Spyware Warrior

Anubis1980

Okay, I was browsing some of my faves tonight when suddenly one site wasn't acting right. Well, it uploaded a gazillion pieces of spyware/adware/malware to my computer.

I immediately started attacking the problem. I deleted files, started uninstalling from Add/Remove Programs, ran Ad-aware, ran Spybot Search & Destroy, and even dove into HijackThis (I've become moderately adept at using it without help, having beaten a very nasty attack shortly after my previous visit).

Is it just me, or are more and more trusted sites starting to nail people with this crap?

Anyway, I got rid of ALMOST all of the garbage. Everything but my worst nemesis to date: "The ABI Network- A Division of Direct Revenue". When I tried to remove it, I got a notice that I wasn't allowed to and had to go to their support page. I did so and was told I have to download their special uninstaller. I tried, but my security blocked it. I turned that part off and downloaded it only to find it uses web-based scripts, which were then blocked. I don't have time to mess with my security settings so I e-mailed them and threatened them because what they are doing (uploading their crap on my computer and not allowing me to uninstall it on my own) is illegal and I am sick of this bullshit, especially from sites I used to visit plenty that had no problems until recently.

So I took a back door, went into Regedit, and got rid of everything with instances of this crap in it. I then used HijackThis and deleted everything I didn't recognize. I followed that up with more cleaning from Ad-aware and Spybot Search & Destroy. All this was done in Safe Mode I might add. I restart and BAM the program clones every aspect of itself.

So yeah, I gave up, I need help once again getting this crap off my computer. Here is my HijackThis log. OH, before I forget, half the crap I deleted in HijackThis previously also cloned itself. This sucks.

Here you go:

Logfile of HijackThis v1.99.1
Scan saved at 2:26:46 AM, on 6/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\logon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
c:\windows\system32\chknmeq.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [gzhggd] c:\windows\system32\chknmeq.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097996206785
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\iHsrad.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Here is my Startup list as generated by HijackThis:

StartupList report, 6/18/2005, 2:48:49 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\logon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
c:\windows\system32\chknmeq.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe
hpfsched = C:\WINDOWS\hpfsched.exe
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
msnappau = "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Logitech Utility = Logi_MwX.Exe
WinTask driver = C:\WINDOWS\System32\wintask.exe
WinLogon = C:\WINDOWS\logon.exe
gzhggd = c:\windows\system32\chknmeq.exe r
Win Server Updt = C:\WINDOWS\wupdt.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe C:\WINDOWS\Nail.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/yinst/yinst_current.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[{41564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097996206785

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,676 bytes
Report generated in 0.030 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
_________________
~ANUBIS~

askey127 · Posted: Sat Jun 18, 2005 11:32 am Post subject:

Hi Anubis1980,

I am checking your log. Be back soon.

askey127

askey127 · Posted: Sat Jun 18, 2005 12:32 pm Post subject:

Hi Anubis 1980,
You have a Nail infection and a couple others. Let's try to get the NAIL first.
-----------------------------------------------------------
Disable WinXP System Restore
Disable System Restore to remove malware files and prevent backup of the malware. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files. You will also lose all previous restore points which are likely to be infected.
- Right-click My Computer, and then click Properties.
- On the System Restore tab, put a Check mark in the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
-----------------------------------------------------------
Please print out this page or copy it to a Notepad file. You may not be able to see it in Safe Mode. Make sure to work through the fixes in the order shown below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should NOT have any open browsers, except during downloads, when following the procedures below.
-----------------------------------------------------------
Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
-----------------------------------------------------------
Please download Nailfix from here: http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to the desktop but please do NOT run it yet.
-----------------------------------------------------------
Download and install CCleaner from here.
Don't run CCleaner yet.
-----------------------------------------------------------
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
You MUST manage to get into Safe Mode for the fix to work.
-----------------------------------------------------------
Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
-----------------------------------------------------------
Then please run Ewido Security Suite, and run a full scan. Save the logfile from the scan.
-----------------------------------------------------------
Next please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.
-----------------------------------------------------------
Run CCleaner. Choose the Windows tab. Check everything EXCEPT be sure the Advanced part of the menu is all Unchecked. Choose Analyze. Let the Analyze portion finish. In heavily junk-laden older machines it could take up to 15 minutes. Then choose Run Cleaner. When cleaning is finished, click Exit.
-----------------------------------------------------------
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
We will have a bit more work to do, but we need to see the next log to decide.

askey127

Anubis1980 · Posted: Sun Jun 19, 2005 12:53 am Post subject:

Okay, did everything in order.

HijackThis scan:

Logfile of HijackThis v1.99.1
Scan saved at 3:46:47 AM, on 6/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
c:\windows\system32\ueocafd.exe
c:\windows\system32\rxftzct.exe
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097996206785
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\iHsrad.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[Comment: I can't seem to get rid of that )23 that ends with the runservice.exe file. I had deleted that file with KillBox because HijackThis couldn't remove it and it was never on previous HijackThis scans as I figured it to be a bad one. I know there are several other bad files but they just won't go away yet for some reason.]

Ewido scan results:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:35:59 AM, 6/19/2005
+ Report-Checksum: CC4A6D5C

+ Date of database: 6/19/2005
+ Version of scan engine: v3.0

+ Duration: 63 min
+ Scanned Files: 79882
+ Speed: 21.11 Files/Second
+ Infected files: 23
+ Removed files: 23
+ Files put in quarantine: 23
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\backups\backup-20050618-021537-166.dll -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\backups\backup-20050618-021537-855.dll -> Spyware.MediaMotor.a -> Cleaned with backup
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\backups\backup-20050618-045953-356.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\backups\backup-20050618-045953-714.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\WINDOWS\csrss.dll -> TrojanDownloader.Small.arz -> Cleaned with backup
C:\WINDOWS\msiau.dll -> TrojanProxy.Symbab.an -> Cleaned with backup
C:\WINDOWS\smssa.dll -> TrojanDownloader.Small.arz -> Cleaned with backup
C:\WINDOWS\SSK3_B5_SSK3_B5.exe -> TrojanDropper.Small.qn -> Cleaned with backup
C:\WINDOWS\system32\eliteftb32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitesxc32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\exp.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\WINDOWS\system32\ide21201.vxd -> Spyware.MediaPass -> Cleaned with backup
C:\WINDOWS\system32\instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\WINDOWS\system32\mscjjn.dll -> Spyware.180solutions -> Cleaned with backup
C:\WINDOWS\system32\vidctrl\vidctrl.exe -> Spyware.DelphinMediaViewer -> Cleaned with backup
C:\WINDOWS\system32\vidqsg.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\taskmgr.dll -> TrojanDownloader.Small.arz -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\uvchost.dll -> TrojanDownloader.Small.arz -> Cleaned with backup
C:\WINDOWS\winlogon.dll -> TrojanDownloader.Small.arz -> Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\WINDOWS\yjejodjky.exe -> Spyware.BetterInternet -> Cleaned with backup

::Report End

[NOTE: After restarting I got no less than 20 additional alerts about crap, and it was so bad I had to shut down the automatic scanning.]

