PDA

View Full Version : At wit's end with Look2Me Virus



hbaulch
2006-01-24, 22:06
I'm at wit's end. I've run all of the spyware and virus removal tools from McAfee that I got through AOL. I've run spybot and ewido. I've cleaned up issues seen with HiJackThis, but the pest keeps coming back. I hope you can help.

Here's the most recent ewido output:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:52:53 PM, 1/24/2006
+ Report-Checksum: A95F940E

+ Scan result:

:mozilla.6:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Howard Baulch\Application Data\Mozilla\Firefox\Profiles\d6opkeqh.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
[ .... deleted seemingly redundant notices to fit in 20,000 characater limit ...]
C:\Documents and Settings\Howard Baulch\Local Settings\Temp\Cookies\howard baulch@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Howard Baulch\Local Settings\Temp\Cookies\howard baulch@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Howard Baulch\Local Settings\Temporary Internet Files\Content.IE5\8DARKL23\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\Howard Baulch\Local Settings\Temporary Internet Files\Content.IE5\8DARKL23\AppWrap[2].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\Howard Baulch\Local Settings\Temporary Internet Files\Content.IE5\C9M7KX6B\drsmartload[1].exe -> Downloader.Adload.j : Cleaned with backup
C:\Documents and Settings\Howard Baulch\Local Settings\Temporary Internet Files\Content.IE5\ZXMSMLRE\AppWrap[1].exe -> Spyware.Zestyfind : Cleaned with backup
C:\Documents and Settings\Howard Baulch\Local Settings\Temporary Internet Files\Content.IE5\ZXMSMLRE\cygwid[1].exe -> Downloader.Small.bmx : Cleaned with backup
C:\Program Files\Bad Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP774\A0052979.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP774\A0052981.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP774\A0052982.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP774\A0053083.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP774\A0053086.exe -> Downloader.Small.bmx : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP774\A0053106.dll -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP774\A0053107.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054121.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054122.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054123.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054124.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054125.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054126.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054127.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054128.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054129.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054130.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054131.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054132.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054133.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054134.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054135.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054137.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054141.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054142.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054143.exe -> Trojan.Runner.h : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054146.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054147.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054157.exe -> Spyware.AdURL : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054159.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054160.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054167.exe -> Spyware.AdURL : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054168.exe -> Spyware.Zestyfind : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054170.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP775\A0054171.dll -> Spyware.Look2Me : Cleaned with backup


::Report End

Here's the most recent HiJackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 2:56:37 PM, on 1/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ancestry.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102431295\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102431295\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102431295\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.com/MFInstall/MFInstall.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\l6j8lg1u16.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1102431295\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I hope someone can walk me through a recovery. Thanks.

hbaulch
2006-01-24, 22:19
Oh, I forgot to post the l2mfix report. Here it is:

