Taskbar troubles.
So, like a week ago, my ZoneAlarm came up and said something about some duplicate programs running, one of which was explorer.exe. I denied it from double-running or whatever.
Whatever happened, my taskbar disappeared. When I minimize windows, they just line up real tiny at the bottom of my screen, right above where the taskbar should be. I know it's not just minimized or something like that.
CTRL+Esc does not bring up my start menu, neither does the Windows key. CRTL-ALT-DEL brings up my TM and I am able to run programs off of that [File->New Task] but even after running a bunch of Ad-Aware, Spybot, HiJackThis, Panda scans and Housecall scans, I still haven't found anything that would have caused this.
I created a new account and aside from some pop-ups, it seems to be working fine, so just the one account seems to be infected. If I reboot in safe mode, the only way I can attain the Taskbar is when I'm logged on as the admin and not as the infected user.
I downloaded a regedit file from http://www.kellys-korner-xp.com/xp_tweaks.htm [file #117] and that helped things out for a while, but just last night my system went shotty again.
That was a mouthful.
Whatever happened, my taskbar disappeared. When I minimize windows, they just line up real tiny at the bottom of my screen, right above where the taskbar should be. I know it's not just minimized or something like that.
CTRL+Esc does not bring up my start menu, neither does the Windows key. CRTL-ALT-DEL brings up my TM and I am able to run programs off of that [File->New Task] but even after running a bunch of Ad-Aware, Spybot, HiJackThis, Panda scans and Housecall scans, I still haven't found anything that would have caused this.
I created a new account and aside from some pop-ups, it seems to be working fine, so just the one account seems to be infected. If I reboot in safe mode, the only way I can attain the Taskbar is when I'm logged on as the admin and not as the infected user.
I downloaded a regedit file from http://www.kellys-korner-xp.com/xp_tweaks.htm [file #117] and that helped things out for a while, but just last night my system went shotty again.
That was a mouthful.
0
Comments
http://www.short-media.com/forum/showthread.php?t=14915
Scan saved at 10:07:14 PM, on 7/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Adam Klosterhaus_2\My Documents\Adam II\Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\aim\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120586495513
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Which scan?
Also, yes, I know my log is clean. I posted this same problem in the emergency help forum, but they only gave me a solution that worked for a couple of days, so when I re-posted, they sent me here.
Something changed your computer (again). Did you try disabling System Restore, re-running the patch, then turning System Restore back on?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
OK, so I disabled SysRes., ran all my spyware/adaware stuff, ran the patch and re-activated SysRes.
Things seem back to normal.
Here's my latest HJT log [I'm currently running my Panda scan]
Logfile of HijackThis v1.99.0
Scan saved at 11:14:29 AM, on 7/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Adam Klosterhaus\My Documents\Adam II\Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\aim\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120586495513
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Thanks everyone.
