Another DMVLite to Nuke - HijackThis Log

Discussion in 'Malware and Virus Removal Archive' started by TBecker, 2005/03/24.

Thread Status:
Not open for further replies.
  1. 2005/03/24
    TBecker

    TBecker Inactive Thread Starter

    Joined:
    2005/03/24
    Messages:
    5
    Likes Received:
    0
    Multiple workstations to remove DMVLite from, actually. Here's the logfile from the one I'm currently working on.

    -edit- Should probably give more detail on this particular workstation. I have used Spybot S&D and AdAware thus far, and will be attempting to run Windows Updates and install IE6, followed by MS Antispyware Beta while this topic awaits a reply. There is a critical item called Huntbar being detected by Spybot which we have been unable to remove, due to a "Spybot.exe has generated an error and must be closed" each time we try to fix that selected problem. This workstation is also having some difficulty with a "Msiexe.exe- DLL Initialization Failed" message that may very very briefly appear about 30 seconds after Windows 2000 has made it to desktop, causing an automatic reboot (Automatic Reboot in the System Properties -> Advanced tab -> Startup and Recovery has been disabled to try and combat this problem, but it remains despite that). And, of course, there's that DMVLite pestering us in the Add/Remove programs window. -edit-

    -----------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 10:11:11 AM, on 3/24/2005
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\COMPAQ\ACLIENT\ACLIENT.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    C:\WINNT\Cpqdiag\Cpqdfwag.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINNT\system32\msiexec.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\WINNT\System32\PROMon.exe
    C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINNT\System32\ltmsg.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINNT\System32\rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\System32\rundll32.exe
    C:\WINNT\System32\rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\AntiHijack\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
    O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = security.wb.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = security.wb.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = security.wb.com
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
    O20 - Winlogon Notify: URL - C:\WINNT\system32\guard.tmp (file missing)
    O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\Cpqdiag\Cpqdfwag.exe
    O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
    O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
    O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
     
    Last edited: 2005/03/24
  2. 2005/03/24
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi TBecker

    You have several infections; let's tackle L2M first.
    Note: the log is quite large, so you will need to post it in several posts.

    Download L2mfix from one of these two locations:
    (Version 1.03 03/12/2004)
    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


    Note to others: do not use this tool without assistance; the infection is always slightly different.


    Also go here and submit C:\WINNT\Explorer.EXE, then post back with the findings:
    Jotti Online malware scan: http://virusscan.jotti.org/
     

  4. 2005/03/24
    TBecker

    TBecker Inactive Thread Starter

    Joined:
    2005/03/24
    Messages:
    5
    Likes Received:
    0
    Thank you Lonny Jones. Here is the resulting log of the l2mfix Run Find Log scan.

    ------

    L2MFIX find log 1.03
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
    "Asynchronous "=dword:00000000
    "DllName "= "C:\\WINNT\\system32\\guard.tmp "
    "Impersonate "=dword:00000000
    "Logon "= "WinLogon "
    "Logoff "= "WinLogoff "
    "Shutdown "= "WinShutdown "

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{64BF5578-6CCD-4218-9176-6857FA0F0D6E} "=" "

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046} "= "Multimedia File Property Sheet "
    "{176d6597-26d3-11d1-b350-080036a75b03} "= "ICM Scanner Management "
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C} "= "NTFS Security Page "
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32} "= "OLE Docfile Property Page "
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6} "= "Shell extensions for sharing "
    "{41E300E0-78B6-11ce-849B-444553540000} "= "PlusPack CPL Extension "
    "{42071712-76d4-11d1-8b24-00a0c9068ff3} "= "Display Adapter CPL Extension "
    "{42071713-76d4-11d1-8b24-00a0c9068ff3} "= "Display Monitor CPL Extension "
    "{42071714-76d4-11d1-8b24-00a0c9068ff3} "= "Display Panning CPL Extension "
    "{4E40F770-369C-11d0-8922-00A024AB2DBB} "= "DS Security Page "
    "{56117100-C0CD-101B-81E2-00AA004AE837} "= "Shell Scrap DataHandler "
    "{59099400-57FF-11CE-BD94-0020AF85B590} "= "Disk Copy Extension "
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6} "= "Shell extensions for Microsoft Windows Network objects "
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605} "= "ICM Monitor Management "
    "{675F097E-4C4D-11D0-B6C1-0800091AA605} "= "ICM Printer Management "
    "{764BF0E1-F219-11ce-972D-00AA00A14F56} "= "Shell extensions for file compression "
    "{77597368-7b15-11d0-a0c2-080036af3f03} "= "Web Printer Shell Extension "
    "{7988B573-EC89-11cf-9C00-00AA00A14F56} "= "Disk Quota UI "
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "= "Encryption Context Menu "
    "{85BBD920-42A0-1069-A2E4-08002B30309D} "= "Briefcase "
    "{88895560-9AA2-1069-930E-00AA0030EBC8} "= "HyperTerminal Icon Ext "
    "{BD84B380-8CA2-1069-AB1D-08000948F534} "= "Fonts "
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27} "= "ICC Profile "
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723} "= "Printers Security Page "
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} "= "Shell extensions for sharing "
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03} "= "Display TroubleShoot CPL Extension "
    "{60254CA5-953B-11CF-8C96-00AA00B8708C} "= "Shell extensions for Windows Script Host "
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45} "= "Crypto PKO Extension "
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45} "= "Crypto Sign Extension "
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E} "= "Network and Dial-up Connections "
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} "= "Tasks Folder Icon Handler "
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} "= "Tasks Folder Shell Extension "
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF} "= "Scheduled Tasks "
    "{1A9BA3A0-143A-11CF-8350-444553540000} "= "Shell Favorite Folder "
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D} "= "My Computer "
    "{86747AC0-42A0-1069-A2E6-08002B30309D} "= "Briefcase Folder "
    "{0AFACED1-E828-11D1-9187-B532F1E9575D} "= "Folder Shortcut "
    "{12518493-00B2-11d2-9FA5-9E3420524153} "= "Mounted Volume "
    "{21B22460-3AEA-1069-A2DC-08002B30309D} "= "File Property Page Extension "
    "{B091E540-83E3-11CF-A713-0020AFD79762} "= "File Types Page "
    "{FBF23B41-E3F0-101B-8488-00AA003E56F8} "= "MIME File Types Hook "
    "{C2FBB630-2971-11d1-A18C-00C04FD75D13} "= "Microsoft CopyTo Service "
    "{C2FBB631-2971-11d1-A18C-00C04FD75D13} "= "Microsoft MoveTo Service "
    "{13709620-C279-11CE-A49E-444553540000} "= "Shell Automation Service "
    "{62112AA1-EBE4-11cf-A5FB-0020AFE7292D} "= "Shell Automation Folder View "
    "{4622AD11-FF23-11d0-8D34-00A0C90F2719} "= "Start Menu "
    "{7BA4C740-9E81-11CF-99D3-00AA004AE837} "= "Microsoft SendTo Service "
    "{D969A300-E7FF-11d0-A93B-00A0C90F2719} "= "Microsoft New Object Service "
    "{09799AFB-AD67-11d1-ABCD-00C04FC30936} "= "Open With Context Menu Handler "
    "{3FC0B520-68A9-11D0-8D77-00C04FD70822} "= "Display Control Panel HTML Extensions "
    "{75048700-EF1F-11D0-9888-006097DEACF9} "= "ActiveDesktop "
    "{6D5313C0-8C62-11D1-B2CD-006097DF8C11} "= "Folder Options Property Page Extension "
    "{57651662-CE3E-11D0-8D77-00C04FC99D61} "= "CmdFileIcon "
    "{4657278A-411B-11d2-839A-00C04FD918D0} "= "Shell Drag and Drop helper "
    "{A470F8CF-A1E8-4f65-8335-227475AA5C46} "= "Add encryption item to context menus in explorer "
    "{5E6AB780-7743-11CF-A12B-00AA004AE837} "= "Microsoft Internet Toolbar "
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938} "= "Download Status "
    "{568804CA-CBD7-11d0-9816-00C04FD91972} "= "Menu Shell Folder "
    "{5b4dae26-b807-11d0-9815-00c04fd91972} "= "Menu Band "
    "{8278F931-2A3E-11d2-838F-00C04FD918D0} "= "Tracking Shell Menu "
    "{E13EF4E4-D2F2-11d0-9816-00C04FD91972} "= "Menu Site "
    "{ECD4FC4F-521C-11D0-B792-00A0C90312E1} "= "Menu Desk Bar "
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972} "= "Augmented Shell Folder "
    "{6413BA2C-B461-11d1-A18A-080036B11A03} "= "Augmented Merge Shell Folder "
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383} "= "BandProxy "
    "{D82BE2B0-5764-11D0-A96E-00C04FD705A2} "= "IShellFolderBand "
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837} "= "Microsoft BrowserBand "
    "{30D02401-6A81-11d0-8274-00C04FD5AE38} "= "Microsoft SearchBand "
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13} "= "In-pane search "
    "{07798131-AF23-11d1-9111-00A0C98BA67D} "= "Web Search "
    "{0E5CBF21-D15F-11d0-8301-00AA005B4383} "= "&Links "
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8} "= "Registry Tree Options Utility "
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383} "= "&Address "
    "{A08C11D2-A228-11d0-825B-00AA005B4383} "= "Address EditBox "
    "{00BB2763-6A77-11D0-A535-00C04FD7D062} "= "Microsoft AutoComplete "
    "{7487cd30-f71a-11d0-9ea7-00805f714772} "= "Thumbnail Image "
    "{7376D660-C583-11d0-A3A5-00C04FD706EC} "= "TridentImageExtractor "
    "{6756A641-DE71-11d0-831B-00AA005B4383} "= "MRU AutoComplete List "
    "{00BB2764-6A77-11D0-A535-00C04FD7D062} "= "Microsoft History AutoComplete List "
    "{03C036F1-A186-11D0-824A-00AA005B4383} "= "Microsoft Shell Folder AutoComplete List "
    "{00BB2765-6A77-11D0-A535-00C04FD7D062} "= "Microsoft Multiple AutoComplete List Container "
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1} "= "Shell Band Site Menu "
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} "= "Shell DeskBarApp "
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1} "= "Shell DeskBar "
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1} "= "Shell Rebar BandSite "
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C} "= "User Assist "
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} "= "Global Folder Settings "
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E} "= "Favorites Band "
    "{0A89A860-D7B1-11CE-8350-444553540000} "= "Shell Automation Inproc Service "
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} "= "Shell DocObject Viewer "
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8} "= "InternetShortcut "
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE} "= "Microsoft Url History Service "
    "{FF393560-C2A7-11CF-BFF4-444553540000} "= "History "
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933} "= "Temporary Internet Files "
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497} "= "Microsoft Url Search Hook "
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} "= "IE4 Suite Splash Screen "
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13} "= "CDF Extension Copy Hook "
    "{131A6951-7F78-11D0-A979-00C04FD705A2} "= "ISFBand OC "
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661} "= "Search Assistant OC "
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} "= "The Internet "
    "{871C5380-42A0-1069-A2EA-08002B30309D} "= "Internet Name Space "
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} "= "Sendmail service "
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} "= "Sendmail service "
    "{88C6C381-2E85-11D0-94DE-444553540000} "= "ActiveX Cache Folder "
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "= "WebCheck "
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} "= "Subscription Mgr "
    "{F5175861-2688-11d0-9C5E-00AA00A45957} "= "Subscription Folder "
    "{08165EA0-E946-11CF-9C87-00AA005127ED} "= "WebCheckWebCrawler "
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} "= "WebCheckChannelAgent "
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} "= "TrayAgent "
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02} "= "Code Download Agent "
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} "= "ConnectionAgent "
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9} "= "PostAgent "
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} "= "WebCheck SyncMgr Handler "
    "{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} "= "Thumbnails "
    "{EAB841A0-9550-11CF-8C16-00805F1408F3} "= "HTML Thumbnail Extractor "
    "{1AEB1360-5AFC-11D0-B806-00C04FD706EC} "= "Office Graphics Filters Thumbnail Extractor "
    "{9DBD2C50-62AD-11D0-B806-00C04FD706EC} "= "Summary Info Thumbnail handler (DOCFILES) "
    "{500202A0-731E-11D0-B829-00C04FD706EC} "= "LNK file thumbnail interface delegator "
    "{352EC2B7-8B9A-11D1-B8AE-006008059382} "= "Shell Application Manager "
    "{0B124F8C-91F0-11D1-B8B5-006008059382} "= "Installed Apps Enumerator "
    "{CFCCC7A0-A282-11D1-9082-006008059382} "= "Darwin App Publisher "
    "{fe1290f0-cfbd-11cf-a330-00aa00c16e65} "= "Directory Namespace "
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} "= "Shell properties for a DS object "
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB} "= "Directory Query UI "
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} "= "Directory Object Find "
    "{F020E586-5264-11d1-A532-0000F8757D7E} "= "Directory Start/Search Find "
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65} "= "Directory Property UI "
    "{62AE1F9A-126A-11D0-A14B-0800361B1103} "= "Directory Context Menu Verbs "
    "{450D8FBA-AD25-11D0-98A8-0800361B1103} "= "MyDocs Folder "
    "{ECF03A33-103D-11d2-854D-006008059367} "= "MyDocs Copy Hook "
    "{ECF03A32-103D-11d2-854D-006008059367} "= "MyDocs Drop Target "
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103} "= "MyDocs Properties "
    "{750fdf0e-2a26-11d1-a3ea-080036587f03} "= "Offline Files Menu "
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66} "= "Offline Files Folder Options "
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} "= "Offline Files Folder "
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717} "= "MMC Icon Handler "
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} "= ".CAB file viewer "
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433} "= "Channel File "
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434} "= "Channel Shortcut "
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435} "= "Channel Handler Object "
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437} "= "Channel Menu "
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438} "= "Channel Properties "
    "{0006F045-0000-0000-C000-000000000046} "= "Microsoft Outlook Custom Icon Handler "
    "{E0D79304-84BE-11CE-9641-444553540000} "= "WinZip "
    "{E0D79305-84BE-11CE-9641-444553540000} "= "WinZip "
    "{E0D79306-84BE-11CE-9641-444553540000} "= "WinZip "
    "{B4F441D4-739A-444E-83D4-96C4482A42ED} "=" "
    "{8CBEFBC3-C1E4-4869-8EFB-5FCE84358DD9} "=" "
    "{FF2873A1-52A1-43DE-BDE7-9E24C9802C83} "=" "
    "{9B7182C1-11C1-4EF8-84B5-DD349619F591} "=" "
    "{902E6A73-D40F-42B4-A990-E6F462A54083} "=" "
    "{AAC7C613-0149-4918-9194-5C42FBA5AB9F} "=" "
    "{AD026D6C-5B54-4FA1-A431-CFF624B3CB54} "=" "
    "{FAEE5196-10D8-498B-A7A9-B152A82E3007} "=" "
    "{A93936A4-78E9-428B-A30D-44B12244E273} "=" "
     
  5. 2005/03/24
    TBecker

    TBecker Inactive Thread Starter

    Joined:
    2005/03/24
    Messages:
    5
    Likes Received:
    0
    (second half)

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{B4F441D4-739A-444E-83D4-96C4482A42ED}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{B4F441D4-739A-444E-83D4-96C4482A42ED}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{B4F441D4-739A-444E-83D4-96C4482A42ED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{B4F441D4-739A-444E-83D4-96C4482A42ED}\InprocServer32]
    @= "C:\\WINNT\\system32\\TRRMMGR.DLL "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{8CBEFBC3-C1E4-4869-8EFB-5FCE84358DD9}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{8CBEFBC3-C1E4-4869-8EFB-5FCE84358DD9}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{8CBEFBC3-C1E4-4869-8EFB-5FCE84358DD9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{8CBEFBC3-C1E4-4869-8EFB-5FCE84358DD9}\InprocServer32]
    @= "C:\\WINNT\\system32\\DMomExt.dll "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{FF2873A1-52A1-43DE-BDE7-9E24C9802C83}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{FF2873A1-52A1-43DE-BDE7-9E24C9802C83}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{FF2873A1-52A1-43DE-BDE7-9E24C9802C83}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{FF2873A1-52A1-43DE-BDE7-9E24C9802C83}\InprocServer32]
    @= "C:\\WINNT\\system32\\SLFILSHR.DLL "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{9B7182C1-11C1-4EF8-84B5-DD349619F591}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{9B7182C1-11C1-4EF8-84B5-DD349619F591}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{9B7182C1-11C1-4EF8-84B5-DD349619F591}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{9B7182C1-11C1-4EF8-84B5-DD349619F591}\InprocServer32]
    @= "C:\\WINNT\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{902E6A73-D40F-42B4-A990-E6F462A54083}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{902E6A73-D40F-42B4-A990-E6F462A54083}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{902E6A73-D40F-42B4-A990-E6F462A54083}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{902E6A73-D40F-42B4-A990-E6F462A54083}\InprocServer32]
    @= "C:\\WINNT\\system32\\CTBCATEX.DLL "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{AAC7C613-0149-4918-9194-5C42FBA5AB9F}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{AAC7C613-0149-4918-9194-5C42FBA5AB9F}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{AAC7C613-0149-4918-9194-5C42FBA5AB9F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{AAC7C613-0149-4918-9194-5C42FBA5AB9F}\InprocServer32]
    @= "C:\\WINNT\\system32\\UDILDLL.DLL "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{AD026D6C-5B54-4FA1-A431-CFF624B3CB54}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{AD026D6C-5B54-4FA1-A431-CFF624B3CB54}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{AD026D6C-5B54-4FA1-A431-CFF624B3CB54}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{AD026D6C-5B54-4FA1-A431-CFF624B3CB54}\InprocServer32]
    @= "C:\\WINNT\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{FAEE5196-10D8-498B-A7A9-B152A82E3007}]
    @=" "
    "IDEx "= "AD "

    [HKEY_CLASSES_ROOT\CLSID\{FAEE5196-10D8-498B-A7A9-B152A82E3007}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{FAEE5196-10D8-498B-A7A9-B152A82E3007}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{FAEE5196-10D8-498B-A7A9-B152A82E3007}\InprocServer32]
    @= "C:\\WINNT\\system32\\RTSCHAP.DLL "
    "ThreadingModel "= "Apartment "

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{A93936A4-78E9-428B-A30D-44B12244E273}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{A93936A4-78E9-428B-A30D-44B12244E273}\Implemented Categories]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{A93936A4-78E9-428B-A30D-44B12244E273}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=" "

    [HKEY_CLASSES_ROOT\CLSID\{A93936A4-78E9-428B-A30D-44B12244E273}\InprocServer32]
    @= "C:\\WINNT\\system32\\guard.tmp "
    "ThreadingModel "= "Apartment "

    **********************************************************************************
    Files Found are not all bad files:
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 80CF-B82C

    Directory of C:\WINNT\System32

    03/21/2005 11:55a 956 TBPS.ini
    03/21/2005 10:23a 233,248 j6p00g7me6.dll
    03/21/2005 10:23a 234,426 k8pmli7118.dll
    03/21/2005 10:16a 233,248 nvl0293mg.dll
    03/21/2005 10:16a 233,870 k2260cfsef260.dll
    03/20/2005 10:35p 233,248 gp48l3hu1.dll
    03/20/2005 10:35p 233,284 f6l00g3me6.dll
    03/20/2005 06:22p 233,248 dnru0199e.dll
    03/20/2005 06:22p 235,150 l20ulcd91f0.dll
    03/19/2005 01:24a 233,248 r2p80c7uef.dll
    03/19/2005 01:24a 234,921 gpp6l37s1.dll
    03/18/2005 06:36a 233,248 hrjo0513e.dll
    03/18/2005 06:36a 233,329 dn8001lme.dll
    03/18/2005 12:52a 233,248 dnju0119e.dll
    03/18/2005 12:52a 234,388 h04mlah11d4.dll
    03/17/2005 11:23p 233,248 c0000admed0a0.dll
    03/17/2005 11:22p 233,380 g2lm0c31ef.dll
    03/17/2005 04:57p 233,248 aza2lifo182c.dll
    03/17/2005 04:57p 233,942 r4r60e9seh.dll
    03/17/2005 04:06p 233,248 irp2l57o1.dll
    03/17/2005 03:58p 234,644 o6rolg9316.dll
    03/17/2005 03:53p 233,248 i206lcds1f06.dll
    03/15/2005 09:57p 233,248 SNECLI.DLL
    03/15/2005 09:57p 233,248 RDVPSP.DLL
    03/15/2005 09:57p 232,736 RNAMSP.DLL
    03/15/2005 09:57p 233,248 RTSCHAP.DLL
    03/15/2005 09:57p 232,736 PZOFMAP.DLL
    03/15/2005 07:00p 232,736 irn4l55q1.dll
    03/10/2005 10:15p 234,530 aza4li7q18.dll
    03/10/2005 09:52p 233,561 hr2805fue.dll
    03/10/2005 09:15p 232,736 h24m0ch1ef4.dll
    03/08/2005 07:36p 232,736 iVlmgdev.dll
    03/08/2005 07:36p 232,736 HNTPLUG.DLL
    03/08/2005 07:36p 225,466 FJCLIENT.DLL
    03/08/2005 07:36p 226,032 n66q0gj5e6o.dll
    03/03/2005 07:32a 222,789 j26mlcj11fo.dll
    03/03/2005 07:21a 225,647 dn8m01l1e.dll
    03/03/2005 07:15a 225,828 aza00ghme64a0.dll
    03/02/2005 10:14a 223,018 en26l1fs1.dll
    03/02/2005 07:10a 226,018 m2nq0c55ef.dll
    02/24/2005 08:08p 225,927 dn6401jqe.dll
    02/24/2005 07:57p 225,476 d0j00a1med.dll
    02/24/2005 07:28p 226,171 hr0s05d7e.dll
    02/22/2005 11:17p 224,238 k2lq0c35ef.dll
    02/19/2005 08:57p 225,466 g822lifo182c.dll
    02/19/2005 08:12p 225,824 p68qlgl516q.dll
    02/17/2005 05:14p 225,775 ktlql7351.dll
    02/17/2005 08:09a 224,427 lv8m09l1e.dll
    02/17/2005 07:57a 225,948 k0jsla171d.dll
    02/17/2005 07:37a 224,272 f4l00e3meh.dll
    02/16/2005 04:19p 224,661 fp2403fqe.dll
    02/16/2005 09:50a 224,941 fp0s03d7e.dll
    02/14/2005 10:41p 225,297 mvn0l95m1.dll
    02/13/2005 09:02p 224,238 gpj8l31u1.dll
    02/12/2005 11:13p 224,588 k0no0a53ed.dll
    02/11/2005 06:08p 224,920 q2860clsefq60.dll
    02/08/2005 06:40a 224,238 CTBCATEX.DLL
    02/08/2005 06:40a 225,037 lvrs0997e.dll
    02/08/2005 06:26a 224,238 fpl6033se.dll
    02/08/2005 04:39a 226,029 enrsl1971.dll
    02/07/2005 09:16p 225,372 g4lmle311h.dll
    02/07/2005 09:55a 225,748 i0jqla151d.dll
    02/07/2005 09:47a 224,277 lvl0093me.dll
    02/06/2005 09:24p 224,994 o6ns0g57e6.dll
    02/06/2005 09:09p 224,238 jtnq0755e.dll
    02/05/2005 08:27p 224,238 h40q0ed5eh0.dll
    02/04/2005 11:21a 224,238 c8000idme80a0.dll
    02/04/2005 09:51a 224,238 k0440ahqed4e0.dll
    02/04/2005 09:31a 224,238 k2no0c53ef.dll
    02/04/2005 09:04a 225,354 e6jmlg1116.dll
    02/02/2005 09:37p 224,238 e602lgdo160c.dll
    02/02/2005 09:36p 224,238 TRRMMGR.DLL
    02/02/2005 09:29p 224,238 lvjo0913e.dll
    02/02/2005 05:04a 224,238 en66l1js1.dll
    02/01/2005 06:34p 224,238 gp28l3fu1.dll
    02/01/2005 01:02a 224,238 jt4807hue.dll
    02/01/2005 12:21a 224,238 dn4o01h3e.dll
    02/01/2005 12:18a 224,238 en2sl1f71.dll
    01/31/2005 03:35p 224,284 g6400ghme64a0.dll
    01/31/2005 12:49p 225,540 f20olcd31f0.dll
    01/31/2005 07:55a 225,637 mvrol9931.dll
    01/31/2005 07:46a 225,996 o8nsli5718.dll
    01/31/2005 07:24a 224,238 f2j20c1oef.dll
    01/31/2005 05:40a 224,238 s2880cluefq80.dll
    01/29/2005 11:58p 224,238 l84q0ih5e84.dll
    01/29/2005 11:55p 224,238 n8p4li7q18.dll
    01/29/2005 12:09p 224,309 dnp0017me.dll
    01/27/2005 07:27a 223,538 f60o0gd3e60.dll
    01/17/2005 11:55a 224,337 ir0ml5d11.dll
    01/14/2005 07:42a 223,866 l4l60e3seh.dll
    01/14/2005 07:13a 224,306 j4p0le7m1h.dll
    01/14/2005 06:50a 223,877 hr4605hse.dll
    01/14/2005 05:43a 224,603 enpol1731.dll
    93 File(s) 20,956,862 bytes
    0 Dir(s) 35,553,930,240 bytes free
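The two halves of the L2MFix find log (posts 4 and 5 above) are read by cross-referencing the blank-named CLSIDs' InprocServer32 DLLs against the system32 listing, where the infection's DLLs share a narrow size band and random-looking names. As an added example (not the thread's tool, nor L2MFix's own code), this Python script does that cross-reference on a subset of the posted log; the size-band and name heuristics are my own, and the `vendorhelper.dll` line is a constructed benign entry to show what is not flagged.

```python
"""Triage of an L2MFix 'find log' (added example; not the thread's own tool or code).

Cross-references the two artefacts the log contains: the system32 listing (a band of DLLs of
near-identical size with random-looking names) and the HKCR\\CLSID export (DLLs registered as
InprocServer32 under blank-named CLSIDs). Sample data is a subset of the posted log plus one
constructed benign line, vendorhelper.dll."""
import re

DIR_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}[ap])\s+([\d,]+)\s+(\S+)$")
CLSID_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})(\\InprocServer32)?\]$")

SAMPLE_LISTING = r"""
 Directory of C:\WINNT\System32

03/21/2005 11:55a 956 TBPS.ini
03/21/2005 10:23a 233,248 j6p00g7me6.dll
03/21/2005 10:23a 234,426 k8pmli7118.dll
03/15/2005 09:57p 233,248 SNECLI.DLL
03/15/2005 09:57p 233,248 RTSCHAP.DLL
02/08/2005 06:40a 224,238 CTBCATEX.DLL
02/08/2005 06:40a 225,037 lvrs0997e.dll
02/02/2005 09:36p 224,238 TRRMMGR.DLL
01/14/2005 05:43a 224,603 enpol1731.dll
01/10/2005 08:00a 1,024,000 vendorhelper.dll
93 File(s) 20,956,862 bytes
"""

SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B4F441D4-739A-444E-83D4-96C4482A42ED}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B4F441D4-739A-444E-83D4-96C4482A42ED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B4F441D4-739A-444E-83D4-96C4482A42ED}\InprocServer32]
@="C:\\WINNT\\system32\\TRRMMGR.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{902E6A73-D40F-42B4-A990-E6F462A54083}\InprocServer32]
@="C:\\WINNT\\system32\\CTBCATEX.DLL"

[HKEY_CLASSES_ROOT\CLSID\{FAEE5196-10D8-498B-A7A9-B152A82E3007}\InprocServer32]
@="C:\\WINNT\\system32\\RTSCHAP.DLL"

[HKEY_CLASSES_ROOT\CLSID\{9B7182C1-11C1-4EF8-84B5-DD349619F591}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"""


def parse_dir_listing(text):
    """Rows of a 'dir' listing as dicts; header and footer lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = DIR_RE.match(line.strip())
        if m:
            rows.append({"date": m[1], "time": m[2], "size": int(m[3].replace(",", "")), "name": m[4]})
    return rows


def looks_random(name):
    """Heuristic for the generated names in this log: a long stem mixing several digits and letters."""
    stem = name.rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    return len(stem) >= 8 and digits >= 2 and len(stem) - digits >= 2


def size_band(sizes, tolerance=0.06):
    """Densest +/- tolerance band of sizes; the drop here is all 222-235 KB. Weak with very few files."""
    best = (0, 0, 0)
    for s in sorted(sizes):
        lo, hi = s * (1 - tolerance), s * (1 + tolerance)
        n = sum(lo <= x <= hi for x in sizes)
        if n > best[0]:
            best = (n, lo, hi)
    return best[1], best[2]


def clsid_inproc_dlls(reg_export):
    """Map each exported CLSID to the file name in its InprocServer32 default value."""
    mapping, current, inproc = {}, None, False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):                   # any key header resets the InprocServer32 state
            m = CLSID_RE.match(line)
            current = m[1] if m else current
            inproc = bool(m and m[2])
        elif inproc and current and line.startswith("@="):
            path = line[2:].strip('"').replace("\\\\", "\\")   # .reg doubles backslashes
            mapping[current] = path.rsplit("\\", 1)[-1]
    return mapping


def l2m_candidates(listing, reg_export):
    """Split the in-band DLLs into flagged (random name or CLSID-registered) and manual review."""
    rows = parse_dir_listing(listing)
    dlls = [r for r in rows if r["name"].lower().endswith(".dll")]
    lo, hi = size_band([r["size"] for r in dlls])
    registry = clsid_inproc_dlls(reg_export)
    registered = {d.lower() for d in registry.values()}
    on_disk = {r["name"].lower() for r in rows}
    flagged, review = [], []
    for r in dlls:
        if not lo <= r["size"] <= hi:
            continue                               # outside the band (vendorhelper.dll): not part of the drop
        if looks_random(r["name"]) or r["name"].lower() in registered:
            flagged.append(r["name"])
        else:
            review.append(r["name"])               # in the band but no other signal (SNECLI.DLL): check by hand
    missing = sorted(d for d in registry.values() if d.lower() not in on_disk)   # e.g. guard.tmp
    return {"flagged": flagged, "review": review, "registered_missing": missing}


if __name__ == "__main__":
    for key, names in l2m_candidates(SAMPLE_LISTING, SAMPLE_REG).items():
        print(f"{key}: {', '.join(names) or '-'}")
```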
     
  6. 2005/03/24
    TBecker

    TBecker Inactive Thread Starter

    Joined:
    2005/03/24
    Messages:
    5
    Likes Received:
    0
    And the result of the scan at virusscan.jotti.org (wasn't sure if all parts were relevant):


    Service load: 0% 100%

    File: EXPLORER.EXE
    Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
    Packers detected: -

    AntiVir No viruses found
    Avast No viruses found
    AVG Antivirus No viruses found
    BitDefender No viruses found
    ClamAV No viruses found
    Dr.Web No viruses found
    F-Prot Antivirus No viruses found
    Fortinet No viruses found
    Kaspersky Anti-Virus No viruses found
    mks_vir No viruses found
    NOD32 No viruses found
    Norman Virus Control No viruses found

    Statistics
    Last piece of malware found was Trojan.Agent.Ap.A in r12aimbot unprotected.zip, detected by:

    Scanner Malware name
    AntiVir X
    Avast X
    AVG Antivirus X
    BitDefender X
    ClamAV X
    Dr.Web Trojan.DragonBot
    F-Prot Antivirus X
    Fortinet X
    Kaspersky Anti-Virus Trojan.Win32.Agent.ap
    mks_vir Trojan.Agent.Ap.A
    NOD32 X
    Norman Virus Control X


    Thank you again.
     
  7. 2005/03/24
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi, Thanks

    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option 4 to Merge Winlogon Notify Defaults, press enter, wait a few moments.
    Now select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    Note: once the PC has restarted, if a text does not open,
    Run Hijackthis and fix just this item
    O4 - HKLM\..\Run: [second] C:\Documents and Settings\(username)\second.bat
    Open the L2mfix folder and double-click the "second.bat" file,
    after Windows has completely restarted if a text doesn't open look in the L2mfix folder for a log.txt file, post it back here in the next reply.

    ====================================================
    After that has been completed, even though your explorer seems OK,
    (ours says MIGHT BE INFECTED/MALWARE also)
    Print out this page and Follow the Install and Setup instructions exactly!
    http://www.mvps.org/winhelp2002/kav5.htm


    Once completed, post a fresh HijackThis log and a KAV 5 full report.
    The KAV report is so large you will need to do so in several posts.
    No need to post sections that are in restore/backups or temp folders.
     
  8. 2005/03/25
    TBecker

    TBecker Inactive Thread Starter

    Joined:
    2005/03/24
    Messages:
    5
    Likes Received:
    0
    Hello,

    I am sorry for my lack of response, the workstation we were working on seems to have gotten progressively worse. I was able to run options #4 and #2 on l2mfix.bat successfully, and it even ran successfully after the reboot (something which I've noticed Spybot, and now Kaspersky are failing to do). I made a new HijackThis log as you requested too, but before I posted those logs I proceeded to download Kaspersky AntiVirus. I have been unable to receive packets on my LAN connection since downloading it, so I could not get onto the boards to post my logs, nor can I see any other workstations, servers, or printers on the network to transfer the log files to. The computer does have a 3 1/2 floppy though now that I step back to think about it, perhaps I'll transfer the logs to my personal workstation and post them here.

    As for Kaspersky, it scanned for about 4 hours and detected 23 viruses, but it has been unable to fully update itself or enable its auto-protection on startup. All significant problems that were occurring before the scan still remain (random automatic restarts between 30 seconds and 15 minutes after reaching desktop, DMVlite in the Add/Remove programs, no reception of packets on the connection). I seem to be stuck though until I find a way to post the log files and/or restore packet reception on the connection.
     
  9. 2005/03/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    The tutorial here mentions why some have problems if Kaspersky is not set up customized; there's also the possibility that the nastie is using a hosts file to block internet access to some sites. Also mentioned is a way to manually update the program.

    Net-Integration Forums - How To Disinfect Bube.x Using Kav Personal 5.0: http://forums.net-integration.net/index.php?act=ST&f=32&t=28898&st=0
     
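    A defender-side check for the hosts-file blocking mentioned above, as an added example that is not from the thread or the linked tutorial: it parses a hosts file and reports watched vendor and update domains that have been pinned to any address. The watched suffixes and the sample hosts file are constructed assumptions.

```python
"""Check a hosts file for entries that pin security/update sites to a fixed
address, the blocking trick the post above mentions. Added example, not from the
thread; the watch list and the sample hosts file are constructed."""
import re

# One hosts line: address, one or more hostnames, optional trailing comment.
HOSTS_LINE = re.compile(r"^\s*([0-9A-Fa-f:.]+)\s+([^#]+?)\s*(?:#.*)?$")

# Domains a cleanup depends on (suffix match). Constructed list, not from the thread.
WATCH_SUFFIXES = ("kaspersky.com", "microsoft.com", "windowsupdate.com")

# Constructed sample: normal entries plus two planted ones.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.kaspersky.com
127.0.0.1       windowsupdate.microsoft.com   # planted entry (constructed)
10.0.0.5        intranet.example.local
"""

def parse_hosts(text):
    """Return [(address, hostname)] with comments and blank lines skipped."""
    pairs = []
    for line in text.splitlines():
        m = HOSTS_LINE.match(line)
        if m:
            pairs.extend((m.group(1), n.lower()) for n in m.group(2).split())
    return pairs

def hijacked_entries(text, watch=WATCH_SUFFIXES):
    """Return [(address, hostname)] for watched domains pinned to any address.
    A clean hosts file should contain no such lines at all."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if any(name == s or name.endswith("." + s) for s in watch)]
```

    On Windows 2000 the file to read is %SystemRoot%\system32\drivers\etc\hosts; an empty result means updates are being blocked some other way.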