cmdservice problems



Uri.raveh
2006-01-17, 11:05
Hi guys,
I can't get rid of this cmdservice virus.
I read this thread but I'm not sure about what I should do:

http://forums.spybot.info/showthread.php?t=1227

Here is my HJT logfile:



Logfile of HijackThis v1.99.1
Scan saved at 11.01.44, on 17/01/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\htpatch.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\carpserv.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\ScreenPrint32 v3\ScreenPrint32.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\Sony Handheld\HOTSYNC.EXE
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\AutoCAD 2002\acad.exe
C:\Programmi\Winamp\winamp.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
D:\Uri\Appoggio programmi\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Programmi\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Connector] C:\WINNT\system32\Winx\SYTS.EXE -n
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ntdll.dll] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\RunServices: [Windows Configuration] wincfg32.exe
O4 - Startup: Manager HotSync.lnk = C:\Programmi\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.registration.sonystyle-europe.com (HKLM)
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://82.88.96.65:81/XNC600NetCam.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c15.cab
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - file://C:\Programmi\AutoCAD 2002\SysVerChk.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Programmi\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Programmi\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Programmi\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Programmi\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F599DEA0-53B4-4797-9822-D0B0C4A67A5C}: NameServer = 1.253.128.10,1.253.128.11
O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\gp68l3ju1.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe


Spybot can't remove 2 cmdService registry lines that it finds.
What should I do?
Please help!

Thank you

Uri

LonnyRJones
2006-01-22, 07:54
Hello Uri
That cmdservice detection is only a leftover, not to worry.

Start HijackThis and place a check next to these items, if there.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\RunServices: [Windows Configuration] wincfg32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me...bridge-c15.cab
====================================
Hit Fix checked and close HijackThis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download L2mfix (new version) from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.
Note:
If, while running option #1, you receive an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose Close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
If it is too large to post in one reply, do so in two please.
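Added example, not code from the thread, from HijackThis or from L2MFix: a small Python triage script that parses the O4/O16/O20 lines of a HijackThis 1.99 log and flags entries by the same criteria the reply above applies (the Run entry under the wrong Windows directory, the RunServices entry on an NT system, the windupdates.com ActiveX download), plus a known-good list of Windows 2000 Winlogon Notify DLLs. The sample log, the blocked-host set and the known-good DLL set are constructed from entries posted in this thread; the rules are heuristics, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted above, cut
# down to the ones the rules need plus a few benign lines as controls.
SAMPLE_LOG = """\
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\\WINNT\\system32\\winlogon.exe

O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Programmi\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [adtech2005] C:\\windows\\adtech2005.exe
O4 - HKLM\\..\\RunServices: [Windows Configuration] wincfg32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c15.cab
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - file://C:\\Programmi\\AutoCAD 2002\\SysVerChk.ocx
O20 - Winlogon Notify: AdminDebug - C:\\WINNT\\system32\\gp68l3ju1.dll
"""

# Notify DLLs a stock Windows 2000 install registers; names taken from the
# Winlogon/notify section of the L2MFix log further down in this thread.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}
# Host of the O16 download the reply above marks for removal.
BLOCKED_DPF_HOSTS = {"static.windupdates.com"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\(?P<sub>\w+): \[(?P<name>[^\]]+)\] (?P<target>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \([^)]*\))? - (?P<url>.+)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")
WINDIR_RE = re.compile(r"^(?P<windir>[A-Za-z]:\\[^\\]+)\\system32\\winlogon\.exe$", re.I | re.M)


@dataclass
class Entry:
    kind: str      # HijackThis section: "O4", "O16" or "O20"
    name: str      # run-value name, CLSID or Notify subkey
    target: str    # command line, download URL or DLL path
    sub: str = ""  # O4 only: Run, RunOnce or RunServices


def parse(log: str) -> List[Entry]:
    """Turn the O4/O16/O20 lines of a log into Entry objects; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4" and (o4 := O4_RE.match(body)):
            entries.append(Entry(kind, o4["name"], o4["target"], o4["sub"]))
        elif kind == "O16" and (o16 := O16_RE.match(body)):
            entries.append(Entry(kind, o16["clsid"], o16["url"]))
        elif kind == "O20" and (o20 := O20_RE.match(body)):
            entries.append(Entry(kind, o20["name"].strip(), o20["dll"].strip()))
    return entries


def detect_windir(log: str) -> Optional[str]:
    """Recover the real Windows directory from the winlogon.exe process path."""
    m = WINDIR_RE.search(log)
    return m.group("windir") if m else None


def image_path(target: str) -> str:
    """Strip quotes and arguments from an O4 command line, keeping only the image."""
    m = re.match(r'^"?(?P<path>.*?\.(?:exe|com|dll|scr|bat))"?(?:\s|$)', target, re.I)
    return m.group("path") if m else target.strip()


def analyse(log: str) -> List[Tuple[Entry, str]]:
    """Apply the heuristics and return (entry, reason) pairs in log order."""
    windir = detect_windir(log)
    findings = []
    for e in parse(log):
        if e.kind == "O4":
            path = image_path(e.target).lower()
            root = re.match(r"^[a-z]:\\win[^\\]*", path)
            if e.sub.lower() == "runservices":
                # RunServices is a Win9x key; on an NT system it is an odd place to persist.
                findings.append((e, "RunServices autostart on a WinNT platform"))
            elif windir and root and root.group(0) != windir.lower():
                # adtech2005 sits under C:\windows, but this machine boots from C:\WINNT.
                findings.append((e, f"image under {root.group(0)} but the Windows directory is {windir}"))
        elif e.kind == "O16":
            url = urlparse(e.target)
            if url.scheme in ("http", "https") and url.hostname in BLOCKED_DPF_HOSTS:
                findings.append((e, f"ActiveX download from {url.hostname}"))
        elif e.kind == "O20":
            dll = e.target.rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append((e, f"Winlogon Notify DLL {dll} is not a stock notify package"))
    return findings


if __name__ == "__main__":
    for entry, reason in analyse(SAMPLE_LOG):
        print(f"{entry.kind:<4}{entry.name:<42} {reason}")
```

Run against the sample it reports exactly the three entries the reply marks for fixing plus the O20 Notify DLL, and leaves the SoundMan, QuickTime and AutoCAD lines alone.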

Uri.raveh
2006-01-23, 09:34
Thanks for your reply!
I followed the steps and everything went smoothly, but as I'm writing I had a popup, so I guess we're not quite there yet.

Well here's the L2MFIX report: (part 1)


L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\o4840elqehqe0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1123297E-21DB-1934-E06B-686DF7A24945}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Proprietà dei file Multimedia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestore scanner ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Pagina di protezione NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Pagina di proprietà di Docfile OLE"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Estensioni shell per la condivisione"
"{41E300E0-78B6-11ce-849B-444553540000}"="Estensione CPL PlusPack"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Estensione scheda video del Pannello di controllo"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Estensione monitor del Pannello di controllo"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Estensione panoramica video del Pannello di controllo"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Pagina di protezione DS"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Gestore dati dei ritagli di shell"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Estensione copia dischi"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Estensioni shell per oggetti Rete Microsoft Windows"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Gestore monitor ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Gestore stampante ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Estensioni shell per la compressione dei file"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Estensione shell per la stampante Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu di scelta rapida di crittografia"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Sincronia file"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Estensione di icona di HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profilo ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Pagina di protezione della stampante"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Estensioni shell per la condivisione"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Estensioni di shell per Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Estensione Crypto PKO"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Estensione firma crittografata"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Rete e connessioni remote"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Servizio Cronologia Url Microsoft"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Cronologia"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="File temporanei Internet"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Hook per la ricerca di URL Microsoft"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Schermata iniziale applicazioni Internet Explorer 4"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Operazioni pianificate"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Cartella Preferiti"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="Risorse del computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Cartella Sincronia file"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Collegamento alla cartella"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Volume installato"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="Estensione pagina proprietà file"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="Pagina tipi di file"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="Hook di tipi di file MIME"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Servizio CopyTo Microsoft"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Servizio automazione della shell"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Menu Avvio"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Apri con gestore menu di scelta rapida"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Mostra estensioni HTML del Pannello di controllo"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Estensione pagina proprietà Opzioni cartella"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Helper trascinamento selezione Shell"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Aggiungere l'elemento di crittografia al menu di scelta rapida in Esplora risorse"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barra degli strumenti Microsoft Internet"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Stato del download"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Shell Folder accresciuto"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Shell Folder 2 accresciuto"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="SearchBand"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Ricerca all'interno"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Ricerca Web"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="Co&llegamenti"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilità opzioni della struttura del Registro di sistema"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Indirizzo"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Completamento automatico Microsoft"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Immagine di anteprima"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Elenco di Completamento automatico MRU"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Elenco di Completamento automatico della Cronologia di Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Elenco di Completamento automatico di Shell Folder di Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Contenitore dell'elenco di Completamento automatico multiplo Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistenza utente"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Impostazioni cartella globale"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Cartella cache ActiveX"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Cartella Subscription"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Anteprima"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="Programma di estrazione pagine HTML in anteprima"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Programma di estrazione filtri grafici di Office in anteprima"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Gestione applicazioni shell"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Enumeratore applicazioni installate"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Menu file non in linea"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Opzioni cartella File non in linea"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Cartella file non in linea"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Elenco di Completamento automatico MRU personalizzato"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessibile"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Indicatore di avanzamento popup"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Parser della barra degli indirizzi"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="File temporanei Internet"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="File del canale"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Collegamento al canale"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Contatti..."
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Cartelle Web"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{C81DCBCA-8AE2-41FC-9C39-78B160393210}"="RhinoShExt"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}"="AutoCAD Digital Signatures Icon Overlay Handler"
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}"="Autodesk Drawing Preview"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{C2B4FFC2-0A3A-4FF5-90BE-CB452C396FCC}"=""
"{BE07759D-8454-4BE5-A9B4-E48C1B453E35}"=""
"{A4385C6B-E756-4297-86D6-1F047793AAFC}"=""
"{DAE67D26-2C53-4711-B049-93B84C832620}"=""
"{A5ADB269-97B8-4181-AAA0-520C44370BF0}"=""
"{7FB11542-D2D0-47B2-B1DA-B950C56306D5}"=""
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"

**********************************************************************************

Uri.raveh
2006-01-23, 09:35
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C2B4FFC2-0A3A-4FF5-90BE-CB452C396FCC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C2B4FFC2-0A3A-4FF5-90BE-CB452C396FCC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C2B4FFC2-0A3A-4FF5-90BE-CB452C396FCC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C2B4FFC2-0A3A-4FF5-90BE-CB452C396FCC}\InprocServer32]
@="C:\\WINNT\\system32\\nadeapi.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A4385C6B-E756-4297-86D6-1F047793AAFC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A4385C6B-E756-4297-86D6-1F047793AAFC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A4385C6B-E756-4297-86D6-1F047793AAFC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A4385C6B-E756-4297-86D6-1F047793AAFC}\InprocServer32]
@="C:\\WINNT\\system32\\lu_messagetext.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DAE67D26-2C53-4711-B049-93B84C832620}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DAE67D26-2C53-4711-B049-93B84C832620}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DAE67D26-2C53-4711-B049-93B84C832620}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DAE67D26-2C53-4711-B049-93B84C832620}\InprocServer32]
@="C:\\WINNT\\system32\\anomps.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A5ADB269-97B8-4181-AAA0-520C44370BF0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A5ADB269-97B8-4181-AAA0-520C44370BF0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A5ADB269-97B8-4181-AAA0-520C44370BF0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A5ADB269-97B8-4181-AAA0-520C44370BF0}\InprocServer32]
@="C:\\WINNT\\system32\\gD400ihme84a0.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7FB11542-D2D0-47B2-B1DA-B950C56306D5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7FB11542-D2D0-47B2-B1DA-B950C56306D5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7FB11542-D2D0-47B2-B1DA-B950C56306D5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7FB11542-D2D0-47B2-B1DA-B950C56306D5}\InprocServer32]
@="C:\\WINNT\\system32\\dfquery.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
anomps.dll Tue 27 Dec 2005 9.29.32 ..S.R 236.054 230,52 K
aza001~1.dll Wed 18 Jan 2006 10.45.02 ..S.R 236.524 230,98 K
aza6li~1.dll Tue 3 Jan 2006 17.44.52 ..S.R 235.874 230,34 K
d00m0a~1.dll Tue 17 Jan 2006 9.33.30 ..S.R 234.564 229,07 K
dfquery.dll Mon 23 Jan 2006 9.27.18 ..S.R 236.006 230,47 K
dn2s01~1.dll Tue 29 Nov 2005 9.25.10 ..S.R 234.807 229,30 K
dnj601~1.dll Thu 12 Jan 2006 8.59.18 ..S.R 233.553 228,08 K
dnn001~1.dll Wed 21 Dec 2005 12.31.04 ..S.R 235.321 229,80 K
e2jmlc~1.dll Wed 4 Jan 2006 18.01.36 ..S.R 235.269 229,75 K
e602lg~1.dll Wed 18 Jan 2006 9.57.02 ..S.R 233.851 228,37 K
en22l1~1.dll Wed 14 Dec 2005 11.05.02 ..S.R 235.129 229,62 K
en68l1~1.dll Thu 1 Dec 2005 9.15.32 ..S.R 234.178 228,69 K
en8ql1~1.dll Fri 16 Dec 2005 9.02.26 ..S.R 236.851 231,30 K
enl8l1~1.dll Wed 14 Dec 2005 9.14.48 ..S.R 235.739 230,21 K
enpul1~1.dll Wed 11 Jan 2006 9.15.48 ..S.R 234.233 228,74 K
f8l02i~1.dll Wed 23 Nov 2005 10.03.34 ..S.R 237.144 231,59 K
fp4403~1.dll Thu 12 Jan 2006 9.53.44 ..S.R 237.232 231,67 K
fp6s03~1.dll Wed 21 Dec 2005 18.21.14 ..S.R 236.033 230,50 K
fp8003~1.dll Tue 17 Jan 2006 13.23.14 ..S.R 234.547 229,05 K
fp8s03~1.dll Mon 28 Nov 2005 9.09.56 ..S.R 233.639 228,16 K
g6jo0g~1.dll Wed 4 Jan 2006 14.37.56 ..S.R 234.473 228,98 K
g6jolg~1.dll Wed 11 Jan 2006 11.27.22 ..S.R 233.906 228,42 K
g8400i~1.dll Tue 3 Jan 2006 12.09.34 ..S.R 235.922 230,39 K
gd400i~1.dll Wed 4 Jan 2006 18.06.52 ..S.R 234.157 228,67 K
h2j40c~1.dll Wed 14 Dec 2005 9.54.42 ..S.R 234.320 228,83 K
h6l20g~1.dll Mon 9 Jan 2006 9.19.18 ..S.R 236.903 231,35 K
hrlq05~1.dll Wed 4 Jan 2006 12.45.24 ..S.R 234.692 229,19 K
i2nmlc~1.dll Tue 17 Jan 2006 17.56.26 ..S.R 235.616 230,09 K
i4600e~1.dll Thu 29 Dec 2005 9.34.12 ..S.R 234.449 228,95 K
i6jqlg~1.dll Wed 23 Nov 2005 9.25.12 ..S.R 235.788 230,26 K
irjol5~1.dll Tue 3 Jan 2006 9.48.04 ..S.R 237.189 231,63 K
j06mla~1.dll Mon 12 Dec 2005 9.24.24 ..S.R 237.182 231,62 K
j22q0c~1.dll Wed 23 Nov 2005 10.19.52 ..S.R 235.628 230,11 K
jt4607~1.dll Tue 17 Jan 2006 15.26.00 ..S.R 235.111 229,60 K
jt8s07~1.dll Wed 28 Dec 2005 11.19.06 ..S.R 235.056 229,55 K
jtjo07~1.dll Tue 17 Jan 2006 14.51.28 ..S.R 234.781 229,28 K
k408le~1.dll Thu 12 Jan 2006 17.31.38 ..S.R 234.150 228,66 K
k826li~1.dll Wed 30 Nov 2005 9.02.36 ..S.R 236.452 230,91 K
k8620i~1.dll Tue 6 Dec 2005 10.30.26 ..S.R 234.752 229,25 K
kt8ml7~1.dll Thu 1 Dec 2005 10.36.46 ..S.R 233.841 228,36 K
l0l60a~1.dll Thu 12 Jan 2006 17.28.08 ..S.R 233.563 228,09 K
l2l6lc~1.dll Tue 17 Jan 2006 9.27.26 ..S.R 236.096 230,56 K
l42s0e~1.dll Wed 28 Dec 2005 12.42.26 ..S.R 234.993 229,48 K
lu_mes~1.dll Fri 23 Dec 2005 17.52.06 ..S.R 235.270 229,75 K
lv2409~1.dll Mon 23 Jan 2006 9.25.34 ..S.R 235.522 230,00 K
lvrs09~1.dll Fri 25 Nov 2005 9.33.46 ..S.R 235.554 230,03 K
m8poli~1.dll Fri 13 Jan 2006 21.08.34 ..S.R 237.045 231,49 K
mv04l9~1.dll Wed 21 Dec 2005 9.49.14 ..S.R 236.679 231,13 K
mv0ul9~1.dll Fri 23 Dec 2005 9.39.52 ..S.R 237.179 231,62 K
mvp8l9~1.dll Tue 13 Dec 2005 17.08.02 ..S.R 234.187 228,70 K
n0p40a~1.dll Fri 25 Nov 2005 12.12.50 ..S.R 235.225 229,71 K
n86q0i~1.dll Thu 29 Dec 2005 15.11.46 ..S.R 234.953 229,45 K
o2660c~1.dll Wed 4 Jan 2006 14.49.46 ..S.R 234.819 229,31 K
o4840e~1.dll Mon 23 Jan 2006 9.10.34 ..S.R 236.006 230,47 K
o8lu0i~1.dll Tue 13 Dec 2005 9.26.50 ..S.R 233.717 228,24 K
p04ula~1.dll Fri 23 Dec 2005 17.52.18 ..S.R 237.188 231,63 K
p08q0a~1.dll Tue 6 Dec 2005 20.14.30 ..S.R 234.484 228,99 K
p0n8la~1.dll Tue 17 Jan 2006 18.26.04 ..S.R 236.314 230,77 K
p48qle~1.dll Wed 4 Jan 2006 11.15.56 ..S.R 235.741 230,21 K
p8p6li~1.dll Tue 17 Jan 2006 9.30.26 ..S.R 236.142 230,61 K
pncrt.dll Wed 16 Nov 2005 14.19.56 A.... 278.528 272,00 K
pndx5016.dll Wed 16 Nov 2005 14.19.58 A.... 6.656 6,50 K
pndx5032.dll Wed 16 Nov 2005 14.19.58 A.... 5.632 5,50 K
r0r6la~1.dll Tue 27 Dec 2005 19.46.18 ..S.R 236.054 230,52 K
r68s0g~1.dll Wed 14 Dec 2005 9.26.38 ..S.R 234.694 229,19 K
rmoc3260.dll Wed 16 Nov 2005 14.20.02 A.... 176.167 172,04 K

66 items found: 66 files (62 H/S), 0 directories.
Total of file sizes: 15.059.324 bytes 14,36 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Il volume nell'unità C è Sistema
Numero di serie del volume: 10E3-209C

Directory di C:\WINNT\System32

23/01/2006 09.27 236.006 dfquery.dll
23/01/2006 09.25 235.522 lv2409fqe.dll
23/01/2006 09.10 236.006 o4840elqehqe0.dll
18/01/2006 10.46 <DIR> dllcache
18/01/2006 10.45 236.524 aza0015me.dll
18/01/2006 09.57 233.851 e602lgdo160c.dll
17/01/2006 18.26 236.314 p0n8la5u1d.dll
17/01/2006 17.56 235.616 i2nmlc511f.dll
17/01/2006 15.25 235.111 jt4607hse.dll
17/01/2006 14.51 234.781 jtjo0713e.dll
17/01/2006 13.23 234.547 fp8003lme.dll
17/01/2006 09.33 234.564 d00m0ad1ed0.dll
17/01/2006 09.30 236.142 p8p6li7s18.dll
17/01/2006 09.27 236.096 l2l6lc3s1f.dll
13/01/2006 21.08 237.045 m8poli7318.dll
12/01/2006 17.31 234.150 k408ledu1h08.dll
12/01/2006 17.28 233.563 l0l60a3sed.dll
12/01/2006 09.53 237.232 fp4403hqe.dll
12/01/2006 08.59 233.553 dnj6011se.dll
11/01/2006 11.27 233.906 g6jolg1316.dll
11/01/2006 09.15 234.233 enpul1791.dll
09/01/2006 09.19 236.903 h6l20g3oe6.dll
04/01/2006 18.06 234.157 gD400ihme84a0.dll
04/01/2006 18.01 235.269 e2jmlc111f.dll
04/01/2006 14.49 234.819 o2660cjsefo60.dll
04/01/2006 14.37 234.473 g6jo0g13e6.dll
04/01/2006 12.45 234.692 hrlq0535e.dll
04/01/2006 11.15 235.741 p48qlel51hq.dll
03/01/2006 17.44 235.874 aza6lifs1826.dll
03/01/2006 12.09 235.922 g8400ihme84a0.dll
03/01/2006 09.48 237.189 irjol5131.dll
29/12/2005 15.11 234.953 n86q0ij5e8o.dll
29/12/2005 09.34 234.449 i4600ejmehoa0.dll
28/12/2005 12.42 234.993 l42s0ef7eh2.dll
28/12/2005 11.19 235.056 jt8s07l7e.dll
27/12/2005 19.46 236.054 r0r6la9s1d.dll
27/12/2005 09.29 236.054 anomps.dll
23/12/2005 17.52 237.188 p04ulah91d4.dll
23/12/2005 17.52 235.270 lu_messagetext.dll
23/12/2005 09.39 237.179 mv0ul9d91.dll
21/12/2005 18.21 236.033 fp6s03j7e.dll
21/12/2005 12.31 235.321 dnn0015me.dll
21/12/2005 09.49 236.679 mv04l9dq1.dll
16/12/2005 09.02 236.851 en8ql1l51.dll
14/12/2005 11.05 235.129 en22l1fo1.dll
14/12/2005 09.54 234.320 h2j40c1qef.dll
14/12/2005 09.26 234.694 r68s0gl7e6q.dll
14/12/2005 09.14 235.739 enl8l13u1.dll
13/12/2005 17.08 234.187 mvp8l97u1.dll
13/12/2005 09.26 233.717 o8lu0i39e8.dll
12/12/2005 09.24 237.182 j06mlaj11do.dll
06/12/2005 20.14 234.484 p08q0al5edq.dll
06/12/2005 10.30 234.752 k8620ijoe8oc0.dll
01/12/2005 10.36 233.841 kt8ml7l11.dll
01/12/2005 09.15 234.178 en68l1ju1.dll
30/11/2005 09.02 236.452 k826lifs1826.dll
29/11/2005 09.25 234.807 dn2s01f7e.dll
28/11/2005 09.09 233.639 fp8s03l7e.dll
25/11/2005 12.12 235.225 n0p40a7qed.dll
25/11/2005 09.33 235.554 lvrs0997e.dll
23/11/2005 10.19 235.628 j22q0cf5ef2.dll
23/11/2005 10.03 237.144 f8l02i3mg8.dll
23/11/2005 09.25 235.788 i6jqlg1516.dll
21/01/2005 13.05 32 {813A7F5C-EAEF-445B-A94F-05E3A7EBEF35}.dat
63 File 14.592.373 byte
1 Directory 6.819.106.816 byte disponibili

LonnyRJones
2006-01-23, 12:13
Thanks

Next: Close any programs you have open, since this step requires a reboot.
Close the internet connection. Unplug your modem!! if on cable or satellite.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process, then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.
Press any key to reboot. After the reboot, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

Uri.raveh
2006-01-24, 09:14
L2mfix 010406
Creating Account.
Esecuzione comando riuscita.


Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/7FB11542-D2D0-47B2-B1DA-B950C56306D5.reg (164 bytes security) (deflated 70%)
adding: backregs/A4385C6B-E756-4297-86D6-1F047793AAFC.reg (164 bytes security) (deflated 69%)
adding: backregs/A5ADB269-97B8-4181-AAA0-520C44370BF0.reg (164 bytes security) (deflated 70%)
adding: backregs/C2B4FFC2-0A3A-4FF5-90BE-CB452C396FCC.reg (164 bytes security) (deflated 70%)
adding: backregs/DAE67D26-2C53-4711-B049-93B84C832620.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (152 bytes security) (deflated 85%)
adding: backregs/shell.reg (152 bytes security) (deflated 74%)

Uri.raveh
2006-01-24, 09:15
Pop-up windows still appear. I didn't try to fix anything with HJT this time.



Logfile of HijackThis v1.99.1
Scan saved at 9.10.31, on 24/01/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\htpatch.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\carpserv.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Programmi\ScreenPrint32 v3\ScreenPrint32.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\Sony Handheld\HOTSYNC.EXE
D:\Uri\Appoggio programmi\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Programmi\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Connector] C:\WINNT\system32\Winx\SYTS.EXE -n
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ntdll.dll] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - Startup: Manager HotSync.lnk = C:\Programmi\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.registration.sonystyle-europe.com (HKLM)
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) - http://82.88.96.65:81/XNC600NetCam.cab
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - file://C:\Programmi\AutoCAD 2002\SysVerChk.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Programmi\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Programmi\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Programmi\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Programmi\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F599DEA0-53B4-4797-9822-D0B0C4A67A5C}: NameServer = 1.253.128.10,1.253.128.11
O20 - Winlogon Notify: Welcome - C:\WINNT\system32\lv2409fqe.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

LonnyRJones
2006-01-24, 17:39
Hi
Curious, is your system FAT32 or NTFS?


Let's see if BlackLight shows something.
Post a report from this tool:
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the I accept button near the bottom of that page.
Download and run BlackLight, click > scan, then > next, next again, then exit.
There will be a new txt file next to BlackLight. Post it please.
!!Do not rename any files yet

Uri.raveh
2006-01-25, 10:07
Hi Lonny,
Thank you for the time you are dedicating to this.
I tried this last tool. It couldn't find any hidden processes. The operating system is windows 2000.

Is there any way of removing the registry keys through DOS?
These are the keys that SpyBot can't kill:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

LonnyRJones
2006-01-25, 11:27
Hi

It's not cmdService that I am concerned with, we can cover that later; it's Look2Me.

Copy the contents of the quote box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.


@echo off
echo Searching please wait....
rem Everything inside the parentheses (stdout and stderr) is captured into logit.txt
(@echo off
echo Running from %CD%
rem Report the file system type of the system drive (NTFS or FAT32)
CHKNTFS %SystemDrive%
rem Print the name (/M = file names only) of every .dll and .tmp in system32
rem that contains the string "WinShutdown", the marker used here for the Look2Me DLLs
For %%i in (%windir%\system32) do findstr /M "WinShutdown" %%i\*.dll
For %%i in (%windir%\system32) do findstr /M "WinShutdown" %%i\*.tmp
)>logit.txt 2>&1
start notepad logit.txt
exit

Run check.bat and post back with the text that will open
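As an added illustration (not code from the thread or from its helper), the two checks this thread leans on, the system+read-only DLLs in the narrow size band seen in the L2MFix listing and the O20 Winlogon Notify entries pointing at random-named or already-missing DLLs in system32, can be run over log text directly. The sample lines are taken from the logs posted above, the size band and the small allowlist of known Winlogon Notify DLLs are assumptions, not a published signature.

```python
"""Flag Look2Me-style artefacts in the L2MFix listing and HijackThis log formats."""
import re
from dataclasses import dataclass

# One line of the L2MFix directory listing, e.g.
#   lv2409~1.dll Mon 23 Jan 2006 9.25.34 ..S.R 235.522 230,00 K
LISTING_RE = re.compile(
    r"^(?P<name>\S+)\s+\w{3} \d{1,2} \w{3} \d{4} [\d.]+\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d.]+)\s+"
)

# One HijackThis O20 line, e.g.
#   O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\en44l1hq1.dll (file missing)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?\.dll)"
    r"(?P<missing> \(file missing\))?\s*$",
    re.IGNORECASE,
)

# Assumption: the droppers in this thread all fall in a narrow size band;
# the band is read off the posted listing, it is not a published signature.
L2M_MIN_BYTES, L2M_MAX_BYTES = 225_000, 245_000

# Assumption: a small allowlist of Winlogon notification DLLs normally present
# on Windows 2000. A practitioner would extend it from a clean reference machine.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}


@dataclass(frozen=True)
class Finding:
    source: str   # "listing" or "hjt"
    item: str     # file name (listing) or Winlogon Notify key (hjt)
    reason: str


def _to_int(size: str) -> int:
    # The listing uses "." as the thousands separator (Italian locale).
    return int(size.replace(".", ""))


def scan_listing(lines):
    """Flag entries with the S and R attribute flags set whose size lies in
    the band of the droppers from this thread."""
    out = []
    for line in lines:
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        attrs, size = m["attrs"], _to_int(m["size"])
        if "S" in attrs and "R" in attrs and L2M_MIN_BYTES <= size <= L2M_MAX_BYTES:
            out.append(Finding("listing", m["name"], f"attrs {attrs}, {size} bytes"))
    return out


def scan_hjt(lines):
    """Flag O20 Winlogon Notify entries that point at a DLL under system32
    which is either not on the allowlist or already gone ('file missing')."""
    out = []
    for line in lines:
        m = O20_RE.match(line.strip())
        if not m:
            continue
        path = m["path"]
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        in_sys32 = "\\system32\\" in path.lower()
        if m["missing"]:
            out.append(Finding("hjt", m["key"], f"{base} is missing (orphaned Notify key)"))
        elif in_sys32 and base not in KNOWN_NOTIFY_DLLS:
            out.append(Finding("hjt", m["key"], f"{base} is not a known Notify DLL"))
    return out


# Sample input: four listing lines and four HJT lines copied from the logs
# posted in this thread (the crypt32 line is constructed as a benign control).
SAMPLE_LISTING = """\
lv2409~1.dll Mon 23 Jan 2006 9.25.34 ..S.R 235.522 230,00 K
lu_mes~1.dll Fri 23 Dec 2005 17.52.06 ..S.R 235.270 229,75 K
pncrt.dll Wed 16 Nov 2005 14.19.56 A.... 278.528 272,00 K
pndx5016.dll Wed 16 Nov 2005 14.19.58 A.... 6.656 6,50 K
""".splitlines()

SAMPLE_HJT = """\
O20 - Winlogon Notify: Welcome - C:\\WINNT\\system32\\lv2409fqe.dll
O20 - Winlogon Notify: CSCSettings - C:\\WINNT\\system32\\en44l1hq1.dll (file missing)
O20 - Winlogon Notify: crypt32chain - C:\\WINNT\\system32\\crypt32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINNT\\system32\\Ati2evxx.exe
""".splitlines()


if __name__ == "__main__":
    for f in scan_listing(SAMPLE_LISTING) + scan_hjt(SAMPLE_HJT):
        print(f"[{f.source}] {f.item}: {f.reason}")
```

Feeding the full L2MFix listing and HJT log posted above through the same two functions reproduces the file set the helper later asks to add to badfiles.txt.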

Uri.raveh
2006-01-25, 16:04
Hi,
It's not the cmdService that causes it all???

Here's the check.bat logit.txt:


Running from C:\Documents and Settings\Administrator\Desktop\Anti Spyware
Il file system è di tipo NTFS.
C: non è danneggiata.
C:\WINNT\system32\anomps.dll
C:\WINNT\system32\aza0015me.dll
C:\WINNT\system32\aza6lifs1826.dll
C:\WINNT\system32\azao0713e.dll
C:\WINNT\system32\d00m0ad1ed0.dll
C:\WINNT\system32\dn2s01f7e.dll
C:\WINNT\system32\dnj6011se.dll
C:\WINNT\system32\dnn0015me.dll
C:\WINNT\system32\e2jmlc111f.dll
C:\WINNT\system32\e602lgdo160c.dll
C:\WINNT\system32\en22l1fo1.dll
C:\WINNT\system32\en68l1ju1.dll
C:\WINNT\system32\en8ql1l51.dll
C:\WINNT\system32\enl8l13u1.dll
C:\WINNT\system32\enpul1791.dll
C:\WINNT\system32\f8l02i3mg8.dll
C:\WINNT\system32\fp4403hqe.dll
C:\WINNT\system32\fp6s03j7e.dll
C:\WINNT\system32\fp8003lme.dll
C:\WINNT\system32\fp8s03l7e.dll
C:\WINNT\system32\g4jo0e13eh.dll
C:\WINNT\system32\g6jo0g13e6.dll
C:\WINNT\system32\g6jolg1316.dll
C:\WINNT\system32\g8400ihme84a0.dll
C:\WINNT\system32\gD400ihme84a0.dll
C:\WINNT\system32\h2j40c1qef.dll
C:\WINNT\system32\h6l20g3oe6.dll
C:\WINNT\system32\hrlq0535e.dll
C:\WINNT\system32\i2nmlc511f.dll
C:\WINNT\system32\i4600ejmehoa0.dll
C:\WINNT\system32\i6jqlg1516.dll
C:\WINNT\system32\irjol5131.dll
C:\WINNT\system32\irr6l59s1.dll
C:\WINNT\system32\j06mlaj11do.dll
C:\WINNT\system32\j22q0cf5ef2.dll
C:\WINNT\system32\jt4607hse.dll
C:\WINNT\system32\jt6s07j7e.dll
C:\WINNT\system32\jt8s07l7e.dll
C:\WINNT\system32\jtjo0713e.dll
C:\WINNT\system32\k408ledu1h08.dll
C:\WINNT\system32\k826lifs1826.dll
C:\WINNT\system32\k8620ijoe8oc0.dll
C:\WINNT\system32\kt8ml7l11.dll
C:\WINNT\system32\ktpml7711.dll
C:\WINNT\system32\l0l60a3sed.dll
C:\WINNT\system32\l2j8lc1u1f.dll
C:\WINNT\system32\l2l6lc3s1f.dll
C:\WINNT\system32\l42s0ef7eh2.dll
C:\WINNT\system32\lu_messagetext.dll
C:\WINNT\system32\lvrs0997e.dll
C:\WINNT\system32\m6820gloe6qc0.dll
C:\WINNT\system32\m8poli7318.dll
C:\WINNT\system32\mv04l9dq1.dll
C:\WINNT\system32\mv0ul9d91.dll
C:\WINNT\system32\mvp8l97u1.dll
C:\WINNT\system32\mz4sdmod.dll
C:\WINNT\system32\n0p40a7qed.dll
C:\WINNT\system32\n86q0ij5e8o.dll
C:\WINNT\system32\o2660cjsefo60.dll
C:\WINNT\system32\o8lu0i39e8.dll
C:\WINNT\system32\p04ulah91d4.dll
C:\WINNT\system32\p08q0al5edq.dll
C:\WINNT\system32\p0n8la5u1d.dll
C:\WINNT\system32\p48qlel51hq.dll
C:\WINNT\system32\p8p6li7s18.dll
C:\WINNT\system32\r0r6la9s1d.dll
C:\WINNT\system32\r68s0gl7e6q.dll
C:\WINNT\system32\rZsser.dll
FINDSTR: Impossibile aprire C:\WINNT\system32\fpn2035oe.dll
FINDSTR: Impossibile aprire C:\WINNT\system32\mhiseq.dll
FINDSTR: Impossibile aprire C:\WINNT\system32\q2pslc771f.dll

LonnyRJones
2006-01-25, 19:45
Thanks

Save xcaclsIT.zip to c:\
or the root of the drive that windows is installed on (normally c:)
(edited to remove link, it's a beta)
Extract the files inside also to C:\, open the new xcaclsIT folder,
open the badfiles text file and add this entire list.

C:\WINNT\system32\anomps.dll
C:\WINNT\system32\aza0015me.dll
C:\WINNT\system32\aza6lifs1826.dll
C:\WINNT\system32\azao0713e.dll
C:\WINNT\system32\d00m0ad1ed0.dll
C:\WINNT\system32\dn2s01f7e.dll
C:\WINNT\system32\dnj6011se.dll
C:\WINNT\system32\dnn0015me.dll
C:\WINNT\system32\e2jmlc111f.dll
C:\WINNT\system32\e602lgdo160c.dll
C:\WINNT\system32\en22l1fo1.dll
C:\WINNT\system32\en68l1ju1.dll
C:\WINNT\system32\en8ql1l51.dll
C:\WINNT\system32\enl8l13u1.dll
C:\WINNT\system32\enpul1791.dll
C:\WINNT\system32\f8l02i3mg8.dll
C:\WINNT\system32\fp4403hqe.dll
C:\WINNT\system32\fp6s03j7e.dll
C:\WINNT\system32\fp8003lme.dll
C:\WINNT\system32\fp8s03l7e.dll
C:\WINNT\system32\g4jo0e13eh.dll
C:\WINNT\system32\g6jo0g13e6.dll
C:\WINNT\system32\g6jolg1316.dll
C:\WINNT\system32\g8400ihme84a0.dll
C:\WINNT\system32\gD400ihme84a0.dll
C:\WINNT\system32\h2j40c1qef.dll
C:\WINNT\system32\h6l20g3oe6.dll
C:\WINNT\system32\hrlq0535e.dll
C:\WINNT\system32\i2nmlc511f.dll
C:\WINNT\system32\i4600ejmehoa0.dll
C:\WINNT\system32\i6jqlg1516.dll
C:\WINNT\system32\irjol5131.dll
C:\WINNT\system32\irr6l59s1.dll
C:\WINNT\system32\j06mlaj11do.dll
C:\WINNT\system32\j22q0cf5ef2.dll
C:\WINNT\system32\jt4607hse.dll
C:\WINNT\system32\jt6s07j7e.dll
C:\WINNT\system32\jt8s07l7e.dll
C:\WINNT\system32\jtjo0713e.dll
C:\WINNT\system32\k408ledu1h08.dll
C:\WINNT\system32\k826lifs1826.dll
C:\WINNT\system32\k8620ijoe8oc0.dll
C:\WINNT\system32\kt8ml7l11.dll
C:\WINNT\system32\ktpml7711.dll
C:\WINNT\system32\l0l60a3sed.dll
C:\WINNT\system32\l2j8lc1u1f.dll
C:\WINNT\system32\l2l6lc3s1f.dll
C:\WINNT\system32\l42s0ef7eh2.dll
C:\WINNT\system32\lu_messagetext.dll
C:\WINNT\system32\lvrs0997e.dll
C:\WINNT\system32\m6820gloe6qc0.dll
C:\WINNT\system32\m8poli7318.dll
C:\WINNT\system32\mv04l9dq1.dll
C:\WINNT\system32\mv0ul9d91.dll
C:\WINNT\system32\mvp8l97u1.dll
C:\WINNT\system32\mz4sdmod.dll
C:\WINNT\system32\n0p40a7qed.dll
C:\WINNT\system32\n86q0ij5e8o.dll
C:\WINNT\system32\o2660cjsefo60.dll
C:\WINNT\system32\o8lu0i39e8.dll
C:\WINNT\system32\p04ulah91d4.dll
C:\WINNT\system32\p08q0al5edq.dll
C:\WINNT\system32\p0n8la5u1d.dll
C:\WINNT\system32\p48qlel51hq.dll
C:\WINNT\system32\p8p6li7s18.dll
C:\WINNT\system32\r0r6la9s1d.dll
C:\WINNT\system32\r68s0gl7e6q.dll
C:\WINNT\system32\rZsser.dll
C:\WINNT\system32\fpn2035oe.dll
C:\WINNT\system32\mhiseq.dll
C:\WINNT\system32\q2pslc771f.dll
C:\WINNT\system32\guard.tmp


Exit the text file and save as you do. Now run xcalcsit.bat, restart your PC when prompted.
There will be a bluescreen error, not to worry. Once windows has loaded, run
c:\xcalcsit\Afterreboot.bat and post the report text.
Also run the batch you made before and if any files show, post logit.txt.

Uri.raveh
2006-01-26, 09:38
Here's the "xcaclsIT" report:


Running from C:\xcaclsIT
Il file system è di tipo NTFS.
C: non è danneggiata.

Files proccessed and moved to C:\xcaclsIT\!backups

processed file: C:\WINNT\system32\anomps.dll
processed file: C:\WINNT\system32\aza0015me.dll
processed file: C:\WINNT\system32\aza6lifs1826.dll
processed file: C:\WINNT\system32\azao0713e.dll
processed file: C:\WINNT\system32\d00m0ad1ed0.dll
processed file: C:\WINNT\system32\dn2s01f7e.dll
processed file: C:\WINNT\system32\dnj6011se.dll
processed file: C:\WINNT\system32\dnn0015me.dll
processed file: C:\WINNT\system32\e2jmlc111f.dll
processed file: C:\WINNT\system32\e602lgdo160c.dll
processed file: C:\WINNT\system32\en22l1fo1.dll
processed file: C:\WINNT\system32\en68l1ju1.dll
processed file: C:\WINNT\system32\en8ql1l51.dll
processed file: C:\WINNT\system32\enl8l13u1.dll
processed file: C:\WINNT\system32\enpul1791.dll
processed file: C:\WINNT\system32\f8l02i3mg8.dll
processed file: C:\WINNT\system32\fp4403hqe.dll
processed file: C:\WINNT\system32\fp6s03j7e.dll
processed file: C:\WINNT\system32\fp8003lme.dll
processed file: C:\WINNT\system32\fp8s03l7e.dll
processed file: C:\WINNT\system32\g4jo0e13eh.dll
processed file: C:\WINNT\system32\g6jo0g13e6.dll
processed file: C:\WINNT\system32\g6jolg1316.dll
processed file: C:\WINNT\system32\g8400ihme84a0.dll
processed file: C:\WINNT\system32\gD400ihme84a0.dll
processed file: C:\WINNT\system32\h2j40c1qef.dll
processed file: C:\WINNT\system32\h6l20g3oe6.dll
processed file: C:\WINNT\system32\hrlq0535e.dll
processed file: C:\WINNT\system32\i2nmlc511f.dll
processed file: C:\WINNT\system32\i4600ejmehoa0.dll
processed file: C:\WINNT\system32\i6jqlg1516.dll
processed file: C:\WINNT\system32\irjol5131.dll
processed file: C:\WINNT\system32\irr6l59s1.dll
processed file: C:\WINNT\system32\j06mlaj11do.dll
processed file: C:\WINNT\system32\j22q0cf5ef2.dll
processed file: C:\WINNT\system32\jt4607hse.dll
processed file: C:\WINNT\system32\jt6s07j7e.dll
processed file: C:\WINNT\system32\jt8s07l7e.dll
processed file: C:\WINNT\system32\jtjo0713e.dll
processed file: C:\WINNT\system32\k408ledu1h08.dll
processed file: C:\WINNT\system32\k826lifs1826.dll
processed file: C:\WINNT\system32\k8620ijoe8oc0.dll
processed file: C:\WINNT\system32\kt8ml7l11.dll
processed file: C:\WINNT\system32\ktpml7711.dll
processed file: C:\WINNT\system32\l0l60a3sed.dll
processed file: C:\WINNT\system32\l2j8lc1u1f.dll
processed file: C:\WINNT\system32\l2l6lc3s1f.dll
processed file: C:\WINNT\system32\l42s0ef7eh2.dll
processed file: C:\WINNT\system32\lu_messagetext.dll
processed file: C:\WINNT\system32\lvrs0997e.dll
processed file: C:\WINNT\system32\m6820gloe6qc0.dll
processed file: C:\WINNT\system32\m8poli7318.dll
processed file: C:\WINNT\system32\mv04l9dq1.dll
processed file: C:\WINNT\system32\mv0ul9d91.dll
processed file: C:\WINNT\system32\mvp8l97u1.dll
processed file: C:\WINNT\system32\mz4sdmod.dll
processed file: C:\WINNT\system32\n0p40a7qed.dll
processed file: C:\WINNT\system32\n86q0ij5e8o.dll
processed file: C:\WINNT\system32\o2660cjsefo60.dll
processed file: C:\WINNT\system32\o8lu0i39e8.dll
processed file: C:\WINNT\system32\p04ulah91d4.dll
processed file: C:\WINNT\system32\p08q0al5edq.dll
processed file: C:\WINNT\system32\p0n8la5u1d.dll
processed file: C:\WINNT\system32\p48qlel51hq.dll
processed file: C:\WINNT\system32\p8p6li7s18.dll
processed file: C:\WINNT\system32\r0r6la9s1d.dll
processed file: C:\WINNT\system32\r68s0gl7e6q.dll
processed file: C:\WINNT\system32\rZsser.dll
processed file: C:\WINNT\system32\q2pslc771f.dll



And the check.bat logit.txt:


Running from C:\Documents and Settings\Administrator\Desktop\Anti Spyware
Il file system è di tipo NTFS.
C: non è danneggiata.
C:\WINNT\system32\aza40a7qed.dll
C:\WINNT\system32\n2l80c3uef.dll
FINDSTR: Impossibile aprire C:\WINNT\system32\dn8o01l3e.dll
FINDSTR: Impossibile aprire C:\WINNT\system32\hr4m05h1e.dll
FINDSTR: Impossibile aprire C:\WINNT\system32\mvobjs.dll

LonnyRJones
2006-01-26, 09:59
Hi

Keep in mind that bug creates new files every time the PC is restarted or when you log off and on again.

Repeat the same instructions again, this time adding this list to badfiles.txt:


C:\WINNT\system32\aza40a7qed.dll
C:\WINNT\system32\n2l80c3uef.dll
C:\WINNT\system32\dn8o01l3e.dll
C:\WINNT\system32\hr4m05h1e.dll
C:\WINNT\system32\mvobjs.dll

Uri.raveh
2006-01-26, 14:57
Hi, here's what came out.
By the way, I had no blue screen error either time.

xcalclsIT report:

Running from C:\xcaclsIT
Il file system è di tipo NTFS.
C: non è danneggiata.

Files proccessed and moved to C:\xcaclsIT\!backups

processed file: C:\WINNT\system32\aza40a7qed.dll
processed file: C:\WINNT\system32\n2l80c3uef.dll
processed file: C:\WINNT\system32\dn8o01l3e.dll
processed file: C:\WINNT\system32\hr4m05h1e.dll



check.bat logit.txt:


Running from C:\Documents and Settings\Administrator\Desktop\Anti Spyware
Il file system è di tipo NTFS.
C: non è danneggiata.
FINDSTR: Impossibile aprire C:\WINNT\system32\j4n20e5oeh.dll
FINDSTR: Impossibile aprire C:\WINNT\system32\mttask.dll
FINDSTR: Impossibile aprire C:\WINNT\system32\n4l8le3u1h.dll



Should I add these files too to the badfiles.txt and run again?
If it keeps on creating them how can we stop it?

Thanks

uri

LonnyRJones
2006-01-26, 15:13
Hi

Have you restarted the PC since running check.bat?
If not, yes, add those files to the list, but be sure to edit out the "FINDSTR: Impossibile aprire " part.

Uri.raveh
2006-01-27, 10:27
I did restart it so I did the whole thing again. Now I'll try to keep the pc running.



So here we go

xcaclsIT report:

Running from C:\xcaclsIT
Il file system è di tipo NTFS.
C: non è danneggiata.

Files proccessed and moved to C:\xcaclsIT\!backups

processed file: C:\WINNT\system32\n4l8le3u1h.dll

check.bat logit.txt:

Running from C:\Documents and Settings\Administrator\Desktop\Anti Spyware
Il file system è di tipo NTFS.
C: non è danneggiata.
C:\WINNT\system32\dn2o01f3e.dll
C:\WINNT\system32\p8p60i7se8.dll
FINDSTR: Impossibile aprire C:\WINNT\system32\en44l1hq1.dll
FINDSTR: Impossibile aprire C:\WINNT\system32\jt8207loe.dll
FINDSTR: Impossibile aprire C:\WINNT\system32\rWsscrpt.dll


What should I do next?

LonnyRJones
2006-01-27, 13:12
Ok
add this list to badfiles.txt
C:\WINNT\system32\dn2o01f3e.dll
C:\WINNT\system32\p8p60i7se8.dll
C:\WINNT\system32\en44l1hq1.dll
C:\WINNT\system32\jt8207loe.dll
C:\WINNT\system32\rWsscrpt.dll


Save and exit notepad, then run xcalcsIt.bat and restart the PC. Run check.bat again and post that log if there are still files showing.

Uri.raveh
2006-01-27, 14:52
hi

here's the log:

Running from C:\Documents and Settings\Administrator\Desktop\Anti Spyware
Il file system è di tipo NTFS.
C: non è danneggiata.
C:\WINNT\system32\lp_trans.dll
FINDSTR: Impossibile aprire C:\WINNT\system32\rWsscrpt.dll


I've noticed that the last file name here has already been added to badfiles.txt.
The first one, no.

Uri.raveh
2006-01-27, 14:53
Should I continue doing this until no more file names appear?
If so, what do I do then?

LonnyRJones
2006-01-27, 15:06
Hi

Yes, keep repeating the same steps: add the files to the list,
then run xcalcsIT.bat, reboot the PC, run afterreboot.bat, then run check.bat.
When the files are finally gone we need to see if Option 2 in l2mfix will work again.

Uri.raveh
2006-01-30, 10:02
Hi,
Sorry for posting only now.
I've tried the whole thing maybe 10 times. check.bat keeps finding new files every time.
There's one file that xcaclsIT can't handle and it says it is used by other programs. It's this one:
C:\WINNT\system32\dGtime.dll

What do you think?

thanx

Uri

Uri.raveh
2006-01-30, 10:27
I tried l2mfix again


L2mfix 010406
Creating Account.
Esecuzione comando riuscita.


Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINNT\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 152 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 196 'winlogon.exe'
Killing PID 196 'winlogon.exe'
Error 0x5 : Accesso negato.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1296 'explorer.exe'
Killing PID 1296 'explorer.exe'
Error 0x5 : Accesso negato.




Here's a new hjt log:


Logfile of HijackThis v1.99.1
Scan saved at 10.27.18, on 30/01/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\htpatch.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\carpserv.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\ScreenPrint32 v3\ScreenPrint32.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\Sony Handheld\HOTSYNC.EXE
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\AutoCAD 2002\acad.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Programmi\Internet Explorer\iexplore.exe
D:\Uri\Appoggio programmi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Programmi\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Connector] C:\WINNT\system32\Winx\SYTS.EXE -n
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ntdll.dll] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - Startup: Manager HotSync.lnk = C:\Programmi\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.registration.sonystyle-europe.com (HKLM)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Programmi\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Programmi\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Programmi\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Programmi\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F599DEA0-53B4-4797-9822-D0B0C4A67A5C}: NameServer = 1.253.128.10,1.253.128.11
O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\en44l1hq1.dll (file missing)
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\p8p6li7s18.dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\dGtime.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe



Anything I should delete before rebooting?

LonnyRJones
2006-01-30, 13:17
Hi

Fix these items with hijackthis
O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\en44l1hq1.dll (file missing)
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\p8p6li7s18.dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\dGtime.dll (file missing)

run afterreboot.bat it will (should) unlock dGtime.dll and move it to the backups folder

run check.bat again and post its log

Uri.raveh
2006-01-30, 14:34
Here's the check.bat log:

Running from C:\Documents and Settings\Administrator\Desktop\Anti Spyware
Il file system è di tipo NTFS.
C: non è danneggiata.


No more popups!!! .... at least in the last few hours....
Can we declare victory? anything else I should do?

Thanks a lot!
Uri

LonnyRJones
2006-01-30, 14:57
Not yet, we still need to get l2mfix running, I will ask the others.

In the meantime

Run hijackthis and fix this item, unless you know what it is?
O4 - HKLM\..\Run: [Connector] C:\WINNT\system32\Winx\SYTS.EXE -n
restart the pc and delete the winx folder

Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
How did that go?
Replace it about once monthly to keep it updated

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
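The two HijackThis entry types the helper asks to fix above (O20 Winlogon Notify entries whose DLL is "(file missing)", and the O4 Run entry launching SYTS.EXE from the odd C:\WINNT\system32\Winx subfolder) can be picked out mechanically from a log like the one posted earlier. The script below is an added example, not a tool from this thread, from the forum helpers, or from HijackThis itself; the sample lines are constructed to match the shape of the log above, and the "program started from a subfolder of system32" rule is an assumed heuristic, not something HijackThis reports.

```python
"""Triage HijackThis-style log lines for the two entry types discussed above."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, shaped like the O4 / O20 / O23 lines in the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Connector] C:\WINNT\system32\Winx\SYTS.EXE -n
O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\en44l1hq1.dll (file missing)
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\dGtime.dll (file missing)
O20 - Winlogon Notify: crypt32chain - C:\WINNT\system32\crypt32.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
"""

# O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# O20 - Winlogon Notify: name - path [ (file missing)]
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$')
# First executable-looking token of a Run command line, with optional quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|com|bat|cmd|scr))\b', re.I)
# Assumed heuristic: legitimate Run entries rarely start programs from a
# subfolder created directly under system32 (here: ...\system32\Winx\...).
SUBDIR_OF_SYSTEM32 = re.compile(r'\\system32\\[^\\]+\\', re.I)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4" or "O20"
    reason: str    # why the line was flagged
    line: str      # the original log line


def executable_of(cmd: str) -> str:
    """Return the program path from a Run command line, dropping quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def triage(log_text: str) -> List[Finding]:
    """Flag O20 entries whose DLL is missing and O4 entries run from a system32 subfolder."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            # A Winlogon Notify package whose DLL is gone is a leftover
            # registration and has no legitimate purpose; this is what the
            # helper asked to fix with HijackThis.
            if m.group("missing"):
                findings.append(Finding(
                    "O20",
                    f"Winlogon Notify '{m.group('name')}' points at a DLL that is not on disk",
                    line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if SUBDIR_OF_SYSTEM32.search(exe):
                findings.append(Finding(
                    "O4",
                    f"Run entry '{m.group('name')}' starts a program from a subfolder of system32",
                    line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports the Connector entry and the two missing-DLL Winlogon Notify entries and leaves the ordinary Run items and the intact crypt32chain notify package alone; to use it on a real log, pass the saved HijackThis text to `triage()` instead of `SAMPLE_LOG`.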

tashi
2006-02-05, 18:37
This topic will now be archived to prevent others with similar issues posting in it.

If you have not resolved the problem, please send me or Lonny a pm to re-open the thread and provide a link to the topic.

Cheers. :)