Spyware Warrior Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 
FAQ :: Search :: Memberlist :: Usergroups :: Register
Profile :: Log in to check your private messages :: Log in

Help! Fatal System Error... what's this mean??
Goto page 1, 2  Next
 
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Spyware Warrior Forum Index -> Archived Spyware Removal Help Topics
View previous topic :: View next topic  
Author Message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Wed Mar 09, 2005 3:02 pm    Post subject: Help! Fatal System Error... what's this mean?? Reply with quote

My computer, the last fews days, will randomly shut windows XP down, and send me to a blue screen with this message:

STOP: c00021a {Fatal System Error} The Windows Logon Process terminated unexpectedly with a system status of oxc0000005 (0x00000000 0x00000000)
The system has been shut down

When I get this I have to shut the computer off and restart it to get back to windows. It has only been doing this about 2-3days and probably about 3-5 times in that time span... what do I do?

I've got Windows XP home edition, Internet Explorer version 6.0
I don't know if you want/need it but my hijack file is below. Also, just FYI Incredimail is my e-mail program so I can't delete otherwise I'll loose my e-mail program. Any help is very much appreciated. Thank you!

Michelle



Logfile of HijackThis v1.99.0
Scan saved at 6:01:20 PM, on 3/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Tvtjwo.exe
C:\WINDOWS\system32\Urjelq.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hhsicons.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackTHIS\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Tvtjwo.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Urjelq.exe
O4 - HKLM\..\Run: [nsvcin] C:\Program Files\Common Files\System\MAPI\1033\nt\n20050308.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [voehrn] c:\windows\system32\voehrn.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Ly4qRijFW] hhsicons.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Thu Mar 10, 2005 12:34 am    Post subject: Reply with quote

You have a look2me infection along with a few other problems.

We'll start with the look2me infection first.


http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Thu Mar 10, 2005 10:05 am    Post subject: ... Reply with quote

Not sure if this is all correct. When I ran it I got this error:

C:/Windows/system32/cmd.exe
C:/WINDOWS/SYSTEM32/AUTOEXEC.NT
The system file is not suitable for running MS-DOS and Microsoft Windows application. Choose 'close' to terminate the application.


However, a minute later this log came up. I'm not sure if it finished running but I will post it here anyways.

Thank you... I'll await further instructions. I apprecaite all the help

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DateTime]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enrsl1971.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplore]
"Startup"="expF4"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001
"DllName"=hex(2):32,00,64,00,6d,00,33,00,64,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{79A4DF28-10E4-EC4B-B421-328C1B2F46F3}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5FA02C8D-7D3D-4AD0-BE2A-10D90A366CC8}"=""
"{1FA44F69-02A6-4269-87E8-2610CA9FA077}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5FA02C8D-7D3D-4AD0-BE2A-10D90A366CC8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5FA02C8D-7D3D-4AD0-BE2A-10D90A366CC8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5FA02C8D-7D3D-4AD0-BE2A-10D90A366CC8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5FA02C8D-7D3D-4AD0-BE2A-10D90A366CC8}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1FA44F69-02A6-4269-87E8-2610CA9FA077}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1FA44F69-02A6-4269-87E8-2610CA9FA077}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1FA44F69-02A6-4269-87E8-2610CA9FA077}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1FA44F69-02A6-4269-87E8-2610CA9FA077}\InprocServer32]
@="C:\\WINDOWS\\system32\\jc4207hoe.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Thu Mar 10, 2005 2:24 pm    Post subject: Reply with quote

Yep that's correct. Here's the removal part.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Thu Mar 10, 2005 3:06 pm    Post subject: ... Reply with quote

Ok here is what I've got. I really appreciate you walking me through this nice and slow... otherwise I'd probably get confused, lol. Thanks much!



This is the l2mfix.bat notepad file:

L2Mfix 1.02b

Running From:
C:\Documents and Settings\Michelle\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Michelle\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Michelle\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 612 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1632 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\h0l20a3oed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir6ul5j91.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j00s0ad7ed0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j62qlgf5162.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt2q07f5e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt4207hoe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k0pm0a71ed.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt20l7fm1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kudinbe1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m428lefu1h28.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n88o0il3e8q.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q868liju18o8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wdadefui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wmdmtp.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\h0l20a3oed.dll
Successfully Deleted: C:\WINDOWS\system32\h0l20a3oed.dll
deleting: C:\WINDOWS\system32\ir6ul5j91.dll
Successfully Deleted: C:\WINDOWS\system32\ir6ul5j91.dll
deleting: C:\WINDOWS\system32\j00s0ad7ed0.dll
Successfully Deleted: C:\WINDOWS\system32\j00s0ad7ed0.dll
deleting: C:\WINDOWS\system32\j62qlgf5162.dll
Successfully Deleted: C:\WINDOWS\system32\j62qlgf5162.dll
deleting: C:\WINDOWS\system32\jt2q07f5e.dll
Successfully Deleted: C:\WINDOWS\system32\jt2q07f5e.dll
deleting: C:\WINDOWS\system32\jt4207hoe.dll
Successfully Deleted: C:\WINDOWS\system32\jt4207hoe.dll
deleting: C:\WINDOWS\system32\k0pm0a71ed.dll
Successfully Deleted: C:\WINDOWS\system32\k0pm0a71ed.dll
deleting: C:\WINDOWS\system32\kt20l7fm1.dll
Successfully Deleted: C:\WINDOWS\system32\kt20l7fm1.dll
deleting: C:\WINDOWS\system32\kudinbe1.dll
Successfully Deleted: C:\WINDOWS\system32\kudinbe1.dll
deleting: C:\WINDOWS\system32\m428lefu1h28.dll
Successfully Deleted: C:\WINDOWS\system32\m428lefu1h28.dll
deleting: C:\WINDOWS\system32\n88o0il3e8q.dll
Successfully Deleted: C:\WINDOWS\system32\n88o0il3e8q.dll
deleting: C:\WINDOWS\system32\q868liju18o8.dll
Successfully Deleted: C:\WINDOWS\system32\q868liju18o8.dll
deleting: C:\WINDOWS\system32\wdadefui.dll
Successfully Deleted: C:\WINDOWS\system32\wdadefui.dll
deleting: C:\WINDOWS\system32\wmdmtp.dll
Successfully Deleted: C:\WINDOWS\system32\wmdmtp.dll

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: h0l20a3oed.dll (164 bytes security) (deflated 5%)
adding: ir6ul5j91.dll (164 bytes security) (deflated 5%)
adding: j00s0ad7ed0.dll (164 bytes security) (deflated 5%)
adding: j62qlgf5162.dll (164 bytes security) (deflated 5%)
adding: jt2q07f5e.dll (164 bytes security) (deflated 5%)
adding: jt4207hoe.dll (164 bytes security) (deflated 5%)
adding: k0pm0a71ed.dll (164 bytes security) (deflated 5%)
adding: kt20l7fm1.dll (164 bytes security) (deflated 5%)
adding: kudinbe1.dll (164 bytes security) (deflated 5%)
adding: m428lefu1h28.dll (164 bytes security) (deflated 5%)
adding: n88o0il3e8q.dll (164 bytes security) (deflated 4%)
adding: q868liju18o8.dll (164 bytes security) (deflated 4%)
adding: wdadefui.dll (164 bytes security) (deflated 5%)
adding: wmdmtp.dll (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 36%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: desktop.ini (164 bytes security) (deflated 14%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 81%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 65%)
adding: test.txt (164 bytes security) (deflated 76%)
adding: test2.txt (164 bytes security) (deflated 14%)
adding: test3.txt (164 bytes security) (deflated 14%)
adding: test5.txt (164 bytes security) (deflated 14%)
adding: xfind.txt (164 bytes security) (deflated 68%)
adding: backregs/1FA44F69-02A6-4269-87E8-2610CA9FA077.reg (164 bytes security) (deflated 70%)
adding: backregs/5FA02C8D-7D3D-4AD0-BE2A-10D90A366CC8.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"
Warning (option /rge) - There is no ACE to remove!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: h0l20a3oed.dll
deleting local copy: ir6ul5j91.dll
deleting local copy: j00s0ad7ed0.dll
deleting local copy: j62qlgf5162.dll
deleting local copy: jt2q07f5e.dll
deleting local copy: jt4207hoe.dll
deleting local copy: k0pm0a71ed.dll
deleting local copy: kt20l7fm1.dll
deleting local copy: kudinbe1.dll
deleting local copy: m428lefu1h28.dll
deleting local copy: n88o0il3e8q.dll
deleting local copy: q868liju18o8.dll
deleting local copy: wdadefui.dll
deleting local copy: wmdmtp.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplore]
"Startup"="expF4"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001
"DllName"=hex(2):32,00,64,00,6d,00,33,00,64,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MSSYCLM]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gp40l3hm1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\h0l20a3oed.dll
C:\WINDOWS\system32\ir6ul5j91.dll
C:\WINDOWS\system32\j00s0ad7ed0.dll
C:\WINDOWS\system32\j62qlgf5162.dll
C:\WINDOWS\system32\jt2q07f5e.dll
C:\WINDOWS\system32\jt4207hoe.dll
C:\WINDOWS\system32\k0pm0a71ed.dll
C:\WINDOWS\system32\kt20l7fm1.dll
C:\WINDOWS\system32\kudinbe1.dll
C:\WINDOWS\system32\m428lefu1h28.dll
C:\WINDOWS\system32\n88o0il3e8q.dll
C:\WINDOWS\system32\q868liju18o8.dll
C:\WINDOWS\system32\wdadefui.dll
C:\WINDOWS\system32\wmdmtp.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5FA02C8D-7D3D-4AD0-BE2A-10D90A366CC8}"=-
"{1FA44F69-02A6-4269-87E8-2610CA9FA077}"=-
[-HKEY_CLASSES_ROOT\CLSID\{5FA02C8D-7D3D-4AD0-BE2A-10D90A366CC8}]
[-HKEY_CLASSES_ROOT\CLSID\{1FA44F69-02A6-4269-87E8-2610CA9FA077}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{27F2408D-DBCC-4B28-A8CE-F0B6C1B4C61D}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{27F2408D-DBCC-4B28-A8CE-F0B6C1B4C61D}</IDone>
<IDtwo>VT09</IDtwo>
<VERSION>200</VERSION>
****************************************************************************