Oh, and it gets worse. After I did all this and restarted, EliteBar got placed on my computer the moment I came online to post this. ABI Network is still around as well. Ugh. I used HijackThis to get rid of that stupid thing (again; it only duplicates when one of the other nasties manages to get deleted permanently).

[EDIT: Since I posted I've done nothing but come here and work with normal files on my computer, yet more crap keeps installing on the computer. It's going so fast I can't keep up. I use Ad-aware, it does absolutely nothing. I use HijackThis and delete a bunch of crap I know is bad, it still doesn't help. CCleaner didn't do anything, this Ewido thing had to be turned off cuz it pops up an alert every second or so, and this EliteBar comes back every so often as well. I've deleted things from teh registry and everything to keep the computer at least functioning, but the malware won't go away. *Considers writing down company names and getting a lawyer for some seven digit lawsuits.*]
_________________
~ANUBIS~

askey127 · Posted: Sun Jun 19, 2005 5:21 am Post subject:

Re-Enable WinXP System Restore
- Right-click My Computer, and then click Properties.
- On the System Restore tab, Clear the Check mark beside the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.

You have a file that we would like a copy of - to check out.
1. Using Windows Explorer, go to C:\WINDOWS\system32\
Locate the file you want to zip.
c:\windows\system32\iHsrad.dll

2. Right click on the file and select "Send To" and "Compressed (zipped) Folder".
If it says do you want to designate compressed folders as the application for handling zip files, you can answer yes.
It will make a default folder called iHsrad.zip

3. Then locate and right click on the file:
C:\WINDOWS\system32\iHsrad.dll

4. Select "Copy".

5. Right click on the compressed folder (default will be iHsrad.zip) and select "Paste". The copied file will be compressed and pasted in.

7. Right click on the zipped folder and select "Explore".

8. In "File" menu select "Add a Password". Enter the password infected and confirm the password.

9. Please email to cjwd-subAThostingatessex.com (Please replace the 'AT' with an '@' )

Please copy the following to the email and attach the zipped file(s) :

The password is "infected".
The thread is found here: http://spywarewarrior.com/viewtopic.php?p=85117#85117
Paste the password and thread address in the text field, and send please.

askey127

askey127 · Posted: Sun Jun 19, 2005 5:29 am Post subject:

Oh, and I meant to ask you, do you know any possible source of that iHsrad.dll file? Is there anything familiar about it?
I'm assuming you don't know the source. Is that correct?

askey

Anubis1980 · Posted: Sun Jun 19, 2005 1:36 pm Post subject:

I'm unable to send it. Even in safe mode, the thing tells me it's in use my another program and can't be copied or compressed. I tried your suggestion and even WinZIP and WinRAR. Nothing.

This is ridiculous, and I have no idea where it came from. I was at a trusted site when it happened. It's all part of that ABI Network. Anyway I'll try my idea, but I have no idea what it is or where it's from. Just, this crap keeps loading itself more and more and when I get rid of one, another pops up. Ad-aware and HijackThis have been totally ineffective.

[MASS EDIT: I went ahead and ran Panda ActiveScan because I figured there had to be a virus doing this. Turns out there was indeed a virus, and it was a downloader. Well, that answers how the programs kept coming. Unfortunately, ABI Network is still hanging around and I still can't figure out any way to get rid of/send/compress the file you requested. It's always in use, even in Safe Mode.]

Here is the ActiveScan result, I figured it may help you get to the bottom of this:

Incident Status Location

Spyware:Spyware/BargainBuddy No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate
Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\All Users\Application Data\AdDestroyer
Adware:Adware/VirtualBouncer No disinfected C:\Documents and Settings\All Users\Application Data\VBouncer
Adware:Adware/DelFinMedia No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\WINDOWS\System32\guard.tmp
Spyware:Spyware/Media-motor No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\WINDOWS\System32\ide21201.vxd
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar
Adware:Adware/ExactSearch No disinfected Windows Registry
Virus:Trj/Downloader.AYV Disinfected Operating system
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\backups\backup-20050618-021537-855.inf
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\backups\backup-20050619-035242-542.dll
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\backups\backup-20050619-043735-277.dll
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Owner\Local Settings\Temp\uninstall.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0M1UJ4IC\webservice[2].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0M1UJ4IC\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BOPEF1ZR\webservice[3].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BOPEF1ZR\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BOPEF1ZR\webservice[7].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BOPEF1ZR\webservice[8].htm
Adware:Adware/Envolo No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JKFMHXA5\AutoUpdaterInstaller[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JKFMHXA5\webservice[3].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JKFMHXA5\webservice[5].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JKFMHXA5\webservice[8].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JKFMHXA5\webservice[9].htm
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RMK3V86P\auto_update[1]
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RMK3V86P\protector[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RMK3V86P\webservice[11].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RMK3V86P\webservice[3].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RMK3V86P\webservice[9].htm
Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate\AutoUpdate.exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Adware:Adware/Abox No disinfected C:\RECYCLER\S-1-5-21-1214440339-1935655697-1957994488-1003\Dc1.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\drugs.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\fav.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\EliteToolBar\xml\images\virus.bmp
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInst.exe
Adware:Adware/Envolo No disinfected C:\WINDOWS\system32\auto_update_uninstall.exe
Adware:Adware/Envolo No disinfected C:\WINDOWS\system32\auto_update_uninstall.log
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitebyj32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitecxo32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\elitelup32.exe
Possible Virus. No disinfected C:\WINDOWS\system32\facnrc.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\guard.tmp
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\ide21201.vxd
Adware:Adware/SideSearch No disinfected C:\WINDOWS\system32\msjpok.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\vidctrl\vidctrl.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\Temp\AutoUpdate0\auto_update_install.exe
Adware:Adware/Envolo No disinfected C:\WINDOWS\Temp\AutoUpdate0\setup.inf
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\Temp\wrapperouter.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\vlbcgt.exe

Oh, and here is an updated HijackThis log after using ActiveScan and Ad-Aware:

Logfile of HijackThis v1.99.1
Scan saved at 6:08:14 PM, on 6/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097996206785
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: MS-DOSOptions - C:\WINDOWS\system32\iHsrad.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

So at least one thing has been dealt with. Sorry if I seem antsy, I just like using my computer and get cross when it's not performing correctly; that and I figure the more information/help I can provide myself, the more likely it is you can successfully clear out the problem I can't seem to get rid of. Hope this helps!
_________________
~ANUBIS~

askey127 · Posted: Mon Jun 20, 2005 1:19 pm Post subject:

Anubis,

You have a right to be antsy about this. Don't need to apologize.
Let's do a couple things as a next step:
-----------------------------------------------------------
Unregister the dll to allow copying
Go to Start, Run OR Start, Programs, Accessories, Command Prompt. Enter the following, followed by <Enter> .
regsvr32 /u iHsrad.dll
Hopefully, you should then be able to follow the earlier post and send it to us.
I'm not going to delete it yet without more data, but it may be a major cause of trouble.
Notice if you see a change in popup activity after unregistering the dll.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list. In some systems, this may be the F5 key, so try that if F8 doesn't work.
-----------------------------------------------------------
File and Folder Deletion.
In Windows Explorer, use find (F3), or use the Start, Search function to locate these files; then delete the files if present:
dl
dl.exe
suicidetb.exe
kal*sys.exe
elite*32.exe
protection.exe
protection_update.exe
If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
Note the name and location of any file you cannot delete. If any claim to be In Use, you can call up the task manager (ctrl-alt-del) and find the file, and end process. Then delete the file.