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l6j8lg1u16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B84442AF-FA6F-9507-ACF2-9799C8E9CB9B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{4DBE9764-6EBD-4CEA-B21D-F28665F8CEC5}"=""
"{BAB065A6-18BC-4D8B-8067-DE96103A4189}"=""
"{D7E4AD0F-8FBB-4864-97E8-201B32662678}"=""
"{C17A2019-0095-4BAD-874A-97B640DDDE34}"=""
"{141ECEDB-0B16-4EFD-8776-25934FF33CF5}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4DBE9764-6EBD-4CEA-B21D-F28665F8CEC5}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{4DBE9764-6EBD-4CEA-B21D-F28665F8CEC5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4DBE9764-6EBD-4CEA-B21D-F28665F8CEC5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4DBE9764-6EBD-4CEA-B21D-F28665F8CEC5}\InprocServer32]
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BAB065A6-18BC-4D8B-8067-DE96103A4189}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BAB065A6-18BC-4D8B-8067-DE96103A4189}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BAB065A6-18BC-4D8B-8067-DE96103A4189}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BAB065A6-18BC-4D8B-8067-DE96103A4189}\InprocServer32]
@="C:\\WINDOWS\\system32\\MKL_MTF.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D7E4AD0F-8FBB-4864-97E8-201B32662678}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7E4AD0F-8FBB-4864-97E8-201B32662678}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7E4AD0F-8FBB-4864-97E8-201B32662678}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7E4AD0F-8FBB-4864-97E8-201B32662678}\InprocServer32]
@="C:\\WINDOWS\\system32\\ltpsd11n.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C17A2019-0095-4BAD-874A-97B640DDDE34}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C17A2019-0095-4BAD-874A-97B640DDDE34}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C17A2019-0095-4BAD-874A-97B640DDDE34}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C17A2019-0095-4BAD-874A-97B640DDDE34}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{141ECEDB-0B16-4EFD-8776-25934FF33CF5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{141ECEDB-0B16-4EFD-8776-25934FF33CF5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{141ECEDB-0B16-4EFD-8776-25934FF33CF5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{141ECEDB-0B16-4EFD-8776-25934FF33CF5}\InprocServer32]
@="C:\\WINDOWS\\system32\\stcurity.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Wed Nov 23 2005 8:06:34p A.... 1,022,464 998.50 K
danim.dll Fri Nov 4 2005 10:16:24p A.... 1,054,208 1.00 M
gdi32.dll Wed Dec 28 2005 9:54:36p A.... 280,064 273.50 K
j4p00e~1.dll Tue Jan 24 2006 1:37:56p ..S.R 234,470 228.97 K
l6j8lg~1.dll Tue Jan 24 2006 12:30:12p ..S.R 234,396 228.90 K
mkl_mtf.dll Tue Jan 24 2006 1:37:56p ..... 234,396 228.90 K
mshtml.dll Wed Nov 23 2005 8:06:34p A.... 3,015,680 2.88 M
shdocvw.dll Wed Nov 30 2005 10:59:30p A.... 1,492,480 1.42 M
urlmon.dll Fri Nov 4 2005 10:16:28p A.... 609,280 595.00 K

9 items found: 9 files (2 H/S), 0 directories.
Total of file sizes: 8,177,438 bytes 7.80 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Tue Jan 24 2006 2:55:56p ..S.R 234,396 228.90 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 234,396 bytes 228.90 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is D08D-ACF1

Directory of C:\WINDOWS\System32

01/24/2006 02:55 PM 234,396 guard.tmp
01/24/2006 01:37 PM 234,470 j4p00e7meh.dll
01/24/2006 12:30 PM 234,396 l6j8lg1u16.dll
01/24/2006 07:51 AM <DIR> DLLCACHE
01/24/2006 07:51 AM 11,264 Thumbs.db
05/24/2003 04:50 AM <DIR> Microsoft
4 File(s) 714,526 bytes
2 Dir(s) 12,082,876,416 bytes free

illukka
2006-01-25, 14:00
hi

thanks for posting that info :)

now lets attempt to fix it :

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder.

hbaulch
2006-01-25, 15:46
illukka,
Thanks for responding. I did as instructed. Here are the two reports:

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 636 'smss.exe'
Killing PID 636 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 728 'winlogon.exe'
Killing PID 728 'winlogon.exe'
Killing PID 728 'winlogon.exe'
Killing PID 728 'winlogon.exe'
Killing PID 728 'winlogon.exe'
Killing PID 728 'winlogon.exe'
Killing PID 728 'winlogon.exe'
Killing PID 728 'winlogon.exe'
Killing PID 728 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1908 'explorer.exe'
Killing PID 1908 'explorer.exe'
Killing PID 1908 'explorer.exe'
Killing PID 1908 'explorer.exe'
Killing PID 1908 'explorer.exe'
Killing PID 1908 'explorer.exe'
Killing PID 1908 'explorer.exe'
Killing PID 1908 'explorer.exe'
Killing PID 1908 'explorer.exe'
Killing PID 1908 'explorer.exe'
Killing PID 1908 'explorer.exe'
Killing PID 1908 'explorer.exe'
Killing PID 1908 'explorer.exe'
Killing PID 1908 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 528 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\g0lmla311d.dll
Successfully Deleted: C:\WINDOWS\system32\g0lmla311d.dll
Deleting: C:\WINDOWS\system32\j4p00e7meh.dll
Successfully Deleted: C:\WINDOWS\system32\j4p00e7meh.dll
Deleting: C:\WINDOWS\system32\srns.dll
Successfully Deleted: C:\WINDOWS\system32\srns.dll
Deleting: C:\WINDOWS\system32\__delete_on_reboot__guard.tmp
Successfully Deleted: C:\WINDOWS\system32\__delete_on_reboot__guard.tmp

