Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Win Fixer 2005

Started by yukondsl , Nov 05 2005 12:28 AM

  • Please log in to reply
8 replies to this topic

#1 yukondsl

yukondsl

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 05 November 2005 - 12:28 AM

I am having a dificult time in getting rid of Win Fixer 2005. Have removed with AdAware, SpyBot and CounterSpy but it keeps popping up.

    Advertisements

Register to Remove

#2 yukondsl

yukondsl

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 05 November 2005 - 12:30 AM

Here is the HiJack This log.

Logfile of HijackThis v1.99.1
Scan saved at 10:23:48 PM, on 04/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\PivX\PreEmpt\loadsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\RAMpage\RAMpage.exe
C:\WINNT\cyb2k.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\PivX\PreEmpt\PreEmptST.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ckrw.com/...path=/home.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ckrw.com/...path=/home.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINNT\system32\gebyw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RAMpage] "C:\Program Files\RAMpage\RAMpage.exe" M=28 T=4 P="C:\Program Files\RAMpage\RAMpageConfig.exe"
O4 - HKLM\..\Run: [C2K] C:\WINNT\cyb2k.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: PreEmpt.lnk = C:\Program Files\PivX\PreEmpt\PreEmptST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: symsupportutil -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181...s/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - http://whi-multi.apc.../dolcontrol.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O18 - Protocol: aim - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O20 - Winlogon Notify: gebyw - C:\WINNT\system32\gebyw.dll
O20 - Winlogon Notify: rqolk - C:\WINNT\system32\rqolk.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PreEmpt (qfcoresvc) - PivX Solutions, Inc. - C:\Program Files\PivX\PreEmpt\loadsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

#3 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 05 November 2005 - 07:09 AM

Download L2mfix from one of these two locations:

l2mfix.exe (© Shadowwar)

l2mfix.exe (© Shadowwar)

Save the file to your desktop and <double-click> l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

<double-click> l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing <enter>.

This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log.

Copy/paste the contents of that log into this thread.


IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#4 yukondsl

yukondsl

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 05 November 2005 - 08:09 AM

