Old 08-12-2005, 03:43 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 37
OS: WinXP


Some Scary Adware here ,Please Help!!

Hi,
I have been infected with some spyware that I have not been able to remove with HJT, AdAware SE or AVG Free. I am posting my HJT log here. Thanks for your help!!
Logfile of HijackThis v1.99.1
Scan saved at 5:33:20 PM, on 8/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\etb\pokapoka63.exe
C:\WINDOWS\System32\jrjupj.exe
c:\windows\system32\yqhcflo.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Cas\Client\casclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=msgr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=msgr
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [amqnqz] c:\windows\system32\yqhcflo.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\SSCVRT32.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

The Nail.exe and the pokapoka63.exe are two of the ones that keep coming back after HJT removal. Any ideas?
Thanks again for your help.
Monkeyshine
Old 08-13-2005, 03:06 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,453
OS: N/A


Please do the following:

Download L2MFix - Double click L2mfix.exe & answer Yes when prompted. Then click the Install button to extract the files to a newly created folder named - L2mfix

Close all open programs
Double click L2mfix.bat
Select option #2 - Run Fix - by typing 2
Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Copy the contents of that log and paste it here, along with a new HJT log.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-DOS applications - you will need to visit this website to download additional files.
Please Do NOT run any other files in the l2mfix folder until you are told to
__________________

Question - what have you done for the community today?
Old 08-13-2005, 03:14 AM   #3 (permalink)
Moderator, Microsoft Support
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".

Save the next instructions in Notepad, because you will also have to work in Safe Mode without networking support, so this page won't be available then. You should not have any browsers open.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important that you don't miss a step and perform everything in the right order!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp! - Install

Ewido Security Suite - Install & update its database, but do not run it yet.

KillBox v2.0.0.175

Nailfix

FindIt's.zip

Process Explorer

Download LQfix and save it to your desktop. Extract the file to your desktop but do not use it yet!
  • Download DSRFIX from HERE onto your Desktop.
  • Unzip and EXTRACT the files to your Desktop.
  • The program creates and names the new folder to house the files.
  • DO NOT RUN IT YET


L2mfix


Unplug your computer from the Internet when you have finished downloading


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
  • Open the folder dsrfix
  • Double click on the dsrfix batch file( the one with the little gear in it )
  • Once dsrfix has completed it will close on its own

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run a scan with HiJackThis & locate an entry that looks similar to this...
  • O4 - HKLM\..\Run: [amqnqz] c:\windows\system32\yqhcflo.exe r
The name might be different, but it resides in the system32 folder & has the letter "r" at the end. Take note of the filename & location.

Run Process Explorer and locate name of the file you've just identified in the list of Processes.
Select the process and click Process > Suspend
Leave Process Explorer running with the process suspended until the computer reboots

Note - It's important that you KILLBOX this file in the next step, so please substitute the name of the file you've just identified appropriately.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
  • the name & location of the file you've just identified
  • C:\WINDOWS\Nail.exe
  • C:\WINDOWS\etb\pokapoka63.exe
  • C:\WINDOWS\dinst.exe
  • c:\windows\system32\yqhcflo.exe
  • C:\WINDOWS\System32\jrjupj.exe
  • C:\WINDOWS\system32\SSCVRT32.DLL
  • C:\WINDOWS\svcproc.exe
Select/Highlight all the filename(s) from the list above.
Copy to clipboard by pressing [CTRL]+[C] on your keyboard.
Start KillBox.exe
  1. Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versions of Killbox
    Click the dropdown-arrow next to the "Full Path of File to Delete" field.
    Verify that the filenames you pasted are found in there.
  2. Select/tick the following:
    • 'Replace on Reboot '
    • 'Use Dummy'
    • 'End Explorer Shell While Killing File'
    • 'Unregister.dll Before Deleting' * if it's not grayed out
  3. Click the RED X button.
  4. Click "Yes" at the 'Delete on Reboot' prompt.
  5. Click "Yes" at the 'Pending Operations prompt'.

* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to manually restart Windows.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run the Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO SAFE MODE
  1. Shut Windows down, and then turn off the computer.
  2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
    Windows Advanced Options menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Doubleclick LQfix.bat that you saved on your desktop earlier.
A dos window will open and close again, this is normal.

* Occasionally a DOS box may appear asking your permission to delete some files in temporary Windows directories. You must accept the deletion of these to be sure of properly removing the malware!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Click Start>Run - type services.msc.
Locate the System Startup Service (SvcProc) service and double-click on it to open the Properties dialog.
Click the Stop button.
In the Startup type dropdown select Disabled.
Click the Apply button and then the Ok button.

Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, type in SvcProc & click the OK button.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Uninstall the following programs, if present, using Control Panel > Add/Remove Programs :
  • Cas or Casino Client

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [amqnqz] c:\windows\system32\yqhcflo.exe r
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\SSCVRT32.DLL
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Enable the viewing of Hidden files
  1. From Windows Explorer, go to Tools>Folder Options>View tab.
  2. Enable the option for "Show hidden files and folders"
  3. Disable the option for "Hide file extensions for known types"
  4. Disable the option for "Hide protected operating system files"
  5. Click "Yes" to confirm & then click "OK"

= = = = = = =

Locate and delete the following folder(s), if present:
  • C:\Program Files\Cas\Client\casclient.exe
Locate and delete the following file(s), if present:
  • C:\WINDOWS\Nail.exe
  • C:\WINDOWS\etb\pokapoka63.exe
  • C:\WINDOWS\dinst.exe
  • c:\windows\system32\yqhcflo.exe
  • C:\WINDOWS\System32\jrjupj.exe
  • C:\WINDOWS\system32\SSCVRT32.DLL
  • C:\WINDOWS\svcproc.exe


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Cleanup! & configure the program as follows:
  1. Click Options...
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • [X]Scan local drives for temporary files (Please uncheck this option)
    • Cleanup! All Users
  4. Click OK
  5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Ewido:
  1. Click Scanner
  2. Click Complete System Scan to begin scanning.
  3. Click OK when prompted to clean files
  4. With the first file it prompts to clean, select the option:
    1. "Perform action on all infections"
    2. Choose clean and click OK.
  5. Once finished, click the Save report button
  6. Save the report to your desktop
Close Ewido
* The Ewido scan will require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Close all other programs & double-click L2mfix.exe
  1. When prompted, answer Accept
  2. Then click the Install button to extract the files to a newly created folder named - L2mfix
  3. Open the L2mfix folder & double click L2mfix.bat
  4. Select option #2 for Run Fix by typing 2 and then press enter
  5. Press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Copy the contents of that log and paste it here, along with a new HJT log.

Please Do NOT run any other files in the l2mfix folder until you are told to


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO NORMAL MODE

Do an online scan at Panda

Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT AGAIN & Run FindIt's.bat and wait for notepad to open a text file. Please be patient as it requires some time to finish running. Then post the results in your next reply


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
  • FindIt
  • L2Me log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
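The checks POADB and sUBs apply by hand to the HJT log above (the extra program on the F2 Shell= line, the system32 executable launched with a trailing "r", the O20 Winlogon Notify DLL, the O23 service with an unknown owner) written as a small triage script. This is an added example, not part of the thread or of HijackThis; it runs over lines copied from Monkeyshine's log and reports candidates for review, not verdicts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Subset of the HijackThis log posted at the top of the thread, used here as
# constructed sample input.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [amqnqz] c:\windows\system32\yqhcflo.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\SSCVRT32.DLL
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section code (F2, O4, O20, O23)
    path: str     # file the entry points at
    reason: str   # why the entry deserves a look


F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<cmd>.+)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$", re.I)
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$", re.I)
# First token of a Run command: either a quoted path or a bare word.
CMD_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>\S+))\s*(?P<args>.*)$')


def split_command(cmd: str) -> tuple[str, str]:
    """Return (executable, arguments) for an O4 command line."""
    m = CMD_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return (m["q"] or m["u"]), m["args"].strip()


def triage(log_text: str) -> list[Finding]:
    """Apply the thread's manual checks to every line of an HJT log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := F2_RE.match(line):
            # A clean XP shell line is exactly "Explorer.exe"; anything
            # appended to it (here Nail.exe) is started alongside the shell.
            extra = [t for t in m["cmd"].split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding("F2", " ".join(extra),
                                        "extra program chained onto the Winlogon shell"))
        elif m := O4_RE.match(line):
            exe, args = split_command(m["cmd"])
            parts = exe.lower().split("\\")
            in_system32 = "system32" in parts
            under_windir = len(parts) >= 3 and parts[0].endswith(":") and parts[1] == "windows"
            if in_system32 and args.lower() == "r":
                reason = "system32 executable started with a bare 'r' argument"
            elif under_windir and not in_system32:
                reason = "executable under the Windows folder but outside system32"
            else:
                continue
            findings.append(Finding("O4", exe, reason))
        elif m := O20_RE.match(line):
            # Notify DLLs are loaded by winlogon.exe at logon, so every
            # entry is worth checking against the known XP defaults.
            findings.append(Finding("O20", m["path"],
                                    "Winlogon Notify DLL registered under " + m["name"]))
        elif m := O23_RE.match(line):
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding("O23", m["path"],
                                        "service with no recorded vendor: " + m["svc"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.path:<45} {f.reason}")
```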
Old 08-13-2005, 11:00 AM   #4 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 37
OS: WinXP


Hi,
I am having trouble getting my computer to restart in safe mode. It only gives me the option of which drive to boot from, but no safe mode options.
I have done everything else you recommended up to the first safe mode reboot. Please advise.
Thanks,
Monkeyshine
Old 08-13-2005, 11:24 AM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,453
OS: N/A


From your description, it appears that you managed to get into the wrong boot menu. You just described the motherboard's boot options.

POADB's instructions were meant for Windows boot options.
Try this.. wait a bit longer before starting to tap the [F8] key.
If that doesn't work, try these other keys ...[ctrl] or [F5]


Another thing.. I have conferred with POADB & we agreed that it would be more advisable to run L2MFix first. Please do that now & post the L2MFix log before proceeding with the other steps outlined for Safe Mode.

Thank you.
sUBs
Old 08-13-2005, 12:11 PM   #6 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 37
OS: WinXP


Ok, here is the log you requested:
Setting Directory
C:\Documents and Settings\Chris Monk
Setting Directory
C:\Documents and Settings\Chris Monk
System Rebooted!

Running From:
C:\Documents and Settings\Chris Monk

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1404 'explorer.exe'
Killing PID 1404 'explorer.exe'
Killing PID 1404 'explorer.exe'
Killing PID 1404 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Setting Directory
C:\Documents and Settings\Chris Monk
System Rebooted!

Running From:
C:\Documents and Settings\Chris Monk

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1408 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\aalui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aalui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dilay.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dilay.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gbedit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gbedit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\imxrtmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\imxrtmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mcw3prt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mcw3prt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mmcat32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mmcat32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\xisp1res.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\xisp1res.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\aalui.dll
Successfully Deleted: C:\WINDOWS\system32\aalui.dll
deleting: C:\WINDOWS\system32\aalui.dll
Successfully Deleted: C:\WINDOWS\system32\aalui.dll
deleting: C:\WINDOWS\system32\dilay.dll
Successfully Deleted: C:\WINDOWS\system32\dilay.dll
deleting: C:\WINDOWS\system32\dilay.dll
Successfully Deleted: C:\WINDOWS\system32\dilay.dll
deleting: C:\WINDOWS\system32\gbedit.dll
Successfully Deleted: C:\WINDOWS\system32\gbedit.dll
deleting: C:\WINDOWS\system32\gbedit.dll
Successfully Deleted: C:\WINDOWS\system32\gbedit.dll
deleting: C:\WINDOWS\system32\imxrtmgr.dll
Successfully Deleted: C:\WINDOWS\system32\imxrtmgr.dll
deleting: C:\WINDOWS\system32\imxrtmgr.dll
Successfully Deleted: C:\WINDOWS\system32\imxrtmgr.dll
deleting: C:\WINDOWS\system32\mcw3prt.dll
Successfully Deleted: C:\WINDOWS\system32\mcw3prt.dll
deleting: C:\WINDOWS\system32\mcw3prt.dll
Successfully Deleted: C:\WINDOWS\system32\mcw3prt.dll
deleting: C:\WINDOWS\system32\mmcat32.dll
Successfully Deleted: C:\WINDOWS\system32\mmcat32.dll
deleting: C:\WINDOWS\system32\mmcat32.dll
Successfully Deleted: C:\WINDOWS\system32\mmcat32.dll
deleting: C:\WINDOWS\system32\xisp1res.dll
Successfully Deleted: C:\WINDOWS\system32\xisp1res.dll
deleting: C:\WINDOWS\system32\xisp1res.dll
Successfully Deleted: C:\WINDOWS\system32\xisp1res.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: aalui.dll (164 bytes security) (deflated 48%)
adding: dilay.dll (164 bytes security) (deflated 48%)
adding: gbedit.dll (164 bytes security) (deflated 48%)
adding: imxrtmgr.dll (164 bytes security) (deflated 48%)
adding: mcw3prt.dll (164 bytes security) (deflated 48%)
adding: mmcat32.dll (164 bytes security) (deflated 48%)
adding: xisp1res.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 2%)
adding: lo2.txt (164 bytes security) (deflated 86%)
adding: test.txt (164 bytes security) (deflated 84%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 81%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: aalui.dll
deleting local copy: aalui.dll
deleting local copy: dilay.dll
deleting local copy: dilay.dll
deleting local copy: gbedit.dll
deleting local copy: gbedit.dll
deleting local copy: imxrtmgr.dll
deleting local copy: imxrtmgr.dll
deleting local copy: mcw3prt.dll
deleting local copy: mcw3prt.dll
deleting local copy: mmcat32.dll
deleting local copy: mmcat32.dll
deleting local copy: xisp1res.dll
deleting local copy: xisp1res.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aalui.dll
C:\WINDOWS\system32\aalui.dll
C:\WINDOWS\system32\dilay.dll
C:\WINDOWS\system32\dilay.dll
C:\WINDOWS\system32\gbedit.dll
C:\WINDOWS\system32\gbedit.dll
C:\WINDOWS\system32\imxrtmgr.dll
C:\WINDOWS\system32\imxrtmgr.dll
C:\WINDOWS\system32\mcw3prt.dll
C:\WINDOWS\system32\mcw3prt.dll
C:\WINDOWS\system32\mmcat32.dll
C:\WINDOWS\system32\mmcat32.dll
C:\WINDOWS\system32\xisp1res.dll
C:\WINDOWS\system32\xisp1res.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Thanks again,
Monkeyshine
Old 08-13-2005, 12:16 PM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,453
OS: N/A


Further instructions...

From the L2MFix folder, double-click L2mfix.bat
Select option #4 - Merge Winlogon Notify Defaults - by typing 4
Type E to exit the program.


Note: You can do this at any part of the fix. Preferably, the sooner, the better.

Please proceed with the rest of POADB's instructions. You may leave out the part about L2MFix.
Last edited by sUBs; 08-13-2005 at 12:17 PM.
Old 08-13-2005, 12:21 PM   #8 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 37
OS: WinXP


Hi sUBs,
I did that, and it brought up this text file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



OK So Far??
Monkeyshine is offline  
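The registry export above is a dump of the Winlogon\Notify subkeys, which is where the Look2Me family that L2MFix targets registers its own DLL so that winlogon.exe loads it at every logon. As an added example, not code from this thread or from L2MFix, here is a small parser for that .reg format: it decodes the hex(2) (REG_EXPAND_SZ, UTF-16LE) DllName values, handles the backslash line continuations, and lists any Notify subkey whose DLL is not on a short allow-list of Windows XP defaults. The allow-list, the sample export and the EXAMPLE subkey are constructed for illustration.

```python
# Decode a Winlogon\Notify .reg export and flag DLLs that are not XP defaults.
# Added example (not from the thread or L2MFix). The allow-list below is an
# assumption: extend it for the build being examined.
import re

# Constructed sample modelled on the export posted above. The "EXAMPLE"
# subkey and its DLL are placeholders, not indicators taken from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Logon"="SensLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\EXAMPLE]
"DllName"="C:\\WINDOWS\\system32\\EXAMPLE-placeholder.dll"
"Logon"="WinLogon"
'''

NOTIFY_PREFIX = (r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT'
                 r'\CurrentVersion\Winlogon\Notify' + '\\')
# Notify DLLs shipped with Windows XP (assumed allow-list).
KNOWN_NOTIFY_DLLS = {'wlnotify.dll', 'sclgntfy.dll', 'crypt32.dll', 'cscdll.dll'}

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode_hex2(data):
    """hex(2) is REG_EXPAND_SZ stored as comma-separated UTF-16LE bytes."""
    raw = bytes(int(b, 16) for b in data.split(',') if b.strip())
    return raw.decode('utf-16-le').rstrip('\x00')


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a regedit 5.00 export.

    Joins '\\'-continued lines, decodes hex(2) and dword values and
    unescapes quoted strings; other value kinds are kept as raw text.
    """
    entries, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries[current] = {}
            continue
        val = VALUE_RE.match(line)
        if not val or current is None:
            continue
        name, payload = val.group(1), val.group(2)
        while payload.endswith('\\') and i < len(lines):   # continuation line
            payload = payload[:-1] + lines[i].strip()
            i += 1
        if payload.startswith('hex(2):'):
            value = _decode_hex2(payload[len('hex(2):'):])
        elif payload.startswith('dword:'):
            value = int(payload[len('dword:'):], 16)
        elif payload.startswith('"') and payload.endswith('"'):
            value = payload[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            value = payload
        entries[current][name] = value
    return entries


def suspicious_notify_entries(text):
    """Return [(subkey, dll)] for Notify subkeys whose DLL is not allow-listed."""
    flagged = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        dll = next((v for n, v in values.items() if n.lower() == 'dllname'), None)
        if dll is None:
            continue
        basename = dll.replace('/', '\\').rsplit('\\', 1)[-1].lower()
        if basename not in KNOWN_NOTIFY_DLLS:
            flagged.append((key[len(NOTIFY_PREFIX):], dll))
    return flagged


if __name__ == '__main__':
    for subkey, dll in suspicious_notify_entries(SAMPLE_REG):
        print('unknown Notify DLL: %s -> %s' % (subkey, dll))
```

Run against a real export (regedit, export the Notify key), the output is the list of subkeys worth looking up before merging a "defaults" fix; a clean XP SP1 machine should produce none. Note that the parser matches the value name case-insensitively because the export mixes "DllName" and "DLLName".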
Old 08-13-2005, 12:36 PM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,453
OS: N/A


Nope..not okay

Go to the L2Mfix directory. Within there, locate a sub-folder called 'regfixes'.
Locate & right click on the file called "winlogon defaults".
Select merge & answer YES when prompted to merge into the registry.

Let me know how it went.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-13-2005, 12:44 PM   #10 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 37
OS: WinXP


That appeared to go OK, but I did not see a log file on that.
jrjupj keeps popping up prompt windows in some unrecognizable text now.
Please Advise.
Monkeyshine
Monkeyshine is offline  
Old 08-13-2005, 12:51 PM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,453
OS: N/A


Launch Process Explorer.
Locate & double click on the entry - C:\WINDOWS\System32\jrjupj.exe
Select Strings
Then select the option - Memory
Click Save & save the file to Desktop
Post the contents of that file here.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-13-2005, 01:02 PM   #12 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 37
OS: WinXP


Ok Subs, here is the log. The exe file had changed names by the time I got back to it, but I believe this is what you need. Thanks, Monkeyshine
!This program cannot be run in DOS mode.
'Rich
.text
.data
.rsrc
UPX!
t:VVVV
PVVh
u!Wj
SVW3
YYt
YYt
YPV
YYt9
SWP
QWSP
PPPP
QQSV
Ph|_B
QQV3
SVW
QVj
PSVW
TaB
trf
WWPW
SVW
SSVh
Lj S
WhD
daB
QVWj
RQP
RPV
QVj
uRh
Vht
Vhp
Vhd
VhH
YYtxVh
YYt`Vh
YYtOVh
YYt>Vh
YYt&Vh
YYt
YYt
LaB
LaB
QVj
RPV
WSV
XPh
RPV
tEj
v?WS
WSj
SVW3
u7Wj
QSPW
SVW3
YYt
QQ;G
EotA
YY#E
F8tPPWj
;NDw
;NDw
daB
SVWQ3
Bh|gB
htgB
tgB
h|gB
htgB
Yu&S
tgB
htgB
tgB
h|gB
QQSV
tgB
s,hpgB
SVWQ
hpgB
TaB
tgB
VWu
VWh
h|gB
htgB
tgB
pgB
tgB
xgB
5tgB
SSj
SSh
QSV
hpgB
YYu
TaB
5tgB
YYt~
tgB
tgB
YYt1+E
5tgB
YYt7+
tgB
tgB
VWh
LaB
QQSQ3
YYt
tIVWh
@PVj
ttVWj@Y
SVW3
tvSSj
SSh
t>SS
SVP
SVW
PPPPj
YPV
SVW
QSV
F$SP
WSSSSSSSSj
tbj
uPS
PUUh
UUU
Wjz
SVh
WWWW
t.WWh
WWh
WWh
WWh
QVW3
Yt Q
YYV
YYjI
YYjI
YvZ
VWjIY3
YYu
SWj
QSW
QVW
SVW
DSVW
PVP
SVW
QVW
SVW
SSh
SSP
SSj
RPj
QSP
QSV
uJ8E
QPV
xSVW3
uajD^V
PSSSSSS
SVW
YYu
YYP
QQSV
SSS
f=PEu
SUV
PUUj UUU
SWj
MXQ
QSSj$SSSPS
t,SSh
SSh
SSh
hep@
E|Pj@
YYt
PPj PPP
SSSS
Pj@WV
Vjz
VVVV
hVv@
Pj@WV
QQSV
QVW
QSW3
tKV
v!UV
SVW2
QSV
QSV
tOV
Ht*HHt
Hu*W
YYt
YYu
YYt
QVQ
QVQ
RhX
PPPQ
SSQ
@uef
MZu]8]
tTS
@u=SS
,SVW
QWP
SVW
VSSSSSSQP
SSj
SSj
WSj0QRP
RSh
RSh
QQV
XSV
Wt&hd
PSVh
\SVW
YYu
YYu
YYu
YYu
YYu
VVVj
_Xt*j
QSVW
OT9H
GTu
GLS
HtSH
G<CH;
vdW
YtL
SVW
tPQ
SVW3
9>tPQ
SVW
YYu
YYu
YYu
YYu
YYu
QSW
F;w(r
QQS3
vxV
YYt
SUV
FL;FPu
YYuRh(
YYu"j4
tjj
YYu
YYuVjX
SVW
YYu
YYu
YYu
YYu
YYu
YYu
LaB
AJu
TaB
TaB
YYuuSW
Phx
YYta
SPj
QSV
QSV
SVW
u9jAY3
t_WjAY3
PSh
TaB
SVW
QSVW
QSV
SVW
tmht
YYu
Phh
YYu
YYu
YYu
YYu
SVj
tvj
uRj(
t'PQ
tOQ
tyj
uTj(
t'PQ
SVW3
YYP
Rjd
CGYG;
YYt
QVW
PSVW
VSP
VSP
uv8E
QVW
SVW
WSP
WSP
SSSS
PPS
QSh
SSj
tfS
WWWW
SVW
VSW
Jj@h
VSW
QVh
SSW
uPW
SSh
SVW
SVj
PaB
YYt
v`hU
VTW
SVWj
EdP3
PSS
VSSS
E`Pj@WV
Wj?Y3
tUV
SVW3
LaB
vTh
TaB
sTh
b.#1Ph
etP
QQV3
tKVVh@
SSSj
t>Sj
SVW
DaB
YYuS
YYt
YYt2
SSh
w3VWj
SVW
SSSV
YSjh
`SVW
YYu
SSSj
SSSj
jdP
upj
PSSj
PWj
YYu
Ht(Hu%
Ht3Ht
SUW
9JFFAAf;
YWVP
RPV
LSVW
^0SSSS
PSSh
<SVW
SPje
jeW
t*VW
Sjl
Pjn
Sjh
lSVW3
Wjh
mu/h8
pt/HHt$Ht
SVW
SVW
tJQ
YYt
QQSV
SVW
TaB
tuj
PVVW
zu49u
YYP
t0WQ
SVW3
YtY
WWWWP
t'hl
jjjj
jjjjj
@bfmnprs
Reason:
Line:
, Col=
Line=
GetModuleHandle
Using:
recoveryIntervalRescue
recoveryIntervalNormal
pollIntervalRescue
pollIntervalNormal
startupPause
component
name
winFile
sysFile
value
key
hive
reg
missing
exists
rescuer
file
url
restoreIf
(null)
Win32 code =
Error parsing
Error
"] /@value
message[@code="
TaB
8SVW
SVW3
9x(uoh
PhX
TaB
YYP
ucj
tDh
SVW3
YYtEjL
uJj4
QQSV
QQSV
SVW
tSSW
QQV
HSVW
SSSj
YSP
PSh
SUVW3
n$9n<_t
QQVW
dSV
SSSj
F@9^@tK
SSSj
t>9N@u
SUW
PUWj
SSSj
FDt
QRPh
daB
QRPh
QRPh$-B
DaB
QRPhD-B
QRPhd-B
QRPh
QRPh
Yh$bB
QQV
TaB
QRPh
LaB
PaB
SVW
SVj
~VWS
SVW
FVWj
WSVPj
VRP
LSVWj
SVW
VC20XC00U
SVWU
tYVU
t?xH
VWj
QQSVWd
SVW
PPP
PtYY
SVW
SVWUj
SVW
t.;t$$t(
YYu
YYu
BBFFf
YtE+u
SVW
QQS
SVW
SVW
jdY
YYu
FFP
PSB
TSB
pzA
XSB
dSB
8MZu
IQS
IQS
ANu
wLVWP
VWS
tXV
FVWS
AABB
t0GF
YYt
urj
uiSj
NCu
YVW
DPB
XPB
u,hX
F95PdB
5LdB
HdB
hdPB
YhpPB
hPB
5PdB
XdB
uwj
XdB
XdB
XdB
XdB
8csm
YYu"
8csm
8csm
>csm
tJj
QQV
sVS;7|B;w
;csm
YYu
>csm
;csm
uij
8csm
HRB
HRB
5HRB
uIh
YYt-V
5HRB
VWh
HRB
YYt+V
5HRB
WSV
VPV
VPV
XRB
hRB
PRB
u8SS3
FVh,
E SS
SSV
t!SS9]
VSW
Wtd
WPS
HHt
HHt`HHt\
LSB
ZtX
HSB
PSB
TSB
EIf
HSB
RPWS
WVj0
CYC
VqA
ppA
ypA
rnf=p
r^f=Z
rNf=
r0f=J
DZB
DZB
DZB
DZB
Wj0S
PSW
hSB
hSB
lSB
lSB
lSB
QSVW
xTB
=xTB
VWu
t7VP
QQSVW3
SUVW
tyf9
SSS+
@PVSS
t#SSUP
t$$VSS
UVW
UVW
YYt.
YYt
PSF
F,98uX
YYV
uNV
HVB
LVB
YYj
u:Vj
GWh,
WWS
6PWS
t WW
VSW
WWWWVSW
tCVj
t2WWVPVSW
tXS
tZj
tXS
=HdB
PWh,
VVVV
SVP
VVS
WSV
VWj Y
SVW
YYu
SVWj ^
hLZB
hdZB
PPPP
PPPP
@PWV
SVW
VWumh
WVS
PPPPPPPP
WVS
PPPPPPPP
HHtjHHtF
xTB
5xTB
VWsX
uAj
tVPV
DZB
+t"HHt
DZB
DZB
DZB
HHu&
NYu
tmS
KYu
t@VW
WVS
YYt
tHS
paB
QRPh
%paB
laB
%laB
taB
%taB
QhW
hgB
hgB
dgB
hgB
dgB
hgB
AABBf
tCf;
GGf
SSj
tPf
lgB
u5SSWh,
=lgB
lgB
lgB
Y9E t
E SSSS
VWj
tgB
xgB
h4bB
tgB
xgB
wbs
wfK
wMV
whZ
wBu
wYS
Delete
NoRemove
ForceRemove
Val
SOFTWARE\Classes
zepmon
Poller
Popped:
Poll Interval:
Recovery Interval:
Software\DrDebug\Poller
|%d,%d,%d,%d,%d|
DBPoller|
Poller Timings
p (Poller watcher).
r (registry).
s (service).
(PARAMETER UNKNOWN).
n (Nail).
no parameter (assuming install).
b (AutoChk).
f (file system driver).
m (print monitor).
Debug Key Defined, using Debug Timings (in Seconds):
Startup Pause: %d
Normal Poll Interval: %d
Rescue Poll Interval: %d
Normal Recovery Interval: %d
Rescue Recovery Interval: %d
Start-up Parameter:
PPoller|
Software\DrDebug\PollerTiming
MbP?
SvcProc
aurora
DrPMon
rescuer
endpoint
USER32.dll
WINSPOOL.DRV
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
WININET.dll
<5IkQ
<5IkQ
<5IkQ
fKg
QZN
invalid string position
string too long
bad allocation
Oyz
SHLWAPI.dll
csm
Unknown exception
CorExitProcess
mscoree.dll
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
kernel32.dll
EEE
ppxxxx
(null)
GAIsProcessorFeaturePresent
KERNEL32
runtime error
TLOSS error
SING error
DOMAIN error
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Program:
A buffer overrun has been detected which has corrupted the program's
internal state. The program cannot safely continue execution and must
now be terminated.
Buffer overrun detected!
A security error of unknown cause has been detected which has
corrupted the program's internal state. The program cannot safely
continue execution and must now be terminated.
Unknown security failure detected!
InitializeCriticalSectionAndSpinCount
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Sat
Fri
Thu
Wed
Tue
Mon
Sun
1#QNAN
1#INF
1#IND
1#SNAN
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
VERSION.dll
callinghome.biz
%d.%d.%d.%d
FUnknown error 0x%0lX
IDispatch error #%d
ror creating XML document
PollerMessages.xml
GetWindowsDirectory
GetSystemDirectory
DynData
HKDD
HKEY_DYN_DATA
PerformanceData
HKPD
HKEY_PERFORMANCE_DATA
CurrentConfig
HKCC
HKEY_CURRENT_CONFIG
Users
HKU
HKEY_USERS
LocalMachine
HKLM
HKEY_LOCAL_MACHINE
CurrentUser
HKCU
HKEY_CURRENT_USER
ClassesRoot
HKCR
HKEY_CLASSES_ROOT
@NdisMediaConnectStatus
WAN
InstanceName
XML
XML
Test
\StringFileInfo\%04X%04X\%s
\VarFileInfo\Translation
OLESelfRegister
SpecialBuild
ProductVersion
ProductName
PrivateBuild
OriginalFilename
LegalTrademarks
LegalCopyright
InternalName
FileVersion
FileDescription
CompanyName
Comments
.exe
Software\Microsoft\Windows\CurrentVersion\Run
invalid map/set<T> iterator
map/set<T> too long
winlogon.exe
explorer.exe
*.exe
packager.exe
operationsRoot
WQL
SELECT * FROM MSNdis_MediaConnectStatus
ROOT\WMI
User-Agent: MultiPoint|0.0.0.1
retries
StopAtTryAll
StopAtAnyFailure
stopAt
TraversalLeastUsedFirst
TraversalBestFirst
traversal
StartAtLastGood
startAt
name
operation
No Thread alive.
Thread not yet created, call the start() method.
An object implementing the IRunnable interface required.
Thread already started.
CleanUpOnFailure
CleanUpOnSuccess
cleanUp
ReprocessOnFailure
reprocess
retryMultiplier
retryWait
pretryWait
actionGroup
TypeGet
TypePost
local
TypeExecute
host
type
action
\System32
windir
SYSTEM32
WINDOWS
DeleteOnFailure
DeleteOnSuccess
DeleteByGroup
DeleteNever
DeleteAlways
delete
timeOut
hostFile
hostPath
sourceFile
sourcePath
%s%s.html
%d%d%dZ6%de%d%d7%d%d
http://
destinationFile
destinationPath
False
encryptURL
CommByWIOnly
CommByTnOnly
CommByWITn
CommByTnWI
commBy
Data
Content-Type: application/x-www-form-urlencoded
HTTP/1.0
GET
POST
iexplorer.exe
StrToIntA
shlwapi.dll
InternetReadFile
InternetQueryDataAvailable
HttpQueryInfoA
InternetCloseHandle
InternetOpenUrlA
InternetOpenA
wininet.dll
CreateRemoteThread Failed
MessageBoxA
wsprintfA
EnumMonitorsA
RegDeleteKeyA
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegSetValueExA
CloseServiceHandle
QueryServiceConfigA
OpenServiceA
OpenSCManagerA
RegQueryValueExA
CryptReleaseContext
CryptAcquireContextA
CryptGetProvParam
CryptDestroyKey
CryptImportKey
CryptGenKey
CryptExportKey
CryptGetKeyParam
CryptDecrypt
CommandLineToArgvW
CoUninitialize
CoInitializeSecurity
CoInitializeEx
OleRun
CoCreateInstance
InternetGetConnectedState
InternetCrackUrlA
InternetCheckConnectionA
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
InternetReadFile
InternetCloseHandle
PathFileExistsA
PathAddBackslashA
PathFindFileNameA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
CharNextA
RegDeleteValueA
FreeSid
InitializeSecurityDescriptor
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
AddAccessDeniedAce
AddAccessAllowedAce
SetSecurityDescriptorDacl
RegNotifyChangeKeyValue
SHGetFileInfoA
CoSetProxyBlanket
IWA
.?AVbad_alloc@std@@
.?AVtype_info@@
HcB
xcB
VWA
pzA
PST
PDT
HMXB
S;uD
z?aUY
zc%C1
NKeb
.?AVCAtlException@ATL@@
.?AVCPollerException@@
.?AV_com_error@@
.?AVout_of_range@std@@
.?AVexception@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVCThreadException@@
c:\windows\system32\dnavha.exe
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
GlobalFindAtomA
InterlockedExchange
GetACP
GetLocaleInfoA
GetThreadLocale
GetVersionExA
MultiByteToWideChar
WideCharToMultiByte
RaiseException
GetLastError
InitializeCriticalSection
DeleteCriticalSection
SizeofResource
LockResource
LoadResource
FindResourceA
FindResourceExA
lstrcmpiA
lstrlenA
GetEnvironmentVariableA
GlobalGetAtomNameA
lstrcatA
GetWindowsDirectoryA
CloseHandle
DuplicateHandle
GetCurrentProcess
OpenProcess
GetExitCodeThread
ReleaseMutex
SetEvent
SetThreadPriority
GetCurrentThread
SetPriorityClass
InterlockedDecrement
GlobalFree
GetCommandLineW
Sleep
WaitForSingleObject
WaitForMultipleObjects
SetProcessWorkingSetSize
SetConsoleCtrlHandler
SetProcessShutdownParameters
OpenEventA
InterlockedIncrement
GetVolumeInformationA
GetModuleHandleA
TerminateProcess
GetExitCodeProcess
DeleteFileA
GetShortPathNameA
LocalFree
FormatMessageA
CreateThread
EnterCriticalSection
LeaveCriticalSection
LocalAlloc
GetSystemDirectoryA
IsBadReadPtr
IsBadWritePtr
GetModuleFileNameA
lstrcpynA
CopyFileA
SystemTimeToFileTime
GetSystemTimeAsFileTime
CompareFileTime
GetTickCount
CreateFileA
SetFileTime
GetFileTime
HeapFree
GetProcessHeap
HeapAlloc
CreateEventA
CreateMutexA
GetThreadContext
SetThreadContext
CreateRemoteThread
CreateProcessA
ExitThread
FlushInstructionCache
VirtualProtectEx
SetThreadPriorityBoost
OpenThread
WriteProcessMemory
ResumeThread
Process32First
Process32Next
Thread32First
Thread32Next
CreateToolhelp32Snapshot
FindFirstFileA
FindClose
FindNextFileA
ExitProcess
TerminateThread
ReadFile
SetFilePointer
GetFileSize
ResetEvent
GetTempPathA
GetTempFileNameA
CreateDirectoryA
RemoveDirectoryA
GetLocalTime
WriteFile
VirtualAllocEx
VirtualFreeEx
ReadProcessMemory
LoadLibraryA
FreeLibrary
GetProcAddress
HeapReAlloc
HeapDestroy
HeapSize
VirtualProtect
VirtualAlloc
GetSystemInfo
VirtualQuery
RtlUnwind
GetStartupInfoA
GetCommandLineA
HeapCreate
VirtualFree
SetUnhandledExceptionFilter
TlsAlloc
SetLastError
GetCurrentThreadId
TlsFree
TlsSetValue
TlsGetValue
GetOEMCP
GetCPInfo
LCMapStringA
LCMapStringW
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetCurrentProcessId
IsBadCodePtr
GetStringTypeA
GetStringTypeW
SetStdHandle
FlushFileBuffers
.text
`.rdata
@.data
.rsrc
TMs
h|1/nG
EnumM
Kfig=J
f_:a@s
Imj
ExmW"
VWh
JToArgvW
dT{S
Al[k!
ccGixV
Redj
rhe1,
dAdd
1H-ej
kMb
zSa
NbC
nkR
DaG
NoYfy
/vjn
guSJx
yBl,k
e(L/kCf#
lQv/
2EOn
yDz
!ZFG
dACP3
/tplhdi
i`\XTP
LHD<0i
?PST
HMXB
S;uD
z?aUY
zc%C1
NKeb
CAtlE
@ATL
Bgout_of_rCv
,8BLV`
Glob
ndAtomA
ByQToWidemX3
Raise
ympion
6catm
ytK
CoW
Ex Sv>
uWD
aEFJAEk
hmf
IsB
nWDe
F8BC
1sh%u
Cab
Boo5
lgM
Vvl
tlUnw}'&
,QTe,
OEM
LCM
_?swr
vyp
7kKx
Hmw
blP@
s+Tx
.xrc
GIu
uKe
TCA&
FkM
mZ1Ap
EQy
6ixEl>
cng
UQC^
rbu
Cnrr
zW"u
FVs#
iah
kEN
dXS
*OXbb
>Tgir
Wed@
sRB
Z~Gm:6
uY[z
a'4tU*
uhd
YXc
3AsCm
yPam_f
hEnQ
'Ddx
h]IQm
Vxy
vGe
e_PTa
XVR
xdx
0lQvr
ECx
L3cz
Cjg-f
[Ivl
IoC`J
mOu
sA-p
xQG
qckK!n
eia
[9ZTh
HQh(
yRLL/r
?fJz
mdf4
=Cw6j
.2Xnn
rmr
fYwX
zSa
MdL
iAB#
Q$Gt
6bafs
xMK
EvE
}DLEp
Sod
IAdC
wJw
edF
HxHqH
dthr
mq(lX
XfIu
KERNEL32.DLL
LoadLibraryA
GetProcAddress
ExitProcess
XML
VS_VERSION_INFO
StringFileInfo
FileVersion
ProductVersion
VarFileInfo
Translation
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
W_QYP
OOOO
kernel32
Sleep
RPP
XXfa
RPS
Zfa
Monkeyshine is offline  
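The dump above is what the helper asked for in the previous post: Process Explorer's Strings view with the Memory option, rather than the Image option, because the executable is UPX-packed ("UPX!" near the top) and strings read from the file on disk would be mostly noise. Reading a few thousand lines of that by eye is slow, so here is an added example, not code from this thread or from Process Explorer, that buckets such a dump into the categories an analyst checks first (packer markers, autostart registry paths, network and injection APIs, process names, domains, embedded file paths) and turns the buckets into short triage notes. The category patterns are my own heuristics, and the sample input is a constructed excerpt of the lines found in the dump above.

```python
# Triage of a Process Explorer "Strings" (Memory) dump. Added example, not
# code from the thread; the category patterns are assumed heuristics, not
# detection signatures.
import re

# Constructed excerpt of the kind of lines seen in the dump posted above.
SAMPLE_STRINGS = [
    "!This program cannot be run in DOS mode.",
    "UPX!",
    "SVW",                      # noise: short opcode fragments, skipped
    "YYt",
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    "callinghome.biz",
    "User-Agent: MultiPoint|0.0.0.1",
    "HttpSendRequestA",
    "InternetOpenUrlA",
    "CreateRemoteThread",
    "WriteProcessMemory",
    "VirtualAllocEx",
    "winlogon.exe",
    "explorer.exe",
    r"c:\windows\system32\dnavha.exe",
    "GetProcAddress",
    "LoadLibraryA",
    "Runtime Error!",
]

# Ordered: the first matching category wins, so process names are tested
# before the generic domain pattern (otherwise "winlogon.exe" looks like one).
CATEGORIES = [
    ('packer', re.compile(r'^UPX[!0-9]')),
    ('persistence_key', re.compile(r'CurrentVersion\\Run|Winlogon\\Notify', re.I)),
    ('network_api', re.compile(r'^(Internet|Http|WinHttp)\w+$|^User-Agent:', re.I)),
    ('injection_api', re.compile(
        r'^(CreateRemoteThread|WriteProcessMemory|VirtualAllocEx|SetThreadContext)$')),
    ('dynamic_import', re.compile(r'^(LoadLibraryA|GetProcAddress)$')),
    ('process_name', re.compile(r'^[a-z0-9_]+\.exe$', re.I)),
    ('domain', re.compile(r'^(?:[a-z0-9-]+\.)+[a-z]{2,}$', re.I)),
    ('file_path', re.compile(r'^[a-z]:\\', re.I)),
]

MIN_LEN = 4   # anything shorter is almost always code bytes, not text


def triage(strings):
    """Return {category: [matching strings]} preserving dump order."""
    hits = {}
    for s in strings:
        s = s.strip()
        if len(s) < MIN_LEN:
            continue
        for name, pattern in CATEGORIES:
            if pattern.search(s):
                hits.setdefault(name, []).append(s)
                break
    return hits


def risk_summary(hits):
    """Turn the buckets into the observations an analyst would write up."""
    notes = []
    if 'packer' in hits:
        notes.append('packed executable: rely on memory strings, not the file on disk')
    if 'persistence_key' in hits:
        notes.append('references an autostart key: re-check it after removal: '
                     + ', '.join(hits['persistence_key']))
    if 'injection_api' in hits:
        hosts = ', '.join(hits.get('process_name', [])) or 'unknown process'
        notes.append('process-injection APIs present; candidate host processes: ' + hosts)
    if 'domain' in hits or 'network_api' in hits:
        notes.append('network-capable; domains to block or monitor: '
                     + (', '.join(hits.get('domain', [])) or 'none seen'))
    if 'file_path' in hits:
        notes.append('embedded paths to look for on disk: ' + ', '.join(hits['file_path']))
    return notes


if __name__ == '__main__':
    for note in risk_summary(triage(SAMPLE_STRINGS)):
        print('-', note)
```

To use it on the real thing, save the Strings view to a file as the helper described and pass `open(path, errors='replace').read().splitlines()` to `triage()`. The buckets are leads, not verdicts: an installer legitimately references the Run key and WinINet, so the combination (packer plus injection APIs plus a named host process plus a call-home domain) is what matters, not any single hit.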
Old 08-13-2005, 01:07 PM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,453
OS: N/A


Just noticed an anomaly with your L2MFix log. It mentioned that it couldn't find a Windows file called rundll32.exe.

Please navigate to the directory - c:\windows\system32 .
Try locating rundll32.exe within there.
Let me know if it's present.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-13-2005, 01:10 PM   #14 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 37
OS: WinXP


Yes it is in there.
Monkeyshine is offline  
Old 08-13-2005, 01:13 PM   #15 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,453
OS: N/A


Okay..Let's try booting into Safe Mode again to complete the rest of POADB's instructions.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-13-2005, 01:36 PM   #16 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 37
OS: WinXP


OK, now I am having trouble getting into the management console to locate the system startup service. The last two steps seemed to go OK with the nailfix and lqfix files, but I can't get into the management console for some reason.
Monkeyshine
Monkeyshine is offline  
Old 08-13-2005, 01:42 PM   #17 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,453
OS: N/A


Glad to hear that you managed to enter Safe Mode. Good work.

You may skip the part about the management console & proceed with the fix. Skip any part that you aren't able to complete & just keep doing it till the whole fix is complete. Let me know of any parts skipped when you complete.

Remember to close all windows when you're running Ewido.

I'll see you on the other side. Good luck.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-13-2005, 04:46 PM   #18 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 37
OS: WinXP


Hi,
I just completed all the scans and fixes you recommended. Here are the logs:



**Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 5:29:24 PM, on 8/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=msgr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=msgr
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe





**Ewido Log:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:09:54 PM, 8/13/2005
+ Report-Checksum: 772B922

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Chris Monk\backup.zip/aalui.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris Monk\backup.zip/dilay.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris Monk\backup.zip/gbedit.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris Monk\backup.zip/imxrtmgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris Monk\backup.zip/mcw3prt.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris Monk\backup.zip/mmcat32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris Monk\backup.zip/xisp1res.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris Monk\backup.zip/guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\Hijack This\backups\backup-20050713-211223-167.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\Hijack This\backups\backup-20050713-211223-168.dll -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\Hijack This\backups\backup-20050804-174749-104.dll -> Spyware.PurityScan : Cleaned with backup
C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\Hijack This\backups\backup-20050804-174749-688.dll -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1.tmp -> Spyware.Cookie.7search : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2F.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq30.tmp -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp -> TrojanDownloader.IstBar.ku : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq48.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4A.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5A.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq67.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq98.tmp -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ActiveX.ocx -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\ocesofy.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\ru.exe -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\chaec6.exe -> Spyware.Apropos : Cleaned with backup
C:\WINDOWS\system32\conres.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\nst19.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\qbpenlc.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\thlrtqkc.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\vlgkgzqakoz.exe -> Adware.BetterInternet : Cleaned with backup


::Report End





**Panda Log:

Incident Status Location

Adware:adware/clkoptimizer No disinfected C:\WINDOWS\SYSTEM32\datadx.dll
Adware:adware/topspyware No disinfected C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/apropos No disinfected C:\PROGRAM FILES\Aprps
Adware:adware/consumeralertsystemNo disinfected C:\PROGRAM FILES\CasStub
Adware:adware/elitebar No disinfected C:\DOCUMENTS AND SETTINGS\CHRIS MONK\FAVORITES\Casino & Carrers
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/aurora No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\Cache\35897D89d01[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\Cache\833CF8F7d01[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\L2mfix\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\L2mfix\l2mfix.exe[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\Nailfix\Nailfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\Nailfix\Nailfix.zip[Process.exe]
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Cas\Client\Uninstall.exe
Possible Virus. No disinfected C:\Program Files\Rhapsody\xviews.dll
Adware:Adware/Look2Me No disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\pss\knkc.exeCommon Startup
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\apayk.dat
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\system32\datadx.dll





**L2mFix Log:

L2Mfix 1.03a

Running From:
C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\L2mfix\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\L2mfix\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\L2mfix\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1548 'explorer.exe'
Killing PID 1548 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (164 bytes security) (deflated 2%)
adding: echo.reg (164 bytes security) (deflated 14%)
adding: direct.txt (164 bytes security) (deflated 4%)
adding: lo2.txt (164 bytes security) (deflated 74%)
adding: noti.txt (164 bytes security) (deflated 87%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: test.txt (164 bytes security) (stored 0%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: backregs/D9FE8167-DDAA-431E-8666-04C8FC75309E.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************







**Find It's Log:


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 08/13/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 24C4-CADB

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 24C4-CADB

Directory of C:\WINDOWS\system32

08/13/2005 05:35 PM 1,406 AddQuit.ico
08/13/2005 05:35 PM 9,470 Desktop.ico
08/13/2005 05:35 PM 1,406 Help.ico
08/13/2005 05:35 PM 5,350 IE.ico
08/13/2005 05:35 PM 1,718 Open.ico
08/13/2005 05:35 PM 1,718 Quick.ico
10/22/2001 09:10 AM 4,398 SBLive.ico
08/13/2005 05:35 PM 2,550 Uninstall.ico
8 File(s) 28,016 bytes
0 Dir(s) 40,216,006,656 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

HKEY_CURRENT_USER\Software\aurora\AUI3d5OfSInst
HKEY_CURRENT_USER\Software\aurora\AUC3n5trMsgSDisp
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky1S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky2S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky3S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky4S
HKEY_CURRENT_USER\Software\aurora\AUC1o3d5eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUT3i5m7eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUD3s5tSSEnd
HKEY_CURRENT_USER\Software\aurora\AU3N5a7tionSCode
HKEY_CURRENT_USER\Software\aurora\AUP3D5om
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSCheckSIn
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSMots
HKEY_CURRENT_USER\Software\aurora\AUM3o5deSSync
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSCab
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSEx
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSLstest
HKEY_CURRENT_USER\Software\aurora\AUB3D5om
HKEY_CURRENT_USER\Software\aurora\AUE3v5nt
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSBath
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSysSInf
HKEY_CURRENT_USER\Software\aurora\AUL3n5Title
HKEY_CURRENT_USER\Software\aurora\AUC3u5rrentSMode
HKEY_CURRENT_USER\Software\aurora\AUC3n5tFyl
HKEY_CURRENT_USER\Software\aurora\AUI3g5noreS
HKEY_CURRENT_USER\Software\aurora\AUL3a5stSSChckin
HKEY_CURRENT_USER\Software\aurora\AUS3t5atusOfSInst


**Personal Notes From Monkeyshine*

*I could not access the system startup service management console to try to find SvcProc
*I could not find SvcProc with the Hijack This "delete an NT Service" function
*I could find no Cas or Casino client in Add/Remove Programs
*I could not find the following files while deleting from the list you had made:
pokapoka63.exe, yqhcflo.exe, svcproc.exe , Nail.exe
*I could not delete the file jrjupj.exe, access was denied

The computer seems to be behaving OK for now, but I can see I still have a lot of cleaning yet to do. Please let me know what to try next.
Thanks again for all of your help,
Monkeyshine
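The L2MFix log above ends with an export of the Winlogon\Notify key and asks the reader to "verify that the listing looks ok"; that key is where Look2Me registers its DLLs, which is why the tool dumps it. The script below is an added example, not code from the thread, from L2MFix or from any other tool named here. It parses a regedit 5.00 export of that key, rejoins the backslash line continuations regedit emits for long values, decodes DllName whether it is stored as a plain string or as hex(2) (REG_EXPAND_SZ, UTF-16LE), and flags every subkey whose DLL is not in a baseline. The baseline set contains only the DLL names that appear in the export posted above and is an assumption, not an authoritative list; SAMPLE_EXPORT is a constructed excerpt of that export plus one made-up subkey (ExampleEntry, with a placeholder DLL path) so that the check has something to flag.

```python
"""Flag unexpected DLLs in a Winlogon\\Notify registry export.

Added example; not part of the forum thread or of L2MFix."""
import re

# Notify DLLs seen in the stock Windows XP export posted in the thread.
# ASSUMPTION: this baseline is illustrative; build your own from a known-good host.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll",
}

# Constructed sample: two sections copied from the posted export plus one
# made-up subkey ("ExampleEntry") whose DLL path is a placeholder.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleEntry]
"DllName"="C:\\WINDOWS\\system32\\example_placeholder.dll"
"Logon"="WinlogonLogonEvent"
'''

SECTION_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]", re.I)
DLLNAME_RE = re.compile(r'"DllName"=(.*)$', re.I)   # regedit writes DllName or DLLName


def decode_hex2(value: str) -> str:
    """Decode a hex(2): value (REG_EXPAND_SZ): comma-separated bytes, UTF-16LE, NUL-terminated."""
    raw = bytes(int(b, 16) for b in value.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_notify_export(text: str) -> dict:
    """Return {subkey: dll_name_or_None} for every Notify\\<subkey> section in the export."""
    # A trailing backslash means the value continues on the next (indented) line.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    entries, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = SECTION_RE.match(line)
            current = m.group(1) if m else None      # ignore the bare Notify root
            if current is not None:
                entries[current] = None              # no DllName seen yet
            continue
        if current is None:
            continue
        m = DLLNAME_RE.match(line)
        if not m:
            continue
        val = m.group(1).strip()
        if val.lower().startswith("hex(2):"):
            entries[current] = decode_hex2(val[len("hex(2):"):])
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            entries[current] = val[1:-1].replace("\\\\", "\\")   # undo .reg escaping
    return entries


def suspicious_entries(entries: dict) -> list:
    """Subkeys whose DLL (by file name) is not in the baseline, or that have no DllName."""
    flagged = []
    for name, dll in entries.items():
        base = dll.rsplit("\\", 1)[-1].lower() if dll else None
        if base not in KNOWN_NOTIFY_DLLS:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    found = parse_notify_export(SAMPLE_EXPORT)
    for name, dll in found.items():
        print(f"{name:14s} -> {dll}")
    print("review these subkeys:", suspicious_entries(found))
```

Run it against a real export by reading the .reg file (regedit saves it as UTF-16; open it with `encoding="utf-16"`) and passing the text to `parse_notify_export`. A flagged subkey is a lead to investigate, not a verdict: compare the DLL's path, timestamp and signer against the rest of system32 before removing anything, since third-party software (smart-card middleware, VPN clients) also registers legitimate Notify packages.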
Old 08-13-2005, 11:44 PM   #19 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,453
OS: N/A


Good work..You're doing well
Some extra work to do...

I need you to update Ewido again. Please go to this website - http://www.ewido.net/en/download/updates/
Download the full updated database (Approximately 3600 KB) & install it onto your copy of Ewido.

I need you to download some extra files.

WinPfind.zip

TrackQoo.zip

Unplug your computer from the internet when you've finished

Please save the following instructions in Notepad. I have customised my instructions on the assumption that you have Notepad 'on'. It may lead to some confusion should you choose to do otherwise.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Copy the filename/s listed below.
Select/Highlight all the filenames & then click on Notepad's Edit menu & select Copy
  • C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
    C:\Program Files\Cas\Client\Uninstall.exe
    C:\Program Files\Windows Media Player\wmplayer.exe.tmp
    C:\WINDOWS\pss\knkc.exeCommon Startup
    C:\WINDOWS\system32\apayk.dat
    C:\WINDOWS\system32\datadx.dll
    C:\WINDOWS\cfgmgr52.ini
    C:\WINDOWS\system32\conres.cpl
Launch KillBox.exe
  1. Go to the File menu, and choose Paste from Clipboard
    Click the dropdown-arrow next to the Full Path of File to Delete field.
    Verify that the filenames you pasted are found in there.
  2. Select/tick the following:
    • Replace on Reboot
    • Use Dummy
    • End Explorer Shell While Killing File
    • Unregister dll Before deleting * if it's not grayed out
  3. Click the RED X button.
  4. Click Yes at the Delete on Reboot prompt.
  5. Click Yes at the 'Pending Operations prompt'.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO SAFE MODE
  1. Shut Windows down, and then turn off the computer.
  2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

If you have not done so already, please enable the viewing of Hidden files
  1. From Windows Explorer, go to Tools>Folder Options> View tab.
  2. Enable the option for Show hidden files and folder
  3. Disable the option for Hide file extensions for known types
  4. Disable the option for Hide protected operating system files
  5. Click Yes to confirm & then click OK
Locate and delete the following folder(s), if present:
  • C:\PROGRAM FILES\Aprps
    C:\PROGRAM FILES\CasStub
    C:\Program Files\Cas\
    C:\DOCUMENTS AND SETTINGS\CHRIS MONK\FAVORITES\Casino & Carrers

I would also like you to verify if the files you deleted using Killbox are gone.
Locate and verify if the following files are present:
  • C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
    C:\Program Files\Cas\Client\Uninstall.exe
    C:\Program Files\Windows Media Player\wmplayer.exe.tmp
    C:\WINDOWS\pss\knkc.exeCommon Startup
    C:\WINDOWS\system32\apayk.dat
    C:\WINDOWS\system32\datadx.dll
    C:\WINDOWS\cfgmgr52.ini
    C:\WINDOWS\system32\conres.cpl

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Cleanup! using the following configuration:
  1. Click Options...
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files (Windows XP only)
    • [X]Scan local drives for temporary files (Please uncheck this option)
    • Cleanup! All Users
  4. Click OK
  5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Ewido with its updated definitions: (it's important that all windows must be closed)
  1. Click Scanner
  2. Click Complete System Scan to begin scanning.
  3. Click OK when prompted to clean files
  4. With the first file it prompts to clean, select the option:
    1. Perform action on all infections
    2. Choose clean and click OK.
  5. Once finished, click the Save report button
  6. Save the report to your desktop
Close Ewido


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Double-click WinPFind.zip & extract the contents to a new folder at Drive C.
  1. From within that folder, double click WinPFind.exe
  2. Click Start Scan
  3. Once the Scan is complete, it will create a report in a text file
    • Go to the WinPFind folder & locate WinPFind.txt
  4. Post the results in your next reply!
* This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click Start Scan
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click Clean Threats Now.
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Locate & double-click on TrackQoo1.vbs . Wait a few seconds and a notepad page will pop up, Copy & Paste those results in your next reply.
* If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
  • WinPfind
  • TrackQoo1.vbs
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?

Last edited by sUBs; 08-14-2005 at 12:06 AM.
Old 08-14-2005, 11:38 AM   #20 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 37
OS: WinXP


Hi,
I completed all scans and fixes as you recommended. Here are the logs:




**L2MFix Log




L2Mfix 1.03a

Running From:
C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\L2mfix\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\L2mfix\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\L2mfix\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1548 'explorer.exe'
Killing PID 1548 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (164 bytes security) (deflated 2%)
adding: echo.reg (164 bytes security) (deflated 14%)
adding: direct.txt (164 bytes security) (deflated 4%)
adding: lo2.txt (164 bytes security) (deflated 74%)
adding: noti.txt (164 bytes security) (deflated 87%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: test.txt (164 bytes security) (stored 0%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: backregs/D9FE8167-DDAA-431E-8666-04C8FC75309E.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************




**Ewido Log:



ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:04:04 PM, 8/14/2005
+ Report-Checksum: 4D5DEAE6

+ Scan result:

:mozilla.11:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup


::Report End



**Panda Online Scan Log:



Incident Status Location

Adware:adware/elitebar No disinfected C:\DOCUMENTS AND SETTINGS\CHRIS MONK\FAVORITES\Finances & Business
Adware:adware/aurora No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\Cache\35897D89d01[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Chris Monk\Application Data\Mozilla\Firefox\Profiles\jafxu0ad.default\Cache\833CF8F7d01[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\L2mfix\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\L2mfix\l2mfix.exe[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\Nailfix\Nailfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\Nailfix\Nailfix.zip[Process.exe]
Possible Virus. No disinfected C:\Program Files\Rhapsody\xviews.dll



**Trackqoo Log:



REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- avast
{472083B0-C522-11CF-8763-00608CC02F24}
C:\Program Files\Alwil Software\Avast4\ashShell.dll

Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG Free\avgse.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- nfnkxnxn
{3111780c-f512-4370-99f5-80b4bad13e56}
C:\WINDOWS\System32\wuwvs.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
==============================
C:\Documents and Settings\Chris Monk\Start Menu\Programs\Startup

desktop.ini
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
AudioHQU.cpl Creative Technology Ltd.
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
US428cp.cpl Tascam
wuaucpl.cpl Microsoft Corporation



**Trend Micro Log:



Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\LimeWire'
Found '' in 'SOFTWARE\Magnet'
Found '' in 'SOFTWARE\Classes\magnet'
Found '' in 'SOFTWARE\Classes\magnet\shell\open\command'
Found 'URL Protocol' in 'SOFTWARE\Classes\magnet'
Found '' in 'SOFTWARE\Classes\Remove'
Internet URL Shortcuts
Files and Directories
Found '' in 'C:\Documents and Settings\Chris Monk\Favorites\Finances & Business'
Found '' in 'C:\Documents and Settings\Chris Monk\Favorites\Health & Insurance'
Found '' in 'C:\Documents and Settings\Chris Monk\Favorites\Homelife & Travel'
Found 'LimeWire20.dll' in 'C:\Program Files\LimeWire'
Found 'LimeWire20.dll' in 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Documents and Settings\Chris Monk\Favorites\Finances & Business' in shortcut areas.
Checking for 'C:\Documents and Settings\Chris Monk\Favorites\Finances & Business' in startup areas.
Cleaning 'C:\Documents and Settings\Chris Monk\Favorites\Finances & Business'
Checking for 'C:\Documents and Settings\Chris Monk\Favorites\Health & Insurance' in shortcut areas.
Checking for 'C:\Documents and Settings\Chris Monk\Favorites\Health & Insurance' in startup areas.
Cleaning 'C:\Documents and Settings\Chris Monk\Favorites\Health & Insurance'
Checking for 'C:\Documents and Settings\Chris Monk\Favorites\Homelife & Travel' in shortcut areas.
Checking for 'C:\Documents and Settings\Chris Monk\Favorites\Homelife & Travel' in startup areas.
Cleaning 'C:\Documents and Settings\Chris Monk\Favorites\Homelife & Travel'
Checking for 'C:\Program Files\LimeWire\LimeWire20.dll' in shortcut areas.
Checking for 'C:\Program Files\LimeWire\LimeWire20.dll' in startup areas.
Cleaning 'C:\Program Files\LimeWire\LimeWire20.dll'
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp\LimeWire20.dll' in shortcut areas.
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp\LimeWire20.dll' in startup areas.
Cleaning 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp\LimeWire20.dll'
Finished Cleaning




Hijack This Log:



Logfile of HijackThis v1.99.1
Scan saved at 1:17:52 PM, on 8/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Documents and Settings\Chris Monk\Desktop\Cleaning Programs\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=msgr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=msgr
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



**Personal Notes From Monkeyshine:
*While deleting files in safe mode, I was unable to delete the file C:\WINDOWS\pss\knkc.exe
*On and off during the cleaning process, I got a few DOS windows popping up with the C:\WINDOWS\System32\jrjupj.exe path specified.
*Other than that, everything seemed to go pretty smoothly.

Thanks again for your time and review. Please advise my next move.
Monkeyshine
Copyright 2001 - 2009, Tech Support Forum