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j4p00e7meh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\g0lmla311d.dll
C:\WINDOWS\system32\j4p00e7meh.dll
C:\WINDOWS\system32\srns.dll
C:\WINDOWS\system32\__delete_on_reboot__guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4DBE9764-6EBD-4CEA-B21D-F28665F8CEC5}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{4DBE9764-6EBD-4CEA-B21D-F28665F8CEC5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4DBE9764-6EBD-4CEA-B21D-F28665F8CEC5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4DBE9764-6EBD-4CEA-B21D-F28665F8CEC5}\InprocServer32]
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BAB065A6-18BC-4D8B-8067-DE96103A4189}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BAB065A6-18BC-4D8B-8067-DE96103A4189}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BAB065A6-18BC-4D8B-8067-DE96103A4189}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BAB065A6-18BC-4D8B-8067-DE96103A4189}\InprocServer32]
@="C:\\WINDOWS\\system32\\srns.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D7E4AD0F-8FBB-4864-97E8-201B32662678}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7E4AD0F-8FBB-4864-97E8-201B32662678}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7E4AD0F-8FBB-4864-97E8-201B32662678}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7E4AD0F-8FBB-4864-97E8-201B32662678}\InprocServer32]
@="C:\\WINDOWS\\system32\\ltpsd11n.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C17A2019-0095-4BAD-874A-97B640DDDE34}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C17A2019-0095-4BAD-874A-97B640DDDE34}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C17A2019-0095-4BAD-874A-97B640DDDE34}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C17A2019-0095-4BAD-874A-97B640DDDE34}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{141ECEDB-0B16-4EFD-8776-25934FF33CF5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{141ECEDB-0B16-4EFD-8776-25934FF33CF5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{141ECEDB-0B16-4EFD-8776-25934FF33CF5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{141ECEDB-0B16-4EFD-8776-25934FF33CF5}\InprocServer32]
@="C:\\WINDOWS\\system32\\stcurity.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{4DBE9764-6EBD-4CEA-B21D-F28665F8CEC5}"=-
"{BAB065A6-18BC-4D8B-8067-DE96103A4189}"=-
"{D7E4AD0F-8FBB-4864-97E8-201B32662678}"=-
"{C17A2019-0095-4BAD-874A-97B640DDDE34}"=-
"{141ECEDB-0B16-4EFD-8776-25934FF33CF5}"=-
[-HKEY_CLASSES_ROOT\CLSID\{4DBE9764-6EBD-4CEA-B21D-F28665F8CEC5}]
[-HKEY_CLASSES_ROOT\CLSID\{BAB065A6-18BC-4D8B-8067-DE96103A4189}]
[-HKEY_CLASSES_ROOT\CLSID\{D7E4AD0F-8FBB-4864-97E8-201B32662678}]
[-HKEY_CLASSES_ROOT\CLSID\{C17A2019-0095-4BAD-874A-97B640DDDE34}]
[-HKEY_CLASSES_ROOT\CLSID\{141ECEDB-0B16-4EFD-8776-25934FF33CF5}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/g0lmla311d.dll (188 bytes security) (deflated 4%)
adding: dlls/j4p00e7meh.dll (188 bytes security) (deflated 5%)
adding: dlls/srns.dll (188 bytes security) (deflated 5%)
adding: dlls/__delete_on_reboot__guard.tmp (188 bytes security) (deflated 5%)
adding: backregs/141ECEDB-0B16-4EFD-8776-25934FF33CF5.reg (212 bytes security) (deflated 70%)
adding: backregs/4DBE9764-6EBD-4CEA-B21D-F28665F8CEC5.reg (212 bytes security) (deflated 70%)
adding: backregs/BAB065A6-18BC-4D8B-8067-DE96103A4189.reg (212 bytes security) (deflated 70%)
adding: backregs/C17A2019-0095-4BAD-874A-97B640DDDE34.reg (212 bytes security) (deflated 70%)
adding: backregs/D7E4AD0F-8FBB-4864-97E8-201B32662678.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (188 bytes security) (deflated 72%)
adding: backregs/shell.reg (188 bytes security) (deflated 74%)

