Thanks very much for your reply. I have been having trouble posting all 3 logs and I think it is because the ActiveScan report is so large. I have posted the HijackThis new log and the l2mfix log anyway. Are there any particular bits of the ActiveScan you need which I can post separately?
Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 10:27:27, on 31/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\WINDOWS\system32\msiexec.exe
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\en0sl1d71.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
End of log.
L2mfix log:
L2mfix 051206
Creating Account.
The command completed successfully.
Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Killing 'smss.exe'
\SystemRoot\System32\smss.exe (660)
Killing 'winlogon.exe'
winlogon.exe (732)
Killing 'explorer.exe'
C:\WINDOWS\Explorer.EXE (1812)
Killing 'rundll32.exe'
rundll32.exe "C:\WINDOWS\system32\jPvaee.dll",DllGetVersion (1404)
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\ahrace.dll
Successfully Deleted: C:\WINDOWS\system32\ahrace.dll
Deleting: C:\WINDOWS\system32\d6j02g1mg6.dll
Successfully Deleted: C:\WINDOWS\system32\d6j02g1mg6.dll
Deleting: C:\WINDOWS\system32\en0sl1d71.dll
Successfully Deleted: C:\WINDOWS\system32\en0sl1d71.dll
Deleting: C:\WINDOWS\system32\enpul1791.dll
Successfully Deleted: C:\WINDOWS\system32\enpul1791.dll
Deleting: C:\WINDOWS\system32\h6j4lg1q16.dll
Successfully Deleted: C:\WINDOWS\system32\h6j4lg1q16.dll
Deleting: C:\WINDOWS\system32\jPvaee.dll
Successfully Deleted: C:\WINDOWS\system32\jPvaee.dll
Deleting: C:\WINDOWS\system32\kvdusr.dll
Successfully Deleted: C:\WINDOWS\system32\kvdusr.dll
Deleting: C:\WINDOWS\system32\kwdit.dll
Successfully Deleted: C:\WINDOWS\system32\kwdit.dll
Deleting: C:\WINDOWS\system32\lvjq0915e.dll
Successfully Deleted: C:\WINDOWS\system32\lvjq0915e.dll
Deleting: C:\WINDOWS\system32\n48o0el3ehq.dll
Successfully Deleted: C:\WINDOWS\system32\n48o0el3ehq.dll
Deleting: C:\WINDOWS\system32\p08q0al5edq.dll
Successfully Deleted: C:\WINDOWS\system32\p08q0al5edq.dll
Deleting: C:\WINDOWS\system32\p0n80a5ued.dll
Successfully Deleted: C:\WINDOWS\system32\p0n80a5ued.dll
Deleting: C:\WINDOWS\system32\rnutetab.dll
Successfully Deleted: C:\WINDOWS\system32\rnutetab.dll
Deleting: C:\WINDOWS\system32\WoaLogon.dll
Successfully Deleted: C:\WINDOWS\system32\WoaLogon.dll
msg11?.dll
0 file(s) copied.
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en0sl1d71.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ahrace.dll
C:\WINDOWS\system32\d6j02g1mg6.dll
C:\WINDOWS\system32\en0sl1d71.dll
C:\WINDOWS\system32\enpul1791.dll
C:\WINDOWS\system32\h6j4lg1q16.dll
C:\WINDOWS\system32\jPvaee.dll
C:\WINDOWS\system32\kvdusr.dll
C:\WINDOWS\system32\kwdit.dll
C:\WINDOWS\system32\lvjq0915e.dll
C:\WINDOWS\system32\n48o0el3ehq.dll
C:\WINDOWS\system32\p08q0al5edq.dll
C:\WINDOWS\system32\p0n80a5ued.dll
C:\WINDOWS\system32\rnutetab.dll
C:\WINDOWS\system32\WoaLogon.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{18AAA159-962F-42F7-9B98-D54ACE49FBCC}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{18AAA159-962F-42F7-9B98-D54ACE49FBCC}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{18AAA159-962F-42F7-9B98-D54ACE49FBCC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{18AAA159-962F-42F7-9B98-D54ACE49FBCC}\InprocServer32]
@="C:\\WINDOWS\\system32\\kvdusr.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{3C9FC332-DC77-42D5-BB57-803F097176AA}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{3C9FC332-DC77-42D5-BB57-803F097176AA}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{3C9FC332-DC77-42D5-BB57-803F097176AA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{3C9FC332-DC77-42D5-BB57-803F097176AA}\InprocServer32]
@="C:\\WINDOWS\\system32\\rnutetab.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{0AA8923B-C5DD-4EF1-8D7C-E9E411A70014}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{0AA8923B-C5DD-4EF1-8D7C-E9E411A70014}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{0AA8923B-C5DD-4EF1-8D7C-E9E411A70014}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{0AA8923B-C5DD-4EF1-8D7C-E9E411A70014}\InprocServer32]
@="C:\\WINDOWS\\system32\\WoaLogon.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{D34B2FDA-BE3F-4405-9A95-1257E57535A9}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{D34B2FDA-BE3F-4405-9A95-1257E57535A9}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{D34B2FDA-BE3F-4405-9A95-1257E57535A9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{D34B2FDA-BE3F-4405-9A95-1257E57535A9}\InprocServer32]
@="C:\\WINDOWS\\system32\\kwdit.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{4C796A96-89DC-4792-9647-4D0A5F90D518}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4C796A96-89DC-4792-9647-4D0A5F90D518}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4C796A96-89DC-4792-9647-4D0A5F90D518}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4C796A96-89DC-4792-9647-4D0A5F90D518}\InprocServer32]
@="C:\\WINDOWS\\system32\\jPvaee.dll"
"ThreadingModel"="Apartment"
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A59DCF98-DE02-4D89-B9E3-3DA4F64FB7B7}"=-
"{18AAA159-962F-42F7-9B98-D54ACE49FBCC}"=-
"{3C9FC332-DC77-42D5-BB57-803F097176AA}"=-
"{0AA8923B-C5DD-4EF1-8D7C-E9E411A70014}"=-
"{D34B2FDA-BE3F-4405-9A95-1257E57535A9}"=-
"{4C796A96-89DC-4792-9647-4D0A5F90D518}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A59DCF98-DE02-4D89-B9E3-3DA4F64FB7B7}]
[-HKEY_CLASSES_ROOT\CLSID\{18AAA159-962F-42F7-9B98-D54ACE49FBCC}]
[-HKEY_CLASSES_ROOT\CLSID\{3C9FC332-DC77-42D5-BB57-803F097176AA}]
[-HKEY_CLASSES_ROOT\CLSID\{0AA8923B-C5DD-4EF1-8D7C-E9E411A70014}]
[-HKEY_CLASSES_ROOT\CLSID\{D34B2FDA-BE3F-4405-9A95-1257E57535A9}]
[-HKEY_CLASSES_ROOT\CLSID\{4C796A96-89DC-4792-9647-4D0A5F90D518}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/ahrace.dll (164 bytes security) (deflated 4%)
adding: dlls/d6j02g1mg6.dll (164 bytes security) (deflated 5%)
adding: dlls/en0sl1d71.dll (164 bytes security) (deflated 4%)
adding: dlls/enpul1791.dll (164 bytes security) (deflated 4%)
adding: dlls/h6j4lg1q16.dll (164 bytes security) (deflated 5%)
adding: dlls/jPvaee.dll (164 bytes security) (deflated 4%)
adding: dlls/kvdusr.dll (164 bytes security) (deflated 4%)
adding: dlls/kwdit.dll (164 bytes security) (deflated 4%)
adding: dlls/lvjq0915e.dll (164 bytes security) (deflated 5%)
adding: dlls/n48o0el3ehq.dll (164 bytes security) (deflated 4%)
adding: dlls/p08q0al5edq.dll (164 bytes security) (deflated 5%)
adding: dlls/p0n80a5ued.dll (164 bytes security) (deflated 5%)
adding: dlls/rnutetab.dll (164 bytes security) (deflated 4%)
adding: dlls/WoaLogon.dll (164 bytes security) (deflated 4%)
adding: backregs/0AA8923B-C5DD-4EF1-8D7C-E9E411A70014.reg (188 bytes security) (deflated 70%)
adding: backregs/18AAA159-962F-42F7-9B98-D54ACE49FBCC.reg (188 bytes security) (deflated 70%)
adding: backregs/3C9FC332-DC77-42D5-BB57-803F097176AA.reg (188 bytes security) (deflated 70%)
adding: backregs/4C796A96-89DC-4792-9647-4D0A5F90D518.reg (188 bytes security) (deflated 70%)
adding: backregs/D34B2FDA-BE3F-4405-9A95-1257E57535A9.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 63%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)
End of log.
Any help would be much appreciated. Thank you.
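The interesting part of the L2mfix output above is the Winlogon Notify export: every DllName listed under HKLM\...\Winlogon\Notify is loaded into winlogon.exe at boot, which is why the randomly named en0sl1d71.dll registered as "ShellCompatibility" (and flagged as O20 in the HijackThis log) kept coming back. Below is an added example, not part of the original post or of L2mfix or HijackThis, that parses a regedit 5.00 export of that key, decodes the hex(2) (REG_EXPAND_SZ) values regedit wraps across lines, and flags any notification package whose DLL is not one of the stock Windows XP names or is given by absolute path. The baseline set of stock DLLs and the shortened SAMPLE_EXPORT (modelled on the export in the post) are assumptions of this example.

```python
"""Parse a regedit export of the Winlogon\\Notify key and flag notification
packages that do not match a known-good baseline (added example)."""
import re

# Baseline assumed by this example: the stock Windows XP Winlogon notification
# DLLs that the legitimate subkeys in the posted export resolve to.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "wlnotify.dll", "sclgntfy.dll"}

# Constructed excerpt of a regedit export, modelled on the one in the post.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en0sl1d71.dll"
"Logon"="WinLogon"
'''


def _join_continuations(text):
    """Re-join values that regedit wrapped with a trailing backslash."""
    out, buf = [], ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        out.append(buf + line.strip())
        buf = ""
    if buf:
        out.append(buf)
    return out


def _decode_value(raw):
    """Decode the right-hand side of a .reg line into a Python value."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("1", "2"):  # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    if raw.startswith('"') and raw.endswith('"'):
        # .reg files escape backslashes and quotes with a backslash
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_reg_export(text):
    """Return {subkey_path: {value_name: data}} for a regedit 5.00 export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, sep, raw = line.partition("=")
        if current is None or not sep:
            continue
        keys[current][name.strip('"')] = _decode_value(raw)
    return keys


def suspicious_notify_packages(keys, baseline=BASELINE_DLLS):
    """Return (subkey, dll) pairs whose DllName is not a stock bare DLL name.

    Winlogon loads every DllName under the Notify key into winlogon.exe, so a
    DLL outside the baseline, or one registered by absolute path, is a
    persistence flag worth a second look.
    """
    flagged = []
    for path, values in keys.items():
        if "\\Winlogon\\Notify\\" not in path:
            continue
        # Stock entries spell the value both "DllName" and "DLLName"
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            continue
        basename = dll.rsplit("\\", 1)[-1].lower()
        if basename not in baseline or "\\" in dll:
            flagged.append((path.rsplit("\\", 1)[-1], dll))
    return flagged


if __name__ == "__main__":
    for subkey, dll in suspicious_notify_packages(parse_reg_export(SAMPLE_EXPORT)):
        print(f"suspicious Winlogon Notify package {subkey!r} -> {dll}")
```

Run it as-is to see the ShellCompatibility entry flagged while crypt32chain and cscdll pass; to check a real export, paste the text between the "Winlogon notify key" banner and "The following are the files found" into SAMPLE_EXPORT. The absolute-path heuristic matters as much as the name check: stock packages are registered by bare file name and resolved from system32, so a full path is itself a tell even before you look up the name.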