  1. #1
    Member
    Join Date
    Feb 2006
    Location
    Leek, Staffordshire
    Posts
    7
    Points
    0

    Bombarded with pop ups

    Hi. I've tried all the methods of curing my pc which you recommend.
    Running Pentium 3. Windows XP Pro. First of all I had browser hijacking, which doesn't seem as bad since I deleted a couple of obvious entries in the HijackThis log. On start up I get the message "vc main.exe:application error. The application has failed to initialise properly (0xc000135)".
    No Coolwebsearch detected and all registry items and files detected are deleted only to reappear again! Main problem now is bombardment of pop ups and web sites.

    My HijackThis log is as follows. Please help, I am finding this very distressing!

    Logfile of HijackThis v1.99.1
    Scan saved at 13:02:54, on 14/02/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
    C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\windows\winsysban8.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [winlog] winlog.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E22D739-BECF-4CD5-AA98-96266FE0CADE}: NameServer = 80.225.252.50 80.225.252.58
    O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\lv0809due.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe



    Thanks

  2. #2
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335


    Hi

    Disconnect from the internet. Close ALL browser windows (including this one), run HijackThis and tick (check the box next to) the entries in the list below. When all are ticked (checked), click the Fix Checked button at the bottom:


    O4 - HKLM\..\Run: [winlog] winlog.exe

    O4 - HKLM\..\RunServices: [winlog] winlog.exe


    REBOOT...

    However this is not causing the pop-ups, you have a VX2 L2M infection causing them....

    I need you to follow these instructions to rectify this, and then I will need you to run ewido for another infection...

    But first L2M...

    Download http://www.downloads.subratam.org/l2mfix.exe by ShadowWar.

    1. Save the file to your desktop

    2. Double click l2mfix.exe

    3. Click the Install button to extract the files and follow the prompts

    4. Open the newly added l2mfix folder on your desktop

    5. Double click l2mfix.bat

    6. Select option #1 for Run Find Log by typing 1 and then pressing enter

    7. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

    8. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
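As an added illustration (not part of this thread, and not steamwiz's, HijackThis's or L2MFix's own code), the script below applies the reasoning behind the advice above to a HijackThis log: a Run or RunServices entry that names a bare file such as winlog.exe with no path is resolved by a PATH search at logon rather than from a fixed location, and an O20 Winlogon Notify package whose DLL is not one of the standard XP notify DLLs is worth a closer look. The sample lines are a subset copied from the log in post #1; the heuristics, the small whitelist of notify DLLs (the five standard ones that show up in the L2MFix output later in the thread) and the function names are assumptions made for the example.

```python
import ntpath
import re

# Constructed sample: a handful of lines copied from the HijackThis log in
# post #1, with one benign RUNDLL32 entry kept to show it is not flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\lv0809due.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# Assumed whitelist: the standard Winlogon Notify DLLs of a clean XP SP2
# install (the names the L2MFix log in this thread shows under Notify).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

# HijackThis line shapes for Run-key entries and Winlogon Notify packages.
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")


def command_executable(cmd):
    """Return the program a Run-key command line launches, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def rundll32_payload(cmd):
    """For 'RUNDLL32.EXE path\\x.dll,Entry' return the DLL path, else None.

    rundll32 itself is legitimately referenced by bare name, so the thing to
    inspect is the DLL it is asked to load, not rundll32.
    """
    parts = cmd.strip().split(None, 1)
    if len(parts) == 2 and ntpath.basename(parts[0]).lower() == "rundll32.exe":
        return parts[1].split(",", 1)[0].strip('"')
    return None


def is_bare_filename(path):
    """True when the entry names a file with no directory component, so it is
    located by a PATH search at logon instead of from a fixed location."""
    return ntpath.dirname(path) == ""


def triage_line(line):
    """Return (entry_type, label, reason) for a line worth reviewing, else None."""
    m = O4_RE.match(line)
    if m:
        key, label, cmd = m.group("key"), m.group("label"), m.group("cmd")
        target = rundll32_payload(cmd) or command_executable(cmd)
        if key.endswith("RunServices"):
            return ("O4", label,
                    "RunServices is a Win9x-era key; entries here on XP deserve scrutiny")
        if is_bare_filename(target):
            return ("O4", label,
                    "launches %r by PATH search, not from an explicit location" % target)
        return None
    m = O20_RE.match(line)
    if m:
        dll = ntpath.basename(m.group("dll")).lower()
        if dll not in KNOWN_NOTIFY_DLLS:
            return ("O20", m.group("name"),
                    "Winlogon Notify DLL %s is not a standard XP notify package" % dll)
    return None


def triage(log_text):
    """Run triage_line over every line of a HijackThis log; skip clean lines."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for entry_type, label, reason in triage(SAMPLE_LOG):
        print("%s [%s]: %s" % (entry_type, label, reason))
```

Run against the sample it reports both winlog entries and the App Paths notify package, and stays quiet about the NvCplDaemon, AVG, QuickTime and service lines. The heuristics are deliberately conservative: they point at entries to verify by hand, exactly as the fix list above was produced, rather than declaring anything malicious on their own.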

  3. #3
    Member
    Join Date
    Feb 2006
    Location
    Leek, Staffordshire
    Posts
    7
    Points
    0


    Thanks Steam.
    Here's the log:

    L2MFIX find log 010406
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\f02mlaf11d2.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{A95DD376-1B43-1DE5-2D70-8808DD3E10B4}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Scripting Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Merge Shell Folder"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Microsoft SearchBand"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"=""
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"=""
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
    "{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
    "{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
    "{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
    "{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
    "{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
    "{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
    "{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
    "{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
    "{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Default Image Extrator for Properties"
    "{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
    "{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
    "{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
    "{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
    "{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
    "{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
    "{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
    "{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
    "{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
    "{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
    "{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
    "{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
    "{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
    "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
    "{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
    "{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
    "{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
    "{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
    "{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
    "{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
    "{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
    "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
    "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
    "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
    "{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}"="MediaFace extension"
    "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
    "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
    "{2CCDE150-8E6B-4B3E-9734-B0915EF07413}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}]
    @="Compressed Folder Right Drag Handler"

    [HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}\InProcServer32]
    @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
    00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,7a,00,69,00,\
    70,00,66,00,6c,00,64,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
    @="Compressed Folder SendTo Target"
    "FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
    00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
    32,00,5c,00,7a,00,69,00,70,00,66,00,6c,00,64,00,72,00,2e,00,64,00,6c,00,6c,\
    00,2c,00,2d,00,31,00,30,00,32,00,32,00,36,00,00,00
    "NeverShowExt"=""
    "NoOpen"="Drag Files onto this icon to compress them."
    "EditFlags"=dword:00000001

    [HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\DefaultIcon]
    @="C:\\WINDOWS\\SYSTEM32\\ZIPFLDR.DLL"

    [HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\InProcServer32]
    @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
    00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,7a,00,69,00,\
    70,00,66,00,6c,00,64,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\ShellEx]

    [HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\ShellEx\DropHandler]
    @="{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{2CCDE150-8E6B-4B3E-9734-B0915EF07413}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2CCDE150-8E6B-4B3E-9734-B0915EF07413}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2CCDE150-8E6B-4B3E-9734-B0915EF07413}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2CCDE150-8E6B-4B3E-9734-B0915EF07413}\InprocServer32]
    @="C:\\WINDOWS\\system32\\uvib.dll"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    shdocvw.dll Thu 1 Dec 2005 3:59:30 A.... 1,492,480 1.42 M
    dpu11.dll Mon 9 Jan 2006 19:32:02 A.... 294,912 288.00 K
    mshtml.dll Thu 24 Nov 2005 1:06:34 A.... 3,015,680 2.88 M
    browseui.dll Thu 24 Nov 2005 1:06:34 A.... 1,022,464 998.50 K
    sdnsapi.dll Tue 14 Feb 2006 0:05:42 ..S.R 236,138 230.60 K
    wedmtpdr.dll Mon 13 Feb 2006 15:27:26 ..S.R 234,272 228.78 K
    gdi32.dll Thu 29 Dec 2005 2:54:36 A.... 280,064 273.50 K
    dpus11.dll Mon 9 Jan 2006 19:32:02 A.... 339,968 332.00 K
    dpv11.dll Mon 9 Jan 2006 19:32:02 A.... 57,344 56.00 K
    webclnt.dll Wed 4 Jan 2006 3:35:06 A.... 68,096 66.50 K
    dpl100.dll Mon 9 Jan 2006 19:32:02 A.... 86,016 84.00 K
    dtu100.dll Mon 9 Jan 2006 19:32:02 A.... 200,704 196.00 K
    dpu10.dll Mon 9 Jan 2006 19:32:02 A.... 294,912 288.00 K
    px.dll Thu 17 Nov 2005 16:19:32 ..... 372,736 364.00 K
    pxmas.dll Thu 17 Nov 2005 16:19:32 ..... 172,032 168.00 K
    pxwave.dll Thu 17 Nov 2005 16:19:30 ..... 339,968 332.00 K
    vxblock.dll Thu 17 Nov 2005 16:19:30 ..... 28,672 28.00 K
    dpugui11.dll Mon 9 Jan 2006 19:32:02 A.... 593,920 580.00 K
    pxdrv.dll Thu 17 Nov 2005 16:19:32 ..... 421,888 412.00 K
    divx.dll Thu 26 Jan 2006 18:36:02 ..... 574,976 561.50 K
    huffyuv.dll Fri 10 Feb 2006 23:00:24 A.... 33,280 32.50 K
    avisynth.dll Fri 10 Feb 2006 23:01:58 A.... 196,608 192.00 K
    divx_x~1.dll Thu 26 Jan 2006 18:36:00 A.... 679,936 664.00 K
    divx_x~2.dll Thu 26 Jan 2006 18:36:00 A.... 679,936 664.00 K
    divx_x~3.dll Thu 26 Jan 2006 18:36:00 A.... 663,552 648.00 K
    bszip.dll Sun 12 Feb 2006 21:30:22 A.... 62,464 61.00 K
    divxwm~1.dll Tue 24 Jan 2006 18:08:30 A.... 12,288 12.00 K
    divxc32.dll Fri 10 Feb 2006 23:00:30 A.... 414,272 404.56 K
    divxc32f.dll Fri 10 Feb 2006 23:00:30 A.... 414,272 404.56 K
    uvib.dll Wed 15 Feb 2006 0:50:30 ..S.R 234,272 228.78 K
    wmp.dll Tue 6 Dec 2005 6:02:16 A.... 5,533,696 5.28 M
    f02mla~1.dll Wed 15 Feb 2006 0:30:20 ..S.R 234,272 228.78 K
    legitc~1.dll Thu 12 Jan 2006 11:32:12 A.... 543,496 530.76 K
    f40o0e~1.dll Wed 15 Feb 2006 0:49:14 ..S.R 236,138 230.60 K

    34 items found: 34 files (5 H/S), 0 directories.
    Total of file sizes: 20,065,724 bytes 19.13 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C is BOOT
    Volume Serial Number is 3C6D-15E1

    Directory of C:\WINDOWS\System32

    15/02/2006 00:50 234,272 uvib.dll
    15/02/2006 00:49 236,138 f40o0ed3eh0.dll
    15/02/2006 00:30 234,272 f02mlaf11d2.dll
    14/02/2006 00:05 236,138 sdnsapi.dll
    13/02/2006 15:27 234,272 wedmtpdr.dll
    04/08/2004 08:56 175,104 winlog.exe
    25/03/2004 18:00 Microsoft
    25/03/2004 17:20 dllcache
    6 File(s) 1,350,196 bytes
    2 Dir(s) 10,260,807,680 bytes free

  4. #4
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    Close any programs you have open since this step requires a reboot.

    1. From the l2mfix folder on your desktop, double click l2mfix.bat

    2. Select option #2 for Run Fix by typing 2 and then pressing enter

    3. Press any key to reboot your computer.

    4. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.

    5. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!


    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  5. #5
    Member
    Join Date
    Feb 2006
    Location
    Leek, Staffordshire
    Posts
    7
    Points
    0

    Default

    Thanks again Steam

    The l2mfix log is as follows:

    L2mfix 010406
    Creating Account.
    The command completed successfully.

    Adding Administrative privleges.
    The command completed successfully.
    Checking for L2MFix account(0=no 1=yes):
    1
    Granting SeDebugPrivilege to L2MFIX ... successful

    Running From:
    C:\WINDOWS\system32

    Killing Processes!

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 332 'smss.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 412 'winlogon.exe'
    Killing PID 412 'winlogon.exe'
    Killing PID 412 'winlogon.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1292 'explorer.exe'
    Killing PID 1292 'explorer.exe'
    Killing PID 1292 'explorer.exe'
    Killing PID 1292 'explorer.exe'
    Killing PID 1292 'explorer.exe'
    Killing PID 1292 'explorer.exe'
    Killing PID 1292 'explorer.exe'
    Killing PID 1292 'explorer.exe'
    Killing PID 1292 'explorer.exe'
    Killing PID 1292 'explorer.exe'
    Killing PID 1292 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 952 'rundll32.exe'
    Killing PID 952 'rundll32.exe'
    Killing PID 952 'rundll32.exe'
    Killing PID 2020 'rundll32.exe'
    Killing PID 2020 'rundll32.exe'
    Killing PID 2020 'rundll32.exe'
    Restoring Sedebugprivilege:
    Granting SeDebugPrivilege to Administrators ... successful

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    1 file(s) copied.
    1 file(s) copied.
    1 file(s) copied.
    1 file(s) copied.
    1 file(s) copied.
    Deleting: C:\WINDOWS\system32\Cpmm32.dll
    Successfully Deleted: C:\WINDOWS\system32\Cpmm32.dll
    Deleting: C:\WINDOWS\system32\f40o0ed3eh0.dll
    Successfully Deleted: C:\WINDOWS\system32\f40o0ed3eh0.dll
    Deleting: C:\WINDOWS\system32\p66slgj716o.dll
    Successfully Deleted: C:\WINDOWS\system32\p66slgj716o.dll
    Deleting: C:\WINDOWS\system32\sdnsapi.dll
    Successfully Deleted: C:\WINDOWS\system32\sdnsapi.dll
    Deleting: C:\WINDOWS\system32\wedmtpdr.dll
    Successfully Deleted: C:\WINDOWS\system32\wedmtpdr.dll

    msg11?.dll
    0 file(s) copied.
    Desktop.ini sucessfully removed




    Restoring Windows Update Certificates.:

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\f40o0ed3eh0.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    The following are the files found:
    ****************************************************************************
    C:\WINDOWS\system32\Cpmm32.dll
    C:\WINDOWS\system32\f40o0ed3eh0.dll
    C:\WINDOWS\system32\p66slgj716o.dll
    C:\WINDOWS\system32\sdnsapi.dll
    C:\WINDOWS\system32\wedmtpdr.dll

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}]
    @="Compressed Folder Right Drag Handler"

    [HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}\InProcServer32]
    @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
    00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,7a,00,69,00,\
    70,00,66,00,6c,00,64,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
    @="Compressed Folder SendTo Target"
    "FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
    00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
    32,00,5c,00,7a,00,69,00,70,00,66,00,6c,00,64,00,72,00,2e,00,64,00,6c,00,6c,\
    00,2c,00,2d,00,31,00,30,00,32,00,32,00,36,00,00,00
    "NeverShowExt"=""
    "NoOpen"="Drag Files onto this icon to compress them."
    "EditFlags"=dword:00000001

    [HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\DefaultIcon]
    @="C:\\WINDOWS\\SYSTEM32\\ZIPFLDR.DLL"

    [HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\InProcServer32]
    @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
    00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,7a,00,69,00,\
    70,00,66,00,6c,00,64,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\ShellEx]

    [HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\ShellEx\DropHandler]
    @="{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{2CCDE150-8E6B-4B3E-9734-B0915EF07413}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2CCDE150-8E6B-4B3E-9734-B0915EF07413}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2CCDE150-8E6B-4B3E-9734-B0915EF07413}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2CCDE150-8E6B-4B3E-9734-B0915EF07413}\InprocServer32]
    @="C:\\WINDOWS\\system32\\Cpmm32.dll"
    "ThreadingModel"="Apartment"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{BD472F60-27FA-11cf-B8B4-444553540000}"=-
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"=-
    "{2CCDE150-8E6B-4B3E-9734-B0915EF07413}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}]
    [-HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}]
    [-HKEY_CLASSES_ROOT\CLSID\{2CCDE150-8E6B-4B3E-9734-B0915EF07413}]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1"=""
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    ****************************************************************************
    Checking for L2MFix account(0=no 1=yes):
    0
    Zipping up files for submission:
    adding: dlls/Cpmm32.dll (deflated 5%)
    adding: dlls/f40o0ed3eh0.dll (deflated 5%)
    adding: dlls/p66slgj716o.dll (deflated 4%)
    adding: dlls/sdnsapi.dll (deflated 5%)
    adding: dlls/wedmtpdr.dll (deflated 4%)
    adding: backregs/notibac.reg (deflated 87%)
    adding: backregs/shell.reg (deflated 74%)
    adding: backregs/BD472F60-27FA-11cf-B8B4-444553540000.reg (deflated 64%)
    adding: backregs/888DCA60-FC0A-11CF-8F0F-00C04FD7D062.reg (deflated 75%)
    adding: backregs/2CCDE150-8E6B-4B3E-9734-B0915EF07413.reg (deflated 70%)

    HijackThis log is as follows:
    Logfile of HijackThis v1.99.1
    Scan saved at 19:10:01, on 15/02/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E22D739-BECF-4CD5-AA98-96266FE0CADE}: NameServer = 80.225.252.50 80.225.252.58
    O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\f40o0ed3eh0.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
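
    The l2mfix export above shows the persistence mechanism: every stock Winlogon notification package (cscdll, ScCertProp, Schedule, ...) registers by bare file name, while the "WindowsUpdate" subkey loads a randomly named DLL from system32 by absolute path, and HijackThis later reports the same subkey as O20 with "(file missing)" once the file has been removed but the key has not. As an added example (not l2mfix, HijackThis or anything posted in this thread), the Python below parses such a .reg export and HijackThis O20 lines and flags that entry; the allowlist of stock notification DLLs and the sample excerpt are constructed from the subkeys visible in this thread.

```python
"""Added example (not l2mfix or HijackThis code): flag a Look2Me-style Winlogon Notify
hijack in a 'Windows Registry Editor 5.00' export and in HijackThis O20 lines."""
import re

# Stock Windows XP notification packages, taken from the legitimate subkeys in the
# l2mfix export above. Constructed allowlist for this example; extend per Windows build.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\"
                 "CurrentVersion\\Winlogon\\Notify\\")

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - "
                    r"(?P<dll>.+?)(?P<missing> \(file missing\))?$")


def decode_hex2(hex_bytes: str) -> str:
    """Decode a REG_EXPAND_SZ exported as hex(2):xx,xx,... (UTF-16LE, NUL-terminated)."""
    raw = bytes(int(b, 16) for b in hex_bytes.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg_export(text: str) -> dict:
    """Return {key path: {value name: value}}. Long hex values are wrapped with a
    trailing backslash in .reg files, so continuation lines are rejoined first."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, val = line.partition("=")
            name = name.strip().strip('"')
            if val.startswith("hex(2):"):
                val = decode_hex2(val[len("hex(2):"):])
            elif val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace("\\\\", "\\")  # un-escape REG_SZ backslashes
            keys[current][name] = val
    return keys


def suspicious_notify_entries(keys: dict) -> list:
    """Flag Notify subkeys whose DllName is not a stock package. Legitimate XP packages
    register by bare file name (resolved from system32); the Look2Me entry registered
    a randomly named DLL by absolute path."""
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            continue  # subkey without a package value
        reasons = []
        if "\\" in dll:
            reasons.append("absolute path")
        if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
            reasons.append("unknown package")
        if reasons:
            findings.append((path[len(NOTIFY_PREFIX):], dll, reasons))
    return findings


def parse_hjt_o20(log: str) -> list:
    """Return (subkey name, dll path, file_missing) for each HijackThis O20 line.
    '(file missing)' after a clean-up means the registry entry still dangles."""
    hits = []
    for line in log.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            hits.append((m["name"], m["dll"], m["missing"] is not None))
    return hits


# Constructed excerpt modelled on the export above: two stock subkeys plus the hijacked one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f40o0ed3eh0.dll"
"Logon"="WinLogon"
"""

# Constructed HijackThis lines matching the post-fix log above.
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\f40o0ed3eh0.dll (file missing)
"""

if __name__ == "__main__":
    print(suspicious_notify_entries(parse_reg_export(SAMPLE_REG)))
    print(parse_hjt_o20(SAMPLE_HJT))
```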

  6. #6
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    Looking good

    Download ewido security suite, then install, update and run it.

    Please set up as :-

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on update in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display "Update successful")

    5. You may need to manually update the definitions which you can get HERE

    6. Exit Ewido. DO NOT scan yet.

    Boot into safe mode... and scan with Ewido

    7. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

    8. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

    9. Once the ewido scan has completed, there will be a button located on the bottom of the screen called Save report.

    Important - You need to click "Save report" and save it to your desktop, or you won't have a log.

    Reboot.

    Post a new HijackThis log + the ewido log.

    cheers

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  7. #7
    Member
    Join Date
    Feb 2006
    Location
    Leek, Staffordshire
    Posts
    7
    Points
    0

    Default

    Hi Steam

    Fingers crossed, everything is looking considerably healthier!
    New HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 22:59:05, on 15/02/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E22D739-BECF-4CD5-AA98-96266FE0CADE}: NameServer = 80.225.252.50 80.225.252.58
    O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\f40o0ed3eh0.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

    Ewido log:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 22:45:26, 15/02/2006
    + Report-Checksum: B82A7E39

    + Scan result:

    C:\Documents and Settings\default\Desktop\l2mfix\dlls\Cpmm32.dll -> Adware.Look2Me : Ignored
    C:\Documents and Settings\default\Desktop\l2mfix\dlls\f40o0ed3eh0.dll -> Adware.Look2Me : Ignored
    C:\Documents and Settings\default\Desktop\l2mfix\dlls\p66slgj716o.dll -> Adware.Look2Me : Ignored
    C:\Documents and Settings\default\Desktop\l2mfix\dlls\sdnsapi.dll -> Adware.Look2Me : Ignored
    C:\Documents and Settings\default\Desktop\l2mfix\dlls\wedmtpdr.dll -> Adware.Look2Me : Ignored
    C:\Documents and Settings\default\Desktop\l2mfix\backup.zip/dlls/Cpmm32.dll -> Adware.Look2Me : Ignored
    C:\Documents and Settings\default\Desktop\l2mfix\backup.zip/dlls/f40o0ed3eh0.dll -> Adware.Look2Me : Ignored
    C:\Documents and Settings\default\Desktop\l2mfix\backup.zip/dlls/p66slgj716o.dll -> Adware.Look2Me : Ignored
    C:\Documents and Settings\default\Desktop\l2mfix\backup.zip/dlls/sdnsapi.dll -> Adware.Look2Me : Ignored
    C:\Documents and Settings\default\Desktop\l2mfix\backup.zip/dlls/wedmtpdr.dll -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP581\A0087615.dll -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP581\A0087619.exe -> Adware.Maxifiles : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP581\A0087623.dll -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP580\A0087598.exe -> Adware.Maxifiles : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP582\A0087670.dll -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP582\A0087679.dll -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP582\A0087683.exe -> Adware.Maxifiles : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP582\A0087692.DLL -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087726.exe -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP586\A0087839.dll -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP586\A0087842.dll -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP586\A0087855.dll -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP586\A0087856.dll -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP586\A0087876.dll -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP586\A0087892.dll -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP586\A0087898.dll -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP586\A0087899.dll -> Adware.Look2Me : Ignored
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP586\A0087900.dll -> Adware.Look2Me : Ignored
    HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
    HKU\S-1-5-21-2025429265-920026266-854245398-1003\Software\DNS -> Adware.Shorty : Cleaned with backup
    HKU\S-1-5-21-2025429265-920026266-854245398-1003\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
    HKU\S-1-5-21-2025429265-920026266-854245398-1003\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup
    HKU\S-1-5-21-2025429265-920026266-854245398-1003\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup
    C:\WINDOWS\SYSTEM32\winlog.exe -> Backdoor.Rbot : Cleaned with backup
    C:\WINDOWS\TEMP\Cookies\default@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\WINDOWS\TEMP\Cookies\default@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\WINDOWS\TEMP\Cookies\default@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\WINDOWS\TEMP\Cookies\default@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\WINDOWS\TEMP\Cookies\default@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\WINDOWS\winsysupd8.exe -> Hijacker.StartPage.ahg : Cleaned with backup
    C:\WINDOWS\winsysban8.exe -> Hijacker.VB.lg : Cleaned with backup
    C:\WINDOWS\gimmygames.exe -> Downloader.VB.wd : Cleaned with backup
    C:\Program Files\Common Files\InetGet\mc-110-12-0000137.exe -> Dropper.Agent.aac : Cleaned with backup
    C:\Program Files\Toolbar888\ToolBar888.dll -> Adware.Softomate : Cleaned with backup
    C:\Downloads\CinemaTycoonSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\Downloads\MysteryCaseFilesSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\Downloads\MysteryCaseFilesSetup-dm[2].exe -> Adware.Trymedia : Cleaned with backup
    C:\Downloads\zoovetSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
    C:\drsmartload1.exe -> Downloader.VB.wr : Cleaned with backup
    C:\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Error during cleaning
    C:\ucmoreiex.exe/IUCMORE.DLL -> Adware.Ucmore : Error during cleaning
    C:\gimmygames.exe -> Downloader.VB.wd : Cleaned with backup
    C:\Documents and Settings\default\Local Settings\Temp\Cookies\default@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\Documents and Settings\default\Local Settings\Temp\Cookies\default@com[2].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\default\Local Settings\Temp\Cookies\default@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\Documents and Settings\default\Local Settings\Temp\Cookies\default@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\default\Local Settings\Temp\Cookies\default@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wfligmcpelo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@www.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@h.starware[3].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wfmigoajiko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wjlysgcpwao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wjkyemdjehp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wfkikicpkeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wjl4epczoeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wfkiakd5abo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wfkiuoc5seq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@com[2].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@burstnet[3].txt -> TrackingCookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wflowkazgcp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wjmyqkdpihq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wjmigkd5oeq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@server3.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wfkishd5sco.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wfkyqndzkfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wfkikkc5sfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wgkiagdzggo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wfkyspazcbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wjnyomczmbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wfkiqgdzgap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wfmywgczeao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wfkoqgazcko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@e-2dj6wfk4snczwcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\default\Cookies\default@com[3].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wfligmcpelo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@estat[1].txt -> TrackingCookie.Estat : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@www.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@com[2].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@burstnet[3].txt -> TrackingCookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjk4shajadp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjmiuncjikp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wfmyqhd5meo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjkysmdzaho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjmikld5cbq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wfkyclc5idq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjkyunc5ifo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjl4skcjwdo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wfkywjdzslo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjmigjdjagq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wfk4qicpgbo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wfmiegd5seq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjk4cmczcdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjk4oidjelo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjk4okajshq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wfkoegajcep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjliekd5mlo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjlogmazidq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjk4omdjaco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wjmiagc5oeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\NetworkService\Cookies\default@e-2dj6wfkighcjogp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP582\snapshot\MFEX-1.DAT -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP582\A0087669.srg -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP582\A0087674.exe -> Adware.Maxifiles : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087697.exe -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087698.exe -> Adware.Maxifiles : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087704.dll -> Adware.Ucmore : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087706.dll -> Adware.Ucmore : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087708.exe -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087709.dll -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087710.vxd -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087711.exe -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087712.dll -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087713.exe -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087715.exe -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087717.srg -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087718.exe -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087719.exe -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087720.exe -> Adware.BargainBuddy : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP584\A0087727.exe -> Dropper.Agent.aac : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP586\A0087869.dll -> Adware.Look2Me : Cleaned with backup
    C:\System Volume Information\_restore{4F7B34FC-D27F-4A58-AAFA-FDD05E5B60C0}\RP586\A0087885.dll -> Adware.Look2Me : Cleaned with backup


    ::Report End



    I am getting a message at startup saying I have changed the configuration to just use the checked list of startup items instead of loading everything - is this correct, or should I change it back to loading everything?


    Thanks

    Chebes

  8. #8
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    Boot to safe mode ... run ewido .. and this time let it remove ALL it finds

    while in safe mode run hijackthis and tick this line :-

    O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\f40o0ed3eh0.dll (file missing)


    click "fix checked"

    reboot to normal mode...

    delete the l2mfix from your desktop

    Purge your system restore folder... like this ...

    This will clear all your infected restore points...

    Turn off (Disable) System Restore in XP :-

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer.

    Then...

    Turn on (enable) System Restore :-

    Follow the same procedure, but this time uncheck Turn off System Restore

    if you have any problem with this... here's a link to instructions :-


    Disabling or enabling Windows XP System Restore >

    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

    --

    I am getting a message at startup saying I have changed the configuration to just use the checked list of startup items instead of loading everything - is this correct, or should I change it back to loading everything?
    It's telling you that you are running in selective startup?

    This is because you have items unticked in msconfig ... nothing wrong with this .. I always run in selective startup myself.

    However items unticked in msconfig will not show in hijackthis, and there may be malware startups which could be removed...

    So ... make a list of all you have ticked/unticked (so that you can refer to it later) then tick everything ... reboot, run hijackthis and post a new log.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
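    The reply above acts on two reports: the ewido scan (entries left "Ignored", and entries inside System Restore snapshots that the restore-point purge discards) and the HijackThis O20 Winlogon Notify line pointing at a DLL that no longer exists. The following triage script is an added example, not code from the thread or from either tool; EWIDO_SAMPLE and HJT_SAMPLE are constructed lines mirroring entries quoted in the posts, and {RESTORE-GUID} is a placeholder for the per-machine GUID in real System Volume Information paths.

```python
"""Triage helper for the two report formats quoted in this thread: an ewido
scan report ('path -> Detection : Status') and a HijackThis log ('O20 - ...').
Added example, not part of the thread or of either tool; the sample lines are
constructed to mirror entries quoted in the posts above."""
import re
from collections import Counter

# Constructed ewido report lines; {RESTORE-GUID} stands in for the real GUID.
EWIDO_SAMPLE = r"""
C:\Documents and Settings\default\Desktop\l2mfix\dlls\sdnsapi.dll -> Adware.Look2Me : Ignored
C:\System Volume Information\_restore{RESTORE-GUID}\RP581\A0087615.dll -> Adware.Look2Me : Ignored
C:\System Volume Information\_restore{RESTORE-GUID}\RP581\A0087619.exe -> Adware.Maxifiles : Ignored
C:\WINDOWS\SYSTEM32\winlog.exe -> Backdoor.Rbot : Cleaned with backup
C:\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Error during cleaning
C:\System Volume Information\_restore{RESTORE-GUID}\RP584\A0087697.exe -> Adware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
::Report End
"""

# Constructed HijackThis excerpt: the stale Winlogon Notify entry from the
# thread beside a benign-looking one (igfxcui, Intel graphics) for contrast.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\f40o0ed3eh0.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

EWIDO_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<status>.+)$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_ewido(text):
    """Return one dict per report line of the form 'path -> Name : Status'."""
    items = []
    for line in text.splitlines():
        m = EWIDO_RE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items


def ewido_summary(items):
    """Counts per status, plus the groups the reply acts on: 'Ignored' entries
    (still present, so the scan is rerun with removal allowed) and entries in
    System Restore snapshots, which toggling System Restore off and on discards."""
    in_restore = [i for i in items if "\\System Volume Information\\" in i["path"]]
    return {
        "counts": dict(Counter(i["status"] for i in items)),
        "ignored": [i for i in items if i["status"] == "Ignored"],
        "in_restore_points": in_restore,
        "registry": [i for i in items if i["path"].startswith(("HKLM\\", "HKU\\", "HKCU\\"))],
    }


def hjt_winlogon_notify_issues(text):
    """Flag O20 Winlogon Notify entries worth reviewing: winlogon loads each
    listed DLL at logon, so a key left behind after its DLL was deleted keeps
    failing until the key itself is removed (HijackThis 'fix checked')."""
    issues = []
    for line in text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        base = path.rsplit("\\", 1)[-1]
        reasons = []
        if m.group("missing"):
            reasons.append("file missing")
        if sum(ch.isdigit() for ch in base) >= 3:
            reasons.append("random-looking filename")  # Look2Me-style names
        if "\\" in path and not path.rsplit("\\", 1)[0].lower().endswith("\\system32"):
            reasons.append("outside system32")
        if reasons:
            issues.append({"name": m.group("name"), "path": path, "reasons": reasons})
    return issues


if __name__ == "__main__":
    summary = ewido_summary(parse_ewido(EWIDO_SAMPLE))
    print("ewido status counts:", summary["counts"])
    print("entries still in restore points:", len(summary["in_restore_points"]))
    for issue in hjt_winlogon_notify_issues(HJT_SAMPLE):
        print("O20 review:", issue["name"], issue["path"], issue["reasons"])
```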

  9. #9
    Member
    Join Date
    Feb 2006
    Location
    Leek, Staffordshire
    Posts
    7
    Points
    0

    Default

    Hi Steam

    Deleted everything showing up on ewido scan, deleted item you mentioned on Hijackthis. Started up on full startup mode and this is the latest Hijackthis log:-

    Logfile of HijackThis v1.99.1
    Scan saved at 15:45:58, on 16/02/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
    C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E22D739-BECF-4CD5-AA98-96266FE0CADE}: NameServer = 80.225.252.50 80.225.252.58
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

    Thanks

    Chebes

  10. #10
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    I don't see anything different from ticking everything in msconfig startup...

    Could you post the lines which were unticked, and you have ticked by going from selective startup to Normal startup...

    by the way... everything looks OK now

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
