I also have Spybot showing hklm\system\controlset001\services\cmdservice and ...currentcontrolset\services\cmdservice as unfixable and I cannot remove them from the registry. What do these do? What do they start? And how do I change permissions or whatever was said above to blow them away?
thanks,
gsgi
gsgi , hi :)
Please have a look at this thread, last post, where I wrote info about editing the registry. I repeat what I wrote there: don't change anything without backing up.
http://www.landzdown.com/index.php?topic=3566.msg14803#msg14803
You click next to those entries in the registry:
+hkey_local_machine
+system
+controlset001
+services
cmdservice
Right-click "cmdservice" and remove it. If it won't work, follow the instructions on how to change permissions and try again.
Then do the same with
+hkey_local_machine
+system
currentcontrolset
services
cmdservice
Also, I would like to see a HiJack This log. We might be able to modify things from there when we know better what is hiding in your system.
Download HiJack This from here: http://www.thespykiller.co.uk/files/HJTsetup.exe
This will download HiJack This to your computer; choose "Save", navigate to the folder where it's saved and double-click it.
This is a complete installer that installs Hijackthis onto the computer to C:\Program Files\HijackThis and makes an entry in the start menu & allows you to have a shortcut on desktop as well.
Then...
Double-click the HJT icon on your desktop and hit "Do a system scan and save logfile". Save the logfile and a txt file will be produced. Copy that one and paste it here and we'll have a look at it.
Die Hard :)
OK - this is my boss's computer - his kid had Kazaa on it --- it was full of malware.
I have run all of these many times and in safe mode: ad 1.06r, Spybot 1.4, Ewido, NOD32, Microsoft malicious remover, CWShredder 2.15, and Microsoft AntiSpyware ... Trend 2006 won't scan (it doesn't find any drives); nothing else had this problem. McAfee Security Suite comes with our cable modem service - maybe I'll use that ...
hijack log
Logfile of HijackThis v1.99.1
Scan saved at 11:31:04 PM, on 12/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\SYSTEM32\WINLOGON.EXE
D:\WINNT\SYSTEM32\SERVICES.EXE
D:\WINNT\SYSTEM32\LSASS.EXE
D:\WINNT\system32\svchost.exe
D:\WINNT\SYSTEM32\SPOOLSV.EXE
D:\WINNT\System32\svchost.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\PROGRAM FILES\EWIDO ANTI-MALWARE\EWIDOGUARD.EXE
D:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
D:\WINNT\Explorer.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
D:\PROGRAM FILES\AD MUNCHER\ADMUNCH.EXE
D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Outlook Mail Services] express.exe
O4 - HKLM\..\Run: [Ad Muncher] D:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\RunServices: [Outlook Mail Services] express.exe
O4 - HKCU\..\Run: [Outlook Mail Services] express.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
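Added example, not code from the thread and not a HijackThis feature: a small Python triage helper for logs in the format pasted above. It parses the O4 (autostart) and O23 (service) lines and reports the patterns the helpers in this thread acted on: one command registered under several Run keys, a command given as a bare file name with no directory, a service whose binary is "(file missing)", and a service with no owner information. The sample lines are copied from the log above; the function and field names are this example's own.

```python
"""Triage helper for HijackThis v1.99-style logs (added example, not from HJT)."""
import re
from collections import defaultdict

# O4 - HKLM\..\Run: [Outlook Mail Services] express.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<svc>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
MISSING = "(file missing)"

# Constructed sample: a subset of lines from the first log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Outlook Mail Services] express.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [Outlook Mail Services] express.exe
O4 - HKCU\..\Run: [Outlook Mail Services] express.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
"""


def parse_o4(line):
    """Return the fields of an O4 registry Run entry, or None for other lines."""
    m = O4_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    cmd = d["cmd"].strip()
    # The executable is the quoted part, or the first token if unquoted.
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split(" ", 1)[0]
    d["exe"] = exe
    # No drive letter and no directory: Windows resolves it by path search,
    # so the log alone does not tell you which file actually runs.
    d["bare"] = "\\" not in exe and ":" not in exe
    return d


def parse_o23(line):
    """Return the fields of an O23 service entry, or None for other lines."""
    m = O23_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["missing"] = d["path"].endswith(MISSING)
    d["unknown_owner"] = d["owner"].strip().lower() == "unknown owner"
    return d


def triage(log_text):
    """Scan a whole log and return a list of finding dicts."""
    findings = []
    by_exe = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        o4 = parse_o4(line)
        if o4:
            by_exe[o4["exe"].lower()].append(o4["hive"] + "\\..\\" + o4["key"])
            if o4["bare"]:
                findings.append({"kind": "o4-bare-name", "exe": o4["exe"],
                                 "key": o4["hive"] + "\\..\\" + o4["key"]})
            continue
        o23 = parse_o23(line)
        if o23:
            name = o23["svc"] or o23["display"]
            if o23["missing"]:
                # Service registration survives although the binary is gone.
                findings.append({"kind": "o23-file-missing", "svc": name,
                                 "path": o23["path"][: -len(MISSING)].strip()})
            if o23["unknown_owner"]:
                findings.append({"kind": "o23-unknown-owner", "svc": name})
            continue
        if line.endswith(MISSING):  # O3/O9 and similar orphaned references
            findings.append({"kind": "orphan-reference", "line": line})
    # The same command under several Run keys is the pattern express.exe shows.
    for exe, keys in by_exe.items():
        if len(keys) > 1:
            findings.append({"kind": "o4-multiple-keys", "exe": exe,
                             "count": len(keys), "keys": keys})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```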
Hi, gsgi. Die Hard is currently unavailable and asked for backup until he returns.
Real-time monitoring programs can interfere with the cleanup of your computer. It is advisable that you temporarily disable those programs before cleaning and then enable them after the cleanup is completed.
Ewido Security Suite (EwidoGuard)
Launch Ewido and in the main window click "Realtime protection" (in green indicating "Active") to change to inactive.
MS AntiSpyware (MSAS) Beta
1. Right-click on the Microsoft Anti-Spyware icon in the system tray [it's the one with the red and yellow bulls-eye].
2. Click on "Security Agents Status".
3. Click on "Disable real-time protection".
Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware.
1. Click on the Options menu and choose Settings.
2. In the left pane column click on "Real Time Protection".
3. Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)"
4. Under Real-time spyware threat protection, uncheck "Enable real-time spyware threat protection (recommended)".
5. Click the Save button and close Microsoft AntiSpyware.
Finally, right-click on the MSAS icon in the system tray and select "Shutdown Microsoft Antispyware".
Spybot TeaTimer
As you indicated you ran Spybot, please also make sure TeaTimer is also disabled. To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.
You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm
Ok, now that the system is ready, please scan with HijackThis and place a checkmark next to each of the following items and click FIX CHECKED:
R3 - Default URLSearchHook is missing
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [Outlook Mail Services] express.exe
O4 - HKLM\..\RunServices: [Outlook Mail Services] express.exe
O4 - HKCU\..\Run: [Outlook Mail Services] express.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)
Download CCleaner from the link at the upper right of this page: http://www.filehippo.com/download_ccleaner.html .
Instructions for using CCleaner:
1. Before first use, check under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
2. A pop up box will appear advising this process will permanently delete files from your system.
3. To protect logon cookies that you wish to retain, under Options > Cookies, select them and, using the arrow, move those cookies to the "Cookies to keep" column.
4. Then select the items you wish to clean up.
In the Windows Tab:
Clean all entries in the "Internet Explorer" section.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.
In the Applications Tab:
Clean all in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.
5. Click the "Run Cleaner" button and it will scan and clean your system.
6. Click exit.
7. Shutdown/restart the computer.
If you have any questions, just ask.
Please post a fresh HijackThis© (Merijn) log and let us know how your boss's machine is running.
Thanks,
Corrine :rose:
Note: After the cleanup is completed, you'll want to check for Windows updates, as I see IE is at SP1 and needs to be updated to SP2.
OK, I did everything as advised. I uninstalled Trend PC-cillin since it was not working - stopped Ewido, MS AntiSpyware, ran CCleaner, rebooted, unloaded MS AntiSpyware and Ewido and ran HijackThis. I looked for Explorer SP2 but this is 2000 Pro, not XP, so Explorer SP1 seems to be the latest ...
thanks for your wonderful assistance
Logfile of HijackThis v1.99.1
Scan saved at 2:29:07 AM, on 12/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
D:\Program Files\Ad Muncher\AdMunch.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ad Muncher] D:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)
Since I seemed to see Ewido and MS AntiSpyware things in the last HijackThis log, I uninstalled them, rebooted, and here is a cleaner HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:37:23 AM, on 12/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
D:\Program Files\Ad Muncher\AdMunch.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ad Muncher] D:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)
gsgi :)
You had the utmost expertise helping you out while I was absent :)
Maybe you misunderstood the advice about Ewido and MSAS ? You should just turn off the real time monitor.
But never mind, they are free so please install them again , they work wonderfully together.
Ewido: http://www.ewido.net/en/download/
MSAS: http://www.microsoft.com/athome/security/spyware/software/default.mspx
Install them both to start with, but turn off the real time monitor in accordance with Corrine's instructions :)
Do not run them yet.
A quick guide to the Ewido program is found here:
http://www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf
Start with HiJack This and checkmark this detail, then hit "fix checked" and click "yes" at the prompt that follows:
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)
Now reboot into safe mode (press the F8 key repeatedly on bootup) and delete the following files, in bold text. Once the computer starts in safe mode your desktop will look different than usual, with fewer icons, and they are larger:
D:\WINNT\msvcrs.exe
D:\WINNT\express.exe
In order to find them, click (Windows key+E) and in the toolbar click "Tools > Folder options" and under the "View" tab checkmark "Show hidden files and folders" and uncheck "Hide protected system files" and "Hide file extensions for known file types".
Now, while still in safe mode, run the Ewido scanner and remove what it finds. Save the report and reboot normally and post the Ewido report together with a new HiJack This log.
Die Hard :)
Logfile of HijackThis v1.99.1
Scan saved at 10:41:14 AM, on 12/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
D:\Program Files\Ad Muncher\AdMunch.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\ewido anti-malware\securitysuite.exe
D:\Program Files\Hijackthis\HijackThis.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ad Muncher] D:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:28:47 AM, 12/23/2005
+ Report-Checksum: 25BA7EE0
+ Scan result:
C:\WINDOWS\Application Data\Wildtangent\Cdacache\00\00\15.dat/wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\_RESTORE\ARCHIVE\FS1469.CAB/A0154874.CPY -> Spyware.WildTangent : Cleaned with backup
C:\_RESTORE\ARCHIVE\FS1469.CAB/A0154918.CPY -> Spyware.WildTangent : Cleaned with backup
::Report End
D:\WINNT\msvcrs.exe
D:\WINNT\express.exe
I did not find these files, but I did forget to click on show hidden files. I did a dir /s from a cmd window to look over the whole HD for them too. I'll look again, this time with the system file switches.
-gsgi
D:\WINNT\msvcrs.exe
D:\WINNT\express.exe
These files do not exist. I have double-checked the whole system.
-gsgi
I have now also scanned with panda on-line, bit-defender on-line and trojan hunter on-line ... a few things were found and deleted but nothing I think was running.
Housecall will not work, nor will PC-cillin 2006. Two processes do not finish loading when PC-cillin 2006 is installed, ctlart32.exe and asynwcfg.exe ... asynwcfg is in winnt/system32 and is not marked at all. ctlart32.exe is in program files\mvrinzip and is marked with long nonsensical strings in the comments, company name, internal name etc ... there is also an ace.dll and a wingenerics.dll in this directory, and ace.dll on Google comes up as this: http://www.scanspyware.net/info/PeopleOnPage.AproposMedia.htm
ctlart32.exe shows up in the registry at HK USERS s-1-...\software\microsoft\internet explorer\explorer bars
ace.dll shows up in the installation history of the registry at the end of a line on acrobat reader
thanks,
greg
gsgi :)
Sorry for the late reply :flowers:
We celebrate holidays, but malware doesn't :(
Download the FREE Swandog46 Apropos Fix from here :
http://swandog46.geekstogo.com/aproposfix.exe
Save to your desktop but DON'T run it just yet.
Reboot your computer in Safe Mode. Reboot and tap the F8 key repeatedly on bootup.
Then Unzip aproposfix.exe to your desktop. From inside the new folder run the RunThis.bat and follow the prompts.
While still in safe mode, run Ewido once again.
After they have completed reboot back as Normal and post the Ewido report together with a new HiJack This log.
Die Hard :)
Logfile of HijackThis v1.99.1
Scan saved at 7:23:14 AM, on 12/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\userinit.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ad Muncher] D:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - D:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Secure MSVS (MicroService32) - Unknown owner - D:\WINNT\msvcrs.exe (file missing)
I think this is pretty clean. Still left with the last entry, which does not go away even when I select fix_this in HijackThis, and the original problem I posted about -- cmdservice entries remain unfixable by Spybot -- what are they... Also I have run sfc /scannow ... svchost crashes when loading safe mode with networking support, but safe mode and normal mode are unaffected ...
gsgi :)
Could you please do this for me?
Open the registry editor (click [windowskey+R] and type regedit>OK ) and navigate to the following regkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE083}
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
Once found, on each of them click "File > Export" in the toolbar and choose to export them as a .txt file to a location of your convenience.
Then copy the contents of the text-files and post it here.
Die Hard :)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
@=""
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID"=hex:09,04
"@D:\\WINNT\\system32\\shell32.dll,-9227"="My Documents"
"@D:\\WINNT\\system32\\shell32.dll,-8964"="Recycle Bin"
"@D:\\WINNT\\system32\\shell32.dll,-9216"="My Computer"
"@D:\\WINNT\\system32\\shell32.dll,-9217"="My Network Places"
"@shdoclc.dll,-866"="Related"
"@shdoclc.dll,-864"="Show &Related Links"
"@shdoclc.dll,-865"="Shows links related to the current page."
"@D:\\WINNT\\System32\\cdfview.dll,-4610"="Channel File"
"@shdoclc.dll,-867"="&Tip of the Day"
"@shdoclc.dll,-868"="Shows the Tip of the Day."
"@browselc.dll,-13137"="&Address"
"@browselc.dll,-13138"="&Links"
"@D:\\Program Files\\AIM\\AimRes.dll,-255"="AOL Instant Messenger"
"@D:\\WINNT\\System32\\msi.dll,-34"="Windows Installer Package"
"@D:\\WINNT\\System32\\msi.dll,-35"="Windows Installer Patch"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-3"="AIFF Audio File"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-5"="Audio CD Track"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-6"="iTunes Music Database File"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-16"="iTunes Music Store URL"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-7"="M3U Audio Playlist"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-1"="MPEG-4 Audio File"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-2"="MPEG-4 Audio File (Protected)"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-9"="MPEG Layer 2 Audio"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-10"="MPEG Layer 3 Audio"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-12"="PLS Audio Playlist"
"@D:\\Program Files\\iTunes\\iTunes.Resources\\iTunesRegistry.dll,-15"="WAVE Audio File"
"@D:\\WINNT\\inf\\unregmp2.exe,-9903"="AIFF Format Sound"
"@D:\\WINNT\\inf\\unregmp2.exe,-9909"="Windows Media Audio/Video file"
"@D:\\WINNT\\inf\\unregmp2.exe,-9910"="Windows Media Audio/Video playlist"
"@D:\\WINNT\\inf\\unregmp2.exe,-9904"="AU Format Sound"
"@D:\\WINNT\\inf\\unregmp2.exe,-9905"="Video Clip"
"@D:\\WINNT\\inf\\unregmp2.exe,-9918"="CD Audio Track"
"@D:\\WINNT\\inf\\unregmp2.exe,-9902"="Movie Clip"
"@D:\\WINNT\\inf\\unregmp2.exe,-9926"="M3U file"
"@D:\\WINNT\\inf\\unregmp2.exe,-9907"="MIDI Sequence"
"@D:\\WINNT\\inf\\unregmp2.exe,-9925"="MP3 Format Sound"
"@D:\\WINNT\\inf\\unregmp2.exe,-9908"="Wave Sound"
"@D:\\WINNT\\inf\\unregmp2.exe,-9911"="Windows Media Audio shortcut"
"@D:\\WINNT\\inf\\unregmp2.exe,-9912"="Windows Media Audio file"
"@D:\\WINNT\\inf\\unregmp2.exe,-9920"="Windows Media Player Download Package"
"@D:\\WINNT\\inf\\unregmp2.exe,-9915"="Windows Media Player Skin File"
"@D:\\WINNT\\inf\\unregmp2.exe,-9914"="Windows Media Audio/Video file"
"@D:\\WINNT\\inf\\unregmp2.exe,-9916"="Windows Media Player Skin Package"
"@D:\\WINNT\\inf\\unregmp2.exe,-9923"="Windows Media playlist"
"@D:\\WINNT\\inf\\unregmp2.exe,-9913"="Windows Media Audio/Video playlist"
"@inetcplc.dll,-4774"="ActiveX controls and plug-ins"
"@inetcplc.dll,-4775"="Run ActiveX controls and plug-ins"
"@inetcplc.dll,-4803"="Enable"
"@inetcplc.dll,-4806"="Administrator approved"
"@inetcplc.dll,-4805"="Disable"
"@inetcplc.dll,-4804"="Prompt"
"@inetcplc.dll,-4776"="Download signed ActiveX controls"
"@inetcplc.dll,-4783"="Initialize and script ActiveX controls not marked as safe"
"@inetcplc.dll,-4784"="Script ActiveX controls marked safe for scripting"
"@inetcplc.dll,-4777"="Download unsigned ActiveX controls"
"@inetcplc.dll,-4788"="User Authentication"
"@inetcplc.dll,-4790"="Logon"
"@inetcplc.dll,-4807"="Anonymous logon"
"@inetcplc.dll,-4808"="Prompt for user name and password"
"@inetcplc.dll,-4810"="Automatic logon only in Intranet zone"
"@inetcplc.dll,-4809"="Automatic logon with current username and password"
"@inetcplc.dll,-4791"="Downloads"
"@inetcplc.dll,-4792"="File download"
"@inetcplc.dll,-4793"="Font download"
"@vmhelper.dll,-4003"="Java permissions"
"@vmhelper.dll,-4004"="Custom"
"@vmhelper.dll,-4005"="Disable Java"
"@vmhelper.dll,-4006"="High safety"
"@vmhelper.dll,-4007"="Low safety"
"@vmhelper.dll,-4008"="Medium safety"
"@inetcplc.dll,-4794"="Miscellaneous"
"@inetcplc.dll,-4862"="Don't prompt for client certificate selection when no certificates or only one certificate exists"
"@inetcplc.dll,-4785"="Access data sources across domains"
"@inetcplc.dll,-4796"="Drag and drop or copy and paste files"
"@inetcplc.dll,-4797"="Submit nonencrypted form data"
"@inetcplc.dll,-4795"="Installation of desktop items"
"@inetcplc.dll,-4798"="Launching programs and files in an IFRAME"
"@inetcplc.dll,-4870"="Allow META REFRESH"
"@inetcplc.dll,-4872"="Display mixed content"
"@inetcplc.dll,-4830"="Software channel permissions"
"@inetcplc.dll,-4816"="High safety"
"@inetcplc.dll,-4814"="Low safety"
"@inetcplc.dll,-4815"="Medium safety"
"@inetcplc.dll,-4855"="Navigate sub-frames across different domains"
"@inetcplc.dll,-4853"="Userdata persistence"
"@inetcplc.dll,-4782"="Scripting"
"@inetcplc.dll,-4786"="Active scripting"
"@inetcplc.dll,-4787"="Scripting of Java applets"
"@inetcplc.dll,-4854"="Allow paste operations via script"
"@inetcplc.dll,-4746"="Accessibility"
"@inetcplc.dll,-4731"="Always expand ALT text for images"
"@inetcplc.dll,-4732"="Move system caret with focus/selection changes"
"@inetcplc.dll,-4745"="Browsing"
"@inetcplc.dll,-4852"="Use inline AutoComplete"
"@inetcplc.dll,-4856"="Enable Personalized Favorites Menu"
"@inetcplc.dll,-4866"="Force offscreen compositing even under Terminal Server (requires restart)"
"@inetcplc.dll,-4833"="Show friendly HTTP error messages"
"@inetcplc.dll,-4734"="Show friendly URLs"
"@inetcplc.dll,-4743"="Use Passive FTP (for firewall and DSL modem compatibility)"
"@inetcplc.dll,-4737"="Enable folder view for FTP sites"
"@inetcplc.dll,-4840"="Show Go button in Address bar"
"@inetcplc.dll,-4748"="Show Internet Explorer on the desktop"
"@inetcplc.dll,-4837"="Automatically check for Internet Explorer updates"
"@inetcplc.dll,-4836"="Enable Install On Demand (Internet Explorer)"
"@inetcplc.dll,-4835"="Notify when downloads complete"
"@inetcplc.dll,-4838"="Close unused folders in History and Favorites (requires restart)"
"@inetcplc.dll,-4829"="Enable page transitions"
"@inetcplc.dll,-4861"="Reuse windows for launching shortcuts"
"@inetcplc.dll,-4736"="Enable offline items to be synchronized on a schedule"
"@inetcplc.dll,-4831"="Disable script debugging"
"@inetcplc.dll,-4832"="Display a notification about every script error"
"@inetcplc.dll,-4735"="Use smooth scrolling"
"@inetcplc.dll,-4828"="Underline links"
"@inetcplc.dll,-4825"="Always"
"@inetcplc.dll,-4827"="Hover"
"@inetcplc.dll,-4826"="Never"
"@inetcplc.dll,-4874"="Enable third-party browser extensions (requires restart)"
"@inetcplc.dll,-4839"="Always send URLs as UTF-8 (requires restart)"
"@inetcplc.dll,-4875"="Enable Install On Demand (Other)"
"@inetcplc.dll,-4747"="Security"
"@inetcplc.dll,-4750"="Empty Temporary Internet Files folder when browser is closed"
"@inetcplc.dll,-4749"="Do not save encrypted pages to disk"
"@inetcplc.dll,-4761"="Check for publisher's certificate revocation"
"@inetcplc.dll,-4762"="Check for signatures on downloaded programs"
"@inetcplc.dll,-4863"="Enable Integrated Windows Authentication (requires restart)"
"@inetcplc.dll,-4756"="Enable Profile Assistant"
"@inetcplc.dll,-4757"="Warn if changing between secure and not secure mode"
"@inetcplc.dll,-4759"="Warn about invalid site certificates"
"@inetcplc.dll,-4752"="Use SSL 2.0"
"@inetcplc.dll,-4753"="Use SSL 3.0"
"@inetcplc.dll,-4760"="Check for server certificate revocation (requires restart)"
"@inetcplc.dll,-4758"="Warn if forms submittal is being redirected"
"@inetcplc.dll,-4754"="Use TLS 1.0"
"@inetcplc.dll,-4822"="HTTP 1.1 settings"
"@inetcplc.dll,-4823"="Use HTTP 1.1"
"@inetcplc.dll,-4824"="Use HTTP 1.1 through proxy connections"
"@vmhelper.dll,-4000"="Java console enabled (requires restart)"
"@vmhelper.dll,-4001"="JIT compiler for virtual machine enabled (requires restart)"
"@vmhelper.dll,-4002"="Java logging enabled"
"@inetcplc.dll,-4744"="Multimedia"
"@inetcplc.dll,-4741"="Play animations in web pages"
"@inetcplc.dll,-4871"="Enable Automatic Image Resizing"
"@inetcplc.dll,-4876"="Don't display online media content in the media bar"
"@inetcplc.dll,-4865"="Enable Image Toolbar (requires restart)"
"@inetcplc.dll,-4742"="Show pictures"
"@inetcplc.dll,-4843"="Show image download placeholders"
"@inetcplc.dll,-4738"="Smart image dithering"
"@inetcplc.dll,-4739"="Play sounds in web pages"
"@inetcplc.dll,-4740"="Play videos in web pages"
"@inetcplc.dll,-4769"="Printing"
"@inetcplc.dll,-4770"="Print background colors and images"
"@inetcplc.dll,-4771"="Search from the Address bar"
"@inetcplc.dll,-4844"="When searching"
"@inetcplc.dll,-4845"="Display results, and go to the most likely site"
"@inetcplc.dll,-4847"="Just display the results in the main window"
"@inetcplc.dll,-4846"="Just go to the most likely site"
"@inetcplc.dll,-4848"="Do not search from the Address bar"
"@shell32.dll,-28964"="You have chosen to display protected operating system files (files labeled System and Hidden) in Windows Explorer.
These files are required to start and run Windows 2000. Deleting or editing them can make your computer inoperable.
Are you sure you want to display these files?"
gsgi :)
Nothing is showing there. That´s good....and bad, because we still haven´t found the strange items we´re looking for.
Could you please run a tool called datFind.bat : http://virus-protect.net/bat/datFind.bat
When you click it once it will create a log; collapse it to the taskbar and press any key to create the next one, until you have four logs. Copy the top files in the logs from the last 2 months and paste it into the thread.
And I wish you a Happy New Year :thumbsup:
Die Hard :)
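Added example (my code, not from the thread and not part of datFind.bat): a small Python triage script that parses the dir-style listing datFind produces and applies the "last 2 months" rule Die Hard asks for. The sample listing is constructed in the posted layout with a few names taken from the logs in this thread; the reference date (31 Dec 2005) and the 60-day window are assumptions. The Perflib_Perfdata filter is there because those .dat files are temporary performance-counter files Windows creates on its own, so they only bury the files you actually want to see.

```python
"""Triage a pasted Windows dir listing in the datFind.bat layout.

Added example; not from the thread and not part of datFind.bat.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the same layout as the posted datFind logs
# (some names borrowed from the thread, dates chosen to exercise the parser).
SAMPLE_LISTING = """\
 Volume in drive D has no label.
 Volume Serial Number is 0000-0000
 Directory of D:\\WINNT\\system32
12/23/2005 11:26p 2,550 Uninstall.ico
12/21/2005 11:35a 16,384 Perflib_Perfdata_648.dat
12/14/2005 05:28p 1,145 0g6490eo.sys
12/07/2005 01:38p 2,714,976 MRT.exe
10/21/2005 02:05p 184,320 adwerkz.dll
09/23/2005 06:03a 2,360,592 SHELL32.DLL
 Volume in drive D has no label.
 Directory of D:\\WINNT
12/29/2005 07:46a <DIR> dllcache
12/31/2005 09:37a 2,004,414 WindowsUpdate.log
 Directory of D:\\
11/13/2005 07:12p 11,321,344 iPod for Windows 2005-10-12.msi
 1 File(s) 11,321,344 bytes
"""

# Assumed "today" for the example; use the date the logs were taken in practice.
REFERENCE_DATE = datetime(2005, 12, 31)

ENTRY_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})([ap])\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
DIR_RE = re.compile(r"^\s*Directory of\s+(.+?)\s*$")
# Perflib_Perfdata_*.dat are temporary performance-counter files Windows
# writes constantly; they are filtered as noise in the recent-files view.
NOISE_RE = re.compile(r"^Perflib_Perfdata_[0-9a-f]+\.dat$", re.IGNORECASE)


def parse_listing(text):
    """Return one dict per file/dir line, tagged with its 'Directory of' header."""
    entries, current_dir = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # volume headers, totals, blank lines
        date, clock, meridian, size, name = m.groups()
        # dir prints 12-hour times with a bare a/p suffix
        stamp = datetime.strptime(
            f"{date} {clock}{'AM' if meridian == 'a' else 'PM'}", "%m/%d/%Y %I:%M%p")
        is_dir = size == "<DIR>"
        entries.append({
            "directory": current_dir,
            "mtime": stamp,
            "is_dir": is_dir,
            "size": None if is_dir else int(size.replace(",", "")),
            "name": name,
        })
    return entries


def recent_files(entries, reference, days=60, drop_noise=True):
    """Files modified within `days` of `reference`, newest first."""
    cutoff = reference - timedelta(days=days)
    hits = [e for e in entries
            if not e["is_dir"] and e["mtime"] >= cutoff
            and not (drop_noise and NOISE_RE.match(e["name"]))]
    return sorted(hits, key=lambda e: e["mtime"], reverse=True)


if __name__ == "__main__":
    for e in recent_files(parse_listing(SAMPLE_LISTING), REFERENCE_DATE):
        print(f"{e['mtime']:%Y-%m-%d %H:%M}  {e['size']:>12,}  {e['directory']}\\{e['name']}")
```

Paste all four datFind logs into one file and feed it to parse_listing; every file keeps the directory it was listed under, so the output can be read top-down without losing track of which folder a name came from.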
Volume in drive D has no label.
Volume Serial Number is C88A-F42B
Directory of D:\WINNT\system32
12/23/2005 11:26p 2,550 Uninstall.ico
12/23/2005 11:26p 1,406 Help.ico
12/23/2005 11:26p 1,718 Open.ico
12/23/2005 11:26p 5,350 IE.ico
12/23/2005 11:26p 9,470 Desktop.ico
12/23/2005 11:26p 1,718 Quick.ico
12/23/2005 09:50p 0 asfiles.txt
12/21/2005 11:35a 16,384 Perflib_Perfdata_648.dat
12/18/2005 11:09p 181,760 AM-Install.exe
12/18/2005 10:12p 2,715 MRT.INI
12/18/2005 09:56p 16,384 Perflib_Perfdata_454.dat
12/14/2005 05:28p 1,145 0g6490eo.sys
12/14/2005 05:24p 16,384 Perflib_Perfdata_51c.dat
12/13/2005 10:22p 16,384 Perflib_Perfdata_134.dat
12/13/2005 10:19p 16,384 Perflib_Perfdata_4f0.dat
12/13/2005 10:18p 16,384 Perflib_Perfdata_318.dat
12/13/2005 04:50p 16,384 Perflib_Perfdata_47c.dat
12/12/2005 09:57p 16,384 Perflib_Perfdata_310.dat
12/12/2005 05:02p 16,384 Perflib_Perfdata_4b8.dat
12/11/2005 04:46p 16,384 Perflib_Perfdata_48c.dat
12/09/2005 10:56a 16,384 Perflib_Perfdata_524.dat
12/07/2005 01:38p 2,714,976 MRT.exe
12/04/2005 12:31p 16,384 Perflib_Perfdata_52c.dat
12/03/2005 11:04p 16,384 Perflib_Perfdata_49c.dat
12/03/2005 10:37p 16,384 Perflib_Perfdata_498.dat
12/03/2005 10:32p 16,384 Perflib_Perfdata_1dc.dat
12/03/2005 08:40a 16,384 Perflib_Perfdata_3f8.dat
12/03/2005 08:37a 16,384 Perflib_Perfdata_4cc.dat
12/03/2005 08:36a 16,384 Perflib_Perfdata_3a0.dat
12/03/2005 07:52a 4,147,013 etwr.txt
11/22/2005 04:49p 2,700,288 MSHTML.DLL
11/16/2005 05:07p 16,384 Perflib_Perfdata_490.dat
11/15/2005 12:12p 126,680 GCCollection.dll
11/15/2005 12:12p 117,976 hashlib.dll
11/15/2005 12:12p 95,448 gcUnCompress.dll
11/14/2005 09:46p 624 app.log
11/09/2005 10:14p 91,888 FNTCACHE.DAT
11/03/2005 05:23p 16,384 Perflib_Perfdata_3a8.dat
10/29/2005 07:13a 16,384 Perflib_Perfdata_38c.dat
10/23/2005 10:28p 13,536 spmsg.dll
10/22/2005 02:55p 16,384 Perflib_Perfdata_434.dat
10/21/2005 03:17p 1,339,392 SHDOCVW.DLL
10/21/2005 02:05p 184,320 adwerkz.dll
10/21/2005 12:51p 575,488 WININET.DLL
10/21/2005 12:51p 459,776 URLMON.DLL
10/21/2005 12:49p 192,512 DXTRANS.DLL
10/21/2005 12:49p 496,640 MSTIME.DLL
10/20/2005 07:08p 986,112 DANIM.DLL
10/07/2005 01:19a 233,744 GDI32.DLL
10/06/2005 04:33a 1,638,672 WIN32K.SYS
10/06/2005 04:20a 1,713,600 NTKRNLPA.EXE
10/06/2005 04:20a 1,691,008 NTOSKRNL.EXE
09/23/2005 06:03a 245,008 WINSRV.DLL
09/23/2005 06:03a 1,120,016 webvw.dll
09/23/2005 06:03a 17,680 linkinfo.dll
09/23/2005 06:03a 2,360,592 SHELL32.DLL
09/05/2005 03:18a 35,600 mtxlegih.dll
09/05/2005 03:18a 122,640 mtxoci.dll
09/05/2005 03:18a 71,440 stclient.dll
09/05/2005 03:18a 19,216 xolehlp.dll
09/05/2005 03:18a 153,872 msdtcui.dll
09/05/2005 03:18a 1,200,400 msdtctm.dll
09/05/2005 03:18a 726,288 msdtcprx.dll
09/05/2005 03:18a 52,496 mtxclu.dll
09/05/2005 03:18a 26,896 mtxdm.dll
09/05/2005 03:18a 96,016 msdtclog.dll
09/05/2005 03:18a 1,471,248 comsvcs.dll
09/05/2005 03:18a 625,936 comuid.dll
09/05/2005 03:18a 36,624 OLECNV32.DLL
09/05/2005 03:18a 398,608 txfaux.dll
09/05/2005 03:18a 165,648 catsrv.dll
09/05/2005 03:18a 69,392 olecli32.dll
09/05/2005 03:18a 595,728 catsrvut.dll
09/05/2005 03:18a 97,040 clbcatex.dll
09/05/2005 03:18a 551,184 clbcatq.dll
09/05/2005 03:18a 97,552 comrepl.dll
09/05/2005 03:18a 41,744 colbact.dll
09/05/2005 03:18a 242,448 es.dll
09/05/2005 03:18a 957,712 OLE32.DLL
09/05/2005 03:18a 212,240 rpcss.dll
09/02/2005 04:24a 94,480 UMPNPMGR.DLL
Volume in drive D has no label.
Volume Serial Number is C88A-F42B
Directory of D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
12/31/2005 09:37a 618 jusched.log
1 File(s) 618 bytes
0 Dir(s) 60,721,922,048 bytes free
Volume in drive D has no label.
Volume Serial Number is C88A-F42B
Directory of D:\WINNT
12/31/2005 09:37a 2,004,414 WindowsUpdate.log
12/30/2005 12:45a 32,634 SchedLgU.Txt
12/30/2005 12:45a 1,008,438 ShellIconCache
12/29/2005 07:46a 13,732 unmsjvm.log
12/29/2005 07:25a 0 Sti_Trace.log
12/29/2005 07:21a 35,546 ntbtlog.txt
12/28/2005 12:25a 24 prf5d
12/23/2005 11:53p 229,376 outlook.pst
12/23/2005 11:26p 32 pavsig.txt
12/23/2005 09:49p 787 win.ini
12/22/2005 02:40a 0 nsreg.dat
12/22/2005 02:40a 107,132 UninstallFirefox.exe
12/22/2005 02:40a 2,293 mozver.dat
12/04/2005 12:28p 231 SYSTEM.INI
10/02/2005 11:36a 35,280 Administrator.acl
09/28/2005 03:36p 0 iPlayer.INI
07/20/2005 08:59a 57,344 uneng.exe
04/14/2005 05:08p 10,752 hh.exe
03/16/2005 06:56p 7,168 Administrator.pcb
03/04/2005 02:10p 106,496 bdoscandel.exe
03/01/2005 03:30p 453 bdoscandellang.ini
12/30/2004 07:02p 6,144 ArtGalry.cag
12/17/2004 09:06p 31 ?
12/17/2004 08:50p 31 G
08/15/2004 08:12p 316,640 WMSysPr9.prx
08/15/2004 08:10p 23,494 Microsoft Outlook.FAV
08/15/2004 08:10p 681 Win.ipe
08/15/2004 07:36p 22 exchng.ini
08/15/2004 07:36p 4,254 ODBCINST.INI
08/15/2004 07:36p 707 ODBC.INI
08/15/2004 05:40p 288,880 WMSysPrx.prx
08/15/2004 05:39p 395 videoimp.ini
08/15/2004 04:27p 0 control.ini
08/15/2004 04:26p 271 desktop.ini
08/15/2004 04:26p 21,692 folder.htt
08/15/2004 04:24p 36 vb.ini
08/15/2004 04:24p 37 vbaddin.ini
08/15/2004 12:19p 41 ModemDet.txt
08/15/2004 12:15p 231 System.ipe
08/15/2004 12:15p 231 SYSTEM.UNV
06/18/2004 01:40p 33,280 muninst.exe
Volume in drive D has no label.
Volume Serial Number is C88A-F42B
Directory of D:\
12/31/2005 09:41a 0 sys.txt
12/31/2005 09:41a 4,885 systemc.txt
12/31/2005 09:41a 4,885 system.txt
12/31/2005 09:41a 275 systemtempa.txt
12/31/2005 09:40a 275 systemtemp.txt
12/31/2005 09:40a 91,915 system32a.txt
12/31/2005 09:39a 91,915 system32.txt
12/31/2005 09:39a 429 datFind.bat
12/31/2005 09:37a 201,326,592 pagefile.sys
12/23/2005 10:41a 4,030 hijack.log
12/23/2005 10:28a 1,132 ewido.txt
11/13/2005 07:12p 11,321,344 iPod for Windows 2005-10-12.msi
11/13/2005 07:12p 740,864 1033.MST
11/13/2005 07:11p 4,632 0x0409.ini
10/19/2005 02:28p 3,687 data
09/15/2005 01:42p 207 IPH.PH
08/15/2004 08:23p 1,024 system.dat
08/15/2004 12:46p 4,818 ffastun.ffa
08/15/2004 12:46p 110,592 ffastun.ffo
08/15/2004 12:46p 114,688 ffastun.ffl
08/15/2004 12:46p 344,064 ffastun0.ffx
21 File(s) 214,172,253 bytes
0 Dir(s) 60,721,901,568 bytes free
Are we hunting a BHO exploit - or aren't we too sure how whatever crap is left is running?
-greg
Here is a sysinternals shortened autoruns log - autoruns is really cool
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ Ad Muncher d:\program files\ad muncher\admunch.exe
+ iTunesHelper iTunesHelper Module (Not verified) Apple Computer, Inc. d:\program files\itunes\ituneshelper.exe
+ SunJavaUpdateSched Java(TM) 2 Platform Standard Edition binary (Not verified) Sun Microsystems, Inc. d:\program files\java\jre1.5.0_01\bin\jusched.exe
D:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup
+ Adobe Gamma Loader.lnk Adobe Gamma Loader (Not verified) Adobe Systems, Inc. d:\program files\common files\adobe\calibration\adobe gamma loader.exe
+ Adobe Reader Speed Launch.lnk Adobe Acrobat SpeedLauncher (Not verified) Adobe Systems Incorporated d:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Display Panning CPL Extension File not found: deskpan.dll
+ SmartFTP Shell Extension DLL SmartFTP Shell Extension (Not verified) SmartFTP d:\program files\smartftp\smarthook.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. d:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. d:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. d:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. d:\program files\winzip\wzshlstb.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ PDF Shell Extension PDF Shell Extension (Not verified) Adobe Systems, Inc. d:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ AcroIEHlprObj Class Adobe Acrobat IE Helper Version 7.0 for ActiveX (Verified) Adobe Systems, Incorporated d:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
HKLM\System\CurrentControlSet\Services
+ MicroService32 Filters Bad Packets File not found: D:\WINNT\msvcrs.exe
HKLM\System\CurrentControlSet\Services
+ GEARAspiWDM CDRom Class Filter Driver (Verified) GEAR Software Inc. d:\winnt\system32\drivers\gearaspiwdm.sys
+ nv4 NVIDIA Compatible Windows 2000 Miniport Driver, Version 6.34 (Not verified) NVIDIA Corporation d:\winnt\system32\drivers\nv4_mini.sys
+ RIOUNIV Rio USB driver (Not verified) Digital Networks North America, Inc. d:\winnt\system32\drivers\riouniv.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ NVDESK32.DL File not found: NVDESK32.DL
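Added example (my code, not part of greg's post and not part of Sysinternals Autoruns): a Python parser for the pasted Autoruns text format that flags the two things worth chasing in a log like this one, entries whose target file no longer exists (an orphaned autostart such as the MicroService32 service above, which still points at a file that is gone) and unverified code registered in high-impact locations (Services, AppInit_DLLs, Winlogon\Notify, Browser Helper Objects). The sample lines are copied from the log above so the script runs offline; the list of sensitive locations is my own selection.

```python
"""Parse a pasted Sysinternals Autoruns text log and flag entries worth a look.

Added example; not from the thread and not part of Autoruns.
"""
import re

# Locations where unverified code deserves a second look (my selection).
SENSITIVE_LOCATIONS = (
    "\\Winlogon\\Notify",
    "\\Appinit_Dlls",
    "\\Browser Helper Objects",
    "\\Services",
)

# Sample lines copied from the Autoruns log posted above.
SAMPLE_AUTORUNS = """\
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
+ Ad Muncher d:\\program files\\ad muncher\\admunch.exe
+ iTunesHelper iTunesHelper Module (Not verified) Apple Computer, Inc. d:\\program files\\itunes\\ituneshelper.exe
HKLM\\System\\CurrentControlSet\\Services
+ MicroService32 Filters Bad Packets File not found: D:\\WINNT\\msvcrs.exe
+ GEARAspiWDM CDRom Class Filter Driver (Verified) GEAR Software Inc. d:\\winnt\\system32\\drivers\\gearaspiwdm.sys
+ nv4 NVIDIA Compatible Windows 2000 Miniport Driver, Version 6.34 (Not verified) NVIDIA Corporation d:\\winnt\\system32\\drivers\\nv4_mini.sys
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls
+ NVDESK32.DL File not found: NVDESK32.DL
"""

ENTRY_RE = re.compile(r"^\+\s+(.*\S)\s*$")
MISSING_RE = re.compile(r"^(.*?)\s+File not found:\s+(.+)$")
SIGNED_RE = re.compile(
    r"^(.*?)\s+\((Verified|Not verified)\)\s+(.*?)\s+([A-Za-z]:\\.*)$")
PLAIN_RE = re.compile(r"^(.*?)\s+([A-Za-z]:\\.*)$")


def parse_autoruns(text):
    """Return one dict per '+' entry, tagged with the location header above it."""
    entries, location = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            location = line          # registry key or startup-folder header
            continue
        body = m.group(1)
        # "name" holds the entry name plus description as Autoruns ran them together
        entry = {"location": location, "name": body, "path": None,
                 "publisher": None, "verified": None, "missing": False}
        mm = MISSING_RE.match(body)
        if mm:
            entry.update(name=mm.group(1), path=mm.group(2), missing=True)
        else:
            mm = SIGNED_RE.match(body)
            if mm:
                entry.update(name=mm.group(1), verified=mm.group(2) == "Verified",
                             publisher=mm.group(3), path=mm.group(4))
            else:
                mm = PLAIN_RE.match(body)
                if mm:
                    entry.update(name=mm.group(1), path=mm.group(2))
        entries.append(entry)
    return entries


def is_sensitive(location):
    loc = (location or "").lower()
    return any(s.lower() in loc for s in SENSITIVE_LOCATIONS)


def triage(entries):
    """(name, reason) for orphaned entries and unverified code in sensitive spots."""
    findings = []
    for e in entries:
        if e["missing"]:
            findings.append((e["name"],
                             "orphaned autostart: target file missing (" + str(e["path"]) + ")"))
        elif is_sensitive(e["location"]) and not e["verified"]:
            findings.append((e["name"],
                             "unverified code in sensitive location " + e["location"]))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_autoruns(SAMPLE_AUTORUNS)):
        print(f"{name}: {reason}")
```

An orphaned entry is not harmless just because its file is gone: the registry still tells Windows to load it, and a cleaner that later restores or reuses that name gets loaded with it, which is why the thread keeps circling back to the registry keys rather than just the files.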
gsgi :)
Finally we found something !
This file doesn´t belong in your system: adwerkz.dll. It has been there for a while; it might not be active with its friends lost.
Please download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
Once posted, do not restart your pc until suggested.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
Die Hard :)
L2MFIX find log 122705
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Explode"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
D:\WINNT\SYSTEM32\
adwerkz.dll Fri Oct 21 2005 2:05:50p A.... 184,320 180.00 K
danim.dll Thu Oct 20 2005 7:08:44p A.... 986,112 963.00 K
dxtrans.dll Fri Oct 21 2005 12:49:58p A.... 192,512 188.00 K
gccoll~1.dll Tue Nov 15 2005 12:12:08p A.... 126,680 123.71 K
gcunco~1.dll Tue Nov 15 2005 12:12:06p A.... 95,448 93.21 K
gdi32.dll Fri Oct 7 2005 1:19:38a A.... 233,744 228.27 K
hashlib.dll Tue Nov 15 2005 12:12:08p A.... 117,976 115.21 K
mshtml.dll Tue Nov 22 2005 4:49:10p A.... 2,700,288 2.57 M
mstime.dll Fri Oct 21 2005 12:49:52p ..... 496,640 485.00 K
shdocvw.dll Fri Oct 21 2005 3:17:22p A.... 1,339,392 1.28 M
spmsg.dll Sun Oct 23 2005 10:28:08p ..... 13,536 13.22 K
urlmon.dll Fri Oct 21 2005 12:51:26p A.... 459,776 449.00 K
wininet.dll Fri Oct 21 2005 12:51:36p A.... 575,488 562.00 K
13 items found: 13 files, 0 directories.
Total of file sizes: 7,521,912 bytes 7.17 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive D has no label.
Volume Serial Number is C88A-F42B
Directory of D:\WINNT\System32
12/29/2005 07:46a <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 60,718,563,328 bytes free
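Added example (my code, not L2MFix's and not from the thread): a Python reader for Regedit 5.00 exports, the format Die Hard asked for earlier and the one the Winlogon/notify section of the L2MFix log is in. It joins backslash-continued lines, decodes hex(2) values (REG_EXPAND_SZ, stored as UTF-16LE) back into text, treats value names case-insensitively (the log shows both DllName and DLLName), and lists every Winlogon\Notify subkey whose DLL is not on an allowlist. A DLL registered there is loaded by winlogon at logon, which is why one is hard to remove from a running system and why L2MFix prints that key first. The allowlist is the set of notify DLLs in the posted log (crypt32.dll, cryptnet.dll, cscdll.dll, sclgntfy.dll, WlNotify.dll, wzcdlg.dll) and is an assumption for this one Windows 2000 box; the demo_unknown subkey in the sample is made up so that a flagged entry is visible.

```python
"""Read a Regedit 5.00 export and audit Winlogon\\Notify DLLs.

Added example; my code, not L2MFix's and not from the thread.
"""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Notify DLLs seen in the posted L2MFix log. Assumption: this is the complete
# expected set for this machine; build it from a known-clean box in practice.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}

# Constructed sample: two subkeys copied from the posted log plus one made-up
# subkey (demo_unknown) so that a flagged entry shows up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\demo_unknown]
"DLLName"="demo_unknown.dll"
"Logon"="DemoLogonEvent"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def _join_continuations(lines):
    """Regedit wraps long hex values with a trailing backslash; glue them back."""
    buf = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if buf is not None:
            line = buf + line.strip()
            buf = None
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        yield line
    if buf is not None:
        yield buf


def decode_reg_value(data):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])        # REG_SZ
    if data.startswith("dword:"):
        return int(data[6:], 16)                            # REG_DWORD
    m = HEX_RE.match(data)
    if m:
        kind = int(m.group(1) or 3)                         # bare hex: is REG_BINARY
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):                                  # REG_SZ / REG_EXPAND_SZ as UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        if kind == 7:                                       # REG_MULTI_SZ
            return [s for s in raw.decode("utf-16-le").split("\x00") if s]
        return raw
    return data


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a Regedit 5.00 export."""
    keys, current = {}, None
    for line in _join_continuations(text.splitlines()):
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = decode_reg_value(m.group(2))
    return keys


def notify_dlls(keys):
    """{subkey: DllName} for every Winlogon\\Notify subkey (value name matched case-insensitively)."""
    prefix = NOTIFY_KEY.lower() + "\\"
    found = {}
    for key, values in keys.items():
        if key.lower().startswith(prefix):
            sub = key[len(prefix):]
            found[sub] = next((v for n, v in values.items() if n.lower() == "dllname"), None)
    return found


def unexpected_notify_dlls(keys, allowlist=KNOWN_NOTIFY_DLLS):
    """Subkeys whose DLL is missing or not in the allowlist; these need a closer look."""
    return {sub: dll for sub, dll in notify_dlls(keys).items()
            if dll is None or dll.split("\\")[-1].lower() not in allowlist}


if __name__ == "__main__":
    for sub, dll in unexpected_notify_dlls(parse_reg(SAMPLE_REG)).items():
        print(f"check Winlogon\\Notify\\{sub}: DllName = {dll}")
```

The same parse_reg call reads the BHO and MUICache exports posted earlier in the thread; only the audit at the end is specific to Winlogon\Notify.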
gsgi :)
I do not think this file is active. It belongs to an adware, though.
But better be safe than sorry.
Please download "KillBox" by Option^Explicit from here: http://www.bleepingcomputer.com/files/killbox.php
Open KillBox and add this line into "Full path of file to delete"
D:\WINNT\SYSTEM32\adwerkz.dll
Then hit the red button with the white "X"
Maybe it will tell you it can't be deleted. Then try this:
Checkmark the box "Delete on reboot", then paste the filepath again into the tool and when prompted to reboot, click "yes".
Die Hard :)