View Full Version : Surf Side Kick and Other Pop ups and Spyware
Arbitrator
2006-04-07, 06:56
This thing is killing me.....
Here is my HJT log.......Please give a desparate guy a hand
Logfile of HijackThis v1.99.1
Scan saved at 11:45:52 PM, on 4/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\windows\mousepad9.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\win32083916942432.exe
C:\WINDOWS\System32\slk8x2peu.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\e6tw76cpw.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\?dobe\w?auboot.exe
C:\WINDOWS\FNTS~1\regsvr32.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\pipc\BIN\pilogsrv.exe
C:\Program Files\pipc\BIN\pinetmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\pipc\BIN\pimsgss.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HIJACK THIS\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Danisco A/S
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:80;https=127.0.0.1:80;ftp=127.0.0.1:80;gopher=127.0.0.1:80;socks=127.0.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.danisco.com;<local>
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aeavn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lyhaxyu.exe
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\System32\OUGHYA~1.DLL
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32083916942432] C:\WINDOWS\win32083916942432.exe
O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\System32\slk8x2peu.exe"
O4 - HKLM\..\Run: [w72371a0.dll] RUNDLL32.EXE w72371a0.dll,I2 00014ff9072371a0
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wiqkyk.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Uki] C:\Program Files\Common Files\?dobe\w?auboot.exe
O4 - HKCU\..\Run: [Bbzgvfm] C:\Program Files\Common Files\??stem32\w?auclt.exe
O4 - HKCU\..\Run: [BPS Security Console] C:\Program Files\BulletProofSoft.com\BPS Security Console\SecCon.exe
O4 - HKCU\..\Run: [Hwpt] "C:\WINDOWS\FNTS~1\regsvr32.exe" -vt ndrv
O4 - HKCU\..\Run: [Xiyv] C:\Program Files\??sks\d?xplore.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad1.danisco.com
O17 - HKLM\Software\..\Telephony: DomainName = ad1.danisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad1.danisco.com
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\System32\OUGHYA~1.DLL
O20 - AppInit_DLLs: repairs303169569.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\t0r80a9ued.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: PIPC Log Server (pilogsrv) - OSI Software - C:\Program Files\pipc\BIN\pilogsrv.exe
O23 - Service: PI Message Subsystem (pimsgss) - OSI Software, Inc. - C:\Program Files\pipc\BIN\pimsgss.exe
O23 - Service: PI Network Manager (pinetmgr) - OSI Software, Inc. - C:\Program Files\pipc\BIN\pinetmgr.exe
O23 - Service: Symantec Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
LonnyRJones
2006-04-07, 17:29
In addremove programs uninstall
that BulletProofSoft program, BPS Security
SurfSideKick
and
quicklinks
Start Hijackthis and place a check next to these items If there.
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\System32\OUGHYA~1.DLL
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32083916942432] C:\WINDOWS\win32083916942432.exe
O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\System32\slk8x2peu.exe"
O4 - HKLM\..\Run: [w72371a0.dll] RUNDLL32.EXE w72371a0.dll,I2 00014ff9072371a0
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wiqkyk.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Uki] C:\Program Files\Common Files\?dobe\w?auboot.exe
O4 - HKCU\..\Run: C:\Program Files\Common Files\??stem32\w?auclt.exe
O4 - HKCU\..\Run: [BPS Security Console] C:\Program Files\BulletProofSoft.com\BPS Security Console\SecCon.exe
O4 - HKCU\..\Run: [Hwpt] "C:\WINDOWS\FNTS~1\regsvr32.exe" -vt ndrv
O4 - HKCU\..\Run: [Xiyv] C:\Program Files\??sks\d?xplore.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\System32\OUGHYA~1.DLL
====================================
Hit fix checked and close Hijackthis.
[B]Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post a fresh hijackthis log please
In another reply:
Download L2mfix (new version) from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
Note:
If you receive while running option #1, an error similar to: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.