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll
Adware:adware/look2me No disinfected C:\WINDOWS\SYSTEM32\guard.tmp
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.dll
Adware:adware/consumeralertsystemNo disinfected HKEY_CURRENT_USER\SOFTWARE\CAS
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/searchexe No disinfected HKEY_CLASSES_ROOT\Interface\{72423E8F-8011-11D2-BE79-00A0C9A83DA3}
Adware:adware/myway No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\1M7POHI2\webservice[3].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\1M7POHI2\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\1M7POHI2\webservice[5].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2SM0LODZ\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2SM0LODZ\webservice[5].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O9YQ424N\webservice[3].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O9YQ424N\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S4R262RZ\webservice[3].htm
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9EB32FAC-1308-4945-AB54-11C6F8\E83F3902-DB3C-477A-B84A-CC3803
Adware:Adware/BookedSpace No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\CD323F35-FD09-4EA4-B80B-839D50\1A00153B-F34F-47FA-8576-D2A77A
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsauwwjr.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe
Adware:Adware/Aurora No disinfected C:\WINDOWS\sncrrj.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\apwav.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\azicap32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\bJsesrv.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\bNtt.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\chmuid.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\cStsrvut.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\ctusapi.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\cyrtcli.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dhquery.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\djvx_xx0c.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dksetup.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dunet.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dwuGUI11.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dyound3d.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dzloader.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dzrgui.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\geUnCompress.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\guard.tmp
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\hgtplug.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\hhtplug.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\im41_qcx.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\jrdw400.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\jWvacypt.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\kadhe319.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\kcdhu1.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\kfdit.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\kndmac.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\krdcz2.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\kxdgae.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\kxdsf.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\kydkaz.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\LVX2KUSB.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\mddemui.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\milbui.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\mrvcrt40.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\mzdemui.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\ncptools.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\nhtshell.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\nltcfgx.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\qwartz.dll
Adware:Adware/Midaddle No disinfected C:\WINDOWS\system32\rpen.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\rQssapi.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\uxrv80a.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\voa.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\vxr.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\wdock32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\wedap32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\wenscard.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\whssvc.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\wicsvc.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\wjhext.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\wkdmlog.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\wkidx.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\wmnipsec.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\wpnsock.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\wSssl.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\temp\3277610_1084_3596_1304_61.41.tmp
Adware:Adware/EliteBar No disinfected C:\WINDOWS\temp\525128_1084_3596_2324_61.41.tmp
Adware:Adware/EliteBar No disinfected C:\WINDOWS\temp\6751226_3184_3596_516_61.41.tmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\XHJB8JK4\casino[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\XHJB8JK4\dating[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\XHJB8JK4\drugs[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\XHJB8JK4\fav[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\XHJB8JK4\virus[1].bmp