Logfile of HijackThis v1.99.1
Scan saved at 8:39:35 AM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102431295\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\AOL\1102431295\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1102431295\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP

Scheduler.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\common files\aol\1102431295\ee\aolssc.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ancestry.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided

by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102431295\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common

Files\AOL\1102431295\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common

Files\AOL\1102431295\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL

Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -

https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) -

http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) -

http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) -

http://c.ancestry.com/MFInstall/MFInstall.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -

http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\j4p00e7meh.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common

Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common

Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common

Files\AOL\1102431295\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido

anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido

anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner -

C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. -

C:\WINDOWS\wanmpsvc.exe

I look forward to your next instructions.

Howard

illukka
2006-01-25, 16:05
hi

good stuff there :)

now open hijackthis
press do a system scan only
put checkmarks next to these lines:
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\j4p00e7meh.dll (file missing)

then close all other programs, leaving only hijackthis running, and click fix checked

reboot

next its time to do some scans:

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.



also post a new hjt log thank you :)

hbaulch
2006-01-25, 18:37
illukka,

I just wanted to let you know that I'm still working on this. I fixed the items with hijackthis as you directed. I'm still running kaspersky online now. I have some large local mail folders containing my genealogy research that it is taking forever to process. It's been running for over 8000 seconds so far and is 57% done. I'll post the information you requested as soon as I can. Thanks.

Howard

hbaulch
2006-01-25, 19:46
illukka,

I have the reports from Kaspersky Online Scanner and HJT. When I tried to reply with both included, I got an error message that there were more than 12 images in my post. Since I personally put no images in the post, something iin the report must be interpreted as an image. I suspect the Kaspersky report, so I'll first copy part of it with this message and then the remainder of it with the HJT report:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, January 25, 2006 12:31:19
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/01/2006
Kaspersky Anti-Virus database records: 173063
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 126497
Number of viruses found: 4
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 11166 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED/[From paul ... /[From h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;][Date h=Message-ID:Received .. ... /[From hbaulch@columbus.rr.com][Date Fri, 16 ... /File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED/[From paul ... /[From h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;][Date h=Message-ID:Received .. ... /[From hbaulch@columbus.rr.com][Date Fri, 16 Dec 2005 00: ... /mailtext.zip Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED/[From paul ... /[From h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;][Date h=Message-ID:Received .. ... /[From hbaulch@columbus.rr.com][Date Fri, 16 Dec 2005 00:35:02 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED/[From paul ... /[From h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;][Date h=Message-ID:Received ... /[From Dbauer6251@aol.com][Date Thu, 15 Dec 2005 18:00:24 -0500 (EST)]/UNNAMED Infected: Email-Worm.Win32.Sober.y
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED/[From paul ... /[From h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;][Date h=Message-ID:Received:Date ... /[From Admin@fbi.gov][Date Thu, 15 Dec 2005 21:18:22 +0000 (UTC)]/UNNAMED Infected: Email-Worm.Win32.Sober.y

... More in the next post.