If it is to large to post in one reply do so in two please
Arbitrator
2006-04-08, 06:25
Logfile of HijackThis v1.99.1
Scan saved at 11:21:27 PM, on 4/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\webHancer\Programs\whsurvey.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\?dobe\w?auboot.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\VEVSUi1BUkJP\command.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\pipc\BIN\pilogsrv.exe
C:\Program Files\pipc\BIN\pinetmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\pipc\BIN\pimsgss.exe
C:\Program Files\VERITAS\Backup Exec\RANT\belnapi.exe
C:\Program Files\VERITAS\Backup Exec\RANT\belnapi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HIJACK THIS\HijackThis.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Danisco A/S
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:80;https=127.0.0.1:80;ftp=127.0.0.1:80;gopher=127.0.0.1:80;socks=127.0.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.danisco.com;<local>
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aeavn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lyhaxyu.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad1.danisco.com
O17 - HKLM\Software\..\Telephony: DomainName = ad1.danisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad1.danisco.com
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\ir28l5fu1.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VEVSUi1BUkJP\command.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: PIPC Log Server (pilogsrv) - OSI Software - C:\Program Files\pipc\BIN\pilogsrv.exe
O23 - Service: PI Message Subsystem (pimsgss) - OSI Software, Inc. - C:\Program Files\pipc\BIN\pimsgss.exe
O23 - Service: PI Network Manager (pinetmgr) - OSI Software, Inc. - C:\Program Files\pipc\BIN\pinetmgr.exe
O23 - Service: Symantec Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Arbitrator
2006-04-08, 06:40
Logfile of HijackThis v1.99.1
Scan saved at 11:32:13 PM, on 4/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\VEVSUi1BUkJP\command.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\pipc\BIN\pilogsrv.exe
C:\Program Files\pipc\BIN\pinetmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\pipc\BIN\pimsgss.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\webHancer\Programs\whsurvey.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HIJACK THIS\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Danisco A/S
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:80;https=127.0.0.1:80;ftp=127.0.0.1:80;gopher=127.0.0.1:80;socks=127.0.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.danisco.com;<local>
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aeavn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lyhaxyu.exe
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad1.danisco.com
O17 - HKLM\Software\..\Telephony: DomainName = ad1.danisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad1.danisco.com
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\hr6s05j7e.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VEVSUi1BUkJP\command.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: PIPC Log Server (pilogsrv) - OSI Software - C:\Program Files\pipc\BIN\pilogsrv.exe
O23 - Service: PI Message Subsystem (pimsgss) - OSI Software, Inc. - C:\Program Files\pipc\BIN\pimsgss.exe
O23 - Service: PI Network Manager (pinetmgr) - OSI Software, Inc. - C:\Program Files\pipc\BIN\pinetmgr.exe
O23 - Service: Symantec Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
I am working on the L2M stuff now.
Thanks
Arbitrator
2006-04-08, 06:54
Here is the L2m logfile:
L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr6s05j7e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1FA70A40-9088-8DF0-82D1-E4395550D1B6}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
@=""
"{6af09ec9-b429-11d4-a1fb-0090960218cb}"="My Bluetooth Places"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{8DD11CED-62DA-46DF-A7B3-7832C137FC66}"=""
"{4FC0B03C-D4EE-48E9-8FEC-1D0D490EB1D2}"=""
"{477C51A4-BAEB-44BA-AC35-BFDCC7618A71}"=""
"{A0A1A50D-1744-4E28-83BB-89EB357F80FF}"=""
"{51917337-5113-4EC2-9CB6-C6212D0EF3E9}"="BPS Data Shredder Context Menu"
"{069D6BEC-492F-46F2-8378-E8A7DD5C9C62}"=""