Find and Delete these folders, if present:
C:\WINDOWS\EliteToolBar\
C:\WINDOWS\EliteSideBar\
C:\WINDOWS\EliteBar\
C:\WINDOWS\SYSTEM32\EliteToolBar\
C:\WINDOWS\SYSTEM32\EliteSideBar\
C:\WINDOWS\SYSTEM32\EliteBar\
Note any folder you find but cannot delete.
You may have to delete all the underlying files and folders before a target folder can be deleted.

If there were any files you could not delete then please follow these additional instructions:
Run Pocket Killbox, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste the full path of each file to delete, one at a time, into the box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say "No" each time until the last one has been pasted in, whereupon you should answer "Yes".
Let the system reboot.
-----------------------------------------------------------
Run CCleaner. Choose the Windows tab. Check everything EXCEPT be sure the Advanced part of the menu is all Unchecked. Choose Analyze. Let the Analyze portion finish. In heavily junk-laden older machines it could take up to 15 minutes. Then choose Run Cleaner. When cleaning is finished, click Exit.
-----------------------------------------------------------
Post a New HJT Log from Normal Mode
Start HijackThis. Click Do System Scan and Save a Log File. When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

askey

Anubis1980 · Posted: Mon Jun 20, 2005 5:27 pm Post subject:

Well, I haven't gotten to the rest of the post yet, but upon trying to unregister iHsrad.dll, well, it won't let me. Says "The process cannot access the file because it is being used by another process."

What now?

EDIT: Got the rest of the instructions done. Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:42:06 PM, on 6/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097996206785
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\iHsrad.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
_________________
~ANUBIS~

askey127 · Posted: Tue Jun 21, 2005 6:24 am Post subject:

Anubis,
Let's kill that thing. Try all these steps:
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, Check the following entries:

O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\iHsrad.dll

The line may not say 'ShellScrap'. That part seems to change each log.
Make sure all other windows except HJT are closed, and Click Fix Checked.
-----------------------------------------------------------
Re-Start Your Computer in Safe Mode.
-----------------------------------------------------------
File and Folder Deletion.
Run Killbox, and click the radio button that says Delete a file on reboot. Paste C:\WINDOWS\System32\iHsrad.dll into the box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say "Yes".
Let the system reboot.
-----------------------------------------------------------
If the file iHsrad.dll was successfully removed, it should be in a folder called Submit in the root of the C: drive.
If you could zip it and send it to us per the previous post, it may tell us whether there are any hidden infections remaining. It appears to be new.
-----------------------------------------------------------
Post a New HJT Log and we'll see how we are doing.
Tell me how the machine is running. If the removal was successful, download and install the following two programs:
-----------------------------------------------------------
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. Available from http://www.javacoolsoftware.com/spywareblaster.html
-----------------------------------------------------------
Install IE-SPYAD Find it here: https://netfiles.uiuc.edu/ehowes/www/resource.htm
IE-SPYAD adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. Once you merge this list of sites and domains into the Registry, the web sites for these companies will not be able to use cookies, ActiveX controls, Java applets, or scripting to compromise your privacy or your PC while you surf the Net. Nor will they be able to use your browser to push unwanted pop-ups, cookies, or auto-installing programs on your PC.

Thanks
askey

Anubis1980 · Posted: Tue Jun 21, 2005 10:50 am Post subject:

No go. Like I said in my earlier post, that iHsrad.dll seems to be in use even in Safe Mode. When I tried the "Delete on Reboot" option, I got the following error: "PendingFileRemoveOperations Registry Data has been Removed by External Process".
HijackThis can't delete that O20 line with it either.

Also, when I installed Spyware Blaster, it disabled a whole bunch of stuff in my internet to the point where now I can't even do a good chunk of what I did before. I uninstalled it for that reason, but now its security settings are still in place and I have no idea how to get rid of them. I'm even being disallowed from sending HTML forms, which is a huge problem because my search site, www.dogpile.com, seems to use an HTML form for its search function. Any idea how to fix this so I'm not having the problem anymore?

As for IE-Spyad, I've had that on my computer for quite a while now, no problems with that for the most part.

Anyway, the ABI Network still infests my computer, with no way to uninstall because my security settings won't let me. Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:50:00 PM, on 6/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\HijackThis.exe

O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097996206785
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\iHsrad.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
_________________
~ANUBIS~

askey127 · Posted: Tue Jun 21, 2005 11:42 am Post subject:

Anubis,

Don't make any further attempts to get rid of the O20 line item.

To take care of the Spywareblaster problem:
Install it again if necessary. Run it. Click on the Internet Explorer tab on top. When the list of blocked items comes up, rightclick on the panel.
Choose Deselect All, then choose Remove protection for Unchecked Items.
Then you can uninstall spywareblaster if you wish, but you may want to keep it for installation later.

It now looks as if you have an infection called Look2Me. Working on it.

Be back shortly.
askey

askey127 · Posted: Tue Jun 21, 2005 12:07 pm Post subject:

Anubis,

Run Killbox. Type in C:\WINDOWS\system32\iHsrad.dll
click Replace on reboot and Check the box which says use the dummy file.
Then click on the red cross and let it reboot.

askey

Anubis1980 · Posted: Tue Jun 21, 2005 3:44 pm Post subject:

On the iHsrad.dll, still nothing. Same error as before when I try that. Still says the old error and disallows doing anything to any file that's currently in use.

Also, I did all that with Spyware Blaster, but I still get the message saying "security settings prohibit sending HTML forms". I even went set EVERYTHING in the security to "Enable" and it does nothing.
_________________
~ANUBIS~

wng_z3r0 · Posted: Tue Jun 21, 2005 6:45 pm Post subject:

hi. Askey has prior engagements that she must attend to. I am stepping in for Askey.

Let's get to it then!

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

wng
_________________
Proud member of Alliance of Security Analysis Professionals since 2005

If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here
My website/blog

Anubis1980 · Posted: Tue Jun 21, 2005 11:24 pm Post subject:

This just keeps getting better... >.<

New error popping up now:

C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.

Weird thing is, by choosing 'Ignore' instead I was able to get it to run through the process. It may or may not be complete, though, I have no way of knowing.