hbaulch
2006-01-25, 19:48
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED/[From paul ... /[From h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;][Date h= ... /[Fr ... /[From eBay Inc <support_ref_52@ebay.com>][Date Sun, 01 Jan 2006 19:16:48 +020 ... /html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED/[From paul ... /[From h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;][Date h= ... /[Fr ... /[From eBay Inc <support_ref_52@ebay.com>][Date Sun, 01 Jan 2006 19:16:48 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED/[From paul ... /[From h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;][Date h= ... /[From Shirley Fritsche <beeandbop31@midsouth.rr.com>][Date Sat, 31 Dec 2005 16:02:56 -0800]/text Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED/[From paul ... /[From h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;][Date h=Message-ID:Recei ... /[From webmaster@brecnet.com][Date Wed, 28 Dec 2005 20:28:35 +0000 (UTC)]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED/[From paul ... /[From h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;][Date h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED/[From paul lambert <phlambert@msn.com>][Date Thu, 22 Sep 2005 09:03:49 -0400]/UNNAMED/[From lkapt@charter.net][Date Sat, 24 Sep 2005 ... /[From Larry George <LGeorge@univenture.com>][Date Wed, 12 Oct 2005 07:13:28 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED/[From paul lambert <phlambert@msn.com>][Date Thu, 22 Sep 2005 09:03:49 -0400]/UNNAMED/[From lkapt@charter.net][Date Sat, 24 Sep 2005 09:48:16 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED/[From paul lambert <phlambert@msn.com>][Date Thu, 22 Sep 2005 09:03:49 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED/[From Julie Wrege <bounce@tennisrecruiting.net>][Date Wed, 21 Sep 2005 09:53:51 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED/[From Irene <irenemoulder@ev1.net>][Date Wed, 21 Sep 2005 08:27:12 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox/[From Mike Greer <mike@ntarchitect.com>][Date Thu, 08 Sep 2005 11:00:42 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Howard Baulch\Application Data\Thunderbird\Profiles\ja4ob5rt.default\Mail\pop-server.columbus.rr.com\Inbox Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Howard Baulch\Local Settings\Temporary Internet Files\Content.IE5\KPABW9QF\installer[1].exe/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\Documents and Settings\Howard Baulch\Local Settings\Temporary Internet Files\Content.IE5\KPABW9QF\installer[1].exe Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\Temp\l2mfix\backup.zip/dlls/g0lmla311d.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\backup.zip/dlls/j4p00e7meh.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\backup.zip/dlls/srns.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\backup.zip/dlls/__delete_on_reboot__guard.tmp Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\backup.zip Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\dlls\g0lmla311d.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\dlls\j4p00e7meh.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\dlls\srns.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\dlls\__delete_on_reboot__guard.tmp Infected: not-a-virus:AdWare.Win32.Look2Me.ab

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 12:35:37 PM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\AOL\1102431295\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1102431295\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102431295\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\program files\common files\aol\1102431295\ee\aolssc.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ancestry.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102431295\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common

Files\AOL\1102431295\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common

Files\AOL\1102431295\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -

https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) -

http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) -

http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.com/MFInstall/MFInstall.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -

http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common

Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common

Files\AOL\1102431295\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I await further instructions. Thanks for the progress so far!

Howard

hbaulch
2006-01-25, 20:47
P.S. - I should tell you that I am no longer experiencing browser pop-ups, and for that, my wits have been restored. :)

Howard

illukka
2006-01-26, 13:44
hi

the hjt log has smoe items in need of fixing, but first you must disable spybot's tea timer as it may prevent hjt fixes:

please disable TeaTimer by doing the following:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

next open hijackthis, click do a system scan only
checkmark these lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

then close all browsers and explorer windows, and click fix checked

this line:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 is it set by you ?
if not, fix it too

lot of infected emails, what is your resident antivirus ?
is it fully up to date and functional ?

kaspersky scan only detects, you might want to try a scan that disinfects:
Perform a full scan here: Trendmicro (http://housecall.trendmicro.com/), check AutoClean and let it remove anything it finds.