"{2C6A0FD6-B146-4F94-B124-AF0028A62E25}"=""
"{C05E26A8-B0B6-45B6-BE6E-8B6DB13A39CC}"=""
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{4FC0B03C-D4EE-48E9-8FEC-1D0D490EB1D2}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4FC0B03C-D4EE-48E9-8FEC-1D0D490EB1D2}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4FC0B03C-D4EE-48E9-8FEC-1D0D490EB1D2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4FC0B03C-D4EE-48E9-8FEC-1D0D490EB1D2}\InprocServer32]
@="C:\\WINDOWS\\system32\\nntevent.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{477C51A4-BAEB-44BA-AC35-BFDCC7618A71}]
@=""
"IDEx"="ADDR"
[HKEY_CLASSES_ROOT\CLSID\{477C51A4-BAEB-44BA-AC35-BFDCC7618A71}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{477C51A4-BAEB-44BA-AC35-BFDCC7618A71}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{477C51A4-BAEB-44BA-AC35-BFDCC7618A71}\InprocServer32]
@="C:\\WINDOWS\\system32\\lFprxy.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{A0A1A50D-1744-4E28-83BB-89EB357F80FF}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A0A1A50D-1744-4E28-83BB-89EB357F80FF}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A0A1A50D-1744-4E28-83BB-89EB357F80FF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A0A1A50D-1744-4E28-83BB-89EB357F80FF}\InprocServer32]
@="C:\\WINDOWS\\system32\\dikquota.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{069D6BEC-492F-46F2-8378-E8A7DD5C9C62}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{069D6BEC-492F-46F2-8378-E8A7DD5C9C62}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{069D6BEC-492F-46F2-8378-E8A7DD5C9C62}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{069D6BEC-492F-46F2-8378-E8A7DD5C9C62}\InprocServer32]
@="C:\\WINDOWS\\system32\\astxprxy.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{2C6A0FD6-B146-4F94-B124-AF0028A62E25}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2C6A0FD6-B146-4F94-B124-AF0028A62E25}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2C6A0FD6-B146-4F94-B124-AF0028A62E25}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2C6A0FD6-B146-4F94-B124-AF0028A62E25}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{C05E26A8-B0B6-45B6-BE6E-8B6DB13A39CC}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C05E26A8-B0B6-45B6-BE6E-8B6DB13A39CC}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C05E26A8-B0B6-45B6-BE6E-8B6DB13A39CC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C05E26A8-B0B6-45B6-BE6E-8B6DB13A39CC}\InprocServer32]
@="C:\\WINDOWS\\system32\\iEssvcs.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
atmtd.dll Fri Apr 7 2006 6:03:02p A.... 687,592 671.48 K
dmonwv.dll Sun Apr 2 2006 1:54:22a A.... 32,256 31.50 K
ehwyoyx.dll Mon Mar 27 2006 12:49:30p A.... 139,264 136.00 K
eosaqai.dll Thu Apr 6 2006 11:06:38p A.... 73,216 71.50 K
feqlg.dll Thu Apr 6 2006 11:06:38p A.... 12,288 12.00 K
hr6s05~1.dll Fri Apr 7 2006 6:01:34p ..S.R 234,846 229.34 K
iessvcs.dll Fri Apr 7 2006 11:29:52p ..S.R 234,846 229.34 K
ir4ol5~1.dll Sun Apr 2 2006 5:44:56p ..S.R 235,871 230.34 K
mvlsl9~1.dll Fri Apr 7 2006 11:26:28p ..S.R 234,272 228.78 K
nntevent.dll Sun Apr 2 2006 5:44:56p ..S.R 234,526 229.03 K
oughya~1.dll Sun Apr 2 2006 1:53:54a A.... 196,608 192.00 K
pbjsecg.dll Sun Apr 2 2006 1:53:20a A.... 51,712 50.50 K
sporder.dll Sun Apr 2 2006 1:54:16a A.... 8,464 8.27 K
w72371a0.dll Sun Apr 2 2006 1:54:44a A.... 51,712 50.50 K
14 items found: 14 files (5 H/S), 0 directories.
Total of file sizes: 2,427,473 bytes 2.31 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 64FC-19A7
Directory of C:\WINDOWS\System32
04/07/2006 11:29 PM 234,846 iEssvcs.dll
04/07/2006 11:26 PM 234,272 mvlsl9371.dll
04/07/2006 06:01 PM 234,846 hr6s05j7e.dll
04/02/2006 05:44 PM 234,526 nntevent.dll
04/02/2006 05:44 PM 235,871 ir4ol5h31.dll
01/16/2006 08:19 AM <DIR> dllcache
07/13/2004 10:45 AM <DIR> Microsoft
5 File(s) 1,174,361 bytes
2 Dir(s) 40,467,906,560 bytes free
LonnyRJones
2006-04-08, 07:02
Thanks
Go start run and type or paste in
sc delete cmdService
hit ok or press enter
Go start run type in
sc delete "Network Monitor"
hit ok or press enter
In addremove programs uninstall webhancer and Network Monitor
Close any programs you have open since this step requires a reboot.