Adware:Adware/EliteBar No disinfected C:\winnt\temp\4522834_1084_1468_3124_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\winnt\temp\525128_1084_1468_1460_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\winnt\temp\6751226_3184_1468_4040_62.41.tmp
Delete these files or directories if they exist:
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\SYSTEM32\guard.tmp
C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\bsauwwjr.exe
C:\WINDOWS\Downloaded Program Files\WildApp.inf
C:\WINDOWS\ru.exe
C:\WINDOWS\sncrrj.exe
C:\WINDOWS\system32\apwav.dll
C:\WINDOWS\system32\azicap32.dll
C:\WINDOWS\system32\bJsesrv.dll
C:\WINDOWS\system32\bNtt.dll
C:\WINDOWS\system32\chmuid.dll
C:\WINDOWS\system32\cStsrvut.dll
C:\WINDOWS\system32\ctusapi.dll
C:\WINDOWS\system32\cyrtcli.dll
C:\WINDOWS\system32\dhquery.dll
C:\WINDOWS\system32\djvx_xx0c.dll
C:\WINDOWS\system32\dksetup.dll
C:\WINDOWS\system32\dunet.dll
C:\WINDOWS\system32\dwuGUI11.dll
C:\WINDOWS\system32\dyound3d.dll
C:\WINDOWS\system32\dzloader.dll
C:\WINDOWS\system32\dzrgui.dll
C:\WINDOWS\system32\geUnCompress.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\hgtplug.dll
C:\WINDOWS\system32\hhtplug.dll
C:\WINDOWS\system32\im41_qcx.dll
C:\WINDOWS\system32\jrdw400.dll
C:\WINDOWS\system32\jWvacypt.dll
C:\WINDOWS\system32\kadhe319.dll
C:\WINDOWS\system32\kcdhu1.dll
C:\WINDOWS\system32\kndmac.dll
C:\WINDOWS\system32\krdcz2.dll
C:\WINDOWS\system32\kxdgae.dll
C:\WINDOWS\system32\kxdsf.dll
C:\WINDOWS\system32\kydkaz.dll
C:\WINDOWS\system32\LVX2KUSB.DLL
C:\WINDOWS\system32\mddemui.dll
C:\WINDOWS\system32\milbui.dll
C:\WINDOWS\system32\mrvcrt40.dll
C:\WINDOWS\system32\mzdemui.dll
C:\WINDOWS\system32\ncptools.dll
C:\WINDOWS\system32\nhtshell.dll
C:\WINDOWS\system32\nltcfgx.dll
C:\WINDOWS\system32\qwartz.dll
C:\WINDOWS\system32\rpen.exe
C:\WINDOWS\system32\rQssapi.dll
C:\WINDOWS\system32\uxrv80a.dll
C:\WINDOWS\system32\voa.dll
C:\WINDOWS\system32\vxr.dll
C:\WINDOWS\system32\wdock32.dll
C:\WINDOWS\system32\wedap32.dll
C:\WINDOWS\system32\wenscard.dll
C:\WINDOWS\system32\whssvc.dll
C:\WINDOWS\system32\wicsvc.dll
C:\WINDOWS\system32\wjhext.dll
C:\WINDOWS\system32\wkdmlog.dll
C:\WINDOWS\system32\wkidx.dll
C:\WINDOWS\system32\wmnipsec.dll
C:\WINDOWS\system32\wpnsock.dll
C:\WINDOWS\system32\wSssl.dll
Download ewido security suite. Run the setup file for ewido. You will be prompted to update before you can scan using ewido. Run ewido and remove all objects found.
Run activescan again and post the results.
Incident Status Location
Adware:Adware/EliteBar No disinfected c:\winnt\temp\1311124_1572_2020_1224_62.41.tmp
Adware:Adware/EliteBar No disinfected c:\winnt\temp\3080524_1572_2020_2420_62.41.tmp
Adware:Adware/EliteBar No disinfected c:\winnt\temp\983330_1564_2020_2068_62.41.tmp
Adware:Adware/EliteBar No disinfected c:\winnt\temp\2097456_1564_2020_1528_62.41.tmp
Adware:Adware/EliteBar No disinfected c:\winnt\temp\721152_1564_2020_1016_62.41.tmp
Adware:Adware/EliteBar No disinfected c:\winnt\temp\655690_1564_2020_2304_62.41.tmp
Adware:Adware/EliteBar No disinfected c:\winnt\temp\196878_1564_2020_2836_62.41.tmp
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/consumeralertsystemNo disinfected HKEY_CURRENT_USER\SOFTWARE\CAS
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/myway No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\drugs.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\fav.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\virus.bmp
Adware:Adware/Aurora No disinfected C:\WINDOWS\sncrrj.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\cStsrvut.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\kfdit.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\mfisam11.dll
Adware:Adware/EliteBar No disinfected C:\winnt\temp\1311124_1572_2020_1224_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\winnt\temp\196878_1564_2020_2836_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\winnt\temp\2097456_1564_2020_1528_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\winnt\temp\3080524_1572_2020_2420_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\winnt\temp\5112258_3496_2020_3812_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\winnt\temp\655690_1564_2020_2304_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\winnt\temp\721152_1564_2020_1016_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\winnt\temp\787000_3496_2020_1364_62.41.tmp
Adware:Adware/EliteBar No disinfected C:\winnt\temp\983330_1564_2020_2068_62.41.tmp
I cannot find the file B]C:\WINDOWS\Downloaded Program Files\WildApp.inf[/B. When I navigate to that directory, even if hidden files are shown, that specific file is not there, but keeps coming up in the scan.
While still in registry editor scroll back up to the top of the menu and double click on this directory-HKEY_CURRENT_USER>navigate to and double click on this directory-SOFTWARE>Find this entry, right click on it and then click delete>CAS.
For this entry-Adware:adware/myway No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10} follow the same steps as above. Navigate through the directories as listed-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser. When you double click the webBrowser directory you will see a list in the center of your screen. Find this CLSID 014DA6C9-189F-421A-88CD-07CFE51CFF10 then right click on it. Click delete.