Here's the hijack this file:

Logfile of HijackThis v1.99.0
Scan saved at 6:04:14 PM, on 3/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\vouguv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\windows\system32\voehrn.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\hhsicons.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\windows\system32\calc.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\ImapiRox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HijackTHIS\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Tvtjwo.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Urjelq.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [voehrn] c:\windows\system32\voehrn.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Ly4qRijFW] hhsicons.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Thu Mar 10, 2005 4:42 pm    Post subject: Reply with quote

We are going to need to remove what remains in your log in steps.

There is a newer version of Hijackthis, if you could please download the newest version and delete the old.
http://www.downloads.subratam.org/hijackthis.zip



First go to your Add/Remove Programs Panel
Click Start > Control Panel > Add/Remove Programs

Uninstall the Following, if you don't see the items listed don't worry about it.
Delfin Media Viewer
eZula
AdTools or WinAdTools

Now download the following program LSPFix

1. Unzip and run LSPFix.
2. Check 'I know what I'm doing'.
3. Select aklsp.dll & dolsp.dll .
4. Click the right-pointing 'arrows' and move all instances of inetadpt.dll and nothing else to the Remove (RHS) side
5. Click the 'Finished' button. (if you exit with the X at top right nothing happens)
6. Now delete c:\windows\system32\aklsp.dll & c:\windows\system32\dolsp.dll

Lets stop here post a fresh Hijackthis log and what remains we'll remove.
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Fri Mar 11, 2005 2:12 pm    Post subject: ... Reply with quote

Ok, I followed the steps you gave me. First, none of those programs were in the add/remove program so I couldn't remove them. Second, I could not delete those 2 files: c:\windows\system32\aklsp.dll & c:\windows\system32\dolsp.dll

the computer wouldn't allow me to delete them - it gave the access denied error thing. What should I do to delete them?



Logfile of HijackThis v1.99.1
Scan saved at 5:10:12 PM, on 3/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\Tvtjwo.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\windows\system32\voehrn.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\vouguv.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\hhsicons.exe
C:\PROGRA~1\ezula\mmod.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\packager.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Michelle\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Tvtjwo.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Urjelq.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [voehrn] c:\windows\system32\voehrn.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Ly4qRijFW] hhsicons.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezPopStub.exe /UninstPOP2 C:\Program Files\Web Offer
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: iexplore - 2dm3d.dll (file missing)
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\hrn0055me.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Sat Mar 12, 2005 3:18 am    Post subject: Reply with quote

Ctrl+Alt+Delete Once and end the following.
C:\WINDOWS\system32\Tvtjwo.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\WINDOWS\system32\voehrn.exe
C:\WINDOWS\system32\vouguv.exe
C:\WINDOWS\system32\hhsicons.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\Program Files\ezula\mmod.exe


Close all your running programs. Run hijackthis and place a check next to the following.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Tvtjwo.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Urjelq.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [voehrn] c:\windows\system32\voehrn.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Ly4qRijFW] hhsicons.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: iexplore - 2dm3d.dll (file missing)
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\hrn0055me.dll

close all your internet explorer windows and click fix in hijackthis.

Now locate the following files and folders and delete them.

Files:
C:\WINDOWS\farmmext.exe
C:\WINDOWS\system32\Tvtjwo.exe
C:\WINDOWS\system32\Urjelq.exe
C:\WINDOWS\system32\voehrn.exe
C:\WINDOWS\system32\vouguv.exe
C:\WINDOWS\system32\hhsicons.exe

Folders:
C:\WINDOWS\isrvs
C:\WINDOWS\system32\wsxsvc
C:\WINDOWS\system32\vmss
C:\Program Files\AdTools Service
C:\Program Files\ezula

Download the following CWshredder, Ad-aware, & Spy-Bot.

  • Updating Ad-aware:
    Double-Click the Desktop Icon > Click 'Check For Updates Now' > Click 'Connect'
  • Updating Spybot:
    Double-Click the Desktop Icon > Click Update > Drop-Down Box UniDo(Europe) > Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'

Now rebooot into safe mode (press f8 during reboot, select safe mode) and DON'T reconnect to the net.

  • Double-Click CWShredder and click 'Fix'
    • Close CWShredder


  • Open Ad-aware and make the following changes to the settings in Ad-aware.
    • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
      check: "Unload recognized processes during scanning."
    • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
      Check: "Let Windows remove files in use at next reboot."
Press 'Proceed'

Click 'Start'
  • Select option 'Use Custom scanning options'
  • Click 'Activate in-depth scan'
  • Click 'Select drives\folders to scan' Select the active partition which is usually C:
Click 'Customize'
  • Make sure the following are all are Checked:
    • 'Scan Within Archives'
    • 'Scan Active Processes'
    • 'Scan Registry'
    • 'Deep Scan Registry'
    • 'Scan My IE Favorites For Banned URL'S
    • 'Scan My Hosts File'
Click 'Proceed'

  • Now click "Next" to let Ad-aware scan your drives.
  • Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
  • Now Click 'Next' and Finally Click 'OK'


Close Out Ad-Aware

Open Spybot.
  • Click 'Search & Destroy'
  • Click 'Check for problems' (the program will now search your HDD)
  • Make sure all findings are checked and click 'Fix Selected Problems'


Close SpyBot and Reboot!

Once complete post a fresh log in your thread.
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Sat Mar 12, 2005 11:24 am    Post subject: ........ Reply with quote

Ok, I followed the directions with just a few problems:

C:\WINDOWS\system32\voehrn.exe – I can’t delete this one plus I can’t “end process” on it either, it stays there and won’t end

C:\WINDOWS\system32\vouguv.exe – can’t find this one

C:\WINDOWS\isrvs – can’t delete

C:\WINDOWS\system32\wsxsvc - can’t delete

C:\WINDOWS\system32\vmss - can’t delete


I'm not sure what to do about the above folders.
Here is my new hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 2:22:48 PM, on 3/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system32\voehrn.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\windows\system32\calc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\PROGRA~1\eZula\mmod.exe
C:\PROGRA~1\WEBOFF~1\wo.exe
C:\DOCUME~1\Michelle\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [voehrn] c:\windows\system32\voehrn.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\lv2o09f3e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Sat Mar 12, 2005 2:18 pm    Post subject: Reply with quote

THe dolsp.dll has returned. Download LSPFix

1. Unzip and run LSPFix.
2. Check 'I know what I'm doing'.
3. Select inetadpt.dll.
4. Click the right-pointing 'arrows' and move all instances of inetadpt.dll and nothing else to the Remove (RHS) side
5. Click the 'Finished' button. (if you exit with the X at top right nothing happens)
6. Boot into safe mode and delete C:\windows\system32\dolsp.dll
in safe mode.

