

Infection from Random Named files

This is a discussion on Infection from Random Named files within the Resolved HJT Threads forums, part of the Tech Support Forum category.

04-09-2006, 04:54 PM, post #1 by Keserian (Guest)



A little backstory, this infection is a smart little bugger. I have Norton AV, Spybot S&D, Adaware, and even worse, I'm a Network Security student. Somehow, this infection has managed to survive three rounds of NAV, Spybot, Adaware, Giant/Microsoft Anti-Spyware, Hitman Pro, and even multiple attempts to kill using the HijackThis/Killbox combo. Yes, all of the above. It has hijacked Firefox, InternetExploder, and even plain old Mozilla. It bypasses my Kerio Server Firewall and my hardware firewall on my router. It points to websites behind what appears to be a shifting DNS, preventing me from running an I.P. block. In other words, I've tried everything I can think of, short of backing up and reformatting the drive.

Before I post the log, I've already read several of the fixes, but I figure that by posting it here, rather than doing it myself, I can avoid any possibility of screwing it up.
So, I end up here. Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:50:47 PM, on 4/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\quartus\bin\JTAGServer.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
D:\Program Files\D-Tools\daemon.exe
C:\Program Files\Software602\PrintPack\PrnPack.exe
D:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hitman Pro\srhelper.exe
C:\Program Files\Common Files\AOL\1133295770\ee\aolsoftware.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Timex\Data Link USB\DataLinkLauncher.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://10.50.101.255/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrintPack dispatcher] "C:\Program Files\Software602\PrintPack\PrnPack.exe" /server
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133295770\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Hitman Pro\surfright.exe" "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Hitman Pro SurfRight Helper] "C:\Program Files\Hitman Pro\srhelper.exe"
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Timex Data Link USB Launcher.lnk = ?
O9 - Extra button: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\WINDOWS\system32\Print602.dll
O9 - Extra 'Tools' menuitem: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\WINDOWS\system32\Print602.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Print2Picture - {F242786D-E1AE-49e7-BD01-E1ABCA405241} - C:\WINDOWS\system32\Print602.dll
O9 - Extra 'Tools' menuitem: Print2Picture - {F242786D-E1AE-49e7-BD01-E1ABCA405241} - C:\WINDOWS\system32\Print602.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsu...?1129556852453
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\mkc40u.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\g8lmli3118.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\mv6ml9j11.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: BCL easyPDF SDK Loader (bepprldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - C:\quartus\bin\JTAGServer.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
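The security-relevant finding in the log above is the set of O20 lines. Winlogon notification packages are DLLs that winlogon.exe loads at boot, before any user logs on, so they run as SYSTEM and their files are locked for as long as the system is up, which fits the original poster's report that the entries survive HijackThis and Killbox. The three subkey names (App Management, policies, Themes) imitate legitimate component names, while the DLL names are the random-looking kind described in the thread title. The Python below is an added example, not part of the thread or of HijackThis: it parses O20 lines, checks the DLL name against the Windows XP default Notify set (the baseline that is visible in the registry export later in this thread), and applies a crude name heuristic to the rest. The baseline set, the heuristic thresholds and the verdict labels are assumptions of this example. An "unknown" verdict is not a malware verdict: WRLogonNTF.dll is Webroot Spy Sweeper, which also appears as an O23 service in the same log, so the vendor check is still a human step.

```python
import re

# Windows XP default Winlogon\Notify DLLs (assumed baseline, taken from the
# XP export in this thread: crypt32chain, cryptnet, cscdll, sclgntfy, and the
# wlnotify.dll-backed ScCertProp/Schedule/SensLogn/termsrv/wlballoon entries).
XP_DEFAULT_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll",
}

# HijackThis O20 line shape: "O20 - Winlogon Notify: <subkey> - <dll path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify:\s*(?P<subkey>.+?)\s+-\s+(?P<path>.+?)\s*$")

# The four O20 lines copied from the HijackThis log in this thread.
SAMPLE_O20_LINES = [
    r"O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\mkc40u.dll",
    r"O20 - Winlogon Notify: policies - C:\WINDOWS\system32\g8lmli3118.dll",
    r"O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\mv6ml9j11.dll",
    r"O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll",
]


def parse_o20(line):
    """Return {'subkey', 'path', 'dll'} for an O20 line, or None for any other HJT line."""
    m = O20_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    return {"subkey": m.group("subkey"), "path": path,
            "dll": path.replace("/", "\\").rsplit("\\", 1)[-1].lower()}


def looks_random(stem):
    """Crude heuristic for the name generator seen here (mkc40u, g8lmli3118,
    mv6ml9j11): digits interleaved with letters, or almost no vowels.
    Legitimate short names can trip it too, which is why the baseline check
    runs first and why the result is only 'suspicious', not 'malicious'."""
    transitions = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    letters = [c for c in stem if c.isalpha()]
    vowel_ratio = sum(c in "aeiouy" for c in letters) / max(len(letters), 1)
    return transitions >= 2 or vowel_ratio < 0.15


def triage_o20(lines):
    """Classify each O20 entry as 'baseline', 'suspicious' or 'unknown'.
    'unknown' = not in the XP default set and not random-looking; it still
    needs a vendor check (WRLogonNTF.dll is Webroot Spy Sweeper, see O23)."""
    results = []
    for line in lines:
        entry = parse_o20(line)
        if entry is None:
            continue
        stem = entry["dll"].rsplit(".", 1)[0]
        if entry["dll"] in XP_DEFAULT_NOTIFY_DLLS:
            verdict = "baseline"
        elif looks_random(stem):
            verdict = "suspicious"
        else:
            verdict = "unknown"
        results.append((entry["subkey"], entry["dll"], verdict))
    return results


if __name__ == "__main__":
    for subkey, dll, verdict in triage_o20(SAMPLE_O20_LINES):
        print(f"{verdict:10s} {subkey:15s} {dll}")
```

Run against the four lines above it marks the three random-named DLLs as suspicious and the Webroot DLL as unknown; feeding it a whole HijackThis log is safe because every non-O20 line is skipped.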
04-09-2006, 05:10 PM, post #2 by Vikesrock8411 (TSF Team, Emeritus)


You have the latest version of VX2. Download L2mfix from one of these two locations:

https://www.atribune.org/downloads/l2mfix.exe
https://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the log does not open, double-click on it in the l2mfix folder.

Please report any errors the program may give you while running, they may be important!
04-09-2006, 05:39 PM, post #3 by Keserian (Guest)


Log from L2Mfix:
L2mfix 032106
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 688 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 788 'winlogon.exe'
Killing PID 788 'winlogon.exe'
Killing PID 788 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1224 'explorer.exe'
Killing PID 1224 'explorer.exe'
Killing PID 1224 'explorer.exe'
Killing PID 1224 'explorer.exe'
Killing PID 1224 'explorer.exe'
Killing PID 1224 'explorer.exe'
Killing PID 1224 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1600 'rundll32.exe'
Killing PID 728 'rundll32.exe'
Killing PID 472 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
[this line is repeated 90 times in the original log, once for each of the 90 files listed under "The following are the files found" below]
Deleting: C:\WINDOWS\system32\agpmgmts.dll
Successfully Deleted: C:\WINDOWS\system32\agpmgmts.dll
Deleting: C:\WINDOWS\system32\akptif.dll
Successfully Deleted: C:\WINDOWS\system32\akptif.dll
Deleting: C:\WINDOWS\system32\armpvcno.dll
Successfully Deleted: C:\WINDOWS\system32\armpvcno.dll
Deleting: C:\WINDOWS\system32\azaoli5318.dll
Successfully Deleted: C:\WINDOWS\system32\azaoli5318.dll
Deleting: C:\WINDOWS\system32\cbtbrkr.dll
Successfully Deleted: C:\WINDOWS\system32\cbtbrkr.dll
Deleting: C:\WINDOWS\system32\cCtsrvps.dll
Successfully Deleted: C:\WINDOWS\system32\cCtsrvps.dll
Deleting: C:\WINDOWS\system32\cfc.dll
Successfully Deleted: C:\WINDOWS\system32\cfc.dll
Deleting: C:\WINDOWS\system32\cKiscii.dll
Successfully Deleted: C:\WINDOWS\system32\cKiscii.dll
Deleting: C:\WINDOWS\system32\cumuid.dll
Successfully Deleted: C:\WINDOWS\system32\cumuid.dll
Deleting: C:\WINDOWS\system32\dn0401dqe.dll
Successfully Deleted: C:\WINDOWS\system32\dn0401dqe.dll
Deleting: C:\WINDOWS\system32\dn8m01l1e.dll
Successfully Deleted: C:\WINDOWS\system32\dn8m01l1e.dll
Deleting: C:\WINDOWS\system32\drmasf.dll
Successfully Deleted: C:\WINDOWS\system32\drmasf.dll
Deleting: C:\WINDOWS\system32\dwdskres.dll
Successfully Deleted: C:\WINDOWS\system32\dwdskres.dll
Deleting: C:\WINDOWS\system32\e2jmlc111f.dll
Successfully Deleted: C:\WINDOWS\system32\e2jmlc111f.dll
Deleting: C:\WINDOWS\system32\enrsl1971.dll
Successfully Deleted: C:\WINDOWS\system32\enrsl1971.dll
Deleting: C:\WINDOWS\system32\eps.dll
Successfully Deleted: C:\WINDOWS\system32\eps.dll
Deleting: C:\WINDOWS\system32\f0j20a1oed.dll
Successfully Deleted: C:\WINDOWS\system32\f0j20a1oed.dll
Deleting: C:\WINDOWS\system32\fesmon.dll
Successfully Deleted: C:\WINDOWS\system32\fesmon.dll
Deleting: C:\WINDOWS\system32\ffdrclnr.dll
Successfully Deleted: C:\WINDOWS\system32\ffdrclnr.dll
Deleting: C:\WINDOWS\system32\g040lahm1d4a.dll
Successfully Deleted: C:\WINDOWS\system32\g040lahm1d4a.dll
Deleting: C:\WINDOWS\system32\gfUnCompress.dll
Successfully Deleted: C:\WINDOWS\system32\gfUnCompress.dll
Deleting: C:\WINDOWS\system32\gp46l3hs1.dll
Successfully Deleted: C:\WINDOWS\system32\gp46l3hs1.dll
Deleting: C:\WINDOWS\system32\gpnml3511.dll
Successfully Deleted: C:\WINDOWS\system32\gpnml3511.dll
Deleting: C:\WINDOWS\system32\i024lafq1d2e.dll
Successfully Deleted: C:\WINDOWS\system32\i024lafq1d2e.dll
Deleting: C:\WINDOWS\system32\i0600ajmedoa0.dll
Successfully Deleted: C:\WINDOWS\system32\i0600ajmedoa0.dll
Deleting: C:\WINDOWS\system32\i460lejm1hoa.dll
Successfully Deleted: C:\WINDOWS\system32\i460lejm1hoa.dll
Deleting: C:\WINDOWS\system32\iFssvcs.dll
Successfully Deleted: C:\WINDOWS\system32\iFssvcs.dll
Deleting: C:\WINDOWS\system32\infgnt5.dll
Successfully Deleted: C:\WINDOWS\system32\infgnt5.dll
Deleting: C:\WINDOWS\system32\ipq.dll
Successfully Deleted: C:\WINDOWS\system32\ipq.dll
Deleting: C:\WINDOWS\system32\ipsutil.dll
Successfully Deleted: C:\WINDOWS\system32\ipsutil.dll
Deleting: C:\WINDOWS\system32\iu41_qc.dll
Successfully Deleted: C:\WINDOWS\system32\iu41_qc.dll
Deleting: C:\WINDOWS\system32\ivq.dll
Successfully Deleted: C:\WINDOWS\system32\ivq.dll
Deleting: C:\WINDOWS\system32\j6l4lg3q16.dll
Successfully Deleted: C:\WINDOWS\system32\j6l4lg3q16.dll
Deleting: C:\WINDOWS\system32\jt0207doe.dll
Successfully Deleted: C:\WINDOWS\system32\jt0207doe.dll
Deleting: C:\WINDOWS\system32\jtju0719e.dll
Successfully Deleted: C:\WINDOWS\system32\jtju0719e.dll
Deleting: C:\WINDOWS\system32\jtl6073se.dll
Successfully Deleted: C:\WINDOWS\system32\jtl6073se.dll
Deleting: C:\WINDOWS\system32\k2440chqef4e0.dll
Successfully Deleted: C:\WINDOWS\system32\k2440chqef4e0.dll
Deleting: C:\WINDOWS\system32\k2620cjoefoc0.dll
Successfully Deleted: C:\WINDOWS\system32\k2620cjoefoc0.dll
Deleting: C:\WINDOWS\system32\k8noli5318.dll
Successfully Deleted: C:\WINDOWS\system32\k8noli5318.dll
Deleting: C:\WINDOWS\system32\kddir.dll
Successfully Deleted: C:\WINDOWS\system32\kddir.dll
Deleting: C:\WINDOWS\system32\kddsl.dll
Successfully Deleted: C:\WINDOWS\system32\kddsl.dll
Deleting: C:\WINDOWS\system32\kedfo.dll
Successfully Deleted: C:\WINDOWS\system32\kedfo.dll
Deleting: C:\WINDOWS\system32\kfdheb.dll
Successfully Deleted: C:\WINDOWS\system32\kfdheb.dll
Deleting: C:\WINDOWS\system32\kldmlt47.dll
Successfully Deleted: C:\WINDOWS\system32\kldmlt47.dll
Deleting: C:\WINDOWS\system32\knrwbrkr.dll
Successfully Deleted: C:\WINDOWS\system32\knrwbrkr.dll
Deleting: C:\WINDOWS\system32\krdinmar.dll
Successfully Deleted: C:\WINDOWS\system32\krdinmar.dll
Deleting: C:\WINDOWS\system32\kt8ol7l31.dll
Successfully Deleted: C:\WINDOWS\system32\kt8ol7l31.dll
Deleting: C:\WINDOWS\system32\ktrml7911.dll
Successfully Deleted: C:\WINDOWS\system32\ktrml7911.dll
Deleting: C:\WINDOWS\system32\m4640ejqehoe0.dll
Successfully Deleted: C:\WINDOWS\system32\m4640ejqehoe0.dll
Deleting: C:\WINDOWS\system32\mepmsnsv.dll
Successfully Deleted: C:\WINDOWS\system32\mepmsnsv.dll
Deleting: C:\WINDOWS\system32\mfutilse.dll
Successfully Deleted: C:\WINDOWS\system32\mfutilse.dll
Deleting: C:\WINDOWS\system32\mil_hp.dll
Successfully Deleted: C:\WINDOWS\system32\mil_hp.dll
Deleting: C:\WINDOWS\system32\mkc40u.dll
Successfully Deleted: C:\WINDOWS\system32\mkc40u.dll
Deleting: C:\WINDOWS\system32\mmxml4r.dll
Successfully Deleted: C:\WINDOWS\system32\mmxml4r.dll
Deleting: C:\WINDOWS\system32\moxmlr.dll
Successfully Deleted: C:\WINDOWS\system32\moxmlr.dll
Deleting: C:\WINDOWS\system32\mvj4l91q1.dll
Successfully Deleted: C:\WINDOWS\system32\mvj4l91q1.dll
Deleting: C:\WINDOWS\system32\mvlml9311.dll
Successfully Deleted: C:\WINDOWS\system32\mvlml9311.dll
Deleting: C:\WINDOWS\system32\mvnml9511.dll
Successfully Deleted: C:\WINDOWS\system32\mvnml9511.dll
Deleting: C:\WINDOWS\system32\mxvcp71.dll
Successfully Deleted: C:\WINDOWS\system32\mxvcp71.dll
Deleting: C:\WINDOWS\system32\MZJET35.DLL
Successfully Deleted: C:\WINDOWS\system32\MZJET35.DLL
Deleting: C:\WINDOWS\system32\n0r2la9o1d.dll
Successfully Deleted: C:\WINDOWS\system32\n0r2la9o1d.dll
Deleting: C:\WINDOWS\system32\o048lahu1d48.dll
Successfully Deleted: C:\WINDOWS\system32\o048lahu1d48.dll
Deleting: C:\WINDOWS\system32\o648lghu1648.dll
Successfully Deleted: C:\WINDOWS\system32\o648lghu1648.dll
Deleting: C:\WINDOWS\system32\octext32.dll
Successfully Deleted: C:\WINDOWS\system32\octext32.dll
Deleting: C:\WINDOWS\system32\ozuninst.dll
Successfully Deleted: C:\WINDOWS\system32\ozuninst.dll
Deleting: C:\WINDOWS\system32\p2r40c9qef.dll
Successfully Deleted: C:\WINDOWS\system32\p2r40c9qef.dll
Deleting: C:\WINDOWS\system32\pctorec.dll
Successfully Deleted: C:\WINDOWS\system32\pctorec.dll
Deleting: C:\WINDOWS\system32\pjspl.dll
Successfully Deleted: C:\WINDOWS\system32\pjspl.dll
Deleting: C:\WINDOWS\system32\q0rq0a95ed.dll
Successfully Deleted: C:\WINDOWS\system32\q0rq0a95ed.dll
Deleting: C:\WINDOWS\system32\r08s0al7edq.dll
Successfully Deleted: C:\WINDOWS\system32\r08s0al7edq.dll
Deleting: C:\WINDOWS\system32\r8r6li9s18.dll
Successfully Deleted: C:\WINDOWS\system32\r8r6li9s18.dll
Deleting: C:\WINDOWS\system32\rtcss.dll
Successfully Deleted: C:\WINDOWS\system32\rtcss.dll
Deleting: C:\WINDOWS\system32\rym.dll
Successfully Deleted: C:\WINDOWS\system32\rym.dll
Deleting: C:\WINDOWS\system32\s0rsla971d.dll
Successfully Deleted: C:\WINDOWS\system32\s0rsla971d.dll
Deleting: C:\WINDOWS\system32\s4880eluehq80.dll
Successfully Deleted: C:\WINDOWS\system32\s4880eluehq80.dll
Deleting: C:\WINDOWS\system32\sdell.dll
Successfully Deleted: C:\WINDOWS\system32\sdell.dll
Deleting: C:\WINDOWS\system32\searddlg.dll
Successfully Deleted: C:\WINDOWS\system32\searddlg.dll
Deleting: C:\WINDOWS\system32\SKCKETX.DLL
Successfully Deleted: C:\WINDOWS\system32\SKCKETX.DLL
Deleting: C:\WINDOWS\system32\sreio.dll
Successfully Deleted: C:\WINDOWS\system32\sreio.dll
Deleting: C:\WINDOWS\system32\STCKETX.DLL
Successfully Deleted: C:\WINDOWS\system32\STCKETX.DLL
Deleting: C:\WINDOWS\system32\stimgvw.dll
Successfully Deleted: C:\WINDOWS\system32\stimgvw.dll
Deleting: C:\WINDOWS\system32\sunscfg.dll
Successfully Deleted: C:\WINDOWS\system32\sunscfg.dll
Deleting: C:\WINDOWS\system32\svlogcfg.dll
Successfully Deleted: C:\WINDOWS\system32\svlogcfg.dll
Deleting: C:\WINDOWS\system32\sXfrcdlg.dll
Successfully Deleted: C:\WINDOWS\system32\sXfrcdlg.dll
Deleting: C:\WINDOWS\system32\udrfaxa.dll
Successfully Deleted: C:\WINDOWS\system32\udrfaxa.dll
Deleting: C:\WINDOWS\system32\wbauserv.dll
Successfully Deleted: C:\WINDOWS\system32\wbauserv.dll
Deleting: C:\WINDOWS\system32\weninet.dll
Successfully Deleted: C:\WINDOWS\system32\weninet.dll
Deleting: C:\WINDOWS\system32\wjps2.dll
Successfully Deleted: C:\WINDOWS\system32\wjps2.dll
Deleting: C:\WINDOWS\system32\wkstream.dll
Successfully Deleted: C:\WINDOWS\system32\wkstream.dll
Deleting: C:\WINDOWS\system32\wrnntbbu.dll
Successfully Deleted: C:\WINDOWS\system32\wrnntbbu.dll

msg11?.dll
0 file(s) copied.
Desktop.ini sucessfully removed




Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mkc40u.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g8lmli3118.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv6ml9j11.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\agpmgmts.dll
C:\WINDOWS\system32\akptif.dll
C:\WINDOWS\system32\armpvcno.dll
C:\WINDOWS\system32\azaoli5318.dll
C:\WINDOWS\system32\cbtbrkr.dll
C:\WINDOWS\system32\cCtsrvps.dll
C:\WINDOWS\system32\cfc.dll
C:\WINDOWS\system32\cKiscii.dll
C:\WINDOWS\system32\cumuid.dll
C:\WINDOWS\system32\dn0401dqe.dll
C:\WINDOWS\system32\dn8m01l1e.dll
C:\WINDOWS\system32\drmasf.dll
C:\WINDOWS\system32\dwdskres.dll
C:\WINDOWS\system32\e2jmlc111f.dll
C:\WINDOWS\system32\enrsl1971.dll
C:\WINDOWS\system32\eps.dll
C:\WINDOWS\system32\f0j20a1oed.dll
C:\WINDOWS\system32\fesmon.dll
C:\WINDOWS\system32\ffdrclnr.dll
C:\WINDOWS\system32\g040lahm1d4a.dll
C:\WINDOWS\system32\gfUnCompress.dll
C:\WINDOWS\system32\gp46l3hs1.dll
C:\WINDOWS\system32\gpnml3511.dll
C:\WINDOWS\system32\i024lafq1d2e.dll
C:\WINDOWS\system32\i0600ajmedoa0.dll
C:\WINDOWS\system32\i460lejm1hoa.dll
C:\WINDOWS\system32\iFssvcs.dll
C:\WINDOWS\system32\infgnt5.dll
C:\WINDOWS\system32\ipq.dll
C:\WINDOWS\system32\ipsutil.dll
C:\WINDOWS\system32\iu41_qc.dll
C:\WINDOWS\system32\ivq.dll
C:\WINDOWS\system32\j6l4lg3q16.dll
C:\WINDOWS\system32\jt0207doe.dll
C:\WINDOWS\system32\jtju0719e.dll
C:\WINDOWS\system32\jtl6073se.dll
C:\WINDOWS\system32\k2440chqef4e0.dll
C:\WINDOWS\system32\k2620cjoefoc0.dll
C:\WINDOWS\system32\k8noli5318.dll
C:\WINDOWS\system32\kddir.dll
C:\WINDOWS\system32\kddsl.dll
C:\WINDOWS\system32\kedfo.dll
C:\WINDOWS\system32\kfdheb.dll
C:\WINDOWS\system32\kldmlt47.dll
C:\WINDOWS\system32\knrwbrkr.dll
C:\WINDOWS\system32\krdinmar.dll
C:\WINDOWS\system32\kt8ol7l31.dll
C:\WINDOWS\system32\ktrml7911.dll
C:\WINDOWS\system32\m4640ejqehoe0.dll
C:\WINDOWS\system32\mepmsnsv.dll
C:\WINDOWS\system32\mfutilse.dll
C:\WINDOWS\system32\mil_hp.dll
C:\WINDOWS\system32\mkc40u.dll
C:\WINDOWS\system32\mmxml4r.dll
C:\WINDOWS\system32\moxmlr.dll
C:\WINDOWS\system32\mvj4l91q1.dll
C:\WINDOWS\system32\mvlml9311.dll
C:\WINDOWS\system32\mvnml9511.dll
C:\WINDOWS\system32\mxvcp71.dll
C:\WINDOWS\system32\MZJET35.DLL
C:\WINDOWS\system32\n0r2la9o1d.dll
C:\WINDOWS\system32\o048lahu1d48.dll
C:\WINDOWS\system32\o648lghu1648.dll
C:\WINDOWS\system32\octext32.dll
C:\WINDOWS\system32\ozuninst.dll
C:\WINDOWS\system32\p2r40c9qef.dll
C:\WINDOWS\system32\pctorec.dll
C:\WINDOWS\system32\pjspl.dll
C:\WINDOWS\system32\q0rq0a95ed.dll
C:\WINDOWS\system32\r08s0al7edq.dll
C:\WINDOWS\system32\r8r6li9s18.dll
C:\WINDOWS\system32\rtcss.dll
C:\WINDOWS\system32\rym.dll
C:\WINDOWS\system32\s0rsla971d.dll
C:\WINDOWS\system32\s4880eluehq80.dll
C:\WINDOWS\system32\sdell.dll
C:\WINDOWS\system32\searddlg.dll
C:\WINDOWS\system32\SKCKETX.DLL
C:\WINDOWS\system32\sreio.dll
C:\WINDOWS\system32\STCKETX.DLL
C:\WINDOWS\system32\stimgvw.dll
C:\WINDOWS\system32\sunscfg.dll
C:\WINDOWS\system32\svlogcfg.dll
C:\WINDOWS\system32\sXfrcdlg.dll
C:\WINDOWS\system32\udrfaxa.dll
C:\WINDOWS\system32\wbauserv.dll
C:\WINDOWS\system32\weninet.dll
C:\WINDOWS\system32\wjps2.dll
C:\WINDOWS\system32\wkstream.dll
C:\WINDOWS\system32\wrnntbbu.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7B940527-8686-4673-B444-C03EF1860F53}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7B940527-8686-4673-B444-C03EF1860F53}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7B940527-8686-4673-B444-C03EF1860F53}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7B940527-8686-4673-B444-C03EF1860F53}\InprocServer32]
@="C:\\WINDOWS\\system32\\gfUnCompress.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{209F4B3E-01FC-4FCD-B02B-72B4F03F7C3E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{209F4B3E-01FC-4FCD-B02B-72B4F03F7C3E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{209F4B3E-01FC-4FCD-B02B-72B4F03F7C3E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{209F4B3E-01FC-4FCD-B02B-72B4F03F7C3E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E3ED7B70-1E0C-46E0-A864-DF9EEA86E645}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E3ED7B70-1E0C-46E0-A864-DF9EEA86E645}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E3ED7B70-1E0C-46E0-A864-DF9EEA86E645}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E3ED7B70-1E0C-46E0-A864-DF9EEA86E645}\InprocServer32]
@="C:\\WINDOWS\\system32\\mmxml4r.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00E14409-93E4-4958-B8A8-1A6D19FE382F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00E14409-93E4-4958-B8A8-1A6D19FE382F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00E14409-93E4-4958-B8A8-1A6D19FE382F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00E14409-93E4-4958-B8A8-1A6D19FE382F}\InprocServer32]
@="C:\\WINDOWS\\system32\\mkc40u.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{7B940527-8686-4673-B444-C03EF1860F53}"=-
"{209F4B3E-01FC-4FCD-B02B-72B4F03F7C3E}"=-
"{E3ED7B70-1E0C-46E0-A864-DF9EEA86E645}"=-
"{00E14409-93E4-4958-B8A8-1A6D19FE382F}"=-
[-HKEY_CLASSES_ROOT\CLSID\{7B940527-8686-4673-B444-C03EF1860F53}]
[-HKEY_CLASSES_ROOT\CLSID\{209F4B3E-01FC-4FCD-B02B-72B4F03F7C3E}]
[-HKEY_CLASSES_ROOT\CLSID\{E3ED7B70-1E0C-46E0-A864-DF9EEA86E645}]
[-HKEY_CLASSES_ROOT\CLSID\{00E14409-93E4-4958-B8A8-1A6D19FE382F}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:

Log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 8:37:01 PM, on 4/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
D:\Program Files\D-Tools\daemon.exe
C:\Program Files\Software602\PrintPack\PrnPack.exe
D:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1133295770\ee\AOLSoftware.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Hitman Pro\srhelper.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Timex\Data Link USB\DataLinkLauncher.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Acer\eManager\anbmServ.exe
C:\quartus\bin\JTAGServer.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://10.50.101.255/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrintPack dispatcher] "C:\Program Files\Software602\PrintPack\PrnPack.exe" /server
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133295770\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Hitman Pro\surfright.exe" "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Hitman Pro SurfRight Helper] "C:\Program Files\Hitman Pro\srhelper.exe"
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Timex Data Link USB Launcher.lnk = ?
O9 - Extra button: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\WINDOWS\system32\Print602.dll
O9 - Extra 'Tools' menuitem: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\WINDOWS\system32\Print602.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Print2Picture - {F242786D-E1AE-49e7-BD01-E1ABCA405241} - C:\WINDOWS\system32\Print602.dll
O9 - Extra 'Tools' menuitem: Print2Picture - {F242786D-E1AE-49e7-BD01-E1ABCA405241} - C:\WINDOWS\system32\Print602.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsu...?1129556852453
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\mkc40u.dll (file missing)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\g8lmli3118.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\mv6ml9j11.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: BCL easyPDF SDK Loader (bepprldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - C:\quartus\bin\JTAGServer.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

I appreciate your speedy reply by the way, thanks.
Keserian is offline  
Old 04-09-2006, 05:50 PM   #4
TSF Team, Emeritus
 
 
Join Date: Jun 2005
Posts: 3,100
OS: Windows XP


You had somehow managed to have multiple simultaneous L2Me infections and I am not sure if L2MeFix got them all or not. We will try fixing the reg entries and see what happens.

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\mkc40u.dll (file missing)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\g8lmli3118.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\mv6ml9j11.dll
Please remember to close all other windows, including browsers then click Fix checked.
Vikesrock8411 is offline  
Old 04-09-2006, 06:17 PM   #5
Guest
 
Join Date: Apr 2006
Posts: 5
OS:


I did as you asked and here is the new log file from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 9:15:28 PM, on 4/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
D:\Program Files\D-Tools\daemon.exe
C:\Program Files\Software602\PrintPack\PrnPack.exe
D:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Hitman Pro\srhelper.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Timex\Data Link USB\DataLinkLauncher.exe
C:\Acer\eManager\anbmServ.exe
C:\quartus\bin\JTAGServer.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://10.50.101.255/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrintPack dispatcher] "C:\Program Files\Software602\PrintPack\PrnPack.exe" /server
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Hitman Pro\surfright.exe" "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Hitman Pro SurfRight Helper] "C:\Program Files\Hitman Pro\srhelper.exe"
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Timex Data Link USB Launcher.lnk = ?
O9 - Extra button: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\WINDOWS\system32\Print602.dll
O9 - Extra 'Tools' menuitem: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\WINDOWS\system32\Print602.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Print2Picture - {F242786D-E1AE-49e7-BD01-E1ABCA405241} - C:\WINDOWS\system32\Print602.dll
O9 - Extra 'Tools' menuitem: Print2Picture - {F242786D-E1AE-49e7-BD01-E1ABCA405241} - C:\WINDOWS\system32\Print602.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsu...?1129556852453
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: BCL easyPDF SDK Loader (bepprldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - C:\quartus\bin\JTAGServer.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

EDIT: Presently it looks like the problem has been solved, on the surface at least. There are no more popups, but it remains to be seen if this is just temporary.
Keserian is offline  
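One way to confirm that the O20 fix from the post above actually took is to parse the Winlogon Notify lines out of both HijackThis logs and diff them against the entries the helper flagged. This is an added example, not code from the thread or from HijackThis; the sample log lines are copied from the two logs posted before and after the fix, and the FLAGGED set is the three subkeys the helper listed.

```python
"""Check that a HijackThis O20 (Winlogon Notify) fix actually took.

Added example, not code from the thread or from HijackThis. The sample
lines are copied from the before/after logs posted in the thread; FLAGGED
is the set of subkeys the helper asked to have fixed.
"""
import re
from dataclasses import dataclass

# Shape of a HijackThis O20 line:
#   O20 - Winlogon Notify: <subkey> - <dll path>[ (file missing)]
# <subkey> is the key name under HKLM\...\Windows NT\CurrentVersion\Winlogon\Notify,
# and <dll path> is the DLL that winlogon.exe loads for that key at logon.
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<subkey>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


@dataclass(frozen=True)
class NotifyEntry:
    subkey: str
    path: str
    file_missing: bool  # HijackThis could not find the DLL on disk


def parse_o20(log_text: str) -> list[NotifyEntry]:
    """Return every O20 Winlogon Notify entry in a HijackThis log, in order."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append(NotifyEntry(m["subkey"], m["path"], m["missing"] is not None))
    return entries


def verify_fix(before: str, after: str, flagged: set[str]) -> dict[str, set[str]]:
    """Diff the O20 entries of two logs against the set the helper flagged.

    removed        subkeys present before and gone after (what the fix did)
    still_present  flagged subkeys that survived the fix (fix did not take)
    unexpected     subkeys removed that nobody asked to remove (over-removal)
    remaining      subkeys still registered after the fix (should be known-good)
    """
    before_keys = {e.subkey for e in parse_o20(before)}
    remaining = {e.subkey for e in parse_o20(after)}
    removed = before_keys - remaining
    return {
        "removed": removed,
        "still_present": flagged & remaining,
        "unexpected": removed - flagged,
        "remaining": remaining,
    }


# Constructed from the thread: the O20 section of the log posted before the fix ...
BEFORE_LOG = r"""
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\mkc40u.dll (file missing)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\g8lmli3118.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\mv6ml9j11.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
"""
# ... and of the log posted after "Fix checked".
AFTER_LOG = r"""
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
"""
# The three entries the helper told the poster to check and fix.
FLAGGED = {"App Management", "policies", "Themes"}


if __name__ == "__main__":
    for key, value in verify_fix(BEFORE_LOG, AFTER_LOG, FLAGGED).items():
        print(f"{key:14s} {sorted(value)}")
```

An empty `still_present` and `unexpected` with only the Webroot WRNotifier entry left in `remaining` is what the "clean" verdict in the next reply corresponds to.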
Old 04-09-2006, 07:54 PM   #6
TSF Team, Emeritus
 
 
Join Date: Jun 2005
Posts: 3,100
OS: Windows XP


Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Setting a new Restore Point
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter.
  • Tick the checkbox - Turn off System Restore on all drives
  • Click Apply
  • Turn it back 'On' by unticking the same checkbox & click OK

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Sunbelt Kerio Personal Firewall

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap, there are many pieces of malware that are caught by one of these and not the other, therefore it is recommended you use both to complement each other. Spybot also contains two other useful pieces. The first is "Immunize", which helps protect your computer against known exploits. The second is "TeaTimer"; with this feature enabled you will receive notifications of all changes to the registry, such as programs adding themselves to start-up and your default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources: run it once and you're all set. Spyware Guard is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less susceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Desktop Weather - Free taskbar weather program that is free, malware free, and resource light.

Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
Vikesrock8411 is offline  
Old 04-09-2006, 09:27 PM   #7
Guest
 
Join Date: Apr 2006
Posts: 5
OS:


Hey thanks guys, I do use most of the above programs, and I've removed AIM and am working on removing I.E. (persistent little program), but thanks for all the help!
Keserian is offline  
 
