Greetings, I have gotten a nasty guard.tmp virus/spyware (Look2Me).

I have managed to delete most of the dirt, but there is still one dll file that I can't get rid of.

Also, I get a message when I start my computer: "something from rundll.exe having problems starting guard.tmp"

This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 13:03:31, on 2006-07-13
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Neo\Skrivbord\procexp.exe
C:\Program\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\WINDOWS\explorerneo130.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Winamp\Winamp.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program\WinRAR\WinRAR.exe
C:\DOCUME~1\Neo\LOKALA~1\Temp\Rar$EX00.078\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theneonet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.239.110.9:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F2 - REG:system.ini: Shell=explorerneo130.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &NeoTrace It! - C:\Program\NEOTRA~1\NTXcontext.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\Program\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150723373499
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast.com/de/download/NpFv415.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\q4nu0e59eh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmVv\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program\TuneUp Utilities 2006\WinStylerThemeSvc.exe

And this is the L2MFIX log:

L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q4nu0e59eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{48127A52-5296-42B0-3BBB-8452C8627526}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{8498643F-333D-43BB-8BFB-2D62CFB58A84}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{8498643F-333D-43BB-8BFB-2D62CFB58A84}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{8498643F-333D-43BB-8BFB-2D62CFB58A84}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{8498643F-333D-43BB-8BFB-2D62CFB58A84}\InprocServer32]
@="C:\\WINDOWS\\system32\\Sgncor11.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{3CBFCD64-4FA0-443B-970E-38A624F4084E}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{3CBFCD64-4FA0-443B-970E-38A624F4084E}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{3CBFCD64-4FA0-443B-970E-38A624F4084E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{3CBFCD64-4FA0-443B-970E-38A624F4084E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{4C0FE050-3616-4081-AF5E-83F0DA8D2811}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4C0FE050-3616-4081-AF5E-83F0DA8D2811}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4C0FE050-3616-4081-AF5E-83F0DA8D2811}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{4C0FE050-3616-4081-AF5E-83F0DA8D2811}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
   6to4svc.dll    Fri  2006-05-19  14.40.46   A....         95 232    93,00 K
   ati2cqag.dll   Wed  2006-06-07  22.35.18   A....        286 720   280,00 K
   ati2dvag.dll   Wed  2006-06-07  23.09.12   A....        260 096   254,00 K
   ati2edxx.dll   Wed  2006-06-07  23.04.26   A....         41 984    41,00 K
   ati2evxx.dll   Wed  2006-06-07  23.04.18   A....         61 440    60,00 K
   ati3duag.dll   Wed  2006-06-07  22.56.32   A....      2 754 784     2,63 M
   atiddc.dll     Wed  2006-06-07  23.02.58   A....         53 248    52,00 K
   atidemgr.dll   Wed  2006-06-07  22.38.22   A....        290 816   284,00 K
   atiiiexx.dll   Wed  2006-06-07  23.07.42   A....        307 200   300,00 K
   atikvmag.dll   Wed  2006-06-07  22.40.38   A....        204 800   200,00 K
   atioglx1.dll   Wed  2006-06-07  22.46.06   A....      6 684 672     6,38 M
   atioglxx.dll   Wed  2006-06-07  22.43.40   A....      5 050 368     4,82 M
   atipdlxx.dll   Wed  2006-06-07  23.04.48   A....        114 688   112,00 K
   atitvo32.dll   Wed  2006-06-07  22.39.38   A....         17 408    17,00 K
   ativvaxx.dll   Wed  2006-06-07  22.51.36   A....      1 751 488     1,67 M
   dhcpcsvc.dll   Fri  2006-05-19  14.40.46   A....        103 424   101,00 K
   divx.dll       Thu  2006-06-15  23.55.04   A....        620 180   605,64 K
   divxwm~1.dll   Wed  2006-04-19   2.04.54   A....         12 288    12,00 K
   divx_x~1.dll   Thu  2006-06-15  23.55.04   A....        778 240   760,00 K
   divx_x~2.dll   Thu  2006-06-15  23.55.04   A....        778 240   760,00 K
   divx_x~3.dll   Thu  2006-06-15  23.55.04   A....        761 856   744,00 K
   dnsapi.dll     Fri  2006-05-19  14.40.46   A....        140 288   137,00 K
   dpl100.dll     Thu  2006-05-25   0.46.44   A....         90 112    88,00 K
   dpu10.dll      Thu  2006-05-25   0.46.44   A....        294 912   288,00 K
   dpu11.dll      Thu  2006-05-25   0.46.44   A....        294 912   288,00 K
   dpugui10.dll   Thu  2006-05-25   0.46.52   A....         53 248    52,00 K
   dpugui11.dll   Thu  2006-05-25   0.46.44   A....        593 920   580,00 K
   dpus11.dll     Thu  2006-05-25   0.46.44   A....        344 064   336,00 K
   dpv11.dll      Thu  2006-05-25   0.46.44   A....         57 344    56,00 K
   dtu100.dll     Thu  2006-05-25   0.46.44   A....        200 704   196,00 K
   dxtmsft.dll    Fri  2006-04-28  10.57.16   A....        351 744   343,50 K
   en0ql1~1.dll   Thu  2006-07-13  12.22.18   ..S.R        235 511   229,99 K
   i260lc~1.dll   Thu  2006-07-13  12.21.18   ..S.R        236 573   231,03 K
   inetmib1.dll   Fri  2006-05-19  14.40.46   A....         31 232    30,50 K
   iphlpapi.dll   Fri  2006-05-19  14.40.46   A....         83 456    81,50 K
   ipsecsnp.dll   Sun  2006-05-14  11.33.06   A....        335 360   327,50 K
   ipsecsvc.dll   Sun  2006-05-14  11.33.06   A....        159 232   155,50 K
   ipsmsnap.dll   Sun  2006-05-14  11.33.06   A....        365 056   356,50 K
   ipv6mon.dll    Fri  2006-05-19  14.40.46   A....         54 272    53,00 K
   jgdw400.dll    Fri  2006-05-26  22.19.50   A....        163 840   160,00 K
   jscript.dll    Thu  2006-05-18   8.27.06   A....        458 752   448,00 K
   jsproxy.dll    Fri  2006-04-28  10.58.48   A....         12 288    12,00 K
   legitc~1.dll   Wed  2006-05-17  11.23.38   .....        579 888   566,30 K
   libdivx.dll    Thu  2006-05-25   0.43.44   A....      1 044 480  1020,00 K
   lvpq09~1.dll   Thu  2006-07-13  12.48.44   ..S.R        236 090   230,55 K
   mshtml.dll     Fri  2006-05-19  16.10.50   A....      2 702 848     2,57 M
   msssc.dll      Mon  2006-06-19  15.05.36   A....             44     0,04 K
   oakley.dll     Sun  2006-05-14  11.33.06   A....        258 048   252,00 K
   oemdspif.dll   Wed  2006-06-07  23.04.38   A....         77 824    76,00 K
   polstore.dll   Sun  2006-05-14  11.33.06   A....         98 304    96,00 K
   px.dll         Tue  2006-05-16  22.23.54   .....        430 080   420,00 K
   pxdrv.dll      Tue  2006-05-16  22.23.54   .....        450 560   440,00 K
   pxmas.dll      Tue  2006-05-16  22.23.54   .....        176 128   172,00 K
   pxsfs.dll      Tue  2006-05-16  22.23.54   .....      1 257 472     1,20 M
   pxwave.dll     Tue  2006-05-16  22.23.56   .....        339 968   332,00 K
   q4nu0e~1.dll   Thu  2006-07-13   2.31.42   A....        235 511   229,99 K
   qt-dx331.dll   Thu  2006-05-25   0.47.12   A....      3 596 288     3,43 M
   rasmans.dll    Thu  2006-06-22  13.03.12   A....        169 984   166,00 K
   regobj.dll     Sun  2006-07-02   0.10.38   A....         40 448    39,50 K
   shdocvw.dll    Fri  2006-05-26  15.52.10   A....      1 339 904     1,28 M
   socketx.dll    Sat  2006-07-01  12.16.44   A....        114 688   112,00 K
   ssldivx.dll    Thu  2006-05-25   0.43.44   A....        200 704   196,00 K
   unicows.dll    Thu  2006-05-25   0.43.40   A....        245 408   239,66 K
   urlmon.dll     Mon  2006-05-08  12.33.12   A....        461 824   451,00 K
   vxblock.dll    Tue  2006-05-16  22.23.56   .....         28 672    28,00 K
   wininet.dll    Fri  2006-04-28  15.10.36   A....        577 536   564,00 K
   winipsec.dll   Sun  2006-05-14  11.33.06   A....         29 184    28,50 K
   wmp.dll        Sat  2006-04-29   6.07.48   A....      5 533 696     5,28 M
   ws2_32.dll     Fri  2006-05-19  14.40.46   A....         70 656    69,00 K
   wship6.dll     Fri  2006-05-19  14.40.46   A....         13 312    13,00 K
   xpob2res.dll   Fri  2006-05-19  10.52.06   A....        165 888   162,00 K
71 items found:  71 files (3 H/S), 0 directories.
   Total of file sizes:  46 061 429 bytes     43,93 M
Locate .tmp files:
C:\WINDOWS\SYSTEM32\
   guard.tmp      Thu  2006-07-13  12.51.44   ..S.R        235 511   229,99 K
1 item found:  1 file (1 H/S), 0 directories.
   Total of file sizes:  235 511 bytes    229,99 K
**********************************************************************************
Directory Listing of system files:
 Volymen i enhet C har ingen etikett.
 Volymens serienummer „r 7495-B9A8
 Inneh†ll i katalogen C:\WINDOWS\System32
2006-07-13  12:51    <KAT>          ..
2006-07-13  12:51    <KAT>          .
2006-07-13  12:51           235ÿ511 guard.tmp
2006-07-13  12:48           236ÿ090 lvpq0975e.dll
2006-07-13  12:22           235ÿ511 en0ql1d51.dll
2006-07-13  12:21           236ÿ573 i260lcjm1foa.dll
2006-07-13  01:09    <KAT>          dllcache
2006-06-19  15:15    <KAT>          Microsoft
2002-09-09  23:08           175ÿ104 winlog.exe
               5 fil(er)           1ÿ118ÿ789 byte
               4 katalog(er)  103ÿ143ÿ174ÿ144 byte ledigt

Could someone help me out? =)

Oh.. and sorry if I didn't introduce myself when I'm new here :/
But these popups ARE getting annoying.

Edited by Reverend Jim: Fixed formatting

0

Err ok... a little edit... all the weird files are back again ("guard.tmp" etc.)

I have searched this forum for answers and tried a lot of those that were given... but nothing has worked yet.

Can somebody please help me? :(

0

First move HJT to a permanent folder such as C:\HJT or something similar. Now run HJT and check the following.
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.2.1.87.cab
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast.com/de/download/NpFv415.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\q4nu0e59eh.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmVv\command.exe (file missing)
Close all other windows and click fix checked.

Go to Start>>Run and type services.msc in the box and hit enter. Now look through the services for a service named Command Service. Right-click it and go to properties. Where it says start up type, change it to disable.
Now run HJT again and click on config and then misc tools>>Delete an NT service. Type Command Service in and hit enter. If that doesn't work, type cmdService into the box and hit enter.

Please download and install ewido anti-spyware tool

  • Close all other applications, select language, click OK
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait; Ewido will open its main screen automatically.
  • Wait again a few minutes and Ewido should auto-update itself. If it doesn't, click update at top of screen.
  • It is very important to get updates
  • When updating has finished, close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear use arrow up to highlight
  • Select the first option, to run Windows in Safe Mode hit enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

  • Open Ewido
  • Click on scanner at the top of the Ewido screen
  • Click on Settings
  • Under How to Act click on Recommended Action choose Quarantine
  • Under How to scan all boxes should be selected
  • Under Possibly unwanted software all boxes should be selected
  • On right side under Reports: click on Automatically generate report after every scan.
  • Under What to scan select scan every file
  • Click On scan Tab
  • Click on Complete system scan
  • Let the program scan the machine. It can take a while; give it time.
  • When the scan has finished, at the bottom of the screen click Apply all Actions
  • Click Save report
  • Click Save Report as (a Save As window should pop up.)
  • Click desktop
  • Click Save
  • Exit ewido

Now while still in safe mode delete the following files and folders using My Computer if they exist.
C:\WINDOWS\system32\q4nu0e59eh.dll
C:\WINDOWS\TmVv\

Reboot back to normal mode and post a new HJT log with the Ewido log.
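
An added example (not part of the original thread, and not HijackThis or L2MFIX code): a small Python parser for the Winlogon\Notify export in the first post, showing why the O20 "BITS" entry that the reply above has the user fix stands out from the other subkeys. The sample input is three subkeys copied from that log; the baseline DLL set is an assumption built from the export's other entries, not an authoritative Windows XP list.

```python
import ntpath
import re

# Constructed sample: three subkeys copied from the L2MFIX Winlogon\Notify
# export posted in this thread (BITS, crypt32chain, cscdll).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q4nu0e59eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
'''

# Assumption for this example: the baseline is the set of DLL names used by
# the other Notify subkeys in the same export. A real baseline would be taken
# from a known-clean install of the same Windows version.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll",
}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_value(raw):
    """Decode a .reg value: quoted REG_SZ or hex(2) REG_EXPAND_SZ (UTF-16LE)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # .reg strings escape backslash and quote with a leading backslash.
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[len('hex(2):'):].split(',') if b.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    return None  # dword and other types are not needed here


def parse_notify(text):
    """Return {subkey name: DllName} for every Notify subkey in a .reg export."""
    # Long hex values are wrapped with a trailing backslash; re-join them first.
    text = re.sub(r'\\\r?\n\s*', '', text)
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).rsplit('\\', 1)[-1]
            entries[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            # Registry value names are case-insensitive: the export itself
            # mixes "DllName" and "DLLName".
            entries[current][value.group(1).lower()] = decode_value(value.group(2))
    return {k: v['dllname'] for k, v in entries.items() if v.get('dllname')}


def triage(entries):
    """Flag Notify subkeys whose DLL deviates from the baseline."""
    findings = []
    for subkey, dll in sorted(entries.items()):
        reasons = []
        if ntpath.basename(dll).lower() not in KNOWN_NOTIFY_DLLS:
            reasons.append('DLL name not in baseline')
        if ntpath.isabs(dll):
            reasons.append('absolute path, unlike the other entries in this export')
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


if __name__ == '__main__':
    for subkey, dll, reasons in triage(parse_notify(SAMPLE_EXPORT)):
        print(f'{subkey}: {dll} -> {"; ".join(reasons)}')
```

A hit here is only a lead for review: third-party software can register its own Notify DLLs, so a flagged entry still has to be checked against the file on disk.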