....        110,592   108.00 K
   akupd.dll      Fri Mar 11 2005   9:10:22p  A....        155,648   152.00 K
   aycore.dll     Tue Mar 15 2005   5:33:20p  ..S.R        233,248   227.78 K
   biowsewm.dll   Fri Mar 11 2005   9:03:44p  ..S.R        232,736   227.28 K
   browseui.dll   Thu Jan 27 2005  12:13:16p  A....      1,016,832   993.00 K
   camsnap.dll    Tue Mar 15 2005   8:33:32p  ..S.R        233,248   227.78 K
   cdfview.dll    Thu Jan 27 2005  12:13:16p  A....        151,040   147.50 K
   delfin.dll     Wed Feb  2 2005   5:44:48a  A....         51,712    50.50 K
   docore.dll     Tue Mar 15 2005   5:15:16p  A....        151,552   148.00 K
   dolsp.dll      Tue Mar 15 2005   5:15:18p  A....        139,264   136.00 K
   dosync.dll     Wed Mar 16 2005   5:07:22p  A....        114,688   112.00 K
   ehent97.dll    Thu Mar 17 2005  11:53:48a  ..S.R        233,248   227.78 K
   f0l0la~1.dll   Tue Mar 15 2005   8:36:14p  ..S.R        233,248   227.78 K
   goldne~1.dll   Wed Feb 16 2005   1:30:14p  A....         61,440    60.00 K
   icnathlp.dll   Wed Mar 16 2005  11:27:12p  ..S.R        233,248   227.78 K
   iepeers.dll    Thu Jan 27 2005  12:13:16p  A....        249,856   244.00 K
   iess.dll       Tue Mar 15 2005   4:32:22p  ..S.R        233,248   227.78 K
   iifosoft.dll   Tue Mar 15 2005   5:35:08p  ..S.R        233,248   227.78 K
   inseng.dll     Thu Jan 27 2005  12:13:16p  A....         96,256    94.00 K
   iwetmib1.dll   Sun Mar 20 2005   3:17:42a  ..S.R        234,558   229.06 K
   k4800e~1.dll   Sat Mar 12 2005   8:56:12p  ..S.R        232,820   227.36 K
   k644lg~1.dll   Tue Mar 15 2005   5:44:56a  ..S.R        232,736   227.28 K
   kedlt.dll      Tue Mar 15 2005   3:31:00p  ..S.R        233,716   228.24 K
   kkdhela2.dll   Tue Mar 15 2005   8:35:12p  ..S.R        233,248   227.78 K
   ktdal.dll      Tue Mar 15 2005   4:32:36p  ..S.R        233,248   227.78 K
   l0j80a~1.dll   Sun Mar 20 2005   3:16:24a  ..S.R        234,509   229.01 K
   lhtif11n.dll   Fri Mar 18 2005   4:30:42p  ..S.R        234,509   229.01 K
   lpcalsec.dll   Sun Mar 20 2005   3:12:24a  ..S.R        234,509   229.01 K
   lv4009~1.dll   Sun Mar 20 2005   3:12:24a  ..S.R        234,558   229.06 K
   mdcomput.dll   Sun Mar 20 2005   2:48:06a  ..S.R        233,248   227.78 K
   medmo.dll      Wed Mar 16 2005   3:29:34p  ..S.R        233,248   227.78 K
   midad.dll      Wed Jan 26 2005  12:24:24p  A....        356,352   348.00 K
   mshtml.dll     Thu Jan 27 2005  12:13:18p  A....      3,006,976     2.87 M
   ole32.dll      Fri Jan 14 2005   3:55:50a  A....      1,285,120     1.22 M
   olecli32.dll   Fri Jan 14 2005   3:55:50a  A....         74,752    73.00 K
   olecnv32.dll   Fri Jan 14 2005   3:55:50a  A....         37,888    37.00 K
   owe2.dll       Thu Mar 17 2005   9:04:16a  ..S.R        234,509   229.01 K
   pop5.dll       Tue Dec 28 2004   2:25:26p  A....         53,760    52.50 K
   pop7.dll       Mon Jan 24 2005   1:13:42p  A....         53,760    52.50 K
   r2xg5twa.dll   Wed Mar 16 2005   5:48:56p  A..H.            106     0.10 K
   rlogic.dll     Wed Mar  2 2005   5:13:00a  A....         36,352    35.50 K
   rpcss.dll      Fri Jan 14 2005   3:55:50a  A....        395,776   386.50 K
   rtcpldlg.dll   Tue Mar 15 2005   3:33:16p  ..S.R        233,248   227.78 K
   shdocvw.dll    Thu Jan 27 2005  12:13:18p  A....      1,483,264     1.41 M
   shell32.dll    Tue Dec 21 2004   3:49:36p  A....      8,450,048     8.06 M
   shlwapi.dll    Thu Jan 27 2005  12:13:18p  A....        473,600   462.50 K
   sporder.dll    Fri Mar 11 2005   9:10:34p  A....          8,464     8.27 K
   t08u0a~1.dll   Mon Mar 14 2005   5:57:52p  ..S.R        233,716   228.24 K
   urlmon.dll     Thu Jan 27 2005  12:13:18p  A....        607,744   593.50 K
   wicbj.dll      Wed Mar 16 2005   5:48:46p  ..SH.            475     0.46 K
   wininet.dll    Thu Jan 27 2005  12:13:18p  A....        656,896   641.50 K

53 items found:  53 files (25 H/S), 0 directories.
   Total of file sizes:  24,999,201 bytes     23.84 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 94F6-FC23

 Directory of C:\WINDOWS\System32

03/20/2005  03:17 AM           234,558 iwetmib1.dll
03/20/2005  03:16 AM           234,509 l0j80a1ued.dll
03/20/2005  03:12 AM           234,509 lpcalsec.dll
03/20/2005  03:12 AM           234,558 lv4009hme.dll
03/20/2005  02:48 AM           233,248 mdcomput.dll
03/19/2005  12:12 PM    <DIR>          dllcache
03/18/2005  04:30 PM           234,509 lhtif11n.dll
03/17/2005  11:53 AM           233,248 ehent97.dll
03/17/2005  09:04 AM           234,509 owe2.dll
03/16/2005  11:27 PM           233,248 icnathlp.dll
03/16/2005  05:48 PM               475 wicbj.dll
03/16/2005  03:29 PM           233,248 medmo.dll
03/15/2005  08:36 PM           233,248 f0l0la3m1d.dll
03/15/2005  08:35 PM           233,248 kkdhela2.dll
03/15/2005  08:33 PM           233,248 camsnap.dll
03/15/2005  05:35 PM           233,248 iifosoft.dll
03/15/2005  05:33 PM           233,248 aycore.dll
03/15/2005  04:32 PM           233,248 KTDAL.DLL
03/15/2005  04:32 PM           233,248 iess.dll
03/15/2005  03:33 PM           233,248 rTcpldlg.dll
03/15/2005  03:30 PM           233,716 kedlt.dll
03/15/2005  05:44 AM           232,736 k644lghq164e.dll
03/14/2005  05:57 PM           233,716 t08u0al9edq.dll
03/12/2005  08:56 PM           232,820 k4800elmehqa0.dll
03/11/2005  09:03 PM           232,736 biowsewm.dll
04/15/2004  01:33 PM    <DIR>          Microsoft
              24 File(s)      5,372,327 bytes
               2 Dir(s)   2,075,111,424 bytes free


Thanks again!!  I'd be lost without your great directions :)
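The attribute column in the listing above is the quickest tell: every dropped DLL is "..S.R" (System and Read-only set, Archive clear), is 232,736 to 234,558 bytes, and is dated within the last few days, while the genuine system DLLs around them are "A....". As an added example that is not part of this thread or of l2mfix, here is a parser for listings in that format which picks those entries out automatically. The five attribute columns are assumed to be A, D, S, H, R in that order (inferred from the lines shown), the sample listing is a constructed excerpt of entries from this page, and the size band, the 14-day window and the "hidden sub-1 KB DLL" rule are heuristics tuned to this sample, not rules from the thread.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: six entries copied from the listing on this page plus the
# trailing summary line.  browseui.dll and inseng.dll are the clean controls.
SAMPLE_LISTING = """\
   browseui.dll   Thu Jan 27 2005  12:13:16p  A....      1,016,832   993.00 K
   camsnap.dll    Tue Mar 15 2005   8:33:32p  ..S.R        233,248   227.78 K
   inseng.dll     Thu Jan 27 2005  12:13:16p  A....         96,256    94.00 K
   iwetmib1.dll   Sun Mar 20 2005   3:17:42a  ..S.R        234,558   229.06 K
   r2xg5twa.dll   Wed Mar 16 2005   5:48:56p  A..H.            106     0.10 K
   wicbj.dll      Wed Mar 16 2005   5:48:46p  ..SH.            475     0.46 K

53 items found:  53 files (25 H/S), 0 directories.
"""

# name, "Www Mmm dd yyyy", "h:mm:ssa|p", five attribute flags, byte size
LINE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+"
    r"(?P<date>[A-Za-z]{3} [A-Za-z]{3}\s+\d{1,2} \d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>[\d,]+)\s+"
)


class Entry(NamedTuple):
    name: str
    mtime: datetime
    archive: bool
    system: bool
    hidden: bool
    readonly: bool
    size: int


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one listing line; return None for headers, blanks and summaries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # ASSUMPTION: the five attribute columns are A(rchive), D(irectory),
    # S(ystem), H(idden), R(ead-only) in that order; "." means not set.
    a = m["attrs"]
    t = m["time"]
    stamp = f'{m["date"]} {t[:-1]}{"PM" if t.endswith("p") else "AM"}'
    return Entry(
        name=m["name"],
        mtime=datetime.strptime(stamp, "%a %b %d %Y %I:%M:%S%p"),
        archive=a[0] == "A",
        system=a[2] == "S",
        hidden=a[3] == "H",
        readonly=a[4] == "R",
        size=int(m["size"].replace(",", "")),
    )


def triage(listing: str, asof: str = "2005-03-20",
           window_days: int = 14) -> List[Tuple[str, List[str]]]:
    """Return (file name, reasons) for entries that match the dropped-DLL pattern."""
    ref = datetime.fromisoformat(asof)
    findings: List[Tuple[str, List[str]]] = []
    for line in listing.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons: List[str] = []
        # Every dropped DLL on the page is S+R with Archive clear: the bits were
        # set on purpose so a plain "dir" and Explorer skip them.
        if e.system and e.readonly and not e.archive:
            reasons.append("system+readonly with archive clear")
        # Heuristic tuned to this sample: same payload under padded random names.
        if 230_000 <= e.size <= 240_000 and not e.archive:
            reasons.append("size in the ~233 KB band")
        # Heuristic: a hidden .dll of a few hundred bytes is not a library.
        if e.hidden and e.size < 1024:
            reasons.append("hidden sub-1 KB .dll")
        if reasons and ref - e.mtime <= timedelta(days=window_days):
            reasons.append(f"modified within {window_days} days of the scan")
        if reasons:
            findings.append((e.name, reasons))
    return findings


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LISTING):
        print(f"{name:16} {'; '.join(why)}")
```

Run over the whole listing it returns the same set of DLLs that l2mfix backs up and deletes in the next post, plus the two tiny hidden files. The size band and the attribute rule are what this sample shows; treat any hit as "look at this file", not as a verdict.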

Offline guestolo

Another Desktop.exe victim
« Reply #4 on: March 20, 2005, 03:30:42 AM »
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.
Again, don't try and restart your computer until I have a chance to see the logs

IMPORTANT:  Do NOT run any other files in the l2mfix folder unless you are asked to do so!

NOTE: After restart and L2MFIX finishes scanning for files>>give this time to finish
If a text doesn't open, run the "second.bat" located inside the L2mfix folder
« Last Edit: March 20, 2005, 03:31:44 AM by guestolo »



Offline JoeMac

Another Desktop.exe victim
« Reply #5 on: March 20, 2005, 03:44:01 AM »
Here's the log from l2mfix:

L2Mfix 1.03
 
Running From:
C:\HijackThis\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------      BUILTIN\Administrators
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\HijackThis\l2mfix
System Rebooted!
 
Running From:
C:\HijackThis\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1924 'explorer.exe'
Killing PID 1924 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 784 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\aycore.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\biowsewm.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\camsnap.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dMd8.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ehent97.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f0l0la3m1d.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\icnathlp.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iess.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iifosoft.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k4800elmehqa0.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k644lghq164e.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kedlt.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kkdhela2.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KTDAL.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l0j80a1ued.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lhtif11n.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lpcalsec.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdcomput.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\medmo.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\owe2.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rTcpldlg.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\t08u0al9edq.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 file(s) copied.
deleting: C:\WINDOWS\system32\aycore.dll  
Successfully Deleted: C:\WINDOWS\system32\aycore.dll
deleting: C:\WINDOWS\system32\biowsewm.dll  
Successfully Deleted: C:\WINDOWS\system32\biowsewm.dll
deleting: C:\WINDOWS\system32\camsnap.dll  
Successfully Deleted: C:\WINDOWS\system32\camsnap.dll
deleting: C:\WINDOWS\system32\dMd8.dll  
Successfully Deleted: C:\WINDOWS\system32\dMd8.dll
deleting: C:\WINDOWS\system32\ehent97.dll  
Successfully Deleted: C:\WINDOWS\system32\ehent97.dll
deleting: C:\WINDOWS\system32\f0l0la3m1d.dll  
Successfully Deleted: C:\WINDOWS\system32\f0l0la3m1d.dll
deleting: C:\WINDOWS\system32\icnathlp.dll  
Successfully Deleted: C:\WINDOWS\system32\icnathlp.dll
deleting: C:\WINDOWS\system32\iess.dll  
Successfully Deleted: C:\WINDOWS\system32\iess.dll
deleting: C:\WINDOWS\system32\iifosoft.dll  
Successfully Deleted: C:\WINDOWS\system32\iifosoft.dll
deleting: C:\WINDOWS\system32\k4800elmehqa0.dll  
Successfully Deleted: C:\WINDOWS\system32\k4800elmehqa0.dll
deleting: C:\WINDOWS\system32\k644lghq164e.dll  
Successfully Deleted: C:\WINDOWS\system32\k644lghq164e.dll
deleting: C:\WINDOWS\system32\kedlt.dll  
Successfully Deleted: C:\WINDOWS\system32\kedlt.dll
deleting: C:\WINDOWS\system32\kkdhela2.dll  
Successfully Deleted: C:\WINDOWS\system32\kkdhela2.dll
deleting: C:\WINDOWS\system32\KTDAL.DLL  
Successfully Deleted: C:\WINDOWS\system32\KTDAL.DLL
deleting: C:\WINDOWS\system32\l0j80a1ued.dll  
Successfully Deleted: C:\WINDOWS\system32\l0j80a1ued.dll
deleting: C:\WINDOWS\system32\lhtif11n.dll  
Successfully Deleted: C:\WINDOWS\system32\lhtif11n.dll
deleting: C:\WINDOWS\system32\lpcalsec.dll  
Successfully Deleted: C:\WINDOWS\system32\lpcalsec.dll
deleting: C:\WINDOWS\system32\mdcomput.dll  
Successfully Deleted: C:\WINDOWS\system32\mdcomput.dll
deleting: C:\WINDOWS\system32\medmo.dll  
Successfully Deleted: C:\WINDOWS\system32\medmo.dll
deleting: C:\WINDOWS\system32\owe2.dll  
Successfully Deleted: C:\WINDOWS\system32\owe2.dll
deleting: C:\WINDOWS\system32\rTcpldlg.dll  
Successfully Deleted: C:\WINDOWS\system32\rTcpldlg.dll
deleting: C:\WINDOWS\system32\t08u0al9edq.dll  
Successfully Deleted: C:\WINDOWS\system32\t08u0al9edq.dll
deleting: C:\WINDOWS\system32\guard.tmp  
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
 
 
Zipping up files for submission:
  adding: aycore.dll (188 bytes security) (deflated 4%)
  adding: biowsewm.dll (188 bytes security) (deflated 4%)
  adding: camsnap.dll (188 bytes security) (deflated 4%)
  adding: dMd8.dll (188 bytes security) (deflated 5%)
  adding: ehent97.dll (188 bytes security) (deflated 4%)
  adding: f0l0la3m1d.dll (188 bytes security) (deflated 4%)
  adding: icnathlp.dll (188 bytes security) (deflated 4%)
  adding: iess.dll (188 bytes security) (deflated 4%)
  adding: iifosoft.dll (188 bytes security) (deflated 4%)
  adding: k4800elmehqa0.dll (188 bytes security) (deflated 4%)
  adding: k644lghq164e.dll (188 bytes security) (deflated 4%)
  adding: kedlt.dll (188 bytes security) (deflated 5%)
  adding: kkdhela2.dll (188 bytes security) (deflated 4%)
  adding: KTDAL.DLL (188 bytes security) (deflated 4%)
  adding: l0j80a1ued.dll (188 bytes security) (deflated 5%)
  adding: lhtif11n.dll (188 bytes security) (deflated 5%)
  adding: lpcalsec.dll (188 bytes security) (deflated 5%)
  adding: mdcomput.dll (188 bytes security) (deflated 4%)
  adding: medmo.dll (188 bytes security) (deflated 4%)
  adding: owe2.dll (188 bytes security) (deflated 5%)
  adding: rTcpldlg.dll (188 bytes security) (deflated 4%)
  adding: t08u0al9edq.dll (188 bytes security) (deflated 5%)
  adding: guard.tmp (188 bytes security) (deflated 5%)
  adding: clear.reg (188 bytes security) (deflated 23%)
  adding: echo.reg (188 bytes security) (deflated 5%)
  adding: direct.txt (188 bytes security) (stored 0%)
  adding: lo2.txt (188 bytes security) (deflated 83%)
  adding: readme.txt (188 bytes security) (deflated 49%)
  adding: report.txt (188 bytes security) (deflated 66%)
  adding: test.txt (188 bytes security) (deflated 79%)
  adding: test2.txt (188 bytes security) (stored 0%)
  adding: test3.txt (188 bytes security) (stored 0%)
  adding: test5.txt (188 bytes security) (stored 0%)
  adding: xfind.txt (188 bytes security) (deflated 73%)
  adding: backregs/90D8387D-1E19-4A4D-9E8B-13AAC7D6D48C.reg (188 bytes security) (deflated 70%)
  adding: backregs/shell.reg (188 bytes security) (deflated 73%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
deleting local copy: aycore.dll  
deleting local copy: biowsewm.dll  
deleting local copy: camsnap.dll  
deleting local copy: dMd8.dll  
deleting local copy: ehent97.dll  
deleting local copy: f0l0la3m1d.dll  
deleting local copy: icnathlp.dll  
deleting local copy: iess.dll  
deleting local copy: iifosoft.dll  
deleting local copy: k4800elmehqa0.dll  
deleting local copy: k644lghq164e.dll  
deleting local copy: kedlt.dll  
deleting local copy: kkdhela2.dll  
deleting local copy: KTDAL.DLL  
deleting local copy: l0j80a1ued.dll  
deleting local copy: lhtif11n.dll  
deleting local copy: lpcalsec.dll  
deleting local copy: mdcomput.dll  
deleting local copy: medmo.dll  
deleting local copy: owe2.dll  
deleting local copy: rTcpldlg.dll  
deleting local copy: t08u0al9edq.dll  
deleting local copy: guard.tmp  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aycore.dll
C:\WINDOWS\system32\biowsewm.dll
C:\WINDOWS\system32\camsnap.dll
C:\WINDOWS\system32\dMd8.dll
C:\WINDOWS\system32\ehent97.dll
C:\WINDOWS\system32\f0l0la3m1d.dll
C:\WINDOWS\system32\icnathlp.dll
C:\WINDOWS\system32\iess.dll
C:\WINDOWS\system32\iifosoft.dll
C:\WINDOWS\system32\k4800elmehqa0.dll
C:\WINDOWS\system32\k644lghq164e.dll
C:\WINDOWS\system32\kedlt.dll
C:\WINDOWS\system32\kkdhela2.dll
C:\WINDOWS\system32\KTDAL.DLL
C:\WINDOWS\system32\l0j80a1ued.dll
C:\WINDOWS\system32\lhtif11n.dll
C:\WINDOWS\system32\lpcalsec.dll
C:\WINDOWS\system32\mdcomput.dll
C:\WINDOWS\system32\medmo.dll
C:\WINDOWS\system32\owe2.dll
C:\WINDOWS\system32\rTcpldlg.dll
C:\WINDOWS\system32\t08u0al9edq.dll
C:\WINDOWS\system32\guard.tmp
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{90D8387D-1E19-4A4D-9E8B-13AAC7D6D48C}"=-
[-HKEY_CLASSES_ROOT\CLSID\{90D8387D-1E19-4A4D-9E8B-13AAC7D6D48C}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************



AND here's the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:39:49 AM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\qprsw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\pxmer.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\hgmx3jbu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CProgram%20Files%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\hgmx3jbu.slt\prefs.js)
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [w3oR3pj] qprsw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [h075RfH9V] pxmer.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = E:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe



Thanks!

JoeMac
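l2mfix takes the Winlogon\Notify key out of the Administrators group's reach during the fix, kills explorer and rundll32, and then prints an export of the key, because Look2Me keeps itself resident by registering one of its DLLs there as a Winlogon notification package: winlogon loads it at logon before the shell, so a plain delete fails and any copy you remove is re-dropped. The export above is the clean state after the fix. Note that several DllName values are stored as hex(2), which in a Version 5.00 .reg file is a REG_EXPAND_SZ in UTF-16LE bytes, so you cannot grep an export for a DLL name. The following is an added example, not part of this thread or of l2mfix, that decodes such an export and reports every Notify subkey whose DllName is not one of the five DLLs behind the nine subkeys shown above (crypt32.dll, cryptnet.dll, cscdll.dll, wlnotify.dll, sclgntfy.dll). That baseline is taken from this page, not a universal allow-list; the sample export is a constructed excerpt of two keys from the page plus an obviously synthetic rogue key named ExampleRogue pointing at example.dll.

```python
import re
from typing import Dict, List, Optional, Tuple

# Baseline taken from the export on this page (XP SP2).  Legitimate third-party
# software can register notification packages too, so a hit means "review".
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

NOTIFY_PREFIX = (
    "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
    "\\winlogon\\notify\\"
)

# Constructed sample: two keys copied from the export above plus a synthetic
# rogue entry (ExampleRogue / example.dll) that is NOT from the page.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleRogue]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):65,00,78,00,61,00,6d,00,70,00,6c,00,65,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"""


def _join_continuations(text: str) -> List[str]:
    """Rejoin .reg value lines that regedit wrapped with a trailing backslash."""
    out: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + line
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        out.append(line)
    return out


def decode_value(rhs: str) -> str:
    """Decode a .reg right-hand side: a quoted string or hex(2) UTF-16LE bytes."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return rhs[1:-1]
    m = re.match(r"hex\(2\):([0-9a-fA-F,]*)$", rhs)
    if m:
        raw = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    raise ValueError(f"unsupported value syntax: {rhs}")


def notify_dlls(export: str) -> Dict[str, str]:
    """Map each Winlogon\\Notify subkey name to its decoded DllName value."""
    result: Dict[str, str] = {}
    current: Optional[str] = None
    for line in _join_continuations(export):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(NOTIFY_PREFIX):] if key.lower().startswith(NOTIFY_PREFIX) else None
            continue
        if current is None or "=" not in line:
            continue
        name, _, rhs = line.partition("=")
        if name.strip('"').lower() == "dllname":
            result[current] = decode_value(rhs)
    return result


def rogue_notify_entries(export: str, baseline=BASELINE_DLLS) -> List[Tuple[str, str]]:
    """Subkeys whose DllName is not in the baseline, as (subkey, dll) pairs."""
    return [(k, d) for k, d in notify_dlls(export).items() if d.lower() not in baseline]


if __name__ == "__main__":
    for subkey, dll in rogue_notify_entries(SAMPLE_EXPORT):
        print(f"review: Notify\\{subkey} -> {dll}")
```

On a machine you are cleaning, resolve anything reported to a file on disk and check its location and signer before touching it; a subkey name and a DLL name alone are not proof, and a real notification package removed by mistake breaks logon.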

Offline guestolo

Another Desktop.exe victim
« Reply #6 on: March 20, 2005, 04:01:23 AM »
Download and save to desktop CleanUp.zip
(forum attachment: CleanUp.zip)
Unzip the contents to your desktop so you now have CleanUp.reg on your desktop


Again, print this out or save to a notepad file on your desktop

Open Hijackthis>>Open Misc tools section>>open Process Manager and kill these processes if still running and if you can
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\qprsw.exe
C:\WINDOWS\system32\pxmer.exe


Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [w3oR3pj] qprsw.exe

O4 - HKCU\..\Run: [h075RfH9V] pxmer.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Access your Add/Remove programs and remove if found
POP

Restart into safe mode

Find and delete these files or folders if found
C:\WINDOWS\system32\qprsw.exe <-file
C:\WINDOWS\system32\pxmer.exe <-file

C:\Program Files\AutoUpdate <-folder

Double click on CleanUp.reg and allow to merge to the registry

Restart back to Normal mode

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Under the Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

I would advise you to do an online virus scan at Panda's just to be safe
Temporarily disable McAfee's if you can
Could you run the online scan in this manner please
Go to this link
http://www.pandasoftware.com/activescan/co...n_principal.htm
Don't start it yet
Now, this is VERY IMPORTANT
Close out all unnecessary programs running in the background
including this window

Bring up the Task Manager(right click the bottom taskbar and select Task Manager)
End process on these if you can

explorer.exe <---this will cause all your Icons and taskbar to disappear

After that is done you will have only the Task Manager and the page from Panda's open
Click the SCAN MY PC button>>>This should bring up a pop up window from Panda's
Close down the IE page that I linked you to Panda's but keep their popup window open

Now you have Panda's popup window open and the Task Manager

Click the NEXT button>>If prompted at any time to install an Active X allow it
Supply an email address
Let it load the activex control and load the virus definitions

To start the scan ensure you select My Computer or My whole computer
Something like that

Let it completely finish scanning, don't use the computer at all

When the scan is done, you should have the option of saving a report
Can you post that back later

Next
In Task Manager click FILE at the top
Then Click NEW TASK (Run)
In the open field type in
"explorer.exe" without the quotes and then click OK

This should bring back up the Desktop Icons and Taskbar

Restart your computer afterwards

Come back to the forum and post a fresh hijackthis log from Normal mode and the results from Panda's


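The two Run entries ticked in the post above, [w3oR3pj] qprsw.exe and [h075RfH9V] pxmer.exe, share two features that no legitimate entry in the log has: the value name is a random string of mixed-case letters and digits, and the command is a bare file name with no path, so it is resolved through the search path (System32 here) rather than pointing at a fixed install location. As an added example that is not part of this thread or of HijackThis, the code below parses registry-backed O4 lines from an HJT 1.99 log and reports entries that show either feature. The sample is a constructed excerpt of O4 lines from the log above, and the "looks random" rule is a heuristic of my own (short name, has digits, mixed case, few vowels), not anything HijackThis computes.

```python
import re
from typing import List, NamedTuple

# Constructed sample: O4 lines copied from the HijackThis log above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [w3oR3pj] qprsw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [h075RfH9V] pxmer.exe
O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
"""

# Registry-backed O4 lines: "O4 - <hive>\..\Run<variant>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<subkey>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# First token that ends in a program extension, so unquoted paths with spaces survive.
_EXE_RE = re.compile(r"^(?P<p>.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)


class Finding(NamedTuple):
    line: str
    name: str
    exe: str
    reasons: List[str]


def executable_of(cmd: str) -> str:
    """Pull the program path out of a Run command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXE_RE.match(cmd)
    return m["p"] if m else cmd.split(" ", 1)[0]


def looks_random(name: str) -> bool:
    """Heuristic (assumption, not an HJT rule): generated-looking value names
    are short, mix digits with upper- and lower-case letters, and have few vowels."""
    letters = [c for c in name if c.isalpha()]
    if not letters or len(name) > 16:
        return False
    has_digit = any(c.isdigit() for c in name)
    mixed = any(c.islower() for c in letters) and any(c.isupper() for c in letters)
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    return has_digit and mixed and vowel_ratio < 0.35


def triage_o4(log: str) -> List[Finding]:
    """Return the registry-backed O4 entries that deserve a second look."""
    out: List[Finding] = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m["cmd"])
        reasons: List[str] = []
        if not re.search(r"[\\/:]", exe):
            reasons.append("bare file name: resolved through the search path, no fixed location")
        if looks_random(m["name"]):
            reasons.append("value name looks machine-generated")
        if reasons:
            out.append(Finding(line.strip(), m["name"], exe, reasons))
    return out


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_HJT):
        print(f"[{f.name}] {f.exe}: {'; '.join(f.reasons)}")
```

The third entry guestolo ticked, [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe", is caught by neither rule: it has a full path and a readable name. That one is a judgement call (no vendor name, a generic folder, a program the owner did not install), which is why the script narrows the list but does not replace reading it.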

Offline JoeMac

Another Desktop.exe victim
« Reply #7 on: March 20, 2005, 05:37:17 AM »
Here's the fresh hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:34:09 AM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
E:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\hgmx3jbu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CProgram%20Files%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\hgmx3jbu.slt\prefs.js)
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = E:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe



And here's the results from Panda:


Incident                      Status                        Location

Adware:Adware/eZula           No disinfected                Windows Registry
Spyware:Spyware/BetterInet    No disinfected                C:\WINDOWS\CERES.DLL
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\system32\q17i9a4j.exe
Adware:Adware/Hotbar          No disinfected                C:\Documents and Settings\Joe\Application Data\Hotbar
Adware:Adware/Apropos         No disinfected                C:\Program Files\cxtpls
Adware:Adware/DelFinMedia     No disinfected                C:\keys.ini
Adware:Adware/SideSearch      No disinfected                C:\Program Files\sep
Adware:Adware/IPInsight       No disinfected                C:\WINDOWS\inf\farmmext.inf
Adware:Adware/ISearch         No disinfected                C:\WINDOWS\deskbar.ini
Spyware:Spyware/Virtumonde    No disinfected                C:\WINDOWS\system32\Aklsp.dll
Adware:Adware/ESyndicate      No disinfected                Windows Registry
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[aycore.dll]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[biowsewm.dll]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[camsnap.dll]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[ehent97.dll]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[f0l0la3m1d.dll]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[icnathlp.dll]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[iess.dll]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[iifosoft.dll]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[k644lghq164e.dll]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[kkdhela2.dll]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[KTDAL.DLL]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[mdcomput.dll]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[medmo.dll]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[rTcpldlg.dll]
Adware:Adware/Apropos         No disinfected                C:\Program Files\CxtPls\ace.dll
Adware:Adware/Apropos         No disinfected                C:\Program Files\CxtPls\CxtPls.dll
Adware:Adware/Apropos         No disinfected                C:\Program Files\CxtPls\CxtPls.exe
Adware:Adware/Apropos         No disinfected                C:\Program Files\CxtPls\ProxyStub.dll
Adware:Adware/Apropos         No disinfected                C:\Program Files\CxtPls\uninstaller.exe
Adware:Adware/Apropos         No disinfected                C:\Program Files\CxtPls\WinGenerics.dll
Adware:Adware/Hotbar          No disinfected                C:\Program Files\hbinst\Hbinst.exe
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\70tovmto.exe
Spyware:Spyware/BetterInet    No disinfected                C:\WINDOWS\Buddy.exe
Spyware:Spyware/BetterInet    No disinfected                C:\WINDOWS\ceres.dll
Adware:Adware/ISearch         No disinfected                C:\WINDOWS\delprot.ini
Adware:Adware/Look2Me         No disinfected                C:\WINDOWS\iconu.exe
Adware:Adware/IPInsight       No disinfected                C:\WINDOWS\inf\farmmext.inf
Spyware:Spyware/BetterInet    No disinfected                C:\WINDOWS\inst\3p_1n.exe
Spyware:Spyware/Virtumonde    No disinfected                C:\WINDOWS\system32\aklsp.dll
Spyware:Spyware/Virtumonde    No disinfected                C:\WINDOWS\system32\akrules.dll
Spyware:Spyware/Virtumonde    No disinfected                C:\WINDOWS\system32\akupd.dll
Adware:Adware/Envolo          No disinfected                C:\WINDOWS\system32\auto_update_uninstall.exe
Spyware:Spyware/CouponAge     No disinfected                C:\WINDOWS\system32\docore.dll
Spyware:Spyware/CouponAge     No disinfected                C:\WINDOWS\system32\dolsp.dll
Spyware:Spyware/CouponAge     No disinfected                C:\WINDOWS\system32\dosync.dll
Adware:Adware/ExactSearch     No disinfected                C:\WINDOWS\system32\javex80.vxd[nvms.dll]
Adware:Adware/ExactSearch     No disinfected                C:\WINDOWS\system32\javex80.vxd[nls.exe]
Adware:Adware/eZula           No disinfected                C:\WINDOWS\system32\psis80ex.ax[mscb.dll]
Spyware:Spyware/BargainBuddy  No disinfected                C:\WINDOWS\system32\psis80ex.ax[cashback.exe]
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\system32\q17i9a4j.exe
Adware:Adware/Apropos         No disinfected                C:\WINDOWS\Temp\auf0.exe
Adware:Adware/Envolo          No disinfected                C:\WINDOWS\Temp\AutoUpdate0\setup.inf
Adware:Adware/Apropos         No disinfected                C:\WINDOWS\Temp\cxtpls_loader.exe
Virus:Trj/Multidropper.QW     Disinfected                   C:\WINDOWS\Temp\RAZR.exe
Adware:Adware/Apropos         No disinfected                C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0W5AHY6P\AproposClientInstaller[1].exe
Virus:Trj/Bhotcher.A          Disinfected                   C:\WINDOWS\Temp\WBCM_Installer.exe

Thanks!!

JoeMac
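A Panda ActiveScan report like the one above is the raw material for the deletion list a helper writes back. The script below, added here as an example and not part of the thread or of Panda's tooling, turns the report into a removal plan: it splits the three columns, drops entries Panda already disinfected, separates registry-only hits from files, collapses duplicates that differ only in case (CERES.DLL and ceres.dll are the same file on Windows), and, for bracketed entries such as javex80.vxd[nvms.dll], puts the container on the list rather than the member, because the bracketed string is not a path that exists on disk. The sample lines are copied from the report format above; the file-versus-folder split (a path with no extension is treated as a folder) is my heuristic.

```python
"""Turn a Panda ActiveScan report into a removal plan.
Added example, not part of the thread or of Panda's tooling."""
import ntpath
import re

NOT_FIXED = "No disinfected"   # status Panda uses for items it left in place

# Constructed excerpt in the report's layout (Incident, Status, Location),
# using entries that appear in the thread's report.
SAMPLE_REPORT = r"""
Incident                      Status                        Location
Adware:Adware/eZula           No disinfected                Windows Registry
Spyware:Spyware/BetterInet    No disinfected                C:\WINDOWS\CERES.DLL
Spyware:Spyware/BetterInet    No disinfected                C:\WINDOWS\ceres.dll
Adware:Adware/Hotbar          No disinfected                C:\Documents and Settings\Joe\Application Data\Hotbar
Adware:Adware/ExactSearch     No disinfected                C:\WINDOWS\system32\javex80.vxd[nvms.dll]
Adware:Adware/ExactSearch     No disinfected                C:\WINDOWS\system32\javex80.vxd[nls.exe]
Adware:Adware/Look2Me         No disinfected                C:\HijackThis\l2mfix\backup.zip[aycore.dll]
Virus:Trj/Multidropper.QW     Disinfected                   C:\WINDOWS\Temp\RAZR.exe
"""

# "container[member]" notation: an archive or blob with a flagged member inside
_MEMBER = re.compile(r"^(?P<container>.+?)\[(?P<member>[^\]]+)\]$")


def parse_report(text):
    """Yield (incident, status, location) tuples.

    Columns are separated by runs of two or more spaces, but the location may
    contain single spaces ("Documents and Settings"), so split at most twice.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident"):
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=2)
        if len(parts) == 3:
            yield tuple(parts)


def classify(text):
    """Group report entries by the action they need.

    files         - delete this path
    containers    - delete the archive/blob whose member was flagged
    folders       - remove the whole directory (heuristic: no file extension)
    registry      - nothing on disk; needs a registry fix (e.g. a .reg merge)
    already_fixed - Panda reports it disinfected these itself
    Paths are de-duplicated case-insensitively, as Windows treats them.
    """
    plan = {"files": [], "containers": [], "folders": [],
            "registry": [], "already_fixed": []}
    seen = set()
    for incident, status, location in parse_report(text):
        if status != NOT_FIXED:
            plan["already_fixed"].append(location)
            continue
        if location == "Windows Registry":
            plan["registry"].append(incident)
            continue
        m = _MEMBER.match(location)
        path = m.group("container") if m else location
        key = path.lower()
        if key in seen:
            continue
        seen.add(key)
        if m:
            plan["containers"].append(path)
        elif ntpath.splitext(path)[1]:
            plan["files"].append(path)
        else:
            plan["folders"].append(path)
    return plan


if __name__ == "__main__":
    for action, items in classify(SAMPLE_REPORT).items():
        for item in items:
            print("%-14s %s" % (action, item))
```

Two things the plan makes visible that are easy to miss when copying paths by hand: the report lists the same file twice in different case (CERES.DLL/ceres.dll, Aklsp.dll/aklsp.dll), and the fourteen Look2Me lines all point into one archive, C:\HijackThis\l2mfix\backup.zip, which by its name and location looks like a fix tool's own backup rather than live malware, but which will keep tripping the scanner until that one file is removed.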

guestolo
« Reply #8 on: March 20, 2005, 12:56:21 PM »
Let's try some final cleanup

Download and install this small program
to help clean your temp folders, cookies, prefetch folder, etc.:
Windows Cleanup
Install for now, don't run a scan yet

Download and Save to desktop Esynd.zip
UNZIP the contents so you now have Esynd.reg on your desktop
(attachment: Esynd.zip)

Print the rest of this or save it to a Notepad file

Access your Add/Remove programs and remove if found Esyndicate
Look for these ones and remove them too if found
TopText, TopText ILookup, HotText, or ContextPro

Restart into safe mode

Find and delete these files or folders if found
FILES
C:\WINDOWS\CERES.DLL
C:\WINDOWS\system32\q17i9a4j.exe
C:\keys.ini
C:\WINDOWS\inf\farmmext.inf
C:\WINDOWS\deskbar.ini
C:\WINDOWS\system32\Aklsp.dll
C:\WINDOWS\70tovmto.exe
C:\WINDOWS\Buddy.exe
C:\WINDOWS\delprot.ini
C:\WINDOWS\iconu.exe
C:\WINDOWS\inst\3p_1n.exe
C:\WINDOWS\system32\aklsp.dll
C:\WINDOWS\system32\akrules.dll
C:\WINDOWS\system32\akupd.dll
C:\WINDOWS\system32\auto_update_uninstall.exe
C:\WINDOWS\system32\docore.dll
C:\WINDOWS\system32\dolsp.dll
C:\WINDOWS\system32\dosync.dll
C:\WINDOWS\system32\javex80.vxd[nvms.dll]
C:\WINDOWS\system32\javex80.vxd[nls.exe]
C:\WINDOWS\system32\psis80ex.ax[mscb.dll]
C:\WINDOWS\system32\psis80ex.ax[cashback.exe]
C:\WINDOWS\system32\q17i9a4j.exe

FOLDERS
C:\Documents and Settings\Joe\Application Data\Hotbar
C:\Program Files\CxtPls
C:\Program Files\sep
C:\Program Files\hbinst
C:\Program Files\eZula

Double click on Esynd.reg and allow to merge to the registry

Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Restart back to Normal mode

Back in Windows
Can you please download and save to desktop this removal tool from Symantec:
FixAprop.exe

Run the tool>>It will scan your drive, let it fix what it finds,
Save the log when it's done, Restart your computer afterwards

back in Windows
Post back a fresh Hijackthis log and the log from FixAprop.exe

Could you also
Open Spybot>>Click on HELP>>ABOUT
Let me know Spybot version and Latest detection Update date

Open Ad-Aware
Click on Details in Initialization Status
Let me know Reference number and Internal Build
Thanks
« Last Edit: March 20, 2005, 12:57:07 PM by guestolo »



JoeMac
« Reply #9 on: March 20, 2005, 03:34:17 PM »
Here's some of the info you asked for:
Spybot - Search & Destroy 1.3, latest update 01/06/2005
Ad-Aware - Build 1.05; Definitions File SE1R33 16.03.2005

I ran what you suggested, but didn't end up w/a log from FixAprop.exe (don't know what I did wrong)...

Here's the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:09:46 PM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
E:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\hgmx3jbu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CProgram%20Files%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\hgmx3jbu.slt\prefs.js)
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = E:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe


Everything is running better - CPU usage is down in the single digits again!  Any suggestions on what to do to keep this from happening again...clearly McAfee AV & Firewall weren't enough!

Thanks again... :D

JoeMac
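As an added example (not code from this thread or from HijackThis), here is a small Python triage script for the O4 and O23 lines of a log like the one above. It flags what a log reader checks first: services marked "(file missing)" or "Unknown owner", startup shortcuts whose target resolved to "?", and executables living outside the usual program directories. The sample lines are constructed in the same format; the entry named "sample" and its path are invented for illustration.

```python
import re

# Constructed sample in the HijackThis O4/O23 format; the "sample" entry and its
# path are invented so that the directory check has something to flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\MCAGENT.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - HKLM\..\Run: [sample] C:\WINDOWS\oddsubdir\sample_entry.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE" /SERVICE (file missing)
"""

O4_RUN = re.compile(r"^O4 - (?P<loc>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?P<loc>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# First drive-letter path ending in an executable extension (".com" left out on
# purpose: it would truncate paths such as "McAfee.com\Agent\...").
PATH = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|scr|bat|cmd)\b", re.IGNORECASE)
# Directories (after the "X:\" drive prefix) where installed programs normally live.
TRUSTED_PREFIXES = ("program files\\", "progra~1\\", "windows\\system32\\", "windows\\system\\")

def parse_entry(line):
    """Return (section, name, owner_or_location, command) or None for other lines."""
    m = O4_RUN.match(line) or O4_STARTUP.match(line)
    if m:
        return "O4", m["name"], m["loc"], m["cmd"]
    m = O23_SERVICE.match(line)
    if m:
        return "O23", m["name"], m["owner"], m["cmd"]
    return None

def flags_for(section, owner, cmd):
    """Heuristic flags worth a second look; an empty list means 'looks ordinary'."""
    flags = []
    if "(file missing)" in cmd:
        flags.append("file missing")        # entry still points at a deleted binary
    if section == "O23" and owner == "Unknown owner":
        flags.append("unknown owner")       # no vendor recorded for the service
    if cmd.strip() == "?":
        flags.append("unresolved target")   # shortcut whose target could not be read
    m = PATH.search(cmd)
    if m and not m.group(0).lower()[3:].startswith(TRUSTED_PREFIXES):
        flags.append("outside standard program directories")
    return flags

def triage(log_text):
    """Parse every O4/O23 line into (section, name, command, flags)."""
    results = []
    for line in log_text.splitlines():
        parsed = parse_entry(line.strip())
        if parsed:
            section, name, owner, cmd = parsed
            results.append((section, name, cmd, flags_for(section, owner, cmd)))
    return results

def suspicious(log_text):
    """Only the flagged entries, keyed by their O4/O23 name."""
    return {name: flags for _, name, _, flags in triage(log_text) if flags}

if __name__ == "__main__":
    for name, flags in suspicious(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(flags)}")
```

Feed it a full HijackThis log and compare its output with the log by hand; the flags are prompts for a closer look, not a verdict.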

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Another Desktop.exe victim
« Reply #10 on: March 20, 2005, 04:38:32 PM »
You seem to be behind on updates for Spybot
You should
Search for updates, download all of them
Check for Problems and fix everything in RED

Restart your computer

If everything is running better

You should disable system restore---restart your computer---enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Both of the above don't run in the background
The next one I use does,
SpywareGuard  provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
Check for updates after installation
It won't, and doesn't have to update that much, but check for updates once a month

Stay safe Joe :D