Hi Micah_6:8 Thanks for looking at my post, here is the log you requested: L2MFIX find log 1.04a These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebyw] "Asynchronous"=dword:00000001 "DllName"="C:\\WINNT\\system32\\gebyw.dll" "Impersonate"=dword:00000000 "Startup"="SysLogon" "Logoff"="SysLogoff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqolk] "Asynchronous"=dword:00000001 "DllName"="C:\\WINNT\\system32\\rqolk.dll" "Impersonate"=dword:00000000 "Startup"="SysLogon" "Logoff"="SysLogoff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif] "DLLName"="wzcdlg.dll" "Logon"="WZCEventLogon" "Logoff"="WZCEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000000 RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: (ID-NI) ALLOW Read BUILTIN\Users (ID-IO) ALLOW Read BUILTIN\Users (ID-NI) ALLOW Read BUILTIN\Power Users (ID-IO) ALLOW Read BUILTIN\Power Users (ID-NI) ALLOW Full access BUILTIN\Administrators (ID-IO) ALLOW Full access BUILTIN\Administrators (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access CREATOR OWNER ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet" "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management" "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page" "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page" "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing" "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension" "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension" "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension" "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension" "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page" "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler" "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension" "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects" "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management" "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management" "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression" "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension" "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI" "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu" "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase" "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext" "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts" "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile" "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page" "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing" "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension" "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host" "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension" "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension" "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections" "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler" "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension" "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks" "{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder" "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer" "{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder" "{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut" "{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume" "{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension" "{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page" "{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook" "{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service" "{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service" "{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service" "{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View" "{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu" "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service" "{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service" "{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler" "{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions" "{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop" "{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension" "{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon" "{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper" "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer" "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar" "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status" "{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder" "{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band" "{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu" "{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site" "{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar" "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder" "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2" "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy" "{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand" "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand" "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band" "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search" "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search" "{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links" "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility" "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address" "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox" "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete" "{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image" "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor" "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List" "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List" "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List" "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container" "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu" "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp" "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar" "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite" "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist" "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings" "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band" "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service" "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer" "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut" "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service" "{FF393560-C2A7-11CF-BFF4-444553540000}"="History" "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook" "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen" "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook" "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC" "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC" "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet" "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space" "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder" "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck" "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr" "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder" "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler" "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent" "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent" "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent" "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent" "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent" "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler" "{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails" "{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor" "{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor" "{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)" "{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator" "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager" "{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator" "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher" "{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace" "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object" "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI" "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find" "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find" "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI" "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs" "{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder" "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook" "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target" "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties" "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu" "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options" "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder" "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler" "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer" "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer" "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu" "{C56C4E21-706D-11d0-AFC5-444553540002}"="My Digital Camera" "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band" "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List" "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible" "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar" "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser" "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture" "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band" "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..." "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler" "{E0D79304-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79305-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79306-84BE-11CE-9641-444553540000}"="WinZip" "{32A9D769-5B55-4a25-9A62-86B5683FE50A}"="NikonView Drop Extension" "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File" "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut" "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object" "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu" "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties" "{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind" "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu" "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache" "{472083B0-C522-11CF-8763-00608CC02F24}"="avast" "{B327765E-D724-4347-8B16-78AE18552FC3}"="NeroDigitalIconHandler" "{7F1CF152-04F8-453A-B34C-E609530A9DC8}"="NeroDigitalPropSheetHandler" ********************************************************************************** HKEY ROOT CLASSIDS: ********************************************************************************** Files Found are not all bad files: C:\WINNT\SYSTEM32\ adwfil.dll Tue Nov 1 2005 3:23:16p A.... 67,608 66.02 K auctfil.dll Tue Nov 1 2005 3:23:16p A.... 7,642 7.46 K bnrfil.dll Tue Nov 1 2005 3:23:16p A.... 100 0.10 K bsnlst.dll Tue Nov 1 2005 3:23:16p A.... 400 0.39 K catsrv.dll Mon Sep 5 2005 12:18:46a A.... 165,648 161.77 K catsrvut.dll Mon Sep 5 2005 12:18:46a A.... 595,728 581.77 K cdosys.dll Tue Aug 30 2005 1:29:42a A.... 