Close the internet connection, Unplug your modem !! if on cable or satalite
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.
Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
Arbitrator
2006-04-08, 07:28
L2mfix 032106
Creating Account.
The command completed successfully.
Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 816 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 916 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1640 'explorer.exe'
Killing PID 1640 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 556 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\hr6s05j7e.dll
Successfully Deleted: C:\WINDOWS\system32\hr6s05j7e.dll
Deleting: C:\WINDOWS\system32\iEssvcs.dll
Successfully Deleted: C:\WINDOWS\system32\iEssvcs.dll
Deleting: C:\WINDOWS\system32\ir4ol5h31.dll
Successfully Deleted: C:\WINDOWS\system32\ir4ol5h31.dll
Deleting: C:\WINDOWS\system32\mvlsl9371.dll
Successfully Deleted: C:\WINDOWS\system32\mvlsl9371.dll
Deleting: C:\WINDOWS\system32\nntevent.dll
Successfully Deleted: C:\WINDOWS\system32\nntevent.dll
msg11?.dll
0 file(s) copied.
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr6s05j7e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\hr6s05j7e.dll
C:\WINDOWS\system32\iEssvcs.dll
C:\WINDOWS\system32\ir4ol5h31.dll
C:\WINDOWS\system32\mvlsl9371.dll
C:\WINDOWS\system32\nntevent.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{4FC0B03C-D4EE-48E9-8FEC-1D0D490EB1D2}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4FC0B03C-D4EE-48E9-8FEC-1D0D490EB1D2}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4FC0B03C-D4EE-48E9-8FEC-1D0D490EB1D2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4FC0B03C-D4EE-48E9-8FEC-1D0D490EB1D2}\InprocServer32]
@="C:\\WINDOWS\\system32\\nntevent.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{477C51A4-BAEB-44BA-AC35-BFDCC7618A71}]
@=""
"IDEx"="ADDR"
[HKEY_CLASSES_ROOT\CLSID\{477C51A4-BAEB-44BA-AC35-BFDCC7618A71}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{477C51A4-BAEB-44BA-AC35-BFDCC7618A71}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{477C51A4-BAEB-44BA-AC35-BFDCC7618A71}\InprocServer32]
@="C:\\WINDOWS\\system32\\lFprxy.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{A0A1A50D-1744-4E28-83BB-89EB357F80FF}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A0A1A50D-1744-4E28-83BB-89EB357F80FF}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A0A1A50D-1744-4E28-83BB-89EB357F80FF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{A0A1A50D-1744-4E28-83BB-89EB357F80FF}\InprocServer32]
@="C:\\WINDOWS\\system32\\dikquota.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{069D6BEC-492F-46F2-8378-E8A7DD5C9C62}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{069D6BEC-492F-46F2-8378-E8A7DD5C9C62}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{069D6BEC-492F-46F2-8378-E8A7DD5C9C62}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{069D6BEC-492F-46F2-8378-E8A7DD5C9C62}\InprocServer32]
@="C:\\WINDOWS\\system32\\astxprxy.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{2C6A0FD6-B146-4F94-B124-AF0028A62E25}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2C6A0FD6-B146-4F94-B124-AF0028A62E25}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2C6A0FD6-B146-4F94-B124-AF0028A62E25}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{2C6A0FD6-B146-4F94-B124-AF0028A62E25}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{C05E26A8-B0B6-45B6-BE6E-8B6DB13A39CC}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C05E26A8-B0B6-45B6-BE6E-8B6DB13A39CC}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C05E26A8-B0B6-45B6-BE6E-8B6DB13A39CC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C05E26A8-B0B6-45B6-BE6E-8B6DB13A39CC}\InprocServer32]
@="C:\\WINDOWS\\system32\\iEssvcs.dll"
"ThreadingModel"="Apartment"
