coltm4carbine Posted December 21, 2005 Share Posted December 21, 2005 OMG! It's in my computer too but I don't understand a thing you said sorry, maybe it's because i am not using my canned speech. Glad to see I'm not the only one with winfixer problems. Mine happened AFTER I installed Foxfire (read it on a post someplace that it was better than IE). I've removed that, I think, and am using IE now but winfixer keeps butting in. Also, Adaware never picked it up and Spybot does only sometimes. I'm also running Norton which did zip. well the files are usually different for each vundo (usually random). Post a HJT log and i see if anyone replies- if not i kill vundo first. Also! I needed to download an "XP Home Files" thing, which over-wrote some files in my system32. I hope that's okay.. Which files? Some variants of CWS deletes some windows files (i got the files on a disk). I have a look @ the log- having bit of problem with this comp. p.s change your title- not very nice. Anyone can reply if they want. Some people might even notice things i didn't. longest l2m log i've seen... do this first to see what else needs to be done. Close any programs you have open since this step requires a reboot. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log. IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so! Note : Once the pc has restarted if a log does not appear or the icons didn't dissappear, run the "second.bat" located inside the L2mfix folder. Link to comment Share on other sites More sharing options...
astagarden Posted December 21, 2005 Share Posted December 21, 2005 Thanks for trying to help me, techs. Sir - not to worry, I didn't try to copy what Colt told you to do because I know my limitations here. I'm clueless. :? Colt - I'd send you my HJT log, but don't know what it is or how to do it. I just wandered into this forum to see if winfixer was a problem for others and to maybe get a quick fix. Thanks for the offer though. :) I downloaded Xoftspy last night and that seems to have fixed it, as well as other stuff that snuck in. It cost, but at least it's fixed. I hope. :D Link to comment Share on other sites More sharing options...
Sir_Itchlot Posted December 21, 2005 Author Share Posted December 21, 2005 L2MFix Log: L2mfix Beta 121605 Creating Account. The command completed successfully. Adding Administrative privleges. The command completed successfully. Checking for L2MFix account(0=no 1=yes): 1 Granting SeDebugPrivilege to L2MFIX ... successful Running From: C:\WINDOWS\system32 Killing Processes! Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 [email protected] Killing PID 540 'smss[Caution: ExecutableFile]' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 [email protected] Killing PID 628 'winlogon[Caution: ExecutableFile]' Killing PID 628 'winlogon[Caution: ExecutableFile]' Killing PID 628 'winlogon[Caution: ExecutableFile]' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 [email protected] Killing PID 1636 'explorer[Caution: ExecutableFile]' Killing PID 1636 'explorer[Caution: ExecutableFile]' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 [email protected] Error, Cannot find a process with an image name of rundll32[Caution: ExecutableFile] Restoring Sedebugprivilege: Granting SeDebugPrivilege to Administrators ... successful Granting SeDebugPrivilege to Administrateurs ... failed (GetAccountSid(Administrateurs)=1332 Granting SeDebugPrivilege to AdministratÃÆÃâÃâ÷rer ... failed (GetAccountSid(AdministratÃÆÃâÃâ÷rer)=1332 Granting SeDebugPrivilege to Administradores ... failed (GetAccountSid(Administradores)=1332 Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332 Granting SeDebugPrivilege to Administratoren ... failed (GetAccountSid(Administratoren)=1332 Scanning First Pass. Please Wait! First Pass Completed Second Pass Scanning Second pass Completed! moving: C:\WINDOWS\system32\guard.tmp Successfully Moved: C:\WINDOWS\system32\guard.tmp Restoring Windows Update Certificates.: The following Is the Current Export of the Winlogon notify key: **************************************************************************** Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] @="" "DLLName"="igfxsrvc.dll" "Asynchronous"=dword:00000001 "Impersonate"=dword:00000001 "Unlock"="WinlogonUnlockEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljji] "Asynchronous"=dword:00000001 "DllName"="C:\\WINDOWS\\system32\\mljji.dll" "Impersonate"=dword:00000000 "Startup"="SysLogon" "Logoff"="SysLogoff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 The following are the files found: **************************************************************************** C:\WINDOWS\system32\guard.tmp Registry Entries that were Deleted: Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder. **************************************************************************** REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] REGEDIT4 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "SV1"="" **************************************************************************** Desktop.ini Contents: **************************************************************************** **************************************************************************** Checking for L2MFix account(0=no 1=yes): 0 adding: dlls/guard.tmp (124 bytes security) (deflated 3%) adding: backregs/notibac.reg (164 bytes security) (deflated 87%) adding: backregs/shell.reg (164 bytes security) (deflated 73%) Also! Before the reboot (after the L2MFix), it said to fix missing file 020 in HJT... Just incase you miss that, thought I'd let you know. Link to comment Share on other sites More sharing options...