2,532,112 2.41 M chtfil.dll Tue Nov 1 2005 3:23:16p A.... 10,880 10.63 K clbcatex.dll Mon Sep 5 2005 12:18:46a A.... 97,040 94.77 K clbcatq.dll Mon Sep 5 2005 12:18:46a A.... 551,184 538.27 K cmdlin~1.dll Sat Oct 8 2005 4:42:24p A.... 43,520 42.50 K colbact.dll Mon Sep 5 2005 12:18:46a A.... 41,744 40.77 K comrepl.dll Mon Sep 5 2005 12:18:46a A.... 97,552 95.27 K comsvcs.dll Mon Sep 5 2005 12:18:48a A.... 1,471,248 1.40 M comuid.dll Mon Sep 5 2005 12:18:48a A.... 625,936 611.27 K csnews.dll Tue Nov 1 2005 3:23:16p A.... 1,842 1.80 K cultfil.dll Tue Nov 1 2005 3:23:16p A.... 1,830 1.79 K danim.dll Fri Sep 2 2005 10:06:58a A.... 986,112 963.00 K dxtrans.dll Fri Sep 2 2005 3:35:16p A.... 192,000 187.50 K entfil.dll Tue Nov 1 2005 3:23:16p A.... 12,422 12.13 K es.dll Mon Sep 5 2005 12:18:46a A.... 242,448 236.77 K exusr.dll Tue Sep 27 2005 4:08:58a A.... 10 0.01 K finfil.dll Tue Nov 1 2005 3:23:16p A.... 13,154 12.84 K fmfil.dll Tue Nov 1 2005 3:23:16p A.... 11,338 11.07 K fshrfil.dll Tue Nov 1 2005 3:23:16p A.... 1,454 1.42 K gblfil.dll Tue Nov 1 2005 3:23:16p A.... 13,036 12.73 K gdwfil.dll Tue Nov 1 2005 3:23:16p A.... 1,482 1.45 K gebyw.dll Sat Oct 29 2005 1:28:00p ..... 540,692 528.02 K gnfil.dll Tue Nov 1 2005 3:23:16p A.... 9,770 9.54 K hatfil.dll Tue Nov 1 2005 3:23:16p A.... 4,442 4.34 K iawfil.dll Tue Nov 1 2005 3:23:16p A.... 5,142 5.02 K igefil.dll Tue Nov 1 2005 3:23:16p A.... 194 0.19 K imgfil.dll Tue Nov 1 2005 3:23:16p A.... 820 0.80 K jbfil.dll Tue Nov 1 2005 3:23:16p A.... 8,652 8.45 K lastup~1.dll Tue Nov 1 2005 3:23:16p A.... 18 0.02 K lgwfil.dll Tue Nov 1 2005 3:23:16p A.... 2,782 2.71 K linkinfo.dll Fri Sep 23 2005 3:03:26a A.... 17,680 17.27 K lsprst7.dll Sat Nov 5 2005 5:46:46a A.... 203 0.20 K macfil.dll Tue Nov 1 2005 3:23:16p A.... 80 0.08 K movfil.dll Tue Nov 1 2005 3:23:16p A.... 7,778 7.59 K mp3fil.dll Tue Nov 1 2005 3:23:16p A.... 778 0.76 K msdtclog.dll Mon Sep 5 2005 12:18:48a A.... 96,016 93.77 K msdtcprx.dll Mon Sep 5 2005 12:18:48a A.... 726,288 709.27 K msdtctm.dll Mon Sep 5 2005 12:18:48a A.... 1,200,400 1.14 M msdtcui.dll Mon Sep 5 2005 12:18:48a A.... 153,872 150.27 K mshtml.dll Tue Oct 4 2005 11:19:14a A.... 2,700,288 2.57 M mstime.dll Fri Sep 2 2005 3:35:12p A.... 496,128 484.50 K mtxclu.dll Mon Sep 5 2005 12:18:48a A.... 52,496 51.27 K mtxdm.dll Mon Sep 5 2005 12:18:48a A.... 26,896 26.27 K mtxlegih.dll Mon Sep 5 2005 12:18:50a A.... 35,600 34.77 K mtxoci.dll Mon Sep 5 2005 12:18:50a A.... 122,640 119.77 K netman.dll Tue Aug 16 2005 12:35:00a A.... 100,112 97.77 K nfil.dll Tue Nov 1 2005 3:23:16p A.... 116 0.11 K nnlji.dll Thu Oct 6 2005 7:14:30p ..SH. 27,149 26.51 K nvgamfil.dll Tue Nov 1 2005 3:23:16p A.... 17,388 16.98 K nwwks.dll Mon Aug 22 2005 1:20:40a A.... 61,200 59.77 K ole32.dll Mon Sep 5 2005 12:18:46a A.... 957,712 935.27 K olecli32.dll Mon Sep 5 2005 12:18:46a A.... 69,392 67.77 K olecnv32.dll Mon Sep 5 2005 12:18:46a A.... 36,624 35.77 K perfil.dll Tue Nov 1 2005 3:23:16p A.... 22,390 21.86 K picsfil.dll Tue Nov 1 2005 3:23:16p A.... 306 0.30 K pkmon.dll Tue Nov 1 2005 3:23:16p A.... 9,634 9.41 K popfil.dll Tue Nov 1 2005 3:23:16p A.... 16,802 16.41 K psyfil.dll Tue Nov 1 2005 3:23:16p A.... 12,730 12.43 K quartz.dll Tue Aug 30 2005 8:14:00a A.... 1,227,776 1.17 M rpcss.dll Mon Sep 5 2005 12:18:46a A.... 212,240 207.27 K rqolk.dll Sat Oct 29 2005 1:28:00p ..SH. 540,692 528.02 K shell32.dll Fri Sep 23 2005 3:03:26a A.... 2,360,592 2.25 M shlwapi.dll Wed Aug 31 2005 5:49:30p A.... 409,088 399.50 K sintf16.dll Mon Oct 3 2005 11:20:46p A.... 12,067 11.78 K sintf32.dll Mon Oct 3 2005 11:20:46p A.... 17,212 16.81 K sintfnt.dll Mon Oct 3 2005 11:20:46p A.... 21,840 21.33 K spmfil.dll Tue Nov 1 2005 3:23:16p A.... 733 0.71 K sporfil.dll Tue Nov 1 2005 3:23:16p A.... 12,266 11.98 K srchfrgn.dll Tue Nov 1 2005 3:23:16p A.... 542 0.53 K srchin.dll Tue Nov 1 2005 3:23:16p A.... 3,444 3.36 K srchout.dll Tue Nov 1 2005 3:23:16p A.... 258 0.25 K ssprs.dll Sat Nov 5 2005 5:46:46a A.... 71 0.07 K stclient.dll Mon Sep 5 2005 12:18:50a A.... 71,440 69.77 K swfil.dll Tue Nov 1 2005 3:23:16p A.... 6,810 6.65 K tafil.dll Tue Nov 1 2005 3:23:16p A.... 14,712 14.37 K tapfil.dll Tue Nov 1 2005 3:23:16p A.... 1,462 1.43 K tuspo.dll Wed Oct 26 2005 6:07:26p ..SH. 28,173 27.51 K txfaux.dll Mon Sep 5 2005 12:18:46a A.... 398,608 389.27 K umpnpmgr.dll Fri Sep 2 2005 1:24:06a A.... 94,480 92.27 K urlmon.dll Fri Sep 2 2005 2:19:16p A.... 457,216 446.50 K vgamfil.dll Tue Nov 1 2005 3:23:16p A.... 5,782 5.64 K viofil.dll Tue Nov 1 2005 3:23:16p A.... 4,084 3.99 K webvw.dll Fri Sep 23 2005 3:03:26a A.... 1,120,016 1.07 M winsrv.dll Fri Sep 23 2005 3:03:26a A.... 245,008 239.27 K wrestfil.dll Tue Nov 1 2005 3:23:16p A.... 6,050 5.91 K wzfil.dll Tue Nov 1 2005 3:23:16p A.... 2,246 2.19 K xolehlp.dll Mon Sep 5 2005 12:18:50a A.... 19,216 18.77 K 93 items found: 93 files (3 H/S), 0 directories. Total of file sizes: 22,620,804 bytes 21.57 M Locate .tmp files: No matches found. ********************************************************************************** Directory Listing of system files: Volume in drive C is SYSTEM Volume Serial Number is 2095-D4DA Directory of C:\WINNT\System32 05/11/2005 06:01a 190,853 wybeg.ini 04/11/2005 07:54p 192,736 wybeg.bak2 29/10/2005 01:31p 162,207 wybeg.bak1 29/10/2005 01:28p 162,982 kloqr.ini 29/10/2005 01:28p 162,263 kloqr.bak1 29/10/2005 01:27p 540,692 rqolk.dll 26/10/2005 06:07p 28,173 tuspo.dll 26/10/2005 10:34a <DIR> dllcache 06/10/2005 07:14p 27,149 nnlji.dll 24/08/2005 07:58p 14,084 KGyGaAvL.sys 24/08/2005 07:58p 152 B539662902.sys 04/08/2004 02:56a 413,696 msvcp60.dll 11 File(s) 1,894,987 bytes 1 Dir(s) 37,066,117,120 bytes free