Here's the log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iHsrad.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2EC85DE4-74B2-A4A9-594E-4F08BE439A4D}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}"="eLicense Control"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{6586083B-E1DA-4EF1-B5FD-E258B51CF43E}"=""
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}"="Windows Desktop Search"
"{97090E2F-3062-4459-855B-014F0D3CDBB1}"="MSN Deskbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D426CFD0-87FC-4906-98D9-A23F5D515D61}]
@="MSN Desktop Search Outlook Express ISearchFolder Class"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6586083B-E1DA-4EF1-B5FD-E258B51CF43E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6586083B-E1DA-4EF1-B5FD-E258B51CF43E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6586083B-E1DA-4EF1-B5FD-E258B51CF43E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6586083B-E1DA-4EF1-B5FD-E258B51CF43E}\InprocServer32]
@="C:\\WINDOWS\\system32\\dCdrm.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 9CA0-F92C

Directory of C:\WINDOWS\System32

06/21/2005 06:58 PM 417,792 dCdrm.dll
06/21/2005 01:19 PM 417,792 mhc42u.dll
06/21/2005 01:13 PM 417,792 mavbvm50.dll
06/20/2005 08:17 PM 417,792 oVkley.dll
06/20/2005 01:59 PM 417,792 waaservc.dll
06/19/2005 01:20 PM 417,792 ahifile.dll
06/18/2005 08:05 PM 417,792 HAFcom20.dll
06/18/2005 04:43 AM 1,673 mmf.sys
06/18/2005 04:43 AM 417,792 myricons.dll
06/18/2005 02:18 AM 417,792 wni.dll
06/18/2005 01:45 AM 417,792 guard.tmp
06/17/2005 11:32 PM 417,792 daauth.dll
06/17/2005 10:47 PM 417,792 iPssam.dll
06/17/2005 10:47 PM 417,792 iHsrad.dll
06/17/2005 10:45 PM 417,792 WehRm.dll
06/17/2005 10:45 PM 417,792 wwhip6.dll
06/17/2005 10:44 PM 417,792 wfstream.dll
06/17/2005 10:44 PM 417,792 wfspdmod.dll
04/23/2005 02:07 PM <DIR> dllcache
10/11/2003 07:25 PM 71 SYSDRVWC.SYS
09/22/2002 11:01 PM <DIR> Microsoft
19 File(s) 7,104,208 bytes
2 Dir(s) 13,716,291,584 bytes free
_________________
~ANUBIS~

wng_z3r0 · Posted: Wed Jun 22, 2005 3:38 am Post subject:

Go here and use the approprient fix for your system then run find l2mfix again.
http://www.tech-forums.net/computer/topic/29806.html
More info here: http://support.microsoft.com/default.aspx?scid=kb;en-us;324767

Also, what site infected you with all of this crap?

wng
_________________
Proud member of Alliance of Security Analysis Professionals since 2005

If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here
My website/blog

Anubis1980 · Posted: Wed Jun 22, 2005 12:03 pm Post subject:

Here is the new log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iHsrad.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2EC85DE4-74B2-A4A9-594E-4F08BE439A4D}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}"="eLicense Control"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{6586083B-E1DA-4EF1-B5FD-E258B51CF43E}"=""
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}"="Windows Desktop Search"
"{97090E2F-3062-4459-855B-014F0D3CDBB1}"="MSN Deskbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D426CFD0-87FC-4906-98D9-A23F5D515D61}]
@="MSN Desktop Search Outlook Express ISearchFolder Class"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6586083B-E1DA-4EF1-B5FD-E258B51CF43E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6586083B-E1DA-4EF1-B5FD-E258B51CF43E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6586083B-E1DA-4EF1-B5FD-E258B51CF43E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6586083B-E1DA-4EF1-B5FD-E258B51CF43E}\InprocServer32]
@="C:\\WINDOWS\\system32\\dCdrm.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
ahifile.dll Sun Jun 19 2005 1:20:56p ..S.R 417,792 408.00 K
daauth.dll Fri Jun 17 2005 11:32:26p ..S.R 417,792 408.00 K
dcdrm.dll Tue Jun 21 2005 6:58:44p ..S.R 417,792 408.00 K
frapsvid.dll Thu Apr 7 2005 8:48:56a A.... 36,864 36.00 K
hafcom20.dll Sat Jun 18 2005 8:06:00p ..S.R 417,792 408.00 K
ihsrad.dll Fri Jun 17 2005 10:47:08p ..S.R 417,792 408.00 K
ipssam.dll Fri Jun 17 2005 10:47:12p ..S.R 417,792 408.00 K
mavbvm50.dll Tue Jun 21 2005 1:13:50p ..S.R 417,792 408.00 K
mhc42u.dll Tue Jun 21 2005 1:19:48p ..S.R 417,792 408.00 K
myricons.dll Sat Jun 18 2005 4:43:04a ..S.R 417,792 408.00 K
ovkley.dll Mon Jun 20 2005 8:17:58p ..S.R 417,792 408.00 K
waaservc.dll Mon Jun 20 2005 1:59:06p ..S.R 417,792 408.00 K
wehrm.dll Fri Jun 17 2005 10:45:06p ..S.R 417,792 408.00 K
wfspdmod.dll Fri Jun 17 2005 10:44:50p ..S.R 417,792 408.00 K
wfstream.dll Fri Jun 17 2005 10:44:54p ..S.R 417,792 408.00 K
wni.dll Sat Jun 18 2005 2:18:20a ..S.R 417,792 408.00 K
wwhip6.dll Fri Jun 17 2005 10:45:02p ..S.R 417,792 408.00 K

17 items found: 17 files (16 H/S), 0 directories.
Total of file sizes: 6,721,536 bytes 6.41 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sat Jun 18 2005 1:45:26a ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 9CA0-F92C

Directory of C:\WINDOWS\System32

06/21/2005 06:58 PM 417,792 dCdrm.dll
06/21/2005 01:19 PM 417,792 mhc42u.dll
06/21/2005 01:13 PM 417,792 mavbvm50.dll
06/20/2005 08:17 PM 417,792 oVkley.dll
06/20/2005 01:59 PM 417,792 waaservc.dll
06/19/2005 01:20 PM 417,792 ahifile.dll
06/18/2005 08:05 PM 417,792 HAFcom20.dll
06/18/2005 04:43 AM 1,673 mmf.sys
06/18/2005 04:43 AM 417,792 myricons.dll
06/18/2005 02:18 AM 417,792 wni.dll
06/18/2005 01:45 AM 417,792 guard.tmp
06/17/2005 11:32 PM 417,792 daauth.dll
06/17/2005 10:47 PM 417,792 iPssam.dll
06/17/2005 10:47 PM 417,792 iHsrad.dll
06/17/2005 10:45 PM 417,792 WehRm.dll
06/17/2005 10:45 PM 417,792 wwhip6.dll
06/17/2005 10:44 PM 417,792 wfstream.dll
06/17/2005 10:44 PM 417,792 wfspdmod.dll
04/23/2005 02:07 PM <DIR> dllcache
10/11/2003 07:25 PM 71 SYSDRVWC.SYS
09/22/2002 11:01 PM <DIR> Microsoft
19 File(s) 7,104,208 bytes
2 Dir(s) 10,509,553,664 bytes free

The site was www.freeroms.com, when I clicked on the "SNES" link on the left.
_________________
~ANUBIS~

wng_z3r0 · Posted: Wed Jun 22, 2005 12:43 pm Post subject:

yep... you have VX2 on your computer.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
_________________
Proud member of Alliance of Security Analysis Professionals since 2005

If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here
My website/blog

Anubis1980 · Posted: Wed Jun 22, 2005 6:31 pm Post subject:

Well, that got rid of the tHsrad.dll! Good deal! Unfortunately, my computer is still plagued by 'The ABI Network'.