wcerforlyfe Posted December 21, 2005 Share Posted December 21, 2005 i have winfixer too, i just click out of it and dont worry about it lol http://www.turnpoint.net/wireless/cantennahowto.html Link to comment Share on other sites More sharing options...
coltm4carbine Posted December 21, 2005 Share Posted December 21, 2005 this isn't really gd for my health it's almost 1am in here... using HJT (i make it more detailed in the morning) download HijackThis 1.99.1 from http://www.merijn.org to it's own folder. extract it and run it. DON'T FIX ANYTHING. Click "save log" when the scan has finished. Notepad will open. Copy and paste the log and post it on the forum. Wait for someone to give you a fix for it. Look at the stickies for a better tutorial (soz to sound rude- i wanna sleep). =================== I downloaded Xoftspy last night and that seems to have fixed it, as well as other stuff that snuck in. It cost, but at least it's fixed. I hope. Mate (if u don't mind me calling u that), you are making it worst for yourself. Uninstall xoftspy. It's a rogue antispyware program (fake). ==================== Sir- i take a look at it in the morning. Also the missing o20 is basically vundo (I am being lazy). go offline, open HJT and fix these (the vundo entries): O2 - BHO: (no name) - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - (no file) O20 - Winlogon Notify: mljji - C:\WINDOWS\system32\mljji.dll (file missing) fyi the vx2/l2m file is gaurd.tmp. I get you a tool to delete it on reboot. (there are a few more (should be anyway) so wait till i post in the morning) Link to comment Share on other sites More sharing options...
Sir_Itchlot Posted December 21, 2005 Author Share Posted December 21, 2005 go offline, open HJT and fix these (the vundo entries): O2 - BHO: (no name) - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - (no file) O20 - Winlogon Notify: mljji - C:\WINDOWS\system32\mljji.dll (file missing) Done. ...Which programs can I delete now? I feel uneasy with them.. ie. vundofix, l2mfix... Link to comment Share on other sites More sharing options...
astagarden Posted December 22, 2005 Share Posted December 22, 2005 WHAT??? :shock: You're joking, right? ARGHHH......someone just shoot me now, quick!! Link to comment Share on other sites More sharing options...
coltm4carbine Posted December 22, 2005 Share Posted December 22, 2005 sir-do what you just did to each of your accounts (shouldn't need to but just incase-no need to post a log) Close any programs you have open since this step requires a reboot. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log. IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so! Note : Once the pc has restarted if a log does not appear or the icons didn't dissappear, run the "second.bat" located inside the L2mfix folder. after that please post a new HJT log. l2m/vx2 should now be gone from all accounts. Which programs can I delete now? I feel uneasy with them.. ie. vundofix, l2mfix I get you to delete them at the end (remind me). They should be ok as long as you don't go around running them (this includes getting your sister away from your computer). asta- no i am not joking. Link to comment Share on other sites More sharing options...