Now Download the the FindQoologic-Narrator.zip and save it to your Desktop.
(Link below)

Extract (unzip) the files inside into their own folder called FindQoologic.

Open the FindQoologic folder.

Locate and double-click the Activesetup.vbs file to run it.
Please wait until a "Finished" message appears.


When the set-up is complete a file named "Activesetup components[Machine ID][date].txt" will have been saved in the FindQoologic folder.

Locate and double-click the Find-Qoologic.bat to run it.



The tool will open a DOS window and begin to check your system.
When it is finished a text file will open in Notepad called "file.txt".

Save this text file in the FindQoologic folder.

Close the DOS box If on win 98 or me.


Locate the "Activesetup components[Machine ID][date].txt" file and the file you saved.


Copy and paste the contents of both reports into your next post.


http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981


Are you still getting pop-ups?
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Sat Mar 12, 2005 2:42 pm    Post subject: ... Reply with quote

Hi! First thing, yes I am getting pop-ups... lots and lots of them actually. I even have a pop up blocker (through google searchbar) and it's not helping though it does block some.

The only other problem is that I'm not sure how the DOS stuff runs cause everytime my computer boots up, it pops up with some DOS program thing and tells me there's some sort of error and to either close or ignore it (though if you click ignore, it just pops back up with the same question about close or ignore). When I ran the DOS stuff in Safe mode it still did the same thing.

The other thing I'm noticing is that random junk is installing itself - i.e. virtual bouncer, cashback, search the web stuff, 180 search assistant, web offer... things like this - I get rid of them and they come back... I generally uninstall them through Control Pannel's add/remove program then I go to my computer and search for them to delete the folders but they still come back Sad Don't know if that's helpful to any of the problems with my computer. Thanks much!


Here's the activesetup component file:

"Find activesetup", version1, launched at: 17:32
Operating System: Windows XP SP2


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
"ba7f84aa-181a-4b26-b276-25b9cfb144b4\(Default)" = ""
\StubPath = "C:\WINDOWS\system32\lmuaul.exe" [null data]



Here's the other one:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\IMMenuShellExt
<NO NAME> REG_SZ {F8984111-38B6-11D5-8725-0050DA2761C4}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mkyxym
<NO NAME> REG_SZ {cbb46157-b958-439d-bf16-9209958ba7b7}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
<NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Sun Mar 13, 2005 1:26 am    Post subject: Reply with quote

That log's clean. Download the zip file courtesy of Zupe here and unzip it to your desktop.
http://ralphcaddell.com/Uploads/FindIt_NT-2K-XP.zip

Go into the FindIt folder that you unzipped and doubleclick the Find.bat file to run it. It will take a few minutes to run so you will have to be patient. Save the results and post them into your next response.
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Mon Mar 14, 2005 10:10 am    Post subject: ... Reply with quote

Here's the log you asked for... also I'm getting an insane amount of pop ups... for example, yesterday, within 20 minutes had about 20-25 pop ups... and the same thing is happening today. I can't close them as fast as they come up. What does this mean and how do I get rid of them?
Also, do you want another hijackthis log?


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Michelle\Local Settings\Temp\Temporary Internet Files\Content.IE5\SJJJEC59\FindIt_NT-2K-XP[1]\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E2EA-C980

Directory of C:\WINDOWS\System32

03/14/2005 12:41 PM <DIR> dllcache
03/14/2005 12:10 PM 232,839 ktdit.dll
03/14/2005 12:09 PM 235,570 m664lgjq16oe.dll
03/14/2005 12:07 PM 235,570 wjnetmgr.dll
03/14/2005 12:07 PM 232,839 h0l2la3o1d.dll
03/12/2005 06:46 PM 233,222 duraw.dll
03/12/2005 05:35 PM 235,570 hgojwia.dll
03/12/2005 04:57 PM 235,570 mdhtmler.dll
03/12/2005 02:07 PM 232,996 l44qleh51h4.dll
03/11/2005 05:01 PM 235,625 dn2601fse.dll
03/10/2005 05:59 PM 235,570 isetres.dll
03/10/2005 12:44 PM 234,694 jt6m07j1e.dll
03/09/2005 07:53 PM 232,736 f22mlcf11f2.dll
11/26/2004 09:20 AM 32 {EFE794E2-8DA1-4330-8EFD-06359B0D515C}.dat
03/30/2004 01:32 PM 56 09EA61389A.sys
03/17/2004 12:34 AM <DIR> Microsoft
14 File(s) 2,812,889 bytes
2 Dir(s) 16,516,972,544 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E2EA-C980

Directory of C:\WINDOWS\System32

03/14/2005 12:41 PM <DIR> dllcache
03/12/2005 12:10 PM <DIR> vmss
03/12/2005 12:10 PM <DIR> wsxsvc
03/04/2005 04:11 PM 110,592 sysmonnt.exe
11/26/2004 09:20 AM 32 {EFE794E2-8DA1-4330-8EFD-06359B0D515C}.dat
07/12/2004 06:12 PM 292,994 msbb.log
07/09/2004 09:10 PM 3,100,134 msbb_kyf.dat
07/08/2004 09:04 AM 38 msbbau.dat
03/30/2004 01:32 PM 56 09EA61389A.sys
03/17/2004 12:05 AM 488 logonui.exe.manifest
03/17/2004 12:05 AM 488 WindowsLogon.manifest
03/17/2004 12:05 AM 749 ncpa.cpl.manifest
03/17/2004 12:05 AM 749 cdplayer.exe.manifest
03/17/2004 12:05 AM 749 wuaucpl.cpl.manifest
03/17/2004 12:05 AM 749 nwc.cpl.manifest
03/17/2004 12:05 AM 749 sapi.cpl.manifest
13 File(s) 3,508,567 bytes
3 Dir(s) 16,516,841,472 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is E2EA-C980

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is E2EA-C980

Directory of C:\WINDOWS\System32

09/03/2002 11:29 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 16,516,907,008 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F9722683-6701-AB3E-67FC-4B5735A2167B}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h0l2la3o1d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\iupnpi.dll: updates.qoologic.com
C:\WINDOWS\system32\lmuaul.exe: updates.qoologic.com
C:\WINDOWS\system32\lzuqul.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\installer.exe: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\vouguv.exe: .aspack
C:\WINDOWS\system32\wyukuw.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kpgigk.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"2wSysTray"="C:\\Program Files\\2Wire\\Gateway\\2portalmon.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"Desktop Search"="C:\\WINDOWS\\isrvs\\desktop.exe"
"ffis"="C:\\WINDOWS\\isrvs\\ffisearch.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"voehrn"="c:\\windows\\system32\\voehrn.exe"
"farmmext"="C:\\WINDOWS\\farmmext.exe"
"Dvx"="C:\\WINDOWS\\system32\\wsxsvc\\wsxsvc.exe"
"vmss"="C:\\WINDOWS\\system32\\vmss\\vmss.exe"
"winupdtl"="C:\\WINDOWS\\system32\\winupdt.exe"
"msw"="C:\\Documents and Settings\\All Users\\Application Data\\msw\\MSW.exe"
"h3vyfnee"="C:\\Program Files\\h3vyfnee\\h3vyfnee.exe"
"Narrator"="C:\\WINDOWS\\system32\\vouguv.exe"
"AutoUpdater"="\"C:\\Program Files\\AutoUpdate\\AutoUpdate.exe\""
"49nk3sP"="smslibnt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Tue Mar 15, 2005 11:44 pm    Post subject: Reply with quote

Okay my apologies for taking so long to respond. Some how you still have remaints of look2me, so we need to run the first part again.

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Sat Mar 19, 2005 8:34 am    Post subject: ... Reply with quote

Sorry it took me a while to respond. I've been rather ill (and still am) but I needed to check some stuff on here. Well, the computer is giving me lots and lots of problems - millions of pop ups, those pop ups keep freezing so it takes me forever just to do one thing, and things are randomly installing themselves on my computer - like dating icons, casino icons, etc... I don't know if that's all due to that look2me thing you told me about or not...

Thank you... I'll try to check back as soon as possible.