Here is the log from that scan:

L2Mfix 1.03

Running From:
C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1260 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1340 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\ahifile.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ahifile.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\daauth.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\daauth.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\HAFcom20.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\HAFcom20.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iHsrad.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iHsrad.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iPssam.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iPssam.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mavbvm50.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mavbvm50.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhc42u.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhc42u.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mqdtcuiu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mqdtcuiu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\myricons.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\myricons.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oVkley.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oVkley.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\unrdpa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\unrdpa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\waaservc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\waaservc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WehRm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\WehRm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wfspdmod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wfspdmod.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wfstream.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wfstream.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wni.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wni.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wwhip6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wwhip6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\ahifile.dll
Successfully Deleted: C:\WINDOWS\system32\ahifile.dll
deleting: C:\WINDOWS\system32\ahifile.dll
Successfully Deleted: C:\WINDOWS\system32\ahifile.dll
deleting: C:\WINDOWS\system32\daauth.dll
Successfully Deleted: C:\WINDOWS\system32\daauth.dll
deleting: C:\WINDOWS\system32\daauth.dll
Successfully Deleted: C:\WINDOWS\system32\daauth.dll
deleting: C:\WINDOWS\system32\HAFcom20.dll
Successfully Deleted: C:\WINDOWS\system32\HAFcom20.dll
deleting: C:\WINDOWS\system32\HAFcom20.dll
Successfully Deleted: C:\WINDOWS\system32\HAFcom20.dll
deleting: C:\WINDOWS\system32\iHsrad.dll
Successfully Deleted: C:\WINDOWS\system32\iHsrad.dll
deleting: C:\WINDOWS\system32\iHsrad.dll
Successfully Deleted: C:\WINDOWS\system32\iHsrad.dll
deleting: C:\WINDOWS\system32\iPssam.dll
Successfully Deleted: C:\WINDOWS\system32\iPssam.dll
deleting: C:\WINDOWS\system32\iPssam.dll
Successfully Deleted: C:\WINDOWS\system32\iPssam.dll
deleting: C:\WINDOWS\system32\mavbvm50.dll
Successfully Deleted: C:\WINDOWS\system32\mavbvm50.dll
deleting: C:\WINDOWS\system32\mavbvm50.dll
Successfully Deleted: C:\WINDOWS\system32\mavbvm50.dll
deleting: C:\WINDOWS\system32\mhc42u.dll
Successfully Deleted: C:\WINDOWS\system32\mhc42u.dll
deleting: C:\WINDOWS\system32\mhc42u.dll
Successfully Deleted: C:\WINDOWS\system32\mhc42u.dll
deleting: C:\WINDOWS\system32\mqdtcuiu.dll
Successfully Deleted: C:\WINDOWS\system32\mqdtcuiu.dll
deleting: C:\WINDOWS\system32\mqdtcuiu.dll
Successfully Deleted: C:\WINDOWS\system32\mqdtcuiu.dll
deleting: C:\WINDOWS\system32\myricons.dll
Successfully Deleted: C:\WINDOWS\system32\myricons.dll
deleting: C:\WINDOWS\system32\myricons.dll
Successfully Deleted: C:\WINDOWS\system32\myricons.dll
deleting: C:\WINDOWS\system32\oVkley.dll
Successfully Deleted: C:\WINDOWS\system32\oVkley.dll
deleting: C:\WINDOWS\system32\oVkley.dll
Successfully Deleted: C:\WINDOWS\system32\oVkley.dll
deleting: C:\WINDOWS\system32\unrdpa.dll
Successfully Deleted: C:\WINDOWS\system32\unrdpa.dll
deleting: C:\WINDOWS\system32\unrdpa.dll
Successfully Deleted: C:\WINDOWS\system32\unrdpa.dll
deleting: C:\WINDOWS\system32\waaservc.dll
Successfully Deleted: C:\WINDOWS\system32\waaservc.dll
deleting: C:\WINDOWS\system32\waaservc.dll
Successfully Deleted: C:\WINDOWS\system32\waaservc.dll
deleting: C:\WINDOWS\system32\WehRm.dll
Successfully Deleted: C:\WINDOWS\system32\WehRm.dll
deleting: C:\WINDOWS\system32\WehRm.dll
Successfully Deleted: C:\WINDOWS\system32\WehRm.dll
deleting: C:\WINDOWS\system32\wfspdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wfspdmod.dll
deleting: C:\WINDOWS\system32\wfspdmod.dll
Successfully Deleted: C:\WINDOWS\system32\wfspdmod.dll
deleting: C:\WINDOWS\system32\wfstream.dll
Successfully Deleted: C:\WINDOWS\system32\wfstream.dll
deleting: C:\WINDOWS\system32\wfstream.dll
Successfully Deleted: C:\WINDOWS\system32\wfstream.dll
deleting: C:\WINDOWS\system32\wni.dll
Successfully Deleted: C:\WINDOWS\system32\wni.dll
deleting: C:\WINDOWS\system32\wni.dll
Successfully Deleted: C:\WINDOWS\system32\wni.dll
deleting: C:\WINDOWS\system32\wwhip6.dll
Successfully Deleted: C:\WINDOWS\system32\wwhip6.dll
deleting: C:\WINDOWS\system32\wwhip6.dll
Successfully Deleted: C:\WINDOWS\system32\wwhip6.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Zipping up files for submission:
adding: ahifile.dll (164 bytes security) (deflated 48%)
adding: daauth.dll (164 bytes security) (deflated 48%)
adding: HAFcom20.dll (164 bytes security) (deflated 48%)
adding: iHsrad.dll (164 bytes security) (deflated 48%)
adding: iPssam.dll (164 bytes security) (deflated 48%)
adding: mavbvm50.dll (164 bytes security) (deflated 48%)
adding: mhc42u.dll (164 bytes security) (deflated 48%)
adding: mqdtcuiu.dll (164 bytes security) (deflated 48%)
adding: myricons.dll (164 bytes security) (deflated 48%)
adding: oVkley.dll (164 bytes security) (deflated 48%)
adding: unrdpa.dll (164 bytes security) (deflated 48%)
adding: waaservc.dll (164 bytes security) (deflated 48%)
adding: WehRm.dll (164 bytes security) (deflated 48%)
adding: wfspdmod.dll (164 bytes security) (deflated 48%)
adding: wfstream.dll (164 bytes security) (deflated 48%)
adding: wni.dll (164 bytes security) (deflated 48%)
adding: wwhip6.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 22%)
adding: echo.reg (164 bytes security) (deflated 11%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 87%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 62%)
adding: test.txt (164 bytes security) (deflated 89%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 85%)
adding: backregs/6586083B-E1DA-4EF1-B5FD-E258B51CF43E.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: ahifile.dll
deleting local copy: ahifile.dll
deleting local copy: daauth.dll
deleting local copy: daauth.dll
deleting local copy: HAFcom20.dll
deleting local copy: HAFcom20.dll
deleting local copy: iHsrad.dll
deleting local copy: iHsrad.dll
deleting local copy: iPssam.dll
deleting local copy: iPssam.dll
deleting local copy: mavbvm50.dll
deleting local copy: mavbvm50.dll
deleting local copy: mhc42u.dll
deleting local copy: mhc42u.dll
deleting local copy: mqdtcuiu.dll
deleting local copy: mqdtcuiu.dll
deleting local copy: myricons.dll
deleting local copy: myricons.dll
deleting local copy: oVkley.dll
deleting local copy: oVkley.dll
deleting local copy: unrdpa.dll
deleting local copy: unrdpa.dll
deleting local copy: waaservc.dll
deleting local copy: waaservc.dll
deleting local copy: WehRm.dll
deleting local copy: WehRm.dll
deleting local copy: wfspdmod.dll
deleting local copy: wfspdmod.dll
deleting local copy: wfstream.dll
deleting local copy: wfstream.dll
deleting local copy: wni.dll
deleting local copy: wni.dll
deleting local copy: wwhip6.dll
deleting local copy: wwhip6.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ahifile.dll
C:\WINDOWS\system32\ahifile.dll
C:\WINDOWS\system32\daauth.dll
C:\WINDOWS\system32\daauth.dll
C:\WINDOWS\system32\HAFcom20.dll
C:\WINDOWS\system32\HAFcom20.dll
C:\WINDOWS\system32\iHsrad.dll
C:\WINDOWS\system32\iHsrad.dll
C:\WINDOWS\system32\iPssam.dll
C:\WINDOWS\system32\iPssam.dll
C:\WINDOWS\system32\mavbvm50.dll
C:\WINDOWS\system32\mavbvm50.dll
C:\WINDOWS\system32\mhc42u.dll
C:\WINDOWS\system32\mhc42u.dll
C:\WINDOWS\system32\mqdtcuiu.dll
C:\WINDOWS\system32\mqdtcuiu.dll
C:\WINDOWS\system32\myricons.dll
C:\WINDOWS\system32\myricons.dll
C:\WINDOWS\system32\oVkley.dll
C:\WINDOWS\system32\oVkley.dll
C:\WINDOWS\system32\unrdpa.dll
C:\WINDOWS\system32\unrdpa.dll
C:\WINDOWS\system32\waaservc.dll
C:\WINDOWS\system32\waaservc.dll
C:\WINDOWS\system32\WehRm.dll
C:\WINDOWS\system32\WehRm.dll
C:\WINDOWS\system32\wfspdmod.dll
C:\WINDOWS\system32\wfspdmod.dll
C:\WINDOWS\system32\wfstream.dll
C:\WINDOWS\system32\wfstream.dll
C:\WINDOWS\system32\wni.dll
C:\WINDOWS\system32\wni.dll
C:\WINDOWS\system32\wwhip6.dll
C:\WINDOWS\system32\wwhip6.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6586083B-E1DA-4EF1-B5FD-E258B51CF43E}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6586083B-E1DA-4EF1-B5FD-E258B51CF43E}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Here's also a new HijackThis log for you:

