#1 (permalink)
New Member
Join Date: Nov 2005
Posts: 14
Hopefully this is what you need:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Fri Sep 2 2005 7:52:04p A.... 1,019,904 996.00 K
cdfview.dll Fri Sep 2 2005 7:52:04p A.... 151,040 147.50 K
cdosys.dll Fri Sep 9 2005 9:53:42p A.... 2,067,968 1.97 M
danim.dll Fri Sep 2 2005 7:52:04p A.... 1,053,696 1.00 M
dhmasf.dll Sat Nov 26 2005 11:14:00a ..S.R 235,239 229.72 K
dxtrans.dll Fri Sep 2 2005 7:52:04p A.... 205,312 200.50 K
extmgr.dll Fri Sep 2 2005 7:52:04p ..... 55,808 54.50 K
gdi32.dll Wed Oct 5 2005 11:09:36p A.... 280,064 273.50 K
iepeers.dll Fri Sep 2 2005 7:52:04p A.... 251,392 245.50 K
inseng.dll Fri Sep 2 2005 7:52:04p A.... 96,256 94.00 K
irp2l5~1.dll Sat Nov 26 2005 2:25:38p ..S.R 236,578 231.03 K
kadfo.dll Sat Nov 26 2005 1:30:00p ..S.R 235,383 229.86 K
kkdmon.dll Thu Nov 24 2005 3:10:00p ..S.R 236,916 231.36 K
kpdno1.dll Sat Nov 26 2005 1:17:00p ..S.R 234,842 229.34 K
kwdic.dll Sat Nov 26 2005 10:09:56a ..S.R 233,844 228.36 K
linkinfo.dll Wed Aug 31 2005 9:41:54p A.... 19,968 19.50 K
lxngwrbk.dll Sat Nov 26 2005 2:29:22p ..S.R 236,578 231.03 K
mcdimap.dll Sat Nov 26 2005 12:57:56p ..S.R 234,033 228.55 K
mnupgrd.dll Thu Nov 24 2005 4:28:48p ..S.R 236,007 230.47 K
msctl32.dll Thu Nov 24 2005 12:52:28p A.... 46,592 45.50 K
mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M
mshtmled.dll Fri Sep 2 2005 7:52:06p A.... 448,512 438.00 K
msrating.dll Fri Sep 2 2005 7:52:06p A.... 146,432 143.00 K
mstime.dll Fri Sep 2 2005 7:52:06p A.... 530,432 518.00 K
msvcp71.dll Thu Nov 24 2005 3:03:40p A.... 499,712 488.00 K
msvcr71.dll Thu Nov 24 2005 3:03:40p A.... 348,160 340.00 K
mycat32.dll Sat Nov 26 2005 2:16:36p ..S.R 236,578 231.03 K
mywmdm.dll Sat Nov 26 2005 12:19:38p ..S.R 236,755 231.20 K
nlxpnt.dll Thu Nov 24 2005 4:42:38p ..S.R 233,545 228.07 K
p48q0e~1.dll Sat Nov 26 2005 2:29:22p ..S.R 237,162 231.60 K
pmrpnsp.dll Thu Nov 24 2005 2:47:26p ..S.R 236,007 230.47 K
pngfilt.dll Fri Sep 2 2005 7:52:06p A.... 39,424 38.50 K
quartz.dll Mon Aug 29 2005 11:54:26p A.... 1,287,168 1.23 M
shdocvw.dll Fri Sep 2 2005 7:52:06p A.... 1,483,776 1.41 M
shell32.dll Thu Sep 22 2005 11:05:30p A.... 8,450,560 8.06 M
shlwapi.dll Fri Sep 2 2005 7:52:06p A.... 473,600 462.50 K
sirenacm.dll Wed Oct 12 2005 5:11:06p A.... 118,784 116.00 K
smbrccsp.dll Thu Nov 24 2005 5:03:32p ..S.R 233,844 228.36 K
urlmon.dll Fri Sep 2 2005 7:52:06p A.... 608,768 594.50 K
wininet.dll Fri Sep 2 2005 7:52:06p A.... 658,432 643.00 K
winsrv.dll Wed Aug 31 2005 9:41:54p A.... 291,840 285.00 K

41 items found: 41 files (15 H/S), 0 directories.
Total of file sizes: 27,182,079 bytes 25.92 M

Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is E0D5-C067

Directory of C:\WINDOWS\System32

11/26/2005 02:29 PM 236,578 lXngwrbk.dll
11/26/2005 02:29 PM 237,162 p48q0el5ehq.dll
11/26/2005 02:25 PM 236,578 irp2l57o1.dll
11/26/2005 02:16 PM 236,578 mycat32.dll
11/26/2005 01:29 PM 235,383 kadfo.dll
11/26/2005 01:16 PM 234,842 kpdno1.dll
11/26/2005 12:57 PM 234,033 mcdimap.dll
11/26/2005 12:19 PM 236,755 MYWMDM.dll
11/26/2005 11:13 AM 235,239 dhmasf.dll
11/26/2005 10:09 AM 233,844 kwdic.dll
11/24/2005 05:03 PM 233,844 smbrccsp.dll
11/24/2005 04:42 PM 233,545 nlxpnt.dll
11/24/2005 04:28 PM 236,007 mnupgrd.dll
11/24/2005 03:09 PM 236,916 kkdmon.dll
11/24/2005 02:47 PM 236,007 pmrpnsp.dll
10/22/2005 06:10 AM <DIR> dllcache
01/19/2004 08:54 PM <DIR> Microsoft
15 File(s) 3,533,311 bytes
2 Dir(s) 9,346,920,448 bytes free

Last edited by Gregus; 11-26-2005 at 08:35 PM.

#2 (permalink)
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 7,613
That's what I was looking for.
Close any programs you have open since this step requires a reboot. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot, post a new Hijackthis log, and say how things are now.
__________________
Son of Glyndwr
The old land of my fathers is dear to me

#3 (permalink)
New Member
Join Date: Nov 2005
Posts: 14
Here we go .. no issues yet. What needs to be removed by hijack?

Logfile of HijackThis v1.99.1
Scan saved at 3:48:26 PM, on 11/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\boobies\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1231305D-FE88-4D1B-B1A2-1427D872D3EE}: NameServer = 216.218.205.19,24.222.0.75
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\irp2l57o1.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

#4 (permalink)
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 7,613
You in Canada? And what firewall you got?
Run Hijackthis and select "Do a system scan only", place a check by the following entries.

O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\irp2l57o1.dll (file missing)

Close all open windows and browsers, and hit "Fix Checked". Reboot and post a new Hijackthis log, and answer the questions above.
__________________
Son of Glyndwr
The old land of my fathers is dear to me

#5 (permalink)
New Member
Join Date: Nov 2005
Posts: 14
I am located in Canada, and I have no firewall. I had gone without for 2 years now and only got a virus now because of my own stupidity.

Logfile of HijackThis v1.99.1
Scan saved at 4:01:24 PM, on 11/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\boobies\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1231305D-FE88-4D1B-B1A2-1427D872D3EE}: NameServer = 216.218.205.19,24.222.0.75
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

#6 (permalink)
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 7,613
The log's clean now.
You should really have a firewall, there's 3 free ones here. Basic Malware Prevention
__________________
Son of Glyndwr
The old land of my fathers is dear to me
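
The before/after comparison done by eye in posts #3 to #6 can be scripted. The following is an added example, not part of the original thread or of HijackThis itself: it parses the result lines of two logs, reports which entries disappeared between them, and lists `O20 - Winlogon Notify` hooks whose DLL is already gone. The sample logs are constructed, trimmed excerpts of the logs posted above, and the function names are hypothetical.

```python
import re

# Constructed sample: a trimmed excerpt of the first HijackThis log in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\irp2l57o1.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""
# Constructed sample: the same excerpt with the O20 line gone, as in the later log.
AFTER = "\n".join(l for l in BEFORE.splitlines() if not l.startswith("O20"))

# Result lines start with a section code (R0-R3, F0-F3, N1-N4, O1...) then " - ".
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
NOTIFY = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+?\.dll)"
                    r"(?P<missing> \(file missing\))?$", re.IGNORECASE)

def parse_entries(log):
    """Return (code, detail) pairs; header and running-process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def removed_entries(before, after):
    """Entries present in the earlier log but absent from the later one."""
    remaining = set(parse_entries(after))
    return [e for e in parse_entries(before) if e not in remaining]

def orphaned_notify(log):
    """O20 Winlogon Notify hooks left in the registry after their DLL was deleted."""
    hits = []
    for code, detail in parse_entries(log):
        m = NOTIFY.match(detail)
        if code == "O20" and m and m.group("missing"):
            hits.append((m.group("name"), m.group("path")))
    return hits

if __name__ == "__main__":
    for name, path in orphaned_notify(BEFORE):
        print(f"orphaned Winlogon Notify hook: {name} -> {path}")
    for code, detail in removed_entries(BEFORE, AFTER):
        print(f"removed since last scan: {code} - {detail}")
```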