Here's the log you asked for:
L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fisrch.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AB9C6F1D-F281-B4B0-0BF5-64CEC3FCD788}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{97611893-C75C-45B3-807D-CD146FA791FD}"=""
"{C347C3A2-B3D6-4500-AC0B-B24137BC4A8D}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{97611893-C75C-45B3-807D-CD146FA791FD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{97611893-C75C-45B3-807D-CD146FA791FD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{97611893-C75C-45B3-807D-CD146FA791FD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{97611893-C75C-45B3-807D-CD146FA791FD}\InprocServer32]
@="C:\\WINDOWS\\system32\\ds2601fse.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C347C3A2-B3D6-4500-AC0B-B24137BC4A8D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C347C3A2-B3D6-4500-AC0B-B24137BC4A8D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C347C3A2-B3D6-4500-AC0B-B24137BC4A8D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C347C3A2-B3D6-4500-AC0B-B24137BC4A8D}\InprocServer32]
@="C:\\WINDOWS\\system32\\it50_qc.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is E2EA-C980

Directory of C:\WINDOWS\System32

03/19/2005 11:31 AM <DIR> dllcache
03/19/2005 11:24 AM 601 TBPS.ini
03/19/2005 11:15 AM 233,248 it50_qc.dll
03/19/2005 11:15 AM 233,865 jtj6071se.dll
03/17/2005 09:08 AM 417,792 r?ndll.exe
03/15/2005 01:47 PM 235,570 ds2601fse.dll
03/15/2005 09:21 AM 232,839 hr6q05j5e.dll
03/14/2005 10:50 PM 235,570 j40sled71h0.dll
03/14/2005 12:07 PM 235,570 wjnetmgr.dll
03/12/2005 06:46 PM 233,222 duraw.dll
03/12/2005 05:35 PM 235,570 hgojwia.dll
03/12/2005 04:57 PM 235,570 mdhtmler.dll
03/12/2005 02:07 PM 232,996 l44qleh51h4.dll
03/11/2005 05:01 PM 235,625 dn2601fse.dll
03/10/2005 05:59 PM 235,570 isetres.dll
03/10/2005 12:44 PM 234,694 jt6m07j1e.dll
03/09/2005 07:53 PM 232,736 f22mlcf11f2.dll
11/26/2004 09:20 AM 32 {EFE794E2-8DA1-4330-8EFD-06359B0D515C}.dat
03/30/2004 01:32 PM 56 09EA61389A.sys
03/17/2004 12:34 AM <DIR> Microsoft
18 File(s) 3,701,126 bytes
2 Dir(s) 16,233,136,128 bytes free
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Sat Mar 19, 2005 1:14 pm    Post subject: Reply with quote

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Sun Mar 20, 2005 11:32 am    Post subject: ... Reply with quote

Well, just a few minutes ago as I was trying to type a reply to you and post the logs, my computer gave out again and sent me to that blue screen with the Fatal System Error - it hasn't done that in a while but it did it today (along with the millions of pop up ads that I can't get rid of and stuff downloading itself onto my computer)... I just wish that whatever was happening to my computer would stop but I appreciate all your help and hardwork. Thanks again!

Well, here are the logs you requested:

L2Mfix 1.02b

Running From:
C:\Documents and Settings\Michelle\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Michelle\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Michelle\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 588 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2028 'rundll32.exe'
Killing PID 1620 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
updating: clear.reg (164 bytes security) (deflated 22%)
updating: echo.reg (164 bytes security) (deflated 9%)
updating: direct.txt (164 bytes security) (stored 0%)
updating: lo2.txt (164 bytes security) (deflated 73%)
updating: readme.txt (164 bytes security) (deflated 49%)
updating: report.txt (164 bytes security) (deflated 65%)
updating: test.txt (164 bytes security) (deflated 76%)
updating: test2.txt (164 bytes security) (stored 0%)
updating: test3.txt (164 bytes security) (stored 0%)
updating: test5.txt (164 bytes security) (stored 0%)
updating: log.txt (164 bytes security) (deflated 79%)
updating: backregs/1FA44F69-02A6-4269-87E8-2610CA9FA077.reg (164 bytes

security) (deflated 70%)
updating: backregs/5FA02C8D-7D3D-4AD0-BE2A-10D90A366CC8.reg (164 bytes

security) (deflated 70%)
updating: backregs/shell.reg (164 bytes security) (deflated 73%)
updating: backregs/97611893-C75C-45B3-807D-CD146FA791FD.reg (164 bytes

security) (deflated 70%)
updating: backregs/C347C3A2-B3D6-4500-AC0B-B24137BC4A8D.reg (164 bytes

security) (deflated 70%)
adding: backregs/8E9A87AD-FC7F-46B1-B17E-66E17319B75C.reg (164 bytes

security) (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"
Warning (option /rge) - There is no ACE to remove!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
**********************************************************************

******
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\SideBySide]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\azau0i19e8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
**********************************************************************

******

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
**********************************************************************

******
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell

Extensions\Approved]
"{8E9A87AD-FC7F-46B1-B17E-66E17319B75C}"=-
[-HKEY_CLASSES_ROOT\CLSID\{8E9A87AD-FC7F-46B1-B17E-66E17319B75C}]
"SV1"=""
**********************************************************************

******
Desktop.ini Contents:
**********************************************************************

******
**********************************************************************

******




Logfile of HijackThis v1.99.1
Scan saved at 2:29:34 PM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\vouguv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system32\voehrn.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\WINDOWS\system32\winupdt.exe
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
C:\WINDOWS\system32\smslibnt.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\win32092-48792947.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\windows\system32\packager.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system\urdhjsbr.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\sysmonnt.exe
C:\WINDOWS\system32\shiet40.exe
C:\Documents and Settings\Michelle\Application Data\eetu.exe
C:\WINDOWS\system32\r?ndll.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Common Files\WinTools\WSup.exe
c:\PROGRA~1\Toolbar\WSG.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\ImapiRox.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Michelle\LOCALS~1\Temp\Temporary Directory 7 for

hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.websearch.com/ie.aspx?tb_id=50216
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =

http://www.websearch.com/ie.aspx?tb_id=50216
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =

res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://www.websearch.com/ie.aspx?tb_id=50216
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} -

C:\PROGRA~1\Toolbar\toolbar.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} -

C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} -

C:\WINDOWS\systb.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} -

C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} -

C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} -

C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} -

C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator

5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec

Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [voehrn] c:\windows\system32\voehrn.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application

Data\msw\MSW.exe
O4 - HKLM\..\Run: [h3vyfnee] C:\Program Files\h3vyfnee\h3vyfnee.exe
O4 - HKLM\..\Run: [49nk3sP] smslibnt.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Vjmmby.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application

Data\msw\BMan1.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitemks32.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [win32092-48792947] C:\WINDOWS\win32092-48792947.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft

ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [Ly4qRijFW] shiet40.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Michelle\Application Data\eetu.exe
O4 - HKCU\..\Run: [Remgf] C:\WINDOWS\system32\r?ndll.exe
O4 - HKCU\..\Run: [mzrq] C:\PROGRA~1\COMMON~1\mzrq\mzrqm.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program

Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Google Search - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite -

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft

ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -

C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft

ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -

C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) -

http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio

Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}

(PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility

Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan5

3.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} -

C:\PROGRA~1\Toolbar\toolbar.dll
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - (no file)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\azau0i19e8.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation

- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. -

C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation -

C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner -

C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program

Files\Common Files\WinTools\WToolsS.exe
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Sun Mar 20, 2005 1:04 pm    Post subject: Reply with quote

Hi,

You've got to get yourself some anti-virus protection or you're never going to get clean. Please download http://www.kaspersky.com anti-virus software and update to the newest file definitions. It's free for 30-days that will assist us in removing all the garbage on your system.

Now that you have some Anti-Virus protection, please Run all your scans in safe mode. To boot into safe mode during a reboot, press f8 and select safe mode. Run a couple of scans


open hijackthis 1.99.1
click go to misc tools section
click open unistall manager
you'll see a list of programs in the add/remove programs
click on save list...
it'll save as uninstall_list.txt

You should see entries for Delfin Media Viewer and Wintools. If you do please uninstall them. There are probably more we can uninstall, I just need a list to see what's there.

Download the following Cleanup!, CWshredder, Ad-aware, & Spy-Bot.