Run HijackThis! again and post a final log please.

hbaulch
2006-01-26, 15:54
Good morning (or afternoon to you),

I made the fixes through HJT as you directed. I'm running housecall.trendmicro right now. It first gave a 20.5 hour estimate; now it says 4 hours.

To answer your questions ... my antivirus has been McAfee VirusScan for many years. It is up to date and active. I, too, was surprised by the infected emails reported by Kaspersky. The report is difficult to interpret. It seems to show infected emails in my INBOX from a Mike Greer and a Julie Wrege. There are no emails in my current INBOX from either of them. Could they be logically deleted emails? I have not compacted my INBOX in quite awhile.

Here is my current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:40:11 AM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102431295\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\AOL\1102431295\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1102431295\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\aol\1102431295\ee\aolssc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ancestry.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102431295\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common

Files\AOL\1102431295\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common

Files\AOL\1102431295\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -

https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) -

http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) -

http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.com/MFInstall/MFInstall.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -

http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common

Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common

Files\AOL\1102431295\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I will post results of housecall.trendmicro when it completes.

Howard

illukka
2006-01-26, 16:09
hi

i noticed the McAdee entries in your log, that why i was wondering.. i know its a very capable antivirus to say the least ;)
its probably because KAV is currently the technological leader of antiviruses, its able to scan more file formats that any other scanner, so it's bound to scan and find more :)
also different antiviruses detect different viruses.. thats why i'm asking you to run all these scans :bigthumb:

once you get through that housecall, can you do a scan with updated mcafee in safe mode? just to see if it detects anything.. in my opinion it should !

nothing in the log, but lets wait for the av scan results before i give you the "all clean speech"

let me know if you experience any kind of errors, or problems, OK ?

hbaulch
2006-01-26, 16:45
HI,

Actually, I have already run McAfee in safe mode. It finds nothing. One peculiar aspect of it, though, is that ActiveShield is occasionally reporting a suspect file, but when I run VirusScan, it finds nothing.

housecall is still running.

hb

hbaulch
2006-01-26, 17:26
Housecall finished. It only found one adware instance and 18 cookies to clean up. Should I try compressing my INBOX and rerunning Kaspersky?

hbaulch
2006-01-26, 18:47
Hi,

I compressed my Inbox with Thunderbird and re-ran Kaspersky Online. As I suspected, it now reports no infections in the Inbox file. Kaspersky may be analyzing more file types than other scanners, but they clearly have a minor problem with mail files that only logically delete messages until you compress the mail database.

So, am I ready for the clean speech? :)

hbaulch
2006-01-26, 19:43
Here is the latest report from Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, January 26, 2006 12:41:27
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 26/01/2006
Kaspersky Anti-Virus database records: 173270
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: false
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 127628
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 7599 sec

Infected Object Name - Virus Name
C:\Temp\l2mfix\dlls\g0lmla311d.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\dlls\j4p00e7meh.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\dlls\srns.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\dlls\__delete_on_reboot__guard.tmp Infected: not-a-virus:AdWare.Win32.Look2Me.ab

Scan process completed.

:beerbeerb

illukka
2006-01-26, 20:15
hi

cheers :beerbeerb


yep all clean

these:
C:\Temp\l2mfix\dlls\g0lmla311d.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\dlls\j4p00e7meh.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\dlls\srns.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Temp\l2mfix\dlls\__delete_on_reboot__guard.tmp Infected: not-a-virus:AdWare.Win32.Look2Me.ab

look like l2mefixes backups, those can be deleted

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore (http://www.bleepingcomputer.com/forums/tutorial63.html)

or

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Reenable system restore with instructions from tutorial above


Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)


Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers (http://www.bleepingcomputer.com/forums/tutorial43.html)


Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/tutorial48.html)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

IE/Spyad (https://netfiles.uiuc.edu/ehowes/www/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)


cheers again

:D

hbaulch
2006-01-26, 21:06
Thanks so much for your help. .... Off to make a donation! :angel:

illukka
2006-01-28, 13:25
As the problem appears to be resolved this topic will be archived.
If you need it re-opened contact the forum staff

Glad we could help