Sir_Itchlot Posted December 22, 2005 Author Share Posted December 22, 2005 sir-do what you just did to each of your accounts (shouldn't need to but just incase-no need to post a log) Done.. well, none of them had either of the files. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log. L2MFIX LOG - Also, it still told me to fix the missing 020 in HJT.. But it's not there in any of the accounts. L2mfix Beta 121605 Creating Account. The command completed successfully. Adding Administrative privleges. The command completed successfully. Checking for L2MFix account(0=no 1=yes): 1 Granting SeDebugPrivilege to L2MFIX ... successful Running From: C:\WINDOWS\system32 Killing Processes! Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 [email protected] Killing PID 544 'smss[Caution: ExecutableFile]' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 [email protected] Killing PID 632 'winlogon[Caution: ExecutableFile]' Killing PID 632 'winlogon[Caution: ExecutableFile]' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 [email protected] Killing PID 2000 'explorer[Caution: ExecutableFile]' Killing PID 2000 'explorer[Caution: ExecutableFile]' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 [email protected] Error, Cannot find a process with an image name of rundll32[Caution: ExecutableFile] Restoring Sedebugprivilege: Granting SeDebugPrivilege to Administrators ... successful Granting SeDebugPrivilege to Administrateurs ... failed (GetAccountSid(Administrateurs)=1332 Granting SeDebugPrivilege to AdministratÃÆÃâÃâ÷rer ... failed (GetAccountSid(AdministratÃÆÃâÃâ÷rer)=1332 Granting SeDebugPrivilege to Administradores ... failed (GetAccountSid(Administradores)=1332 Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332 Granting SeDebugPrivilege to Administratoren ... failed (GetAccountSid(Administratoren)=1332 Scanning First Pass. Please Wait! First Pass Completed Second Pass Scanning Second pass Completed! Restoring Windows Update Certificates.: The following Is the Current Export of the Winlogon notify key: **************************************************************************** Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui] @="" "DLLName"="igfxsrvc.dll" "Asynchronous"=dword:00000001 "Impersonate"=dword:00000001 "Unlock"="WinlogonUnlockEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 The following are the files found: **************************************************************************** Registry Entries that were Deleted: Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder. **************************************************************************** REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] REGEDIT4 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "SV1"="" **************************************************************************** Desktop.ini Contents: **************************************************************************** **************************************************************************** Checking for L2MFix account(0=no 1=yes): 0 adding: dlls/guard.tmp (124 bytes security) (deflated 3%) adding: backregs/notibac.reg (164 bytes security) (deflated 87%) adding: backregs/shell.reg (164 bytes security) (deflated 73%) Link to comment Share on other sites More sharing options...
Sir_Itchlot Posted December 22, 2005 Author Share Posted December 22, 2005 HJT LOG - I Noticed there's a few new files since the last time.. Logfile of HijackThis v1.99.1 Scan saved at 3:55:47 PM, on 22/12/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss[Caution: ExecutableFile] C:\WINDOWS\system32\winlogon[Caution: ExecutableFile] C:\WINDOWS\system32\services[Caution: ExecutableFile] C:\WINDOWS\system32\lsass[Caution: ExecutableFile] C:\WINDOWS\system32\svchost[Caution: ExecutableFile] C:\WINDOWS\System32\svchost[Caution: ExecutableFile] C:\WINDOWS\system32\spoolsv[Caution: ExecutableFile] C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: ExecutableFile] C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: ExecutableFile] C:\WINDOWS\System32\svchost[Caution: ExecutableFile] C:\WINDOWS\Explorer[Caution: ExecutableFile] C:\WINDOWS\System32\hkcmd[Caution: ExecutableFile] C:\Program Files\CyberLink\PowerDVD\DVDLauncher[Caution: ExecutableFile] C:\Program Files\Java\j2re1.4.2_03\bin\jusched[Caution: ExecutableFile] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB[Caution: ExecutableFile] C:\Program Files\MSN Messenger\msnmsgr[Caution: ExecutableFile] C:\WINDOWS\system32\wuauclt[Caution: ExecutableFile] C:\WINDOWS\System32\svchost[Caution: ExecutableFile] C:\Documents and Settings\Mitch\Desktop\Spyware Removal Programs\HijackThis[Caution: ExecutableFile] R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant ... gn=wdz0605 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assistant ... gn=wdz0605 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1; R3 - Default URLSearchHook is missing O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {06a34ccb-f185-40c4-b367-15f01a0d7996} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing) O2 - BHO: (no name) - {19ca005a-8716-4e8d-b232-70451fe73635} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing) O2 - BHO: (no name) - {2393728b-6ffd-45b7-89a5-9f9b490d000e} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing) O2 - BHO: (no name) - {49c5f9e3-63fc-4ced-a16c-77bea61396f5} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing) O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - C:\WINDOWS\system32\hlwin.dll O2 - BHO: (no name) - {91e6dc04-6d5c-404f-8699-c1a5d73b2090} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing) O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing) O2 - BHO: (no name) - {e16b8728-c829-40bf-8aa8-c1bb2e387fcb} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing) O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray[Caution: ExecutableFile] O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd[Caution: ExecutableFile] O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher[Caution: ExecutableFile]" O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService[Caution: ExecutableFile]" O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched[Caution: ExecutableFile] O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan[Caution: ExecutableFile] O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile] /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile] O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution: ExecutableFile]" -atboottime O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB[Caution: ExecutableFile] O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]" /background O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr[Caution: ExecutableFile]" /background O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile] (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile] (file missing) O15 - Trusted Zone: http://ny.contentmatch.net (HKLM) O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... 0.0.15.cab O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares ... cracks.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - C:\WINDOWS\system32\hlwin.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: ExecutableFile] O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: ExecutableFile] O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc[Caution: ExecutableFile] Link to comment Share on other sites More sharing options...