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{8DD11CED-62DA-46DF-A7B3-7832C137FC66}"=-
"{4FC0B03C-D4EE-48E9-8FEC-1D0D490EB1D2}"=-
"{477C51A4-BAEB-44BA-AC35-BFDCC7618A71}"=-
"{A0A1A50D-1744-4E28-83BB-89EB357F80FF}"=-
"{069D6BEC-492F-46F2-8378-E8A7DD5C9C62}"=-
"{2C6A0FD6-B146-4F94-B124-AF0028A62E25}"=-
"{C05E26A8-B0B6-45B6-BE6E-8B6DB13A39CC}"=-
[-HKEY_CLASSES_ROOT\CLSID\{8DD11CED-62DA-46DF-A7B3-7832C137FC66}]
[-HKEY_CLASSES_ROOT\CLSID\{4FC0B03C-D4EE-48E9-8FEC-1D0D490EB1D2}]
[-HKEY_CLASSES_ROOT\CLSID\{477C51A4-BAEB-44BA-AC35-BFDCC7618A71}]
[-HKEY_CLASSES_ROOT\CLSID\{A0A1A50D-1744-4E28-83BB-89EB357F80FF}]
[-HKEY_CLASSES_ROOT\CLSID\{069D6BEC-492F-46F2-8378-E8A7DD5C9C62}]
[-HKEY_CLASSES_ROOT\CLSID\{2C6A0FD6-B146-4F94-B124-AF0028A62E25}]
[-HKEY_CLASSES_ROOT\CLSID\{C05E26A8-B0B6-45B6-BE6E-8B6DB13A39CC}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/hr6s05j7e.dll (164 bytes security) (deflated 5%)
adding: dlls/iEssvcs.dll (164 bytes security) (deflated 5%)
adding: dlls/ir4ol5h31.dll (164 bytes security) (deflated 5%)
adding: dlls/mvlsl9371.dll (164 bytes security) (deflated 4%)
adding: dlls/nntevent.dll (164 bytes security) (deflated 4%)
adding: backregs/069D6BEC-492F-46F2-8378-E8A7DD5C9C62.reg (212 bytes security) (deflated 70%)
adding: backregs/2C6A0FD6-B146-4F94-B124-AF0028A62E25.reg (212 bytes security) (deflated 70%)
adding: backregs/477C51A4-BAEB-44BA-AC35-BFDCC7618A71.reg (212 bytes security) (deflated 69%)
adding: backregs/4FC0B03C-D4EE-48E9-8FEC-1D0D490EB1D2.reg (212 bytes security) (deflated 70%)
adding: backregs/A0A1A50D-1744-4E28-83BB-89EB357F80FF.reg (212 bytes security) (deflated 70%)
adding: backregs/C05E26A8-B0B6-45B6-BE6E-8B6DB13A39CC.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 72%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)
Arbitrator
2006-04-08, 07:29
Logfile of HijackThis v1.99.1
Scan saved at 12:29:04 AM, on 4/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\pipc\BIN\pilogsrv.exe
C:\Program Files\pipc\BIN\pinetmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\pipc\BIN\pimsgss.exe
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HIJACK THIS\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Danisco A/S
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:80;https=127.0.0.1:80;ftp=127.0.0.1:80;gopher=127.0.0.1:80;socks=127.0.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.danisco.com;<local>
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aeavn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lyhaxyu.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad1.danisco.com
O17 - HKLM\Software\..\Telephony: DomainName = ad1.danisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad1.danisco.com
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\hr6s05j7e.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: PIPC Log Server (pilogsrv) - OSI Software - C:\Program Files\pipc\BIN\pilogsrv.exe
O23 - Service: PI Message Subsystem (pimsgss) - OSI Software, Inc. - C:\Program Files\pipc\BIN\pimsgss.exe
O23 - Service: PI Network Manager (pinetmgr) - OSI Software, Inc. - C:\Program Files\pipc\BIN\pinetmgr.exe
O23 - Service: Symantec Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
LonnyRJones
2006-04-08, 08:48
Start Hijackthis and place a check next to these items If there.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\hr6s05j7e.dll (file missing)
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Manualy delete these files and folders
C:\WINDOWS\VEVSUi1BUkJP
C:\Program Files\webHancer
C:\Program Files\Network Monitor
C:\Program Files\SurfSideKick 3
C:\windows\newname9.exe
C:\windows\mousepad9.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\win32083916942432.exe
C:\WINDOWS\System32\slk8x2peu.exe
=======================
Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip).