Delete these files or directories if they exist:
c:\winnt\temp\1311124_1572_2020_1224_62.41.tmp
c:\winnt\temp\3080524_1572_2020_2420_62.41.tmp
c:\winnt\temp\983330_1564_2020_2068_62.41.tmp
c:\winnt\temp\2097456_1564_2020_1528_62.41.tmp
c:\winnt\temp\721152_1564_2020_1016_62.41.tmp
c:\winnt\temp\655690_1564_2020_2304_62.41.tmp
c:\winnt\temp\196878_1564_2020_2836_62.41.tmp
C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\Downloaded Program Files\WildApp.inf
C:\WINDOWS\etb
C:\WINDOWS\sncrrj.exe
C:\WINDOWS\system32\cStsrvut.dll
C:\WINDOWS\system32\kfdit.dll
C:\WINDOWS\system32\mfisam11.dll
C:\winnt\temp\1311124_1572_2020_1224_62.41.tmp
C:\winnt\temp\196878_1564_2020_2836_62.41.tmp
C:\winnt\temp\2097456_1564_2020_1528_62.41.tmp
C:\winnt\temp\3080524_1572_2020_2420_62.41.tmp
C:\winnt\temp\5112258_3496_2020_3812_62.41.tmp
C:\winnt\temp\655690_1564_2020_2304_62.41.tmp
C:\winnt\temp\721152_1564_2020_1016_62.41.tmp
C:\winnt\temp\787000_3496_2020_1364_62.41.tmp
C:\winnt\temp\983330_1564_2020_2068_62.41.tmp
Please run activescan once again and let me know the results. Post a new Hijack his log with all hidden files viewable.
Logfile of HijackThis v1.99.1
Scan saved at 12:40:24 AM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\aim\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adam Klosterhaus\My Documents\Adam II\Downloads\hijackthis_199\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\aim\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120586495513
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\guUnCompress.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Question: What is B]O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\guUnCompress.dll[/B?
Latest activescan log:
Incident Status Location
Adware:adware/look2me No disinfected C:\WINDOWS\SYSTEM32\guard.tmp
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
I cannot find WildApp.inf anywhere on my CPU. I've used the standard search option for it and it comes up empty, and when I navigate to the folder, even showing hidden files, it is still not there.
I have not found any info on this file. I'd leave it there for now until I can get something conclusive on it.
Delete these files:
C:\WINDOWS\SYSTEM32\guard.tmp
C:\WINDOWS\SYSTEM32\stlb2.xml
Run activescan and let me know the results. Are you still having problems?
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
OK, I went ahead and deleted the MAGNET registry like I have so many times before. I'm pretty sure all of this is caused by the WildApp.inf that I cannot find anywhere.
I am constantly getting pop-ups by:
castlecorps.com
partypoker.com
winantiviruspro.com
redzip.com
adopt.hotbar.com
loadingwebsite.com
Which, as I understand it, are all connected to wildapp.inf
Do you not have a Downloaded Program Files directory? This file is there.
I understand the file is there, but even when I show all hidden files and navigate to that folder, it does not contain that file.
I'd take a screenshot to show you, but I don't know how and I'd imagine that you'd believe me.
Boot into safe mode.
Once booting has completed open Killbox. In the field "path of file to delete" copy and paste:
C:\WINDOWS\Downloaded Program Files\WildApp.inf
Check delete on reboot. Click delete. Killbox will ask if you want to delete on next reboot. Click yes.
Reboot into normal mode.
Run activescan again and save the results. Post those results with a new Hijack This log.
HiJackThis!
Logfile of HijackThis v1.99.1
Scan saved at 11:20:18 AM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\aim\aim.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Adam Klosterhaus\My Documents\Adam II\Downloads\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\aim\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Norton SystemWorks] "c:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120586495513
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\guUnCompress.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Activescan
Incident Status Location
Adware:adware/look2me No disinfected C:\WINDOWS\SYSTEM32\guard.tmp
Adware:adware/statblaster No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WildApp.inf
Adware:adware/savenow No disinfected Windows Registry
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\guard.tmp
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\LBXP2P32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\mwutilse.dll
Open Killbox and copy/paste this into the path of file to delete:
C:\WINDOWS\system32\guUnCompress.dll
Then check the unregister dll before deleting box. Then check delete on reboot.