  • Updating Ad-aware:
    Double-Click the Desktop Icon > Click 'Check For Updates Now' > Click 'Connect'
  • Updating Spybot:
    Double-Click the Desktop Icon > Click Update > Drop-Down Box UniDo(Europe) > Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'

Now rebooot into safe mode (press f8 during reboot, select safe mode) and DON'T reconnect to the net.

  • Double-Click CWShredder and click 'Fix'
    • Close CWShredder


  • Open Ad-aware and make the following changes to the settings in Ad-aware.
    • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
      check: "Unload recognized processes during scanning."
    • Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
      Check: "Let Windows remove files in use at next reboot."
Press 'Proceed'

Click 'Start'
  • Select option 'Use Custom scanning options'
  • Click 'Activate in-depth scan'
  • Click 'Select drives\folders to scan' Select the active partition which is usually C:
Click 'Customize'
  • Make sure the following are all are Checked:
    • 'Scan Within Archives'
    • 'Scan Active Processes'
    • 'Scan Registry'
    • 'Deep Scan Registry'
    • 'Scan My IE Favorites For Banned URL'S
    • 'Scan My Hosts File'
Click 'Proceed'

  • Now click "Next" to let Ad-aware scan your drives.
  • Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
  • Now Click 'Next' and Finally Click 'OK'


Close Out Ad-Aware

Open Spybot.
  • Click 'Search & Destroy'
  • Click 'Check for problems' (the program will now search your HDD)
  • Make sure all findings are checked and click 'Fix Selected Problems'


Close SpyBot and Reboot!

Once complete post a fresh Hijackthis log in your thread.
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Sun Mar 20, 2005 7:30 pm    Post subject: ... Reply with quote

Ok, as for anti virus protection, I have Norton Antivirus. I've used Kaspersky in the past so it won't let me do the trial version again Sad Hopefully Norton is good... I just realized Norton isn't working right now so I'll have to uninstall and reinstall it tomorrow morning. It worked about a week or 2 weeks ago when I used it last so I'm not sure what happened between then and now.
Also, second problem - I could not boot up in safe mode. I restarted my computer, pressed F8 and got to the black screen, selected Safe Mode, and it went to start up but every time I did this (about 3 times) it froze on the black screen with all the computer words right before booting up should occur (hope that all made sense)... anyways, I followed your instructions and did all those thing in regular Windows XP instead of safe mode... here's what I have:

This is the uninstall list from Hijack this that you told me to save:

2Wire Gateway
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
AOL Instant Messenger
Backup Dell-Installed Programs
Cakewalk Pro Audio 8.0
CleanUp!
D-helper Web Driver
DMVlite
Easy CD Creator 5 Basic
eminem2.zip
eminemtheme1.zip
Games
Google Toolbar for Internet Explorer
HijackThis 1.99.1
hp instant support
hp psc 700 series
HPChanger Uninstall
IncrediMail Xe
J2SE Runtime Environment 5.0 Update 1
KERclink
LimeWire 4.4.1
LiveReg (Symantec Corporation)
Macromedia Shockwave Player
Microsoft ActiveSync 3.7
Microsoft Data Access Components KB870669
Microsoft Office 2000 SR-1 Small Business
MSN Messenger 6.2
Network Play System (Patching)
Norton AntiVirus 2003
Norton WMI Update
Paint Shop Pro 7
Spybot - Search & Destroy 1.3
System Monitor for Windows 98/NT/XP/2000/2003
Ventrilo
Viewpoint Manager (Remove Only)
Win-dh
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WordPerfect Office 11




Here's the hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:30:01 PM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\winupdt.exe
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\win32092-48792947.exe
C:\WINDOWS\system32\imakpart.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
C:\WINDOWS\system\urdhjsbr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\sysmonnt.exe
C:\WINDOWS\system32\iasencen.exe
C:\Documents and Settings\Michelle\Application Data\eetu.exe
C:\WINDOWS\system32\r?ndll.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Michelle\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [voehrn] c:\windows\system32\voehrn.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
O4 - HKLM\..\Run: [h3vyfnee] C:\Program Files\h3vyfnee\h3vyfnee.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Vjmmby.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [win32092-48792947] C:\WINDOWS\win32092-48792947.exe
O4 - HKLM\..\Run: [49nk3sP] imakpart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteneo32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [Ly4qRijFW] iasencen.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Michelle\Application Data\eetu.exe
O4 - HKCU\..\Run: [Remgf] C:\WINDOWS\system32\r?ndll.exe
O4 - HKCU\..\Run: [mzrq] C:\PROGRA~1\COMMON~1\mzrq\mzrqm.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Mon Mar 21, 2005 1:27 am    Post subject: Reply with quote

Go into your Add/Remove Programs screen and unistall the following.
KERclink
DMVlite

Close all your running programs, run Hijackthis and place a check next to the following.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [voehrn] c:\windows\system32\voehrn.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
O4 - HKLM\..\Run: [h3vyfnee] C:\Program Files\h3vyfnee\h3vyfnee.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Vjmmby.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [win32092-48792947] C:\WINDOWS\win32092-48792947.exe
O4 - HKLM\..\Run: [49nk3sP] imakpart.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteneo32.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [Ly4qRijFW] iasencen.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Michelle\Application Data\eetu.exe
O4 - HKCU\..\Run: [Remgf] C:\WINDOWS\system32\r?ndll.exe
O4 - HKCU\..\Run: [mzrq] C:\PROGRA~1\COMMON~1\mzrq\mzrqm.exe
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - (no file)

now close all your Internet Explorer windows, and click fix in Hijackthis.


Now download the killbox
http://www.downloads.subratam.org/KillBox.zip

Unzip the file to your desktop, double-click the program

Select the Delete on reboot option.

C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the NO button.

Perform the same procedure on the following files until you reach the last one; A second dialog box will ask you if you want to REBOOT now. Press the NO button.

c:\windows\system32\voehrn.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\system32\winupdt.exe
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\win32092-48792947.exe
C:\WINDOWS\system32\imakpart.exe
C:\\Documents and Settings\All Users\Application Data\msw\BMan.exe
C:\WINDOWS\system\urdhjsbr.exe
C:\WINDOWS\system32\sysmonnt.exe
C:\WINDOWS\system32\iasencen.exe
C:\Documents and Settings\Michelle\Application Data\eetu.exe
C:\WINDOWS\system32\r?ndll.exe
C:\WINDOWS\System32\msiexec.exe
c:\windows\system32\voehrn.exe
C:\WINDOWS\farmmext.exe

Post a fresh Hijackthis log once complete.
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Mon Mar 21, 2005 6:47 am    Post subject: ... Reply with quote

Ok, I followed all your steps, plus I got Norton Antivirus working. I did a scan on my drives and there were no viruses!

Hopefully all is clean... just got to find a way to stop the incessant pop-up ads with some sort of blocker. (If you have tips, they are welcome). Thank you!


Logfile of HijackThis v1.99.1
Scan saved at 9:45:44 AM, on 3/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\bitsprx2.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\Xhrmy.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Michelle\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {AA1EBAC8-7C2E-5ED9-2A2C-08C2CF2247B7} - C:\WINDOWS\system32\ztghxwlm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [b29ee913c569] C:\WINDOWS\system32\bitsprx2.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteneo32.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Mon Mar 21, 2005 1:21 pm    Post subject: Reply with quote

Weird cause you have just a couple more new items, possibly just left over reminants.

Well do the same as before, with Hijackthis and the killbox.

First, go back to your Add/Remove Programs panel and uninstall
InternetOptimizer
SurfSideKick

Close all your running programs, run Hijackthis and place a check next to the following.

R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {AA1EBAC8-7C2E-5ED9-2A2C-08C2CF2247B7} - C:\WINDOWS\system32\ztghxwlm.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [b29ee913c569] C:\WINDOWS\system32\bitsprx2.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteneo32.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - (no file)

close ALL your internet explorer windows, and click fix in hijackthis.

Now run the killbox.

Select the Delete on reboot option.

C:\WINDOWS\system32\bitsprx2.exe
Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the NO button.

Perform the same procedure on the following files until you reach the last one; A second dialog box will ask you if you want to REBOOT now. Press the YES button. If you computer doesn't reboot, please reboot manually.


C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\isrvs\ffisearch.exe
C:\WINDOWS\system32\eliteneo32.exe
C:\WINDOWS\Xhrmy.exe

Now locate this file, and delete it

File:
AUNPS2.DLL <-- search for it.