coltm4carbine Posted December 23, 2005 Share Posted December 23, 2005 yeh, me too. lol. least most of the junk is out of your system. go offline and fix these (you can leave the accoona if you have set them): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant ... gn=wdz0605 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assistant ... gn=wdz0605 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca <-did you set this? if not fix it. R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s R3 - Default URLSearchHook is missing O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O2 - BHO: (no name) - {06a34ccb-f185-40c4-b367-15f01a0d7996} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing) O2 - BHO: (no name) - {19ca005a-8716-4e8d-b232-70451fe73635} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing) O2 - BHO: (no name) - {2393728b-6ffd-45b7-89a5-9f9b490d000e} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing) O2 - BHO: (no name) - {49c5f9e3-63fc-4ced-a16c-77bea61396f5} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing) O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - C:\WINDOWS\system32\hlwin.dll O2 - BHO: (no name) - {91e6dc04-6d5c-404f-8699-c1a5d73b2090} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing) O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing) O2 - BHO: (no name) - {e16b8728-c829-40bf-8aa8-c1bb2e387fcb} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing) O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... 0.0.15.cab O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares ... cracks.cab O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - C:\WINDOWS\system32\hlwin.dll then reboot your computer into safemode. find and delete these files/folders (if you have any problems deleting some of these tell me): C:\WINDOWS\system32\gdbrdwsw.dll C:\WINDOWS\system32\hlwin.dll C:\Program Files\Accoona reboot into normal mode. Right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. right click on it and select Install. post a new hjt log. Link to comment Share on other sites More sharing options...
Sir_Itchlot Posted December 23, 2005 Author Share Posted December 23, 2005 go offline and fix these Done. then reboot your computer into safemode. find and delete these files/folders (if you have any problems deleting some of these tell me): C:\WINDOWS\system32\gdbrdwsw.dll C:\WINDOWS\system32\hlwin.dll C:\Program Files\Accoona Err.. I couldn't find any of them. I looked in the folders manually, and tried to "Search" for them. I'm not going to do the next step yet.. Link to comment Share on other sites More sharing options...
Albosky Posted December 23, 2005 Share Posted December 23, 2005 C:\WINDOWS\system32\gdbrdwsw.dll C:\WINDOWS\system32\hlwin.dll C:\Program Files\Accoona Err.. I couldn't find any of them. I looked in the folders manually, and tried to "Search" for them. I'm not going to do the next step yet.. O2 - BHO: (no name) - {91e6dc04-6d5c-404f-8699-c1a5d73b2090} - C:\WINDOWS\system32\gdbrdwsw.dll (file missing) O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing) you arent going to find them as stated by your HJT log , just remove the entries referencing them :) I like to fart silently but deadly in movie theatersArd Choille says (11:41 PM):I wouldn't dare tell you what to do m'dear Link to comment Share on other sites More sharing options...
coltm4carbine Posted December 24, 2005 Share Posted December 24, 2005 opps my bad; make sure you can show hidden files and folders. and then try again. and as albosky said some of them are missing. I just put them there incase of a bug in HJT. after that rehide your system files. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now