Logfile of HijackThis v1.99.1
Scan saved at 9:30:56 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097996206785
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
_________________
~ANUBIS~

wng_z3r0 · Posted: Wed Jun 22, 2005 7:02 pm Post subject:

well, it looks like ABI is part of aurora/nail that askey removed.
I don't see it running. Please tell me how ABI is affecting you. Are you getting popups? ABI files? etc... If you need to, go ahead and save a screenshot here:
http://imageshack.ws

and then post the linky here.
wng
_________________
Proud member of Alliance of Security Analysis Professionals since 2005

If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here
My website/blog

wng_z3r0 · Posted: Wed Jun 22, 2005 7:07 pm Post subject:

also, we would like to get our hands on some of those VX2 files..for testing.

There should have been a folder created called C:\submit
or something like that.
It might be in the l2mfix FOLDER

I need you to:
right click the submit folder and click send to->compressed folder

7. Right click on the zipped folder and select "Explore".

8. In "File" menu select "Add a Password". Enter the password infected and confirm the password.

9. Please email to cjwd-sub (AT) hostingatessex.com (Please replace the 'AT' with an '@' )

Please copy the following to the email and attach the zipped file(s) :

The password is "infected".
The thread is found here. http://spywarewarrior.com/viewtopic.php?p=85548#85548

Paste it in the text field.

and send please.
_________________
Proud member of Alliance of Security Analysis Professionals since 2005

If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here
My website/blog

wng_z3r0 · Posted: Wed Jun 22, 2005 7:22 pm Post subject:

sorry for the multiple postings.... bad habit Sad

Download killbox here:

KillBox

Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter C:\WINDOWS\system32\ahifile.dll into the field labeled "Full path of file to delete".

Select the replace with dummy option.

Then press the button that looks like a red circle with a white X in it.

You will get a prompt that asks you this:

Anubis1980 · Posted: Wed Jun 22, 2005 9:11 pm Post subject:

First, for ABI, it's still in my Add/Remove Programs, and every night at around 3-5am I keep getting pop-ups and several things installed on my computer that I am able to remove but still takes a lot of time to deal with. The worst is EliteBar, which also won't leave my Add/Remove Programs after ewido took down the files. I'm not sure how much was because of what you just got rid of, but I'm pretty sure EliteBar is part of ABI, and it kept coming even last night.

For the files, well, I didn't find any Submit folder, but there is a ZIP file called backup.zip that has all the files in it I think, so I sent that.

To deleting all them files, well, I tried to do what you said, but it kept saying the stuff had been removed. I looked in the System32 folder myself, and sure enough, they're all already gone.

Here is the new log from l2mfix:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}"="eLicense Control"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}"="Windows Desktop Search"
"{97090E2F-3062-4459-855B-014F0D3CDBB1}"="MSN Deskbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D426CFD0-87FC-4906-98D9-A23F5D515D61}]
@="MSN Desktop Search Outlook Express ISearchFolder Class"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
frapsvid.dll Thu Apr 7 2005 8:48:56a A.... 36,864 36.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 36,864 bytes 36.00 K
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 9CA0-F92C

Directory of C:\WINDOWS\System32

06/18/2005 04:43 AM 1,673 mmf.sys
04/23/2005 02:07 PM <DIR> dllcache
10/11/2003 07:25 PM 71 SYSDRVWC.SYS
09/22/2002 11:01 PM <DIR> Microsoft
2 File(s) 1,744 bytes
2 Dir(s) 9,919,037,440 bytes free

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:11:36 AM, on 6/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097996206785
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
_________________
~ANUBIS~

wng_z3r0 · Posted: Thu Jun 23, 2005 4:01 am Post subject:

well, you don't have elitebar in your hijackthis log, but here's the removal instructions:
please download to desktop but don't run yet:

WinsockXPFix
and this program:
Elitebarremoval

Copy the text inside the 'Code' box to Notepad, and save in a location of your choice as Fix.reg (make sure you save as type: 'all files')

wng_z3r0 · Posted: Thu Jun 23, 2005 4:03 am Post subject:

also, let's be sure that VX2 is gone. Please run option 2 of l2mfix again...
_________________
Proud member of Alliance of Security Analysis Professionals since 2005

If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here
My website/blog

Anubis1980 · Posted: Thu Jun 23, 2005 2:03 pm Post subject:

Well, the pop-ups and installations seem to have ceased (I'll know for sure within the next 24 hours), but the a couple other big problems are still present.