#5 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 05 November 2005 - 08:31 AM

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning that should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINNT\system32\gebyw.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINNT\system32\rqolk.dll
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINNT\system32\gebyw.dll

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

    O20 - Winlogon Notify: gebyw - C:\WINNT\system32\gebyw.dll

    O20 - Winlogon Notify: rqolk - C:\WINNT\system32\rqolk.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Copy a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

After the reboot, delete these files if they still exist:

C:\WINNT\SYSTEM32\wybeg.ini
C:\WINNT\SYSTEM32\wybeg.bak2
C:\WINNT\SYSTEM32\wybeg.bak1
C:\WINNT\SYSTEM32\kloqr.ini
C:\WINNT\SYSTEM32\kloqr.bak1
C:\WINNT\SYSTEM32\tuspo.dll
C:\WINNT\SYSTEM32\nnlji.dll

They will be "hidden".
Be sure to show hidden files when looking for these files.
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#6 yukondsl

yukondsl

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 05 November 2005 - 02:04 PM

Hi Micah_6:8

I booted into safe mode and followed the instructions as given. The log files are:

Logfile of HijackThis v1.99.1
Scan saved at 7:41:23 AM, on 05/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\PivX\PreEmpt\loadsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\RAMpage\RAMpage.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\cyb2k.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\PivX\PreEmpt\PreEmptST.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ckrw.com/...path=/home.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ckrw.com/...path=/home.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RAMpage] "C:\Program Files\RAMpage\RAMpage.exe" M=28 T=4 P="C:\Program Files\RAMpage\RAMpageConfig.exe"
O4 - HKLM\..\Run: [C2K] C:\WINNT\cyb2k.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: PreEmpt.lnk = C:\Program Files\PivX\PreEmpt\PreEmptST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: symsupportutil -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181...s/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - http://whi-multi.apc.../dolcontrol.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O18 - Protocol: aim - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PreEmpt (qfcoresvc) - PivX Solutions, Inc. - C:\Program Files\PivX\PreEmpt\loadsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)



VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINNT\system32\gebyw.dll

The second filepath entered was C:\WINNT\system32\rqolk.dll

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 116 'smss.exe'

Killing PID 408 'explorer.exe'


Killing PID 164 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINNT\system32\gebyw.dll Deleted sucessfully.
C:\WINNT\system32\rqolk.dll Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

#7 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 05 November 2005 - 02:11 PM

Looks good!!!!

GOD bless you!!!

M68 :)

Items you may wish to consider to harden your defenses against future infections:

Read "How did I get infected in the first place?"

Download/install IE-Spyad

IE-Spyad puts over 4000 known malicious web sites into IE's "restricted zone" to help prevent you from getting infected.

Check your browser settings at Qualsys.com

A series of "tests" (and suggested fixes) to help tweak IE's settings to help prevent infections when surfing the web.

Follow safe Internet practices:

1. Keep your virus definitions up to date, and scan your system regularly.

2. Don't open email, or download attachments from unrecognized email addresses.

3. Be careful when downloading email attachments, EVEN FROM PEOPLE YOU KNOW! Many virii, worms, and trojans infect a persons system then immeadiately spread themselves to the people in the infected persons addressbook via email attachments.

4. Be careful downloading files from the Internet. Scan all downloaded files with a reliable UP-TO-DATE antivirus program. Scan "zip" files BEFORE unzipping, and scan all unzipped files BEFORE USING THEM.

5. Keep your Windows and IE current with all the latest patches and updates.


Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#8 yukondsl

yukondsl

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 05 November 2005 - 02:19 PM

Thank you very much brother for your assistance and for the blessing. Cheers

#9 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 26 November 2005 - 09:16 AM

This topic is now closed.

If you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·