Post a fresh Hijackthis log in your thread once complete. I can stop the pop-ups, but we just need to get the log cleaned up. You're almost clean too, so don't give up.
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Tue Mar 22, 2005 6:31 am    Post subject: ... Reply with quote

Hi! I am very glad that my computer is almost clean! I can't thank you enough. Smile Smile Smile Smile

I followed all your steps, and I'll post the hijack log below... but it seems that some of the files you told me to check off on the hijack log and fix are still there and I tried to fix them twice... not sure why they're so stubborn or how to get rid of them

Logfile of HijackThis v1.99.1
Scan saved at 9:28:49 AM, on 3/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Michelle\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {AA1EBAC8-7C2E-5ED9-2A2C-08C2CF2247B7} - C:\WINDOWS\system32\ztghxwlm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteneo32.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [mzrq] C:\PROGRA~1\COMMON~1\mzrq\mzrqm.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Tue Mar 22, 2005 1:52 pm    Post subject: Reply with quote

We need to remove that dolsp.dll file, please LSPFix

1. Unzip and run LSPFix.
2. Check 'I know what I'm doing'.
3. Select dolsp.dll.
4. Click the right-pointing 'arrows' and move all instances of inetadpt.dll and nothing else to the Remove (RHS) side
5. Click the 'Finished' button. (if you exit with the X at top right nothing happens)
6. Now locate c:\windows\system32\dolsp.dll and delete it

If you can't delete it, Right-Click on the File > Go To Properties > Make sure Read-Only is not check > If it is, uncheck and try to delete.

Next, please run the following online scan, and run a Norton scan
http://housecall.trendmicro.com/housecall/start_corp.asp

Try to boot into safe mode, we've cleaned a lot out. Are you now able to boot into safe mode? Let me know, you're getting close to being clean, very close.
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Wed Mar 23, 2005 5:45 pm    Post subject: . Reply with quote

Well I did everything...
Here's the problem I ran into... I used the Housecall and it came with an error saying "clean failed: TROJ-LESER.A" I did this twice and it happened both times... not sure what all that means.
I also ran Norton and it came up clean, no viruses in my system! Smile

I tried to boot in safe mode but it still didn't work and froze up with the same thing - where all those words whiz by, it stops and stays there without booting up fully... not sure why that is.

I don't know if you want another one but here's a new Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 8:41:42 PM, on 3/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\r?ndll.exe
C:\Documents and Settings\Michelle\Local Settings\Temp\_AZTMP0_\HijackThis.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {AA1EBAC8-7C2E-5ED9-2A2C-08C2CF2247B7} - C:\WINDOWS\system32\ztghxwlm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteneo32.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [mzrq] C:\PROGRA~1\COMMON~1\mzrq\mzrqm.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Wed Mar 23, 2005 7:58 pm    Post subject: Reply with quote

Something else is causing the safe mode problem. I am going to have you run a series of programs to see if we can clean what Hijackthis can't see. The first program is called dllcompare.

Please download Dllcompare from here:

http://www.bleepingcomputer.com/dllcompare.php

When it has downlaoded, run the program and click on the Run Locate.com button. When that has completed, click on the compare button. When that completed click on the make log button. Then post the contents of that log as a reply to this post
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Thu Mar 24, 2005 6:50 am    Post subject: . Reply with quote

Here is the log... I hope it's not something too bad. Thanks Wink


* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\dn2601~1.dll Fri Mar 11 2005 5:01:48p ..S.R 235,625 230.10 K
C:\WINDOWS\SYSTEM32\dnnm01~1.dll Sun Mar 20 2005 2:24:18p ..S.R 233,248 227.78 K
C:\WINDOWS\SYSTEM32\ds2601~1.dll Tue Mar 15 2005 1:47:22p ..S.R 235,570 230.05 K
C:\WINDOWS\SYSTEM32\duraw.dll Sat Mar 12 2005 6:46:24p ..S.R 233,222 227.75 K
C:\WINDOWS\SYSTEM32\f22mlc~1.dll Wed Mar 9 2005 7:53:44p ..S.R 232,736 227.28 K
C:\WINDOWS\SYSTEM32\hgojwia.dll Sat Mar 12 2005 5:35:06p ..S.R 235,570 230.05 K
C:\WINDOWS\SYSTEM32\hr6q05~1.dll Tue Mar 15 2005 9:21:30a ..S.R 232,839 227.38 K
C:\WINDOWS\SYSTEM32\irpql5~1.dll Sun Mar 20 2005 9:23:02p ..S.R 233,248 227.78 K
C:\WINDOWS\SYSTEM32\isetres.dll Thu Mar 10 2005 5:59:08p ..S.R 235,570 230.05 K
C:\WINDOWS\SYSTEM32\j40sle~1.dll Mon Mar 14 2005 10:50:44p ..S.R 235,570 230.05 K
C:\WINDOWS\SYSTEM32\jt6m07~1.dll Thu Mar 10 2005 12:44:16p ..S.R 234,694 229.19 K
C:\WINDOWS\SYSTEM32\l44qle~1.dll Sat Mar 12 2005 2:07:30p ..S.R 232,996 227.54 K
C:\WINDOWS\SYSTEM32\m8ju0i~1.dll Sun Mar 20 2005 1:56:02p ..S.R 233,865 228.38 K
C:\WINDOWS\SYSTEM32\mdhtmler.dll Sat Mar 12 2005 4:57:10p ..S.R 235,570 230.05 K
C:\WINDOWS\SYSTEM32\mivbvm50.dll Sun Mar 20 2005 2:23:18p ..S.R 233,248 227.78 K
C:\WINDOWS\SYSTEM32\searddlg.dll Sun Mar 20 2005 2:11:18p ..S.R 233,248 227.78 K
C:\WINDOWS\SYSTEM32\wjnetmgr.dll Mon Mar 14 2005 12:07:28p ..S.R 235,570 230.05 K
C:\WINDOWS\SYSTEM32\wovadve.dll Sun Mar 20 2005 1:50:58p ..S.R 233,865 228.38 K
________________________________________________

1,301 items found: 1,301 files (18 H/S), 0 directories.
Total of file sizes: 266,134,755 bytes 253.80 M

Administrator Account = True

--------------------End log---------------------
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Thu Mar 24, 2005 2:06 pm    Post subject: Reply with quote

Bah, it doesn't give me the full line name. No, I am sorry they don't look good. Sad

Download the zip file courtesy of Zupe http://ralphcaddell.com/Uploads/FindIt_NT-2K-XP.zip and unzip it to your desktop.

Go into the FindIt folder that you unzipped and doubleclick the Find.bat file to run it. It will take a few minutes to run so you will have to be patient. Save the results and post them into your next response.
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Fri Mar 25, 2005 8:20 am    Post subject: . Reply with quote

I can't seem to get the thing to run and give me a log. I downloaded it and unzipped it but when I click the find.bat file it just pops up with a small black screen for about 2 seconds and all I get the chance to read on it is "File Not Found" There's another sentence above it but it goes by too quickly for me to read it. Not sure what to do now... Sad
Oh, I tried running this find.bat file about 3-4 times but nothing is coming up... I waited for about 45minutes to see if the log would pop up, but it never showed.
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Sat Mar 26, 2005 12:56 am    Post subject: Reply with quote

Have you looked in the findit! folder for the log?
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Sat Mar 26, 2005 7:01 am    Post subject: ... Reply with quote

No, I didn't know that it could be there. Here's what I found (don't know if any of this is the log or not).

A file named Hidden:

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E2EA-C980

Directory of C:\WINDOWS\System32

03/25/2005 12:17 PM <DIR> dllcache
03/20/2005 09:52 PM <DIR> vmss
03/17/2005 09:08 AM 417,792 r?ndll.exe
11/26/2004 09:20 AM 32 {EFE794E2-8DA1-4330-8EFD-06359B0D515C}.dat
07/12/2004 06:12 PM 292,994 msbb.log
07/09/2004 09:10 PM 3,100,134 msbb_kyf.dat
07/08/2004 09:04 AM 38 msbbau.dat
03/30/2004 01:32 PM 56 09EA61389A.sys
03/17/2004 12:05 AM 488 logonui.exe.manifest
03/17/2004 12:05 AM 488 WindowsLogon.manifest
03/17/2004 12:05 AM 749 cdplayer.exe.manifest
03/17/2004 12:05 AM 749 sapi.cpl.manifest
03/17/2004 12:05 AM 749 wuaucpl.cpl.manifest
03/17/2004 12:05 AM 749 ncpa.cpl.manifest
03/17/2004 12:05 AM 749 nwc.cpl.manifest
13 File(s) 3,815,767 bytes
2 Dir(s) 16,157,114,368 bytes free



A file named Notify:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



A file named System:

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E2EA-C980

Directory of C:\WINDOWS\System32

03/25/2005 12:17 PM <DIR> dllcache
03/20/2005 09:23 PM 233,248 irpql5751.dll
03/20/2005 02:24 PM 233,248 dnnm0151e.dll
03/20/2005 02:23 PM 233,248 mivbvm50.dll
03/20/2005 02:11 PM 233,248 searddlg.dll
03/20/2005 01:56 PM 233,865 m8ju0i19e8.dll
03/20/2005 01:50 PM 233,865 WOVADVE.DLL
03/17/2005 09:08 AM 417,792 r?ndll.exe
03/15/2005 01:47 PM 235,570 ds2601fse.dll
03/15/2005 09:21 AM 232,839 hr6q05j5e.dll
03/14/2005 10:50 PM 235,570 j40sled71h0.dll
03/14/2005 12:07 PM 235,570 wjnetmgr.dll
03/12/2005 06:46 PM 233,222 duraw.dll
03/12/2005 05:35 PM 235,570 hgojwia.dll
03/12/2005 04:57 PM 235,570 mdhtmler.dll
03/12/2005 02:07 PM 232,996 l44qleh51h4.dll
03/11/2005 05:01 PM 235,625 dn2601fse.dll
03/10/2005 05:59 PM 235,570 isetres.dll
03/10/2005 12:44 PM 234,694 jt6m07j1e.dll
03/09/2005 07:53 PM 232,736 f22mlcf11f2.dll
11/26/2004 09:20 AM 32 {EFE794E2-8DA1-4330-8EFD-06359B0D515C}.dat
03/30/2004 01:32 PM 56 09EA61389A.sys
03/17/2004 12:34 AM <DIR> Microsoft
21 File(s) 4,634,134 bytes
2 Dir(s) 16,157,179,904 bytes free


I hope one of these is it. Smile
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Sun Mar 27, 2005 3:59 am    Post subject: Reply with quote

My apologies for taking so long to respond.


Please download the killbox
http://www.downloads.subratam.org/KillBox.zip

Unzip the Killbox to your desktop, double-click the program

Select the Delete on reboot option.

Now copy and paste the following line into the 'Full Pate to Delete File' Box
C:\WINDOWS\System32\r?ndll.exe


Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the NO button.

Perform the same procedure on the following files until you reach the last one; A second dialog box will ask you if you want to REBOOT now. Press the YES button.

C:\WINDOWS\System32\irpql5751.dll
C:\WINDOWS\System32\dnnm0151e.dll
C:\WINDOWS\System32\mivbvm50.dll
C:\WINDOWS\System32\searddlg.dll
C:\WINDOWS\System32\m8ju0i19e8.dll
C:\WINDOWS\System32\ds2601fse.dll
C:\WINDOWS\System32\hr6q05j5e.dll
C:\WINDOWS\System32\j40sled71h0.dll
C:\WINDOWS\System32\wjnetmgr.dll
C:\WINDOWS\System32\duraw.dll
C:\WINDOWS\System32\hgojwia.dll
C:\WINDOWS\System32\mdhtmler.dll
C:\WINDOWS\System32\l44qleh51h4.dll
C:\WINDOWS\System32\dn2601fse.dll
C:\WINDOWS\System32\isetres.dll
C:\WINDOWS\System32\jt6m07j1e.dll
C:\WINDOWS\system32\iupnpi.dll
C:\WINDOWS\system32\lmuaul.exe
C:\WINDOWS\system32\lzuqul.dll
C:\WINDOWS\system32\vouguv.exe
C:\DOCUMEMENTS AND SETTINGS\ALLUSERS\STARTMENU\Programs\Startup\kpgigk.exe
C:\WINDOWS\System32\f22mlcf11f2.dll Reboot Here

If your computer doesn't pleaes reboot the computer manually.


Now locate the following folders and delete them
C:\PROGRAM FILES\Web Offer
C:\WINDOWS\system32\vmss
C:\Documents and Settings\All Users\Application Data\msw

After you've delete those file, please update Ad-Aware, Spy-Bot and Norton and run Full scans. Delete anything they may find.

Once complete please post a fresh Hijackthis log and a Findit! log.
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Sun Mar 27, 2005 3:22 pm    Post subject: ... Reply with quote

Ok! Smile

Here's the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:19:10 PM, on 3/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Michelle\Local Settings\Temp\_AZTMP4_\HijackThis.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {AA1EBAC8-7C2E-5ED9-2A2C-08C2CF2247B7} - C:\WINDOWS\system32\ztghxwlm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteneo32.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [mzrq] C:\PROGRA~1\COMMON~1\mzrq\mzrqm.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


File named Hidden:

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E2EA-C980

Directory of C:\WINDOWS\System32

03/25/2005 12:17 PM <DIR> dllcache
03/20/2005 09:52 PM <DIR> vmss
03/17/2005 09:08 AM 417,792 r?ndll.exe
11/26/2004 09:20 AM 32 {EFE794E2-8DA1-4330-8EFD-06359B0D515C}.dat
07/12/2004 06:12 PM 292,994 msbb.log
07/09/2004 09:10 PM 3,100,134 msbb_kyf.dat
07/08/2004 09:04 AM 38 msbbau.dat
03/30/2004 01:32 PM 56 09EA61389A.sys
03/17/2004 12:05 AM 488 logonui.exe.manifest
03/17/2004 12:05 AM 488 WindowsLogon.manifest
03/17/2004 12:05 AM 749 cdplayer.exe.manifest
03/17/2004 12:05 AM 749 sapi.cpl.manifest
03/17/2004 12:05 AM 749 wuaucpl.cpl.manifest
03/17/2004 12:05 AM 749 ncpa.cpl.manifest
03/17/2004 12:05 AM 749 nwc.cpl.manifest
13 File(s) 3,815,767 bytes
2 Dir(s) 15,968,763,904 bytes free



File named Notify:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



File named System:

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E2EA-C980

Directory of C:\WINDOWS\System32

03/25/2005 12:17 PM <DIR> dllcache
03/20/2005 01:50 PM 233,865 WOVADVE.DLL
03/17/2005 09:08 AM 417,792 r?ndll.exe
11/26/2004 09:20 AM 32 {EFE794E2-8DA1-4330-8EFD-06359B0D515C}.dat
03/30/2004 01:32 PM 56 09EA61389A.sys
03/17/2004 12:34 AM <DIR> Microsoft
4 File(s) 651,745 bytes
2 Dir(s) 15,968,829,440 bytes free


Hope it looks good Wink
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Mon Mar 28, 2005 12:44 am    Post subject: Reply with quote

Yes you're steadily improving. Just a couple remain.

Double-click the Killbox

Select the Delete on reboot option.

Now copy and paste the following line into the 'Full Path to Delete File' Box

C:\WINDOWS\System32\r?ndll.exe

Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the NO button.

Perform the same procedure on the following files until you reach the last one; A second dialog box will ask you if you want to REBOOT now. Press the YES button.
C:\WINDOWS\System32\WOVADVE.DLL Reboot Here

If your computer doesn't reboot, please manually reboot.

Now that you're back in normal mode. I want to see how much we can remove with Microsoft's anti-spy, please download the program, make sure you have the lastest updates and perform a full scan.
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Once complete please post a fresh Hijackthis and findit! logs.
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Mon Mar 28, 2005 7:47 am    Post subject: ... Reply with quote

That Microsoft program is really awesome! It found lots of stuff, I think it was about 40 or 42 items.

Here's the hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 10:45:23 AM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ESTsoft\ALZip\ALZip.exe
C:\Documents and Settings\Michelle\Local Settings\Temp\_AZTMP6_\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {AA1EBAC8-7C2E-5ED9-2A2C-08C2CF2247B7} - C:\WINDOWS\system32\ztghxwlm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteneo32.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [mzrq] C:\PROGRA~1\COMMON~1\mzrq\mzrqm.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Hidden:
------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E2EA-C980

Directory of C:\WINDOWS\System32

03/25/2005 12:17 PM <DIR> dllcache
03/20/2005 09:52 PM <DIR> vmss
03/17/2005 09:08 AM 417,792 r?ndll.exe
11/26/2004 09:20 AM 32 {EFE794E2-8DA1-4330-8EFD-06359B0D515C}.dat
03/30/2004 01:32 PM 56 09EA61389A.sys
03/17/2004 12:05 AM 488 logonui.exe.manifest
03/17/2004 12:05 AM 488 WindowsLogon.manifest
03/17/2004 12:05 AM 749 cdplayer.exe.manifest
03/17/2004 12:05 AM 749 sapi.cpl.manifest
03/17/2004 12:05 AM 749 wuaucpl.cpl.manifest
03/17/2004 12:05 AM 749 nwc.cpl.manifest
03/17/2004 12:05 AM 749 ncpa.cpl.manifest
10 File(s) 422,601 bytes
2 Dir(s) 15,791,030,272 bytes free



Notify:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001




System:

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E2EA-C980

Directory of C:\WINDOWS\System32

03/25/2005 12:17 PM <DIR> dllcache
03/17/2005 09:08 AM 417,792 r?ndll.exe
11/26/2004 09:20 AM 32 {EFE794E2-8DA1-4330-8EFD-06359B0D515C}.dat
03/30/2004 01:32 PM 56 09EA61389A.sys
03/17/2004 12:34 AM <DIR> Microsoft
3 File(s) 417,880 bytes
2 Dir(s) 15,791,095,808 bytes free
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Mon Mar 28, 2005 11:51 am    Post subject: Reply with quote

First, make sure you can view all hidden files and folders, use this link for help.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Make sure all your running programs are closed, run Hijackthis and place a check next to the following.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {AA1EBAC8-7C2E-5ED9-2A2C-08C2CF2247B7} - C:\WINDOWS\system32\ztghxwlm.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteneo32.exe
O4 - HKCU\..\Run: [mzrq] C:\PROGRA~1\COMMON~1\mzrq\mzrqm.exe
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - (no file)

close all your internet browsers and click fix in Hijackthis

Now Click Start > Go to Run > type explorer hit enter > Click on 'My Computer' > Click on 'Local Disk (CSmile > Click on 'Windows' > Click on 'System32'

Look for the following folder and delete it.
C:\WINDOWS\System32\vmss

Look for the following file and a delete it.
C:\WINDOWS\System32\rundll.exe

Now locate the following folder
C:\PROGRAM FILES

Look for the following folder and delete it.
C:\PROGRAM FILES\COMMON FILES\mzrq


Close Explorer

Download and install the program Registrar Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"etbrun" = C:\windows\system32\eliteneo32.exe"


Once complete please post a fresh Hijackthis log in your thread.
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Mon Mar 28, 2005 3:34 pm    Post subject: ... Reply with quote

Ok, everything's done

Well, I downloaded registry lite and entered in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to the address field but I could not find: "etbrun" = C:\windows\system32\eliteneo32.exe"
at all... I even tried to find it using the search that registry lite has. I wasn't sure if not being able to find it was cause it's not there or that I missed it.

Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:31:16 PM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\r?ndll.exe
C:\Documents and Settings\Michelle\Local Settings\Temp\_AZTMP2_\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Mon Mar 28, 2005 5:46 pm    Post subject: Reply with quote

Wow! Your log is starting to look great. However, there's one item, we need to take care of first.

You can uninstall the reglite program, what I think happened is Microsoft' Antispy took care of most of the problem.

To take care of the one last problem file. Run the Killbox

Make sure the 'Delete on Reboot' option is selected.

In the 'Full Path to delete File' copy and paste the following.

C:\WINDOWS\system32\rundll.exe

Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the YES button.

If your computer doesn't reboot please reboot manually. Once complete please post a fresh Hijackthis and findit! log.

One quick question, how is your computer running? Are you experiencing any problems?
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
SweetLD215
Junior Member


Joined: 10 Feb 2005
Last Visit: 08 Sep 2010
Posts: 26

PostPosted: Tue Mar 29, 2005 12:07 pm    Post subject: . Reply with quote

My computer seems to be running well, even some of the pop ups have gone away, though sometimes when I step away I still come back to 5-10 popups but that's better that 20-30!

The only other odd thing that happened is when I booted up I got one of those "end processes" send error report/don't send error report things (hope that made sense) this is what it said:
Generic Host Process for Win32 Services encountered a problem and needed to close.
Error signature
szAppName : svchost.exe szAppVer : 0.0.0.0 szModName : unknown
szModVer : 0.0.0.0 offset : 00000000


Here's the hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 3:02:55 PM, on 3/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2portalmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Michelle\Local Settings\Temp\_AZTMP4_\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Hidden:

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E2EA-C980

Directory of C:\WINDOWS\System32

03/29/2005 01:21 AM <DIR> dllcache
03/17/2005 09:08 AM 417,792 r?ndll.exe
11/26/2004 09:20 AM 32 {EFE794E2-8DA1-4330-8EFD-06359B0D515C}.dat
03/30/2004 01:32 PM 56 09EA61389A.sys
03/17/2004 12:05 AM 488 logonui.exe.manifest
03/17/2004 12:05 AM 488 WindowsLogon.manifest
03/17/2004 12:05 AM 749 sapi.cpl.manifest
03/17/2004 12:05 AM 749 cdplayer.exe.manifest
03/17/2004 12:05 AM 749 wuaucpl.cpl.manifest
03/17/2004 12:05 AM 749 nwc.cpl.manifest
03/17/2004 12:05 AM 749 ncpa.cpl.manifest
10 File(s) 422,601 bytes
1 Dir(s) 16,041,377,792 bytes free




System:

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E2EA-C980

Directory of C:\WINDOWS\System32

03/29/2005 01:21 AM <DIR> dllcache
11/26/2004 09:20 AM 32 {EFE794E2-8DA1-4330-8EFD-06359B0D515C}.dat
03/30/2004 01:32 PM 56 09EA61389A.sys
03/17/2004 12:34 AM <DIR> Microsoft
2 File(s) 88 bytes
2 Dir(s) 16,041,443,328 bytes free



Notify:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



I hope this is looking perfect! You are so kind and helpful, and I cannot tell you how much I appreciate it! Very Happy Very Happy Very Happy Very Happy
Back to top
View user's profile Send private message Visit poster's website
QuietFusion
Warrior


Joined: 09 Mar 2005
Last Visit: 13 Jul 2005
Posts: 79

PostPosted: Tue Mar 29, 2005 1:35 pm    Post subject: Reply with quote

The killbox doesn't seem to be working on that file. It's still in your findit log.

Lets scrap the killbox and try something else.

Click Start > go to 'Run' > type explorer and hit enter > Click 'My Computer' > Click 'Local Disk (C: )' > Click 'Windows' > Scroll Down and Click 'System32'

In the right-pane scroll down a look for either rundll.exe or r?ndll.exe, however don't touch rundll32.exe this is a valid MS file that you need.

Once your find either rundll.exe or r?ndll.exe manually delete the file and close out explorer.



I want to run a different program to see if it's clean. In the end, you shouldn't have any pop-ups no matter how long you're away from the computer. So we'll keep digging to find what's causing the pop-ups.


Download the the FindQoologic-Narrator.zip and save it to your Desktop. (Link below)


    Extract (unzip) the files inside into their own folder called FindQoologic.
    Open the FindQoologic folder.
    Locate and double-click the Activesetup.vbs file to run it. Please wait until a "Finished" message appears.
    • When the set-up is complete a file named "Activesetup components[Machine ID][date].txt" will have been saved in the FindQoologic folder.
    Locate and double-click the Find-Qoologic.bat to run it.
    • The tool will open a DOS window and begin to check your system.
    • When it is finished a text file will open in Notepad called "file.txt".
    • Save this text file in the FindQoologic folder.
    • Close the DOS box If on win 98 or me.
    Locate the "Activesetup components[Machine ID][date].txt" file and the file you saved.
    • Copy and paste the contents of both reports into your next post.


http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981


Please post the qoologic and a fresh findit logs, but not a hijackthis log in your next reply.
_________________
You want security? Disable Javascript and ActiveX!!
Back to top
View user's profile Send private message
Display posts from previous:   
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Spyware Warrior Forum Index -> Archived Spyware Removal Help Topics All times are GMT - 8 Hours
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group