Unzip it to it’s own folder (c:\BFU) It must be unzipped and in the Root\BFU folder. Root is the drive windows is installed to
Rightclick on this link and choose save target as, save qooFix.bat to that BFU folder.
http://downloads.subratam.org/Lon/qooFix.bat
Run qooFix.bat, Close all browsers and explorer folder's
Choose option 1 (Qoolfix autofix) and fallow the prompts
patience, it will take about five minutes.
After the PC has restarted and you are here at the forum make/post another hijackthis log.
Arbitrator
2006-04-09, 00:52
Here's the newest...
Logfile of HijackThis v1.99.1
Scan saved at 5:50:14 PM, on 4/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\HIJACK THIS\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Danisco A/S
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:80;https=127.0.0.1:80;ftp=127.0.0.1:80;gopher=127.0.0.1:80;socks=127.0.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.danisco.com;<local>
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aeavn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lyhaxyu.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [jlnjnr] C:\WINDOWS\System32\jtjrnt.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [fiulo] C:\WINDOWS\System32\jtjrnt.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad1.danisco.com
O17 - HKLM\Software\..\Telephony: DomainName = ad1.danisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad1.danisco.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: PIPC Log Server (pilogsrv) - OSI Software - C:\Program Files\pipc\BIN\pilogsrv.exe
O23 - Service: PI Message Subsystem (pimsgss) - OSI Software, Inc. - C:\Program Files\pipc\BIN\pimsgss.exe
O23 - Service: PI Network Manager (pinetmgr) - OSI Software, Inc. - C:\Program Files\pipc\BIN\pinetmgr.exe
O23 - Service: Symantec Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
LonnyRJones
2006-04-09, 02:00
was there any problem with bfu.zip bfu.exe and qoolfix.bat ?
Are C:\bfu\BFU.exe and c:\BFU\qoofix.bat present ?
It doesnt appear to have been used correctly
Arbitrator
2006-04-09, 04:13
The files are there and I did not have any problems running them. Should I try to run them again?
LonnyRJones
2006-04-09, 06:04
Run c:\BFU\qoofix.bat choose autofix
Fallow the prompts, you should get a prompt to restart the PC (did you ?) , choose yes
after the restart make and post a new hiajckthis log.
Arbitrator
2006-04-09, 06:37
When I restarted, it told me that BFU was not responding and I had to end the task. This is probably what went wrong. Here is the Hijack this anyways...
Logfile of HijackThis v1.99.1
Scan saved at 11:37:26 PM, on 4/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\pipc\BIN\pilogsrv.exe
C:\Program Files\pipc\BIN\pinetmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\pipc\BIN\pimsgss.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\HIJACK THIS\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Danisco A/S
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:80;https=127.0.0.1:80;ftp=127.0.0.1:80;gopher=127.0.0.1:80;socks=127.0.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.danisco.com;<local>
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aeavn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lyhaxyu.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [jlnjnr] C:\WINDOWS\System32\jtjrnt.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [fiulo] C:\WINDOWS\System32\jtjrnt.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad1.danisco.com
O17 - HKLM\Software\..\Telephony: DomainName = ad1.danisco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad1.danisco.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: PIPC Log Server (pilogsrv) - OSI Software - C:\Program Files\pipc\BIN\pilogsrv.exe
O23 - Service: PI Message Subsystem (pimsgss) - OSI Software, Inc. - C:\Program Files\pipc\BIN\pimsgss.exe
O23 - Service: PI Network Manager (pinetmgr) - OSI Software, Inc. - C:\Program Files\pipc\BIN\pinetmgr.exe
O23 - Service: Symantec Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
LonnyRJones
2006-04-09, 06:46
That helps explain it, although im unsure why it would hang
Scan and fix these items with hijackthis
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\aeavn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lyhaxyu.exe
O4 - HKLM\..\Run: [jlnjnr] C:\WINDOWS\System32\jtjrnt.exe reg_run
O4 - HKCU\..\Run: [fiulo] C:\WINDOWS\System32\jtjrnt.exe reg_run
===================
Restart your PC for the changes to take effect.
Replace the Hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated
Unless there are problems now ?, post back in a few days and let us know how your pc is acting.
LonnyRJones
2006-04-13, 11:56
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.