1) ABI Network and EliteBar are still in my Add/Remove Programs. I want them gone. How do I get rid of that crap?

2) EliteBar killed my MSN Toolbar. How do I get it back?

3) Something is making my computer think www.dogpile.com is a Restricted Site despite the fact that it's not on the list (I looked several times over). As such, I get an error saying I can't send HTML forms unless I set Submit Non-encrypted Forms to Enable under Restricted Sites (not good). How do I fix that?

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:58:08 PM, on 6/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097996206785
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Here is the new l2mfix log:

L2Mfix 1.03

Running From:
C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1008 'explorer.exe'
Killing PID 1008 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
updating: clear.reg (164 bytes security) (deflated 2%)
updating: echo.reg (164 bytes security) (deflated 11%)
updating: direct.txt (164 bytes security) (stored 0%)
updating: lo2.txt (164 bytes security) (deflated 73%)
updating: readme.txt (164 bytes security) (deflated 49%)
updating: report.txt (164 bytes security) (deflated 59%)
updating: test.txt (164 bytes security) (stored 0%)
updating: test2.txt (164 bytes security) (stored 0%)
updating: test3.txt (164 bytes security) (stored 0%)
updating: test5.txt (164 bytes security) (stored 0%)
adding: log.txt (164 bytes security) (deflated 87%)
updating: backregs/6586083B-E1DA-4EF1-B5FD-E258B51CF43E.reg (164 bytes security) (deflated 70%)
updating: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

_________________
~ANUBIS~

wng_z3r0 · Posted: Thu Jun 23, 2005 2:23 pm Post subject:

ok: let's try the following.
go to start-> run.
paste this in:
regedit.exe /e c:\policies.txt "Hkey_current_user\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"

hit enter.
Then go to start->run
and paste this in:
regedit.exe /e c:\policies1.txt "hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
and hit enter

Then go to hijackthis. click on: open the misc tools section
click on "open uninstall manager"
then
click on "save list"

Then give the contents of these lists as a reply to this thread:
1. c:\policies.txt
2. c:\policies1.txt
3. the program manager list you saved.

to get your toolbar back, download it here:
http://toolbar.msn.com/

Next, do this:
Please go to:
start-->run

and type this in:
regedit

Then click on the FILE menu and select export
Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

Then, go to start-->run

and type this in:
notepad

Paste this into the box:

Anubis1980 · Posted: Fri Jun 24, 2005 1:12 am Post subject:

The computer didn't seem to want to make those first two exports you told me to make. I did exactly as you said, but no file was created when I went to go get it.

Here is the HijackThis file:

7-Zip 3.13
Ad-aware 6 Personal
Adobe Acrobat 5.0
AudioHQ
BitTorrent 3.4.2
CCleaner (remove only)
Creative Surround Mixer
Direct Show Ogg Vorbis Filter (remove only)
DivX Player
DivX Pro Codec Adware
EliteBar Internet Explorer Toolbar
ewido security suite
FINAL FANTASY XI
FINAL FANTASY XI: Chains of Promathia
FINAL FANTASY XI: Rise of the Zilart
Flash Decompiler
Fraps
GSpot Codec Information Appliance
Hex Workshop v3.1
HP DeskJet 610C Series (Remove only)
ICQ
IrfanView (remove only)
Logitech iTouch Software
Logitech MouseWare 9.79
Logitech Resource Center
Microsoft Data Access Components KB870669
Microsoft Works 4.5
MSN Messenger 7.0
MSN Search Toolbar
Music MasterWorks v3.81
MUSICMATCH® Jukebox
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers
Paint Shop Pro 7 Try And Buy
PlayOnline Viewer and Tetra Master
QuickTime
RealOne Player
SimCity 4 Deluxe
SmartFTP
Spybot - Search & Destroy 1.2
SpywareBlaster v3.4
TableSmith
The ABI Network- A Division of Direct Revenue
Trillian
WeatherMaster 1.1.3
Wilderness Mapper
Winamp (remove only)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB821253
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q814995
Windows XP Service Pack 1
WinMX
WinRAR archiver
WinZip
XviD MPEG-4 Video Codec
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
_________________
~ANUBIS~

wng_z3r0 · Posted: Fri Jun 24, 2005 1:56 pm Post subject:

I dunno why that command line isn't working. It doesn't work on my computer either... strange
Anyways, let's continue on with the fix
go to hijackthis. click on: open the misc tools section
click on "open uninstall manager"

click this entry, and then hit the delete button:
EliteBar Internet Explorer Toolbar

Also, I noticed you are using Spybot 1.2
This is an outdated version. Please uninstall it, then download the latest version here.
http://net-integration.net/main/content/view/105/25/

Please go to:
start-->run

and type this in:
regedit

Then click on the FILE menu and select export
Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL
Then, open up the l2mfix folder, and run this reg file:
winlogondefaults.reg
hitting yes for confirmation.

Finally, it looks like Bittorrent isn't as clean as it used to be. I am willing to bet AT LEAST your Nail infection came from there, if not more.

See here for more info:
http://www.vitalsecurity.org/

So, you might wanna reconsider that particular p2p client.

Post back with a HJT log, and symptoms.
wng
_________________
Proud member of Alliance of Security Analysis Professionals since 2005

If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here
My website/blog

Anubis1980 · Posted: Fri Jun 24, 2005 2:17 pm Post subject:

On deleted EliteBar, I decided to delete the entry for ABI Network as well. Is that okay?

As for Spybot, well, looks like the site is down for updating, so I'll have to come back to that a little later. Should be okay, though, seeing as it's been a very long time since Spybot detected anything that Ad-aware didn't already get.

As for the Nail infection, I can pretty much guarantee EVERYTHING that's happened started with the ABI Network and the web site I posted earlier (the SNES link on www.freeroms.com ). Reason being that I haven't used BitTorrent for a really REALLY long time (like over a year I'd guess) until a couple days ago, and that was after all this happened (and after the Nail infection was fixed, as well). So take my word for it, ABI Network caused EVERYTHING.

Oh, here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:18:34 PM, on 6/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0000.1082\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097996206785
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
_________________
~ANUBIS~

wng_z3r0 · Posted: Fri Jun 24, 2005 2:49 pm Post subject:

I guess I lose the bet then Evil or Very Mad

I'd say around 70-80% of nail infections that I've come across are due to bit torrent...

anyways,
is elitebar and ABI still coming back? How's those popups?

wng
_________________
Proud member of Alliance of Security Analysis Professionals since 2005

If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here
My website/blog

Anubis1980 · Posted: Fri Jun 24, 2005 7:21 pm Post subject:

All seems to be quiet so far, and nothing new is getting installed. Toolbar is back, Dogpile works, and no pop-ups or anything of the sort.

Is it finally all clean?
_________________
~ANUBIS~

wng_z3r0 · Posted: Sat Jun 25, 2005 8:33 am Post subject:

well, since you've had so much junk on your computer, I'd like it if you ran these steps:

To start with I would like you to do this

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Do a virus scan here.
If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.

