Spy Sheriff Problem!



songoko
2005-12-29, 12:59
Hello!

Yesterday I got infected with Spy Sheriff. I removed some spyware with Spybot but I still have some problems. Every time I open IE I get the spyware warning (C:\secure32.html). I tried to delete the secure32 file but it doesn't help. The other problem is that there are these sites popping up all the time. And the last thing is that every time I enter Windows I get 2 messages: VCClient.exe program error (0xc0000135), VCMain.exe program error (0xc0000135).

Thanks in advance!!!


Logfile of HijackThis v1.99.1
Scan saved at 11:53:22, on 29.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Programi\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programi\MSI\SearchKey\StartKBHook.exe
C:\Program Files\Elantech\ktp3.exe
C:\WINDOWS\system32\paytime.exe
C:\windows\adtech2006a.exe
C:\WINDOWS\system32\paytime.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\podatki\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SearchKey] C:\Programi\MSI\SearchKey\StartKBHook.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp3.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\yayrac.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\KXDAL.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programi\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programi\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Programi\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

Corrine
2005-12-29, 16:35
Welcome to Safer Networking Forums. Please see the thread linked below for complete instructions.

As you have already posted a first HJThis log, just proceed with the remaining steps and post the other logs as a reply to this topic for a final check.

Thank you.

http://forums.spybot.info/showthread.php?t=1316

songoko
2005-12-29, 18:26
Hey Corrine,

thanks for the response. I followed the info in the link. When I open IE I still get that spyware warning (C:\secure32.html), those sites are still popping up, and the error messages VCClient.exe program error (0xc0000135) and VCMain.exe program error (0xc0000135) are still there. I am really thankful for any info on how to remove these pests.


1. The first log is in my first post

2. Content of smitfiles:

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [version 5.1.2600]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~

svcp.csv
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

desktop.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 732 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

3. EWIDO log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 17:09:31, 29.12.2005
+ Report-Checksum: ED0D8063

+ Scan result:

HKU\S-1-5-21-484763869-842925246-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKU\S-1-5-21-484763869-842925246-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
[760] C:\WINDOWS\system32\psd.dll -> Spyware.Look2Me : Error during cleaning
[832] C:\WINDOWS\system32\psd.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pzpg.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\Vesna Lavtizar\Cookies\vesna lavtizar@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Vesna Lavtizar\Cookies\vesna lavtizar@banner.paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Vesna Lavtizar\Cookies\vesna lavtizar@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Vesna Lavtizar\Cookies\vesna lavtizar@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Vesna Lavtizar\Local Settings\Temporary Internet Files\Content.IE5\YNGXQT8N\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
C:\drsmartloadb.exe -> Downloader.Adload.l : Cleaned with backup
C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\kl.exe -> Trojan.Agent.bu : Cleaned with backup
C:\WINDOWS\system32\drivers\i386p.sys -> Not-A-Virus.SpamTool.Win32.Mailbot.b : Cleaned with backup
C:\WINDOWS\system32\en04l1dq1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\gmgrm.dll -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\kvkdvdd.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\lvl0093me.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\msctl32.dll -> Not-A-Virus.SpamTool.Win32.Mailbot.q : Cleaned with backup
C:\WINDOWS\system32\mspostsp.exe -> Trojan.Inject.i : Cleaned with backup
C:\WINDOWS\system32\paradise.raw -> Proxy.Lager.f : Cleaned with backup
C:\WINDOWS\system32\paytime.exe -> Hijacker.StartPage.agt : Cleaned with backup
C:\WINDOWS\system32\pcrfnw.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\qpqppnp.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\WINDOWS\system32\quqbu.dat -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\system32\soesrv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\vcrtkclients.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wwadefui.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\yayrac.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
C:\WINDOWS\tool3.exe -> Downloader.Small.bwr : Cleaned with backup
C:\WINDOWS\tool4.exe -> Not-A-Virus.SpamTool.Win32.Mailbot.q : Cleaned with backup
C:\WINDOWS\toolbar.exe -> Downloader.Adload.j : Cleaned with backup


::Report End

4. Second HijackThis report:
Logfile of HijackThis v1.99.1
Scan saved at 17:23:11, on 29.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Programi\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programi\MSI\SearchKey\StartKBHook.exe
C:\Program Files\Elantech\ktp3.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SearchKey] C:\Programi\MSI\SearchKey\StartKBHook.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp3.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\l86olij318o.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programi\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programi\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Programi\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

songoko
2005-12-31, 00:47
Hey, my problem still persists. These web sites popping up are really annoying. I ran Spybot, Ad-Aware SE and ewido but nothing helped.

Thanks for all the help!!

LonnyRJones
2006-01-08, 04:38
Hi songoko
Sorry for the delay. Unless you're receiving help elsewhere, post a fresh HijackThis log please.

songoko
2006-01-09, 16:54
Hello!

I have been away for a few days. Here is the fresh log.

Logfile of HijackThis v1.99.1
Scan saved at 15:52:54, on 9.1.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Programi\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programi\MSI\SearchKey\StartKBHook.exe
C:\Program Files\Elantech\ktp3.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Programi\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TEXTware\Illuminator 2\Illview02.exe
C:\Program Files\TEXTware\QUICKfind\QFServer.exe
C:\Programi\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SearchKey] C:\Programi\MSI\SearchKey\StartKBHook.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp3.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\lv4409hqe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programi\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programi\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Programi\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

Thanks for the help!!!

LonnyRJones
2006-01-10, 04:25
Hi
Open a command prompt (Start > Run, type cmd, press Enter).
Type
sc delete i386p
and press Enter, then type exit and press Enter to exit the command prompt.

Start HijackThis and place a check next to these items, if there.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
====================================
Hit Fix checked and close HijackThis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Delete the VCClient folder
C:\Program Files\Common Files\VCClient

Can you provide more information on these two programs?
C:\Programi\MSI\SearchKey\StartKBHook.exe
C:\Program Files\Elantech\ktp3.exe


Next:
Download L2mfix (new version) from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste it into this thread.
Note:
If, while running option #1, you receive an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose Close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
If it is too large to post in one reply, do so in two please.
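The triage the helpers do by eye on these logs, written out as an added example (this is not code from the thread, nor from HijackThis, ewido or L2mfix): it takes HijackThis lines plus, optionally, ewido result lines, and flags an IE start/search page pointing at a local file (the SpySheriff fake warning page), Run entries whose target the scanner already identified (ewido removes the file but leaves the Run value, which is why the VCClient errors persist), autoruns launched from the drive root or the Windows root, the same binary registered under both HKLM and HKCU, and any third-party Winlogon Notify DLL, with the Look2Me tell of a subkey name unrelated to the DLL name. It also derives the `sc delete` command for a driver the scanner removed, as in the reply above. The sample lines are copied from the logs posted in this thread (plus two benign lines for contrast); the benign-host list, the severity labels and the assumption that a driver's service name equals its file stem are this example's own.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "severity item reason")

# Constructed sample input: lines copied from the HijackThis and ewido logs in this
# thread, plus two benign lines (about:blank, the Intel RegSrvc service) for contrast.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\yayrac.exe reg_run
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\KXDAL.DLL
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\lv4409hqe.dll
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
"""
SAMPLE_SCANNER = r"""
[760] C:\WINDOWS\system32\psd.dll -> Spyware.Look2Me : Error during cleaning
C:\drsmartloadb.exe -> Downloader.Adload.l : Cleaned with backup
C:\WINDOWS\system32\drivers\i386p.sys -> Not-A-Virus.SpamTool.Win32.Mailbot.b : Cleaned with backup
C:\WINDOWS\system32\paytime.exe -> Hijacker.StartPage.agt : Cleaned with backup
C:\WINDOWS\system32\yayrac.exe -> Downloader.Qoologic.at : Cleaned with backup
"""

R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<name>[^=]+)=\s*(?P<value>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<dll>.+)$")
SCAN_LINE = re.compile(r"^(?:\[\d+\] )?(?P<path>[A-Za-z]:\\.+?) -> (?P<name>\S+) : ")
LOCAL_FILE = re.compile(r"^[A-Za-z]:\\")
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\+[^\\]+$")
WINDOWS_ROOT = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.I)
# Hosts a helper would accept as an IE start/search page (assumption of this example).
BENIGN_HOSTS = ("microsoft.com", "msn.com")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def exe_path(cmd):
    """Split the executable off a Run command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|bat|scr|dll))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def triage(hjt_log, scanner_log=""):
    """Apply the helpers' heuristics to HijackThis lines and return Findings.
    scanner_log (ewido report format) lets Run entries be matched against files
    the scanner already identified: it deletes the file but not the Run value."""
    detected = {basename(m.group("path"))
                for m in map(SCAN_LINE.match, scanner_log.splitlines()) if m}
    findings, run_hives = [], {}
    for line in (l.strip() for l in hjt_log.splitlines()):
        if (m := R_LINE.match(line)):
            value = m.group("value").strip()
            host = urlparse(value).hostname or ""
            if LOCAL_FILE.match(value):
                findings.append(Finding("high", line,
                    "IE start/search page points at a local file: the fake warning page a rogue anti-spyware installs"))
            elif value.lower().startswith("http") and not any(
                    host == h or host.endswith("." + h) for h in BENIGN_HOSTS):
                findings.append(Finding("medium", line, "start/search page redirected to an unfamiliar host"))
        elif (m := O4_LINE.match(line)):
            path = exe_path(m.group("cmd"))
            base = basename(path)
            run_hives.setdefault(base, set()).add(m.group("hive"))
            if base in detected:
                findings.append(Finding("high", line, "target was reported by the scanner; the Run value must go with the file"))
            if DRIVE_ROOT.match(path):
                findings.append(Finding("high", line, "autorun from the drive root, a location installers never use"))
            elif WINDOWS_ROOT.match(path):
                findings.append(Finding("medium", line, "autorun from the Windows root rather than system32 or Program Files"))
            elif "\\" not in path:
                findings.append(Finding("low", line, "bare filename found via the search path; confirm which file actually runs"))
        elif (m := O20_LINE.match(line)):
            reason = "third-party Winlogon Notify DLL, loaded into winlogon.exe at every logon"
            if m.group("subkey").lower()[:3] not in basename(m.group("dll")):
                reason += "; subkey name unrelated to the DLL name (Look2Me pattern)"
            findings.append(Finding("high", line, reason))
    for base, hives in run_hives.items():
        if len(hives) > 1:
            findings.append(Finding("medium", base, "same binary registered under both HKLM and HKCU Run keys"))
    return findings


def service_cleanup(scanner_log):
    """Drivers a scanner deletes from the drivers directory leave an orphaned
    service entry, which is what the sc delete step above removes. Assumes the
    service name equals the driver file stem (holds for i386p here); confirm
    with sc query before deleting."""
    return ["sc delete " + basename(m.group("path"))[:-4]
            for m in map(SCAN_LINE.match, scanner_log.splitlines())
            if m and "\\drivers\\" in m.group("path").lower()
            and m.group("path").lower().endswith(".sys")]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, SAMPLE_SCANNER):
        print(f"[{f.severity:6}] {f.item}\n         {f.reason}")
    print(*service_cleanup(SAMPLE_SCANNER), sep="\n")
```

Run it as a script to see the report; on the sample it flags eight high, three medium and one low finding and emits `sc delete i386p`. The heuristics deliberately stop at "review this": a Winlogon Notify entry or a Run target in the Windows root can belong to a legitimate vendor, so the output is a worklist for the helper, not an automatic fix.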

songoko
2006-01-10, 18:15
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g604lgdq160e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2E51F473-927C-CF80-0955-AFB945CCE5F3}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{259F616C-A300-44F5-B04A-ED001A26C85C}"="SolidConverter extension"
"{23C32358-AE65-4CD0-B5A2-2C014E08B330}"=""
"{9C79EED5-7034-49FA-BC92-5323B39C5A61}"=""
"{72151D7F-AC43-434A-AAB8-615DC6390A3F}"=""
"{2618182C-89A7-4E0C-ADF5-98BB48B5BBB6}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{23C32358-AE65-4CD0-B5A2-2C014E08B330}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{23C32358-AE65-4CD0-B5A2-2C014E08B330}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{23C32358-AE65-4CD0-B5A2-2C014E08B330}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{23C32358-AE65-4CD0-B5A2-2C014E08B330}\InprocServer32]
@="C:\\WINDOWS\\system32\\vcrtkclients.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9C79EED5-7034-49FA-BC92-5323B39C5A61}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9C79EED5-7034-49FA-BC92-5323B39C5A61}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9C79EED5-7034-49FA-BC92-5323B39C5A61}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9C79EED5-7034-49FA-BC92-5323B39C5A61}\InprocServer32]
@="C:\\WINDOWS\\system32\\wwadefui.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{72151D7F-AC43-434A-AAB8-615DC6390A3F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{72151D7F-AC43-434A-AAB8-615DC6390A3F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{72151D7F-AC43-434A-AAB8-615DC6390A3F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{72151D7F-AC43-434A-AAB8-615DC6390A3F}\InprocServer32]
@="C:\\WINDOWS\\system32\\aqmeter.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2618182C-89A7-4E0C-ADF5-98BB48B5BBB6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2618182C-89A7-4E0C-ADF5-98BB48B5BBB6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2618182C-89A7-4E0C-ADF5-98BB48B5BBB6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2618182C-89A7-4E0C-ADF5-98BB48B5BBB6}\InprocServer32]
@="C:\\WINDOWS\\system32\\smrialui.dll"
"ThreadingModel"="Apartment"

**********************************************************************************

songoko
2006-01-10, 18:15
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
adivvaxx.dll Tue 2006-01-03 21:32:08 ..S.R 236.929 231,38 K
amiiiexx.dll Thu 2006-01-05 23:49:44 ..S.R 237.017 231,46 K
aqmeter.dll Tue 2006-01-10 16:57:20 ..... 235.365 229,85 K
blowsewm.dll Sun 2006-01-08 12:37:24 ..S.R 233.873 228,39 K
borlndmm.dll Wed 2060-08-18 17:40:44 ..... 24.064 23,50 K
browseui.dll Thu 2005-11-24 2:06:34 A.... 1.022.464 998,50 K
cc3250mt.dll Wed 2060-08-18 18:02:22 ..... 1.496.064 1,43 M
cdfview.dll Fri 2005-10-21 4:39:26 A.... 151.040 147,50 K
cp3245mt.dll Wed 2060-08-18 17:40:44 ..... 909.824 888,50 K
danim.dll Sat 2005-11-05 4:16:24 A.... 1.054.208 1,00 M
dcnput8.dll Mon 2006-01-02 10:42:22 ..S.R 237.192 231,63 K
divx.dll Wed 2005-12-07 18:05:52 A.... 573.952 560,50 K
divx_x~1.dll Wed 2005-12-07 18:05:50 A.... 679.936 664,00 K
divx_x~2.dll Wed 2005-12-07 18:05:50 A.... 679.936 664,00 K
divx_x~3.dll Wed 2005-12-07 18:05:50 A.... 663.552 648,00 K
dlvenum.dll Fri 2005-12-30 23:44:34 ..S.R 234.818 229,31 K
dpl100.dll Thu 2005-10-27 20:37:46 A.... 86.016 84,00 K
dpu10.dll Thu 2005-10-27 20:37:44 A.... 294.912 288,00 K
dpu11.dll Thu 2005-10-27 20:37:44 A.... 294.912 288,00 K
dpugui10.dll Thu 2005-10-27 20:37:48 A.... 53.248 52,00 K
dpugui11.dll Thu 2005-10-27 20:37:46 A.... 593.920 580,00 K
dpus11.dll Thu 2005-10-27 20:37:44 A.... 339.968 332,00 K
dpv11.dll Thu 2005-10-27 20:37:44 A.... 57.344 56,00 K
dtu100.dll Thu 2005-10-27 20:37:44 A.... 200.704 196,00 K
dxtrans.dll Fri 2005-10-21 4:39:28 A.... 205.312 200,50 K
esent.dll Thu 2005-10-20 23:20:04 A.... 1.082.368 1,03 M
extmgr.dll Fri 2005-10-21 4:39:28 A.... 55.808 54,50 K
fccfg.dll Mon 2006-01-02 12:38:58 ..S.R 233.885 228,40 K
g604lg~1.dll Tue 2006-01-10 14:26:08 ..S.R 235.365 229,85 K
gdi32.dll Thu 2005-12-29 3:54:36 A.... 280.064 273,50 K
h0n0la~1.dll Wed 2006-01-04 16:14:54 ..S.R 233.773 228,29 K
iepeers.dll Fri 2005-10-21 4:39:28 A.... 251.392 245,50 K
inseng.dll Fri 2005-10-21 4:39:28 A.... 96.256 94,00 K
j4n2le~1.dll Fri 2006-01-06 16:49:28 ..S.R 237.017 231,46 K
l6n4lg~1.dll Tue 2006-01-10 16:56:12 ..S.R 235.236 229,72 K
lxadperf.dll Thu 2006-01-05 7:59:46 ..S.R 236.929 231,38 K
maprivs.dll Wed 2006-01-04 16:14:54 ..S.R 236.929 231,38 K
mlrdim.dll Mon 2006-01-09 9:40:20 ..S.R 235.236 229,72 K
mqcms.dll Wed 2006-01-04 7:20:40 ..S.R 235.779 230,25 K
mqglibnt.dll Fri 2006-01-06 15:44:28 ..S.R 237.017 231,46 K
mshtml.dll Thu 2005-11-24 2:06:34 A.... 3.015.680 2,88 M
mshtmled.dll Fri 2005-10-21 4:39:30 A.... 448.512 438,00 K
msrating.dll Fri 2005-10-21 4:39:30 A.... 146.432 143,00 K
mstime.dll Fri 2005-10-21 4:39:30 A.... 530.944 518,50 K
msupda~1.dll Wed 2005-12-28 23:38:04 A.... 473.088 462,00 K
pngfilt.dll Fri 2005-10-21 4:39:30 A.... 39.424 38,50 K
sahcinst.dll Thu 2006-01-05 17:28:18 ..S.R 235.361 229,84 K
shdocvw.dll Thu 2005-12-01 4:59:30 A.... 1.492.480 1,42 M
shlwapi.dll Fri 2005-10-21 4:39:30 A.... 473.600 462,50 K
sintf16.dll Fri 2005-12-09 8:30:50 A.... 12.067 11,78 K
sintf32.dll Fri 2005-12-09 8:30:50 A.... 17.212 16,81 K
sintfnt.dll Fri 2005-12-09 8:30:50 A.... 21.840 21,33 K
smrialui.dll Tue 2006-01-03 17:58:14 ..S.R 235.779 230,25 K
spmsg.dll Thu 2005-10-13 0:12:26 ..... 14.048 13,72 K
sri_ci.dll Thu 2006-01-05 13:17:32 ..S.R 233.951 228,46 K
ufrrtosa.dll Sun 2006-01-01 12:29:02 ..S.R 235.232 229,72 K
uorfaxa.dll Fri 2006-01-06 8:55:06 ..S.R 234.043 228,55 K
urlmon.dll Sat 2005-11-05 4:16:28 A.... 609.280 595,00 K
w95inf16.dll Sat 2005-10-22 9:47:48 A.... 2.272 2,22 K
w95inf32.dll Sat 2005-10-22 9:47:48 A.... 4.608 4,50 K
wininet.dll Fri 2005-10-21 4:39:30 A.... 658.432 643,00 K
wtashext.dll Sat 2006-01-07 9:03:20 ..S.R 233.873 228,39 K
wydmps.dll Sun 2006-01-01 23:12:52 ..S.R 237.158 231,60 K

63 items found: 63 files (22 H/S), 0 directories.
Total of file sizes: 24.524.940 bytes 23,39 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Tue 2006-01-10 17:00:20 ..S.R 235.365 229,85 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 235.365 bytes 229,85 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 78B4-31E7

Directory of C:\WINDOWS\System32

10.01.2006 17:00 235.365 guard.tmp
10.01.2006 16:56 235.236 l6n4lg5q16.dll
10.01.2006 14:26 235.365 g604lgdq160e.dll
09.01.2006 09:40 235.236 mlrdim.dll
08.01.2006 12:37 233.873 blowsewm.dll
07.01.2006 09:03 233.873 wtashext.dll
06.01.2006 16:49 237.017 j4n2le5o1h.dll
06.01.2006 15:44 237.017 mqglibnt.dll
06.01.2006 08:55 234.043 uorfaxa.dll
05.01.2006 23:49 237.017 amiiiexx.dll
05.01.2006 17:28 235.361 sahcinst.dll
05.01.2006 13:17 233.951 sri_ci.dll
05.01.2006 07:59 236.929 lxadperf.dll
04.01.2006 16:14 236.929 maprivs.dll
04.01.2006 16:14 233.773 h0n0la5m1d.dll
04.01.2006 07:20 235.779 mqcms.dll
03.01.2006 21:32 236.929 adivvaxx.dll
03.01.2006 17:58 235.779 smrialui.dll
02.01.2006 12:38 233.885 fccfg.dll
02.01.2006 10:42 237.192 dcnput8.dll
01.01.2006 23:12 237.158 wydmps.dll
01.01.2006 12:29 235.232 ufrrtosa.dll
30.12.2005 23:44 234.818 dlvenum.dll
21.10.2005 21:16 <DIR> Microsoft
23 File(s) 5.417.757 bytes
1 Dir(s) 22.116.028.416 bytes free

LonnyRJones
2006-01-10, 18:29
Thanks

Close any programs you have open since this step requires a reboot.
Close the internet connection; unplug your modem if on cable or satellite!
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.
Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly.
How did that go?

I'll be back later today to look at the logs.

songoko
2006-01-11, 00:08
Here is the log after the fix. I will post the HijackThis log in a few minutes.

BTW: those programs that were running, ktp3 and the other one, were just for the touchpad and notebook utility buttons.

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 580 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 668 'winlogon.exe'
Killing PID 668 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1688 'explorer.exe'
Killing PID 1688 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 380 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\adivvaxx.dll
Successfully Deleted: C:\WINDOWS\system32\adivvaxx.dll
Deleting: C:\WINDOWS\system32\amiiiexx.dll
Successfully Deleted: C:\WINDOWS\system32\amiiiexx.dll
Deleting: C:\WINDOWS\system32\aqmeter.dll
Successfully Deleted: C:\WINDOWS\system32\aqmeter.dll
Deleting: C:\WINDOWS\system32\blowsewm.dll
Successfully Deleted: C:\WINDOWS\system32\blowsewm.dll
Deleting: C:\WINDOWS\system32\dcnput8.dll
Successfully Deleted: C:\WINDOWS\system32\dcnput8.dll
Deleting: C:\WINDOWS\system32\dlvenum.dll
Successfully Deleted: C:\WINDOWS\system32\dlvenum.dll
Deleting: C:\WINDOWS\system32\fccfg.dll
Successfully Deleted: C:\WINDOWS\system32\fccfg.dll
Deleting: C:\WINDOWS\system32\g604lgdq160e.dll
Successfully Deleted: C:\WINDOWS\system32\g604lgdq160e.dll
Deleting: C:\WINDOWS\system32\h0n0la5m1d.dll
Successfully Deleted: C:\WINDOWS\system32\h0n0la5m1d.dll
Deleting: C:\WINDOWS\system32\j4n2le5o1h.dll
Successfully Deleted: C:\WINDOWS\system32\j4n2le5o1h.dll
Deleting: C:\WINDOWS\system32\l6n4lg5q16.dll
Successfully Deleted: C:\WINDOWS\system32\l6n4lg5q16.dll
Deleting: C:\WINDOWS\system32\lxadperf.dll
Successfully Deleted: C:\WINDOWS\system32\lxadperf.dll
Deleting: C:\WINDOWS\system32\maprivs.dll
Successfully Deleted: C:\WINDOWS\system32\maprivs.dll
Deleting: C:\WINDOWS\system32\mlrdim.dll
Successfully Deleted: C:\WINDOWS\system32\mlrdim.dll
Deleting: C:\WINDOWS\system32\mqcms.dll
Successfully Deleted: C:\WINDOWS\system32\mqcms.dll
Deleting: C:\WINDOWS\system32\mqglibnt.dll
Successfully Deleted: C:\WINDOWS\system32\mqglibnt.dll
Deleting: C:\WINDOWS\system32\sahcinst.dll
Successfully Deleted: C:\WINDOWS\system32\sahcinst.dll
Deleting: C:\WINDOWS\system32\smrialui.dll
Successfully Deleted: C:\WINDOWS\system32\smrialui.dll
Deleting: C:\WINDOWS\system32\sri_ci.dll
Successfully Deleted: C:\WINDOWS\system32\sri_ci.dll
Deleting: C:\WINDOWS\system32\ufrrtosa.dll
Successfully Deleted: C:\WINDOWS\system32\ufrrtosa.dll
Deleting: C:\WINDOWS\system32\uorfaxa.dll
Successfully Deleted: C:\WINDOWS\system32\uorfaxa.dll
Deleting: C:\WINDOWS\system32\wtashext.dll
Successfully Deleted: C:\WINDOWS\system32\wtashext.dll
Deleting: C:\WINDOWS\system32\wydmps.dll
Successfully Deleted: C:\WINDOWS\system32\wydmps.dll
Deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g604lgdq160e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\adivvaxx.dll
C:\WINDOWS\system32\amiiiexx.dll
C:\WINDOWS\system32\aqmeter.dll
C:\WINDOWS\system32\blowsewm.dll
C:\WINDOWS\system32\dcnput8.dll
C:\WINDOWS\system32\dlvenum.dll
C:\WINDOWS\system32\fccfg.dll
C:\WINDOWS\system32\g604lgdq160e.dll
C:\WINDOWS\system32\h0n0la5m1d.dll
C:\WINDOWS\system32\j4n2le5o1h.dll
C:\WINDOWS\system32\l6n4lg5q16.dll
C:\WINDOWS\system32\lxadperf.dll
C:\WINDOWS\system32\maprivs.dll
C:\WINDOWS\system32\mlrdim.dll
C:\WINDOWS\system32\mqcms.dll
C:\WINDOWS\system32\mqglibnt.dll
C:\WINDOWS\system32\sahcinst.dll
C:\WINDOWS\system32\smrialui.dll
C:\WINDOWS\system32\sri_ci.dll
C:\WINDOWS\system32\ufrrtosa.dll
C:\WINDOWS\system32\uorfaxa.dll
C:\WINDOWS\system32\wtashext.dll
C:\WINDOWS\system32\wydmps.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{23C32358-AE65-4CD0-B5A2-2C014E08B330}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{23C32358-AE65-4CD0-B5A2-2C014E08B330}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{23C32358-AE65-4CD0-B5A2-2C014E08B330}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{23C32358-AE65-4CD0-B5A2-2C014E08B330}\InprocServer32]
@="C:\\WINDOWS\\system32\\vcrtkclients.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9C79EED5-7034-49FA-BC92-5323B39C5A61}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9C79EED5-7034-49FA-BC92-5323B39C5A61}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9C79EED5-7034-49FA-BC92-5323B39C5A61}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9C79EED5-7034-49FA-BC92-5323B39C5A61}\InprocServer32]
@="C:\\WINDOWS\\system32\\wwadefui.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{72151D7F-AC43-434A-AAB8-615DC6390A3F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{72151D7F-AC43-434A-AAB8-615DC6390A3F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{72151D7F-AC43-434A-AAB8-615DC6390A3F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{72151D7F-AC43-434A-AAB8-615DC6390A3F}\InprocServer32]
@="C:\\WINDOWS\\system32\\aqmeter.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2618182C-89A7-4E0C-ADF5-98BB48B5BBB6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2618182C-89A7-4E0C-ADF5-98BB48B5BBB6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2618182C-89A7-4E0C-ADF5-98BB48B5BBB6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2618182C-89A7-4E0C-ADF5-98BB48B5BBB6}\InprocServer32]
@="C:\\WINDOWS\\system32\\smrialui.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{23C32358-AE65-4CD0-B5A2-2C014E08B330}"=-
"{9C79EED5-7034-49FA-BC92-5323B39C5A61}"=-
"{72151D7F-AC43-434A-AAB8-615DC6390A3F}"=-
"{2618182C-89A7-4E0C-ADF5-98BB48B5BBB6}"=-
[-HKEY_CLASSES_ROOT\CLSID\{23C32358-AE65-4CD0-B5A2-2C014E08B330}]
[-HKEY_CLASSES_ROOT\CLSID\{9C79EED5-7034-49FA-BC92-5323B39C5A61}]
[-HKEY_CLASSES_ROOT\CLSID\{72151D7F-AC43-434A-AAB8-615DC6390A3F}]
[-HKEY_CLASSES_ROOT\CLSID\{2618182C-89A7-4E0C-ADF5-98BB48B5BBB6}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/adivvaxx.dll (164 bytes security) (deflated 6%)
adding: dlls/amiiiexx.dll (164 bytes security) (deflated 6%)
adding: dlls/aqmeter.dll (164 bytes security) (deflated 5%)
adding: dlls/blowsewm.dll (164 bytes security) (deflated 4%)
adding: dlls/dcnput8.dll (164 bytes security) (deflated 6%)
adding: dlls/dlvenum.dll (164 bytes security) (deflated 5%)
adding: dlls/fccfg.dll (164 bytes security) (deflated 4%)
adding: dlls/g604lgdq160e.dll (164 bytes security) (deflated 5%)
adding: dlls/guard.tmp (164 bytes security) (deflated 5%)
adding: dlls/h0n0la5m1d.dll (164 bytes security) (deflated 4%)
adding: dlls/j4n2le5o1h.dll (164 bytes security) (deflated 6%)
adding: dlls/l6n4lg5q16.dll (164 bytes security) (deflated 5%)
adding: dlls/lxadperf.dll (164 bytes security) (deflated 6%)
adding: dlls/maprivs.dll (164 bytes security) (deflated 6%)
adding: dlls/mlrdim.dll (164 bytes security) (deflated 5%)
adding: dlls/mqcms.dll (164 bytes security) (deflated 5%)
adding: dlls/mqglibnt.dll (164 bytes security) (deflated 6%)
adding: dlls/sahcinst.dll (164 bytes security) (deflated 5%)
adding: dlls/smrialui.dll (164 bytes security) (deflated 5%)
adding: dlls/sri_ci.dll (164 bytes security) (deflated 4%)
adding: dlls/ufrrtosa.dll (164 bytes security) (deflated 5%)
adding: dlls/uorfaxa.dll (164 bytes security) (deflated 4%)
adding: dlls/wtashext.dll (164 bytes security) (deflated 4%)
adding: dlls/wydmps.dll (164 bytes security) (deflated 6%)
adding: backregs/23C32358-AE65-4CD0-B5A2-2C014E08B330.reg (212 bytes security) (deflated 70%)
adding: backregs/2618182C-89A7-4E0C-ADF5-98BB48B5BBB6.reg (212 bytes security) (deflated 70%)
adding: backregs/72151D7F-AC43-434A-AAB8-615DC6390A3F.reg (212 bytes security) (deflated 70%)
adding: backregs/9C79EED5-7034-49FA-BC92-5323B39C5A61.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 72%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)
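
The L2MFix log above is, in effect, a flattened regedit export plus a manual triage of it: the CLSIDs listed under Shell Extensions\Approved with an empty display name are matched to their InprocServer32 DLLs, and the Winlogon\Notify "Uninstall" package stands out because its DllName is a full path to a random-named DLL in system32, where every stock package uses a bare file name. The following Python is an added example written for this page, not part of L2MFix, HijackThis or anything posted in the thread. `SAMPLE_REG` is a constructed export assembled from fragments quoted above, and the function names are my own.

```python
"""Triage a regedit (.reg) export for the two persistence points seen in this
thread: Shell Extensions\\Approved CLSIDs with no display name, and
Winlogon\\Notify packages whose DllName is an absolute path."""
import re
from typing import Dict, List, Optional, Tuple

RegKeys = Dict[str, Dict[str, Optional[str]]]

# Constructed sample export, assembled from fragments quoted in this thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{259F616C-A300-44F5-B04A-ED001A26C85C}"="SolidConverter extension"
"{23C32358-AE65-4CD0-B5A2-2C014E08B330}"=""
"{72151D7F-AC43-434A-AAB8-615DC6390A3F}"=""

[HKEY_CLASSES_ROOT\CLSID\{23C32358-AE65-4CD0-B5A2-2C014E08B330}\InprocServer32]
@="C:\\WINDOWS\\system32\\vcrtkclients.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{72151D7F-AC43-434A-AAB8-615DC6390A3F}\InprocServer32]
@="C:\\WINDOWS\\system32\\aqmeter.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"DllName"="C:\\WINDOWS\\system32\\g604lgdq160e.dll"
"Logon"="WinLogon"
'''

APPROVED_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def _decode_value(raw: str) -> Optional[str]:
    """Decode one .reg value: quoted REG_SZ, hex(2)/hex(7) UTF-16LE strings,
    or the '-' deletion marker (returned as None). Other types stay raw."""
    raw = raw.strip()
    if raw == "-":
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\([27]\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg(text: str) -> RegKeys:
    """Parse a regedit export into {key_path: {value_name: value}}. The
    default value '@' is stored under the empty name; continuation lines
    (trailing backslash) are joined before decoding."""
    keys: RegKeys = {}
    current: Optional[str] = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, raw = line.partition("=")
        name = "" if name == "@" else name.strip().strip('"')
        keys[current][name] = _decode_value(raw)
    return keys


def _lookup(keys: RegKeys, path: str) -> Dict[str, Optional[str]]:
    """Registry key paths are case-insensitive; match accordingly."""
    want = path.lower()
    return next((v for k, v in keys.items() if k.lower() == want), {})


def _get(values: Dict[str, Optional[str]], name: str) -> Optional[str]:
    """Value names are case-insensitive too (DllName vs DLLName above)."""
    want = name.lower()
    return next((v for k, v in values.items() if k.lower() == want), None)


def suspicious_shell_extensions(keys: RegKeys) -> List[Tuple[str, str]]:
    """(CLSID, server DLL) for Approved shell extensions with an empty display
    name. The Look2Me CLSIDs in this thread register exactly that way; an
    empty name is a cheap first filter, not proof of infection."""
    hits: List[Tuple[str, str]] = []
    for clsid, name in _lookup(keys, APPROVED_KEY).items():
        if name != "":
            continue
        server = _lookup(keys, "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32")
        hits.append((clsid, _get(server, "") or "<no InprocServer32>"))
    return hits


def suspicious_notify_dlls(keys: RegKeys) -> List[Tuple[str, str]]:
    """(package, DllName) for Winlogon\\Notify packages whose DllName is an
    absolute path. Stock XP packages use bare file names resolved from
    system32; the 'Uninstall' package here pointed at a random-named DLL."""
    hits: List[Tuple[str, str]] = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        dll = _get(values, "DllName")
        if dll and ("\\" in dll or ":" in dll):
            hits.append((path.rsplit("\\", 1)[-1], dll))
    return hits


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for clsid, dll in suspicious_shell_extensions(parsed):
        print("unnamed shell extension", clsid, "->", dll)
    for package, dll in suspicious_notify_dlls(parsed):
        print("Winlogon\\Notify package", package, "-> absolute path", dll)
```

Run it against a real export (`regedit /e out.reg "HKEY_CLASSES_ROOT\CLSID"` and the two HKLM keys, concatenated) and review each hit by hand; on this machine both checks would have pointed straight at the files L2MFix later deleted, but an empty display name or a full path is only a reason to look at the DLL's signature, timestamp and attributes, not a verdict.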

songoko
2006-01-11, 00:09
Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 23:08:41, on 10.1.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Programi\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp3.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SearchKey] C:\Programi\MSI\SearchKey\StartKBHook.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp3.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\g604lgdq160e.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programi\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programi\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Programi\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

songoko
2006-01-11, 00:19
HEY!!

I did everything you advised me to do and I think it's all OK now. No more annoying pop-ups every 2 minutes that throw you out of any program that is running. Thanks for all the help!
Will donate a bit of $$ after I get my credit card!!!

THANKS :bigthumb:

LonnyRJones
2006-01-11, 05:23
Hi

Have HijackThis fix this item:
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\g604lgdq160e.dll (file missing)
===========
Close HijackThis.

Did you install that hosts file?

What antivirus program do you use? There are several good free programs to choose from; interested?

tashi
2006-01-12, 18:22
Hello, this topic will now be archived to prevent others with similar issues posting in it.

If you need it re-opened please pm me or one of the forum mods. :)

tashi
2006-01-14, 12:19
Re-opened. I PMed Lonny and let him know you are here.

Cheers. :)

songoko
2006-01-14, 12:31
Tashi thanks for the fast response!!

Hello LonnyRJones, I am really grateful for the additional help!

I fixed the O20 problem and installed the hosts file!

Currently I don't have an antivirus program installed, but if you know any good ones I would install one.

Thanks for the help!!!

LonnyRJones
2006-01-14, 12:40
Are there any problems left?

I suggest (if you can get a paid-for program) Kaspersky or NOD32 antivirus.

List of free programs


Install at least a free antivirus and firewall program.
Don't make the common mistake of installing more than one antivirus or firewall.
AVG Anti-Virus-Free: http://www.grisoft.com/us/us_dwnl_free.php
AntiVir Personal Edition: http://www.free-av.com/
avast! 4 Home - Free antivirus software :
http://www.asw.cz/eng/free_virus_protectio.html

Understanding and Using Firewalls:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=60
ZoneAlarm provides a paid-for and a free version: http://www.zonelabs.com/
http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za
Kerio Personal Firewall
For home users, Kerio Personal Firewall 4 is available in two flavors -
the full edition and the limited free edition.
http://www.kerio.com/us/kpf_download.html
Sygate free for personal/home http://soho.sygate.com/products/spf_standard.htm
Outpost http://www.outpost.uk.com/download/outpost1.html

songoko
2006-01-14, 14:46
Thanks Lonny!!

All problems are gone now! Downloading the free AV and firewall programs!

Case closed!

Thanks for all the help!!:bigthumb:

LonnyRJones
2006-01-15, 06:42
I'm glad we could help ;)
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.
If you should need to post another log for the same PC, let one of the forum moderators know.