Reboot.
Post a new log.
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453090731
Scan saved at 12:08:16 AM, on 8/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\aim\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Adam Klosterhaus\My Documents\Adam II\Downloads\hijackthis_199\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\aim\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Norton SystemWorks] "c:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120586495513
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\guUnCompress.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Incident Status Location
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM32\exclean.exe
Adware:adware/look2me No disinfected C:\WINDOWS\SYSTEM32\guard.tmp
Adware:adware/statblaster No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WildApp.inf
Adware:adware/savenow No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Adam Klosterhaus\My Documents\Adam II\Downloads\hijackthis_199\backups\backup-20050804-233943-550.dll
Adware:Adware/ExactSearch No disinfected C:\Documents and Settings\Adam Klosterhaus\My Documents\Adam II\Downloads\hijackthis_199\backups\backup-20050804-233943-835.dll
Adware:Adware/eZula No disinfected C:\Documents and Settings\Adam Klosterhaus\My Documents\Adam II\Downloads\hijackthis_199\backups\backup-20050804-233943-945.dll
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\guard.tmp
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\LBXP2P32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\mwutilse.dll
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsy9.dll
Adware:Adware/Midaddle No disinfected C:\WINDOWS\system32\rpen.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\temp\f176484953.exe
Adware:Adware/Midaddle No disinfected C:\WINDOWS\temp\Mshtml3.exe
I'm sorry, but nothing is being solved.
I imagine you're as frustrated as me :o
Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
Double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
Logfile of HijackThis v1.99.1
Scan saved at 8:13:29 PM, on 8/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Rebate Retriever\RebateRetriever.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adam Klosterhaus\My Documents\Adam II\Downloads\hijackthis_199\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\aim\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Rebate Retriever] C:\Program Files\Rebate Retriever\RebateRetriever.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Norton SystemWorks] "c:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120586495513
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSec.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
L2Mfix 1.03a
Running From:
C:\Documents and Settings\Adam Klosterhaus\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C
BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Adam Klosterhaus\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\Adam Klosterhaus\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2436 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\guUnCompress.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guUnCompress.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\LBXP2P32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\LBXP2P32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mwutilse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mwutilse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rYsmxs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rYsmxs.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uwrsdpia.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uwrsdpia.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\guUnCompress.dll
Successfully Deleted: C:\WINDOWS\system32\guUnCompress.dll
deleting: C:\WINDOWS\system32\guUnCompress.dll
Successfully Deleted: C:\WINDOWS\system32\guUnCompress.dll
deleting: C:\WINDOWS\system32\LBXP2P32.DLL
Successfully Deleted: C:\WINDOWS\system32\LBXP2P32.DLL
deleting: C:\WINDOWS\system32\LBXP2P32.DLL
Successfully Deleted: C:\WINDOWS\system32\LBXP2P32.DLL
deleting: C:\WINDOWS\system32\mwutilse.dll
Successfully Deleted: C:\WINDOWS\system32\mwutilse.dll
deleting: C:\WINDOWS\system32\mwutilse.dll
Successfully Deleted: C:\WINDOWS\system32\mwutilse.dll
deleting: C:\WINDOWS\system32\rYsmxs.dll
Successfully Deleted: C:\WINDOWS\system32\rYsmxs.dll
deleting: C:\WINDOWS\system32\rYsmxs.dll
Successfully Deleted: C:\WINDOWS\system32\rYsmxs.dll
deleting: C:\WINDOWS\system32\uwrsdpia.dll
Successfully Deleted: C:\WINDOWS\system32\uwrsdpia.dll
deleting: C:\WINDOWS\system32\uwrsdpia.dll
Successfully Deleted: C:\WINDOWS\system32\uwrsdpia.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
Zipping up files for submission:
adding: guUnCompress.dll (164 bytes security) (deflated 48%)
adding: LBXP2P32.DLL (164 bytes security) (deflated 48%)
adding: mwutilse.dll (164 bytes security) (deflated 48%)
adding: rYsmxs.dll (164 bytes security) (deflated 48%)
adding: uwrsdpia.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 71%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 89%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: test.txt (164 bytes security) (deflated 79%)
adding: test2.txt (164 bytes security) (deflated 50%)
adding: test3.txt (164 bytes security) (deflated 50%)
adding: test5.txt (164 bytes security) (deflated 50%)
adding: xfind.txt (164 bytes security) (deflated 75%)
adding: backregs/0C104568-0A0F-4AE8-B2D4-7EB2269FC6B3.reg (164 bytes security) (deflated 69%)
adding: backregs/7C156F57-2A85-4479-86B5-40D8AC33DD62.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: guUnCompress.dll
deleting local copy: guUnCompress.dll
deleting local copy: LBXP2P32.DLL
deleting local copy: LBXP2P32.DLL
deleting local copy: mwutilse.dll
deleting local copy: mwutilse.dll
deleting local copy: rYsmxs.dll
deleting local copy: rYsmxs.dll
deleting local copy: uwrsdpia.dll
deleting local copy: uwrsdpia.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\guUnCompress.dll
C:\WINDOWS\system32\guUnCompress.dll
C:\WINDOWS\system32\LBXP2P32.DLL
C:\WINDOWS\system32\LBXP2P32.DLL
C:\WINDOWS\system32\mwutilse.dll
C:\WINDOWS\system32\mwutilse.dll
C:\WINDOWS\system32\rYsmxs.dll
C:\WINDOWS\system32\rYsmxs.dll
C:\WINDOWS\system32\uwrsdpia.dll
C:\WINDOWS\system32\uwrsdpia.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{CD3D394D-37F0-4936-A4C8-71A4F0E45D4B}"=-
"{0D15698A-C38F-4F3E-9582-B85291C60550}"=-
"{1AEF7E61-141E-4F45-9273-4FC9063E8520}"=-
"{071F52A7-A05D-4E14-AAF6-290E4D6CE6F0}"=-
"{85397823-DC8A-400B-89AC-2AA9725CD7F2}"=-
"{A2D54714-EEA0-4072-AE29-1C232F364884}"=-
"{868395ED-5565-4DA5-A3B7-E85F137A554C}"=-
"{24D4B760-F69E-4A3A-BF61-9621506E6182}"=-
"{13EE40D1-7BD5-4C8E-B8B9-98DEF8D481D4}"=-
"{3B5D9DFA-C2E2-4F05-BF78-99E9F6605C31}"=-
"{0C104568-0A0F-4AE8-B2D4-7EB2269FC6B3}"=-
"{18467CE1-591A-428E-9744-56A169AB2CB9}"=-
"{90F7990E-BFFF-46B7-B845-ADD42478C851}"=-
"{4EDC39F3-FC68-4C96-B565-37BBD5E403DE}"=-
"{1CEBF502-35F6-46A7-9A47-1E0F661F77F2}"=-
"{41F20E63-9CCF-49EB-BDDF-C5BB710C03EE}"=-
"{015631E0-9632-4473-B5AE-B781DE2F982E}"=-
"{A48DF5A7-AED9-4F62-B14E-8F9F90F32C64}"=-
"{40302018-4A11-40EC-AE0B-858C02568CC6}"=-
"{EEEFEEAE-96D2-4628-83C9-C732FA24C7B6}"=-
"{62967620-6F1C-4872-B2A8-55DED28F274A}"=-
"{39C53C5F-664C-4DCE-9893-81A9362274FF}"=-
"{BA46DCBA-7690-4680-AB4C-4A8F2AD14AF5}"=-
"{24DAB8FF-2A36-40A4-AA12-21B135A954BD}"=-
"{9492AC6E-C0D6-40FC-8B12-50EDA7DD2C37}"=-
"{CD95261A-EA99-4FBF-88F9-DD728EEC0FF4}"=-
"{7C156F57-2A85-4479-86B5-40D8AC33DD62}"=-
[-HKEY_CLASSES_ROOT\CLSID\{CD3D394D-37F0-4936-A4C8-71A4F0E45D4B}]
[-HKEY_CLASSES_ROOT\CLSID\{0D15698A-C38F-4F3E-9582-B85291C60550}]
[-HKEY_CLASSES_ROOT\CLSID\{1AEF7E61-141E-4F45-9273-4FC9063E8520}]
[-HKEY_CLASSES_ROOT\CLSID\{071F52A7-A05D-4E14-AAF6-290E4D6CE6F0}]
[-HKEY_CLASSES_ROOT\CLSID\{85397823-DC8A-400B-89AC-2AA9725CD7F2}]
[-HKEY_CLASSES_ROOT\CLSID\{A2D54714-EEA0-4072-AE29-1C232F364884}]
[-HKEY_CLASSES_ROOT\CLSID\{868395ED-5565-4DA5-A3B7-E85F137A554C}]
[-HKEY_CLASSES_ROOT\CLSID\{24D4B760-F69E-4A3A-BF61-9621506E6182}]
[-HKEY_CLASSES_ROOT\CLSID\{13EE40D1-7BD5-4C8E-B8B9-98DEF8D481D4}]
[-HKEY_CLASSES_ROOT\CLSID\{3B5D9DFA-C2E2-4F05-BF78-99E9F6605C31}]
[-HKEY_CLASSES_ROOT\CLSID\{0C104568-0A0F-4AE8-B2D4-7EB2269FC6B3}]
[-HKEY_CLASSES_ROOT\CLSID\{18467CE1-591A-428E-9744-56A169AB2CB9}]
[-HKEY_CLASSES_ROOT\CLSID\{90F7990E-BFFF-46B7-B845-ADD42478C851}]
[-HKEY_CLASSES_ROOT\CLSID\{4EDC39F3-FC68-4C96-B565-37BBD5E403DE}]
[-HKEY_CLASSES_ROOT\CLSID\{1CEBF502-35F6-46A7-9A47-1E0F661F77F2}]
[-HKEY_CLASSES_ROOT\CLSID\{41F20E63-9CCF-49EB-BDDF-C5BB710C03EE}]
[-HKEY_CLASSES_ROOT\CLSID\{015631E0-9632-4473-B5AE-B781DE2F982E}]
[-HKEY_CLASSES_ROOT\CLSID\{A48DF5A7-AED9-4F62-B14E-8F9F90F32C64}]
[-HKEY_CLASSES_ROOT\CLSID\{40302018-4A11-40EC-AE0B-858C02568CC6}]
[-HKEY_CLASSES_ROOT\CLSID\{EEEFEEAE-96D2-4628-83C9-C732FA24C7B6}]
[-HKEY_CLASSES_ROOT\CLSID\{62967620-6F1C-4872-B2A8-55DED28F274A}]
[-HKEY_CLASSES_ROOT\CLSID\{39C53C5F-664C-4DCE-9893-81A9362274FF}]
[-HKEY_CLASSES_ROOT\CLSID\{BA46DCBA-7690-4680-AB4C-4A8F2AD14AF5}]
[-HKEY_CLASSES_ROOT\CLSID\{24DAB8FF-2A36-40A4-AA12-21B135A954BD}]
[-HKEY_CLASSES_ROOT\CLSID\{9492AC6E-C0D6-40FC-8B12-50EDA7DD2C37}]
[-HKEY_CLASSES_ROOT\CLSID\{CD95261A-EA99-4FBF-88F9-DD728EEC0FF4}]
[-HKEY_CLASSES_ROOT\CLSID\{7C156F57-2A85-4479-86B5-40D8AC33DD62}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************