Then please do this since it’s better to use automated tools to get rid of the bad stuff use these 2 programs first before doing the final cleaning with HJT

First is Spybot S & D available from here.

1. Downloaded and Install Spybot S&D, accepting the Default Settings

2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.

3. Close ALL windows except Spybot S&D

4. Click the button to ‘Search for Updates’ then download and install the Updates.

5. Next click the button ‘Check for Problems'

6. When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' entries and ‘GREEN’ entries in the window

7. Make certain there is a check mark beside all of the RED entries ONLY.

8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

9. REBOOT to complete the scan and clear memory.

Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

Open adaware and Click the "Check for updates now" line on the main screen. CLick the "Connect" button on the webupdate screen.

If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Make sure the "Automatically quarantine objects prior to removal" setting is checked green and then click "Proceed" to save your changes.

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Leave the option for low-risk threats unchecked also. Then select "Use custom scanning options" and click "CUstomize". This will open the "Scan Settings Page. Make sure all of the following are On with a green checkmark:

Scan within archives

Then click on the "Tweak" Button to open up the tweak settings.

Open up the Scanning Engine section and make sure all of the following are On with a green checkmark:

Scan registry for all users instead of current user only

Make sure the following is unchecked with a red X:

Unload recognized processes & modules during scan.

Open up the Cleaning Engine section and make sure all of the following are On with a green checkmark:

Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot.

Click the "Proceed" button to save settings. Click next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to "Scan Complete".

Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. Then all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.

Run the scan, and then reboot.

Then post a new HJT log as a reply to this topic.
_________________
Proud member of Alliance of Security Analysis Professionals since 2005

If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here
My website/blog

Anubis1980 · Posted: Sat Jun 25, 2005 11:30 am Post subject:

Well, Spybot's web site is still down, so I had to skip that step. I ran that virus scan, but at the end, although it said it found a few, when it tried to display them, nothing came up. I saved the final log, but there were things found. Should I just go find the files and delete them?

Anyway, here is the virus scan report:

Virus Scan 0 virus cleaned, 0 virus deleted

Results:
We have detected 4 infected file(s) with 4 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 4 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\WINDOWS\system32\climsd.exe TROJ_DLOADER.QI No action available
C:\WINDOWS\system32\exp TROJ_SMALL.AAL No action available
C:\WINDOWS\system32\wintask.exe TROJ_SMALL.AAL No action available
C:\WINDOWS\Temp\Del2A.tmp TROJ_AGENT.RS No action available

Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 2 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 2 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken
TROJ_SMALL.AAL Trojan No action available
TROJ_TL.A Trojan No action available

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:59:00 PM, on 6/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0000.1082\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097996206785
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
_________________
~ANUBIS~

wng_z3r0 · Posted: Sun Jun 26, 2005 10:20 am Post subject:

ok: let's go after those 2 trojans

delete these files:
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\climsd.exe
C:\WINDOWS\Temp\Del2A.tmp <<folder

Then,
Please print the instructions below.
Then reboot your computer
As soon as it starts to boot, rapidly press the f8 key.
select safe mode from the menu
If you are still unsure, see here

IN safe mode, go to start->run
type in:
cleanmgr
hit enter
then clean out your temp files and IE temp files

Finally, run Panda Activescan here:
Panda ActiveScan

wng
_________________
Proud member of Alliance of Security Analysis Professionals since 2005

If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here
My website/blog

Anubis1980 · Posted: Sun Jun 26, 2005 5:39 pm Post subject:

Looks like that worked to get rid of that. Thing is, Activescan is still finding a bunch of adware that Ad-aware if not finding last I scanned.

Here is the Activescan log:

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\All Users\Application Data\AdDestroyer
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\System32\nsvsvc\nsv.ocx
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\WINDOWS\System32\ide21201.vxd
Adware:Adware/EliteBar No disinfected Windows Registry
Virus:Trj/Downloader.AYV Disinfected C:\!Submit\wintask.exe
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\backups\backup-20050618-021537-855.inf
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\backups\backup-20050619-035242-542.dll
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\backups\backup-20050619-043735-277.dll
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\backups\backup-20050622-032342-840.dll
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/WinAD No disinfected C:\Program Files\Media Access\MediaAccC.dll
Adware:Adware/WinTools No disinfected C:\WINDOWS\hisistheurls.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInst.exe
Virus:Trj/Downloader.AYV Disinfected C:\WINDOWS\system32\exp
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\ide21201.vxd
Adware:Adware/SideSearch No disinfected C:\WINDOWS\system32\msjpok.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\nsvsvc\nsv.ocx
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\Temp\cfin[cfin]
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\Temp\cfout.txt
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\Temp\cln41.tmp
Adware:Adware/WinAD No disinfected C:\WINDOWS\Temp\MediaAccessInstPack.exe
Virus:Trj/Delmed.A Disinfected C:\WINDOWS\Temp\s030109.Stub.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\Temp\seedcorn_2_215
Adware:Adware/Transponder No disinfected C:\WINDOWS\vlbcgt.exe
_________________
~ANUBIS~

wng_z3r0 · Posted: Sun Jun 26, 2005 6:32 pm Post subject:

ok.. from the looks of the log, you have some infections we need to deal with!

Use add/remove programs for these programs:
DelfinMedia Viewer

then go to start->run and type this in:
"c:\program files\Sidefind\update\sidefind.exe" /remove
and follow the removal prompts

Some of the stuff is here
C:\Documents and Settings\Owner\Desktop\Utilities\HijackThis\backups\backup-20050619-035242-542.dll

which is fine. THat's HijackThis's backup.

So, go through and delete all the stuff that says No disinfected. If needed, use killbox to remove them.

Download killbox here:

KillBox

Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter <insert file here> into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

You will get a prompt that asks you this:

Anubis1980 · Posted: Mon Jun 27, 2005 5:09 pm Post subject:

The Delfin program isn't in my Add/Remove Programs list.

Oh, and the computer says that Sidefind thing doesn't exist.

I got rid of the rest except for the three things here:

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected Windows Registry

Anyway, here is the new Activescan log:

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\All Users\Application Data\AdDestroyer
Adware:Adware/DelFinMedia No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access
Adware:Adware/EliteBar No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[ahifile.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[daauth.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[HAFcom20.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[iHsrad.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[iPssam.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[mavbvm50.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[mhc42u.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[mqdtcuiu.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[myricons.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[oVkley.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[unrdpa.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[waaservc.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[WehRm.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[wfspdmod.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[wfstream.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[wni.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[wwhip6.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Owner\Desktop\Utilities\l2mfix\backup.zip[guard.tmp]
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\Temp\cfin[cfin]
_________________
~ANUBIS~

wng_z3r0 · Posted: Mon Jun 27, 2005 6:22 pm Post subject:

Hey that looks alot better. The only file remaining is this:
C:\WINDOWS\Temp\cfin
and this:
C:\Documents and Settings\All Users\Application Data\AdDestroyer
try deleting it. If needed, use killbox's delete on reboot.

Download killbox here:

KillBox

Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter C:\WINDOWS\Temp\cfin into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

You will get a prompt that asks you this: