stupid vx2


7 replies to this topic

#1 ERDIANE


Posted 06 February 2005 - 05:09 PM

Logfile of HijackThis v1.99.0
Scan saved at 11:40:35 AM, on 2/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\minilog.exe
C:\WINNT\Mixer.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\system32\viydnnn.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S1T0A2.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Common Files\EPSON\EBAPI\EBRR.EXE
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8000
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Program Files\Netscape\Users\ultibum\prefs.js)
O3 - Toolbar: (no name) - {12E6908F-AC5E-440D-B990-2FC6E641F51D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {FA16AF0F-0F5A-4DF8-BEDC-644B3FA5547B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\THELIP~1\LOCALS~1\Temp\ins13A8.tmp /R /NT /A
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [G.exe] C:\documents and settings\the lippincott's\local settings\temp\G.exe
O4 - HKLM\..\Run: [avqshyv] C:\WINNT\vukr.exe
O4 - HKLM\..\Run: [KDW7SD.exe] C:\documents and settings\the lippincott's\local settings\temp\KDW7SD.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [G] C:\documents and settings\the lippincott's\local settings\temp\G.exe
O4 - HKLM\..\Run: [KDW7SD] C:\documents and settings\the lippincott's\local settings\temp\KDW7SD.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O4 - HKLM\..\Run: [ntechin] C:\WINNT\system32\n20050308.exe
O4 - HKLM\..\Run: [qt2V36i] wzcctrac.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AutoLoaderqEtp1IXlKKbJ] "C:\WINNT\system32\wzcctrac.exe" /HideDir /HideUninstall /PC="CP.BIG" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Zaqgn] C:\WINNT\system32\viydnnn.exe
O4 - HKCU\..\Run: [bAt9RWGnR] wmitsrv.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon...oad/tgctlcm.cab
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent611.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15ac0622c7f462e70116/netzip/RdxIE6.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partner...lim/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lim/install.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ibdcharts/ocx/plotwon.ocx
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.16/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1000/...uditControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86685AA8-BA72-4904-A26B-6C3B9F74FBDA}: NameServer = 68.2.16.25,68.2.16.30
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Basic Logging Client - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe

Hello... not sure if I'm in the right place for this. Trying to get rid of the VX2 virus. Can anyone help? I've run Ad-Aware SE, and it can't get rid of it.

Edited by ERDIANE, 06 February 2005 - 05:34 PM.
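The log above is the kind a helper reads by hand: O4 entries launched from a Temp folder, run-key names that look machine-generated, a command line carrying /HideDir and /HideUninstall switches, an IE ProxyServer pointing at 127.0.0.1, and toolbar and button entries whose file is gone. The Python below, added here as an example and not part of the thread or of HijackThis, encodes those checks as heuristics over a constructed sample of lines taken from the log (the user-profile folder is replaced with USER~1 and one long command line is trimmed). It flags entries for a human to look at; it does not decide what is malware.

```python
"""Heuristic triage of HijackThis log lines.

Added example; not part of HijackThis or of this thread. Every flag is a
prompt to look closer, not a verdict.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the log above, with the user-profile
# folder replaced by USER~1 and one long command line trimmed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8000
O3 - Toolbar: (no name) - {12E6908F-AC5E-440D-B990-2FC6E641F51D} - (no file)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\USER~1\LOCALS~1\Temp\ins13A8.tmp /R /NT /A
O4 - HKLM\..\Run: [avqshyv] C:\WINNT\vukr.exe
O4 - HKLM\..\Run: [AutoLoaderqEtp1IXlKKbJ] "C:\WINNT\system32\wzcctrac.exe" /HideDir /HideUninstall /PC="CP.BIG"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [bAt9RWGnR] wmitsrv.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
VOWELS = set("aeiouAEIOU")


def command_path(cmd: str) -> str:
    """Extract the executable path from an O4 command line, quoted or bare."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Bare path: cut at the first " /switch" or " -switch".
    return re.split(r" [/-]", cmd, maxsplit=1)[0]


def looks_random(name: str) -> bool:
    """True for tokens with almost no vowels, or mixed case plus an interior digit.

    Ordinary names (WinampAgent, ccApp) pass; generated ones (avqshyv,
    bAt9RWGnR, AutoLoaderqEtp1IXlKKbJ) trip it. Thresholds are a guess.
    """
    token = re.sub(r"\.\w{1,4}$", "", name)  # drop .exe / .tmp
    if len(token) < 5 or not token.isalnum():
        return False
    vowel_ratio = sum(c in VOWELS for c in token) / len(token)
    interior_digit = any(c.isdigit() for c in token[1:-1])
    mixed_case = any(c.isupper() for c in token[1:]) and any(c.islower() for c in token)
    return vowel_ratio <= 0.2 or (interior_digit and mixed_case)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (line, reason) that deserves a closer look."""
    findings: List[Dict[str, str]] = []
    for line in log_text.strip().splitlines():
        if line.startswith("R1 - ") and "ProxyServer = 127.0.0.1" in line:
            findings.append({"line": line, "reason": "proxy points at localhost"})
        elif line.startswith(("O3 - ", "O9 - ")) and line.endswith(("(no file)", "(file missing)")):
            findings.append({"line": line, "reason": "dangling toolbar/button entry"})
        m = O4_RE.match(line)
        if not m:
            continue
        name, cmd = m["name"], m["cmd"]
        path = command_path(cmd)
        base = path.rsplit("\\", 1)[-1]
        reasons = []
        if "\\temp\\" in path.lower() or path.lower().endswith(".tmp"):
            reasons.append("autostart from a temp directory")
        if re.search(r"/hide\w*", cmd, re.I):
            reasons.append("self-hiding command-line switches")
        if looks_random(name) or looks_random(base):
            reasons.append("random-looking run-key or file name")
        for reason in reasons:
            findings.append({"name": name, "line": line, "reason": reason})
    return findings


def flagged_names(log_text: str) -> List[str]:
    """Run-key names with at least one finding, sorted."""
    return sorted({f["name"] for f in triage(log_text) if "name" in f})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:40s} {f['line']}")
```

On a full log, call triage() on the file contents. Legitimate software also uses odd run-key names and bare file names, so each flag still needs the human judgement that the replies in this thread ask for before anything is fixed.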



#2 Grinler

Lawrence Abrams, Admin

Posted 06 February 2005 - 10:10 PM

Please follow these steps in order to clean your computer of Malware which can include Viruses, Trojans, Worms, Spyware, Hijackers and Dialers.

Step 1:
Download Spybot and Ad-Aware from the following locations and install them. You should run both programs and clean up what they find. This is to guarantee that you find as much of the malware installed on your computer as you can.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.

Using Spybot - Search & Destroy to remove Spyware, Malware, & Hijackers from Your Computer.


When you scan with both programs, fix everything that they find.

When you are done with the scan and fixing the items, please continue with the next step.

Step 2:

It is important that you run Spybot and Ad-Aware before you proceed with this step. Fixing entries with HijackThis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hard drive to save HijackThis.exe, for example c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis Download Site

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit, then click on Select All. Then click on Edit and then click on Copy.

Create a reply to this post here, right-click in the message area and select Paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link below:

Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

#3 ERDIANE


Posted 07 February 2005 - 07:03 PM

I've run Spybot and Ad-Aware SE. I've tried vx2finder.exe. I have ZoneAlarm Pro; I've run AVG Free. Ad-Aware is the only one that finds the VX2 thing, but can't fix it. Here's the log file I ran today... hope you can help!

Logfile of HijackThis v1.99.0
Scan saved at 5:30:45 PM, on 2/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\minilog.exe
C:\WINNT\Mixer.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\system32\viydnnn.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinZip\WINZIP32.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8000
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Program Files\Netscape\Users\ultibum\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {12E6908F-AC5E-440D-B990-2FC6E641F51D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {FA16AF0F-0F5A-4DF8-BEDC-644B3FA5547B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\THELIP~1\LOCALS~1\Temp\ins13A8.tmp /R /NT /A
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [G.exe] C:\documents and settings\the lippincott's\local settings\temp\G.exe
O4 - HKLM\..\Run: [avqshyv] C:\WINNT\vukr.exe
O4 - HKLM\..\Run: [KDW7SD.exe] C:\documents and settings\the lippincott's\local settings\temp\KDW7SD.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [G] C:\documents and settings\the lippincott's\local settings\temp\G.exe
O4 - HKLM\..\Run: [KDW7SD] C:\documents and settings\the lippincott's\local settings\temp\KDW7SD.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O4 - HKLM\..\Run: [ntechin] C:\WINNT\system32\n20050308.exe
O4 - HKLM\..\Run: [qt2V36i] wzcctrac.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AutoLoaderqEtp1IXlKKbJ] "C:\WINNT\system32\wzcctrac.exe" /HideDir /HideUninstall /PC="CP.BIG" /ShowLegalNote="nonbranded"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Zaqgn] C:\WINNT\system32\viydnnn.exe
O4 - HKCU\..\Run: [bAt9RWGnR] wmitsrv.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon...oad/tgctlcm.cab
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent611.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15ac0622c7f462e70116/netzip/RdxIE6.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partner...lim/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lim/install.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ibdcharts/ocx/plotwon.ocx
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.16/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1000/...uditControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86685AA8-BA72-4904-A26B-6C3B9F74FBDA}: NameServer = 68.2.16.25,68.2.16.30
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Basic Logging Client - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe

#4 ERDIANE


Posted 07 February 2005 - 07:28 PM

BTW, I also ran L2MFIX, and this is the log file from there. Being rather a newbie, I have no idea what this means.

L2MFIX find log 1.02a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\lvlq0935e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{46BD6E66-486B-413D-8318-498A4B99FFB0}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{1E60E08D-D28B-4743-AC9C-38B6C42019BC}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{B7CFB8ED-1023-46D5-A1D4-C12E06B2BA53}"=""
"{16785748-FA90-4735-8155-9906647686DA}"=""
"{74075671-F3BE-4E9E-9B1B-CE2FC4549B7B}"=""
"{3902D7C5-D00F-4EB6-8647-B7307BAB511E}"=""
"{7E6E6708-CAC4-45C3-95E1-8EA2A0BBB9AC}"=""
"{8C29FB15-32FB-4233-BABC-56076906B17B}"=""
"{C1408F0B-F103-4D55-8970-6C3C434C12D8}"=""
"{C0261017-5658-41CC-8CD5-CE069388AE0A}"=""
"{90D5E394-27CF-40AE-A232-8997C71F22FA}"=""
"{4B073131-5729-4399-B606-E8B79DD52324}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1E60E08D-D28B-4743-AC9C-38B6C42019BC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1E60E08D-D28B-4743-AC9C-38B6C42019BC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1E60E08D-D28B-4743-AC9C-38B6C42019BC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1E60E08D-D28B-4743-AC9C-38B6C42019BC}\InprocServer32]
@="C:\\WINNT\\system32\\DJTLIPI.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B7CFB8ED-1023-46D5-A1D4-C12E06B2BA53}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B7CFB8ED-1023-46D5-A1D4-C12E06B2BA53}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B7CFB8ED-1023-46D5-A1D4-C12E06B2BA53}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B7CFB8ED-1023-46D5-A1D4-C12E06B2BA53}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{16785748-FA90-4735-8155-9906647686DA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16785748-FA90-4735-8155-9906647686DA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16785748-FA90-4735-8155-9906647686DA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{16785748-FA90-4735-8155-9906647686DA}\InprocServer32]
@="C:\\WINNT\\system32\\MUSTDFMT.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{74075671-F3BE-4E9E-9B1B-CE2FC4549B7B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74075671-F3BE-4E9E-9B1B-CE2FC4549B7B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74075671-F3BE-4E9E-9B1B-CE2FC4549B7B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74075671-F3BE-4E9E-9B1B-CE2FC4549B7B}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3902D7C5-D00F-4EB6-8647-B7307BAB511E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3902D7C5-D00F-4EB6-8647-B7307BAB511E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3902D7C5-D00F-4EB6-8647-B7307BAB511E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3902D7C5-D00F-4EB6-8647-B7307BAB511E}\InprocServer32]
@="C:\\WINNT\\system32\\mfrmsg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7E6E6708-CAC4-45C3-95E1-8EA2A0BBB9AC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7E6E6708-CAC4-45C3-95E1-8EA2A0BBB9AC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7E6E6708-CAC4-45C3-95E1-8EA2A0BBB9AC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7E6E6708-CAC4-45C3-95E1-8EA2A0BBB9AC}\InprocServer32]
@="C:\\WINNT\\system32\\sbndcmsg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8C29FB15-32FB-4233-BABC-56076906B17B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C29FB15-32FB-4233-BABC-56076906B17B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C29FB15-32FB-4233-BABC-56076906B17B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C29FB15-32FB-4233-BABC-56076906B17B}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C1408F0B-F103-4D55-8970-6C3C434C12D8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C1408F0B-F103-4D55-8970-6C3C434C12D8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C1408F0B-F103-4D55-8970-6C3C434C12D8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C1408F0B-F103-4D55-8970-6C3C434C12D8}\InprocServer32]
@="C:\\WINNT\\system32\\QQENCLIB.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C0261017-5658-41CC-8CD5-CE069388AE0A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C0261017-5658-41CC-8CD5-CE069388AE0A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C0261017-5658-41CC-8CD5-CE069388AE0A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C0261017-5658-41CC-8CD5-CE069388AE0A}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{90D5E394-27CF-40AE-A232-8997C71F22FA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{90D5E394-27CF-40AE-A232-8997C71F22FA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{90D5E394-27CF-40AE-A232-8997C71F22FA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{90D5E394-27CF-40AE-A232-8997C71F22FA}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4B073131-5729-4399-B606-E8B79DD52324}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4B073131-5729-4399-B606-E8B79DD52324}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4B073131-5729-4399-B606-E8B79DD52324}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4B073131-5729-4399-B606-E8B79DD52324}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
master.dll Wed Jan 26 2005 5:06:44p A.... 400 0.39 K
mustdfmt.dll Sun Jan 30 2005 8:16:38p A.... 229,736 224.35 K
dbeml.dll Thu Jan 27 2005 4:54:14a ..S.R 229,736 224.35 K
mvw3prt.dll Sun Jan 30 2005 8:27:20p ..S.R 230,876 225.46 K
hypertrm.dll Tue Nov 16 2004 3:47:02a A.... 576,784 563.27 K
sbndcmsg.dll Sun Jan 30 2005 8:45:22p A.... 230,876 225.46 K
lvjo09~1.dll Tue Feb 1 2005 7:10:56p ..S.R 229,337 223.96 K
skndcmsg.dll Tue Feb 1 2005 7:10:58p ..S.R 229,018 223.65 K
shdocvw.dll Thu Nov 11 2004 11:20:56p A.... 1,332,224 1.27 M
lvlq09~1.dll Sun Feb 6 2005 12:05:42p ..... 231,692 226.26 K
dpnput.dll Wed Feb 2 2005 8:41:12a ..S.R 229,018 223.65 K
lvnq09~1.dll Mon Feb 7 2005 2:15:46p ..S.R 232,251 226.80 K
user32.dll Wed Dec 29 2004 2:14:10a A.... 380,688 371.77 K
sp3res.dll Thu Dec 2 2004 7:27:18a A.... 6,272,512 5.98 M
datast~1.dll Sun Nov 21 2004 4:00:50p A.... 51,162 49.96 K
adaamon.dll Fri Jan 21 2005 4:01:46p A.... 229,736 224.35 K
hvok95.dll Sat Jan 22 2005 5:48:36p ..S.R 229,736 224.35 K
n62ulg~1.dll Sat Jan 22 2005 5:48:36p ..S.R 231,662 226.23 K
rcpilib.dll Tue Jan 25 2005 1:44:48a ..S.R 229,736 224.35 K
j6l4lg~1.dll Sat Jan 22 2005 6:19:54p ..S.R 231,172 225.75 K
s6pulg~1.dll Tue Jan 25 2005 1:44:48a ..S.R 231,712 226.28 K

21 items found: 21 files (11 H/S), 0 directories.
Total of file sizes: 12,070,064 bytes 11.51 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
guard.tmp Mon Feb 7 2005 2:21:48p ..S.R 231,692 226.26 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 231,692 bytes 226.26 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 3B42-1BD7

Directory of C:\WINNT\System32

02/07/2005 02:21p 231,692 guard.tmp
02/07/2005 02:15p 232,251 lvnq0955e.dll
02/02/2005 08:41a 229,018 dpnput.dll
02/01/2005 07:10p 229,018 skndcmsg.dll
02/01/2005 07:10p 229,337 lvjo0913e.dll
01/30/2005 08:27p 230,876 mvw3prt.dll
01/27/2005 09:54p 512 Ovbl73I.j9r
01/27/2005 04:54a 229,736 dbeml.dll
01/26/2005 05:51p 512 Pul9X4.31m
01/25/2005 01:44a 231,712 s6pulg7916.dll
01/25/2005 01:44a 229,736 rCpilib.dll
01/24/2005 12:55a 512 Hmdq.5cb
01/22/2005 06:19p 231,172 j6l4lg3q16.dll
01/22/2005 05:48p 231,662 n62ulgf9162.dll
01/22/2005 05:48p 229,736 Hvok95.dll
01/03/2005 09:13p 512 Diam4yYT.0w1
12/26/2004 01:57p 512 Hmeq.5cc
12/21/2004 11:52p 512 XcuGfSS.57q
12/15/2004 10:50p 512 Ntk8V.3i1
12/14/2004 10:31p 512 HotEkc.006
12/12/2004 09:26p 512 Qxcn74j.lat
12/12/2004 03:39p 512 ZfwJhVUP.8s0
12/11/2004 01:38a 512 OihM.ixb
11/27/2004 09:52p 512 Jogs6.fez
11/26/2004 09:51p 512 Cjo9f.x88
11/24/2004 10:47p 512 Lqi77.ggb
11/15/2004 02:56a 512 ZevIhUUP.8r9
11/13/2004 06:14a 512 Xwh34U2.6c7
11/11/2004 07:44a 512 Ntk8V.331
11/09/2004 07:57p 512 Mri8T.2gb
10/30/2004 08:38a 512 BgxKjWWR.9t0
10/26/2004 06:32p 512 Qwn9Y4.42n
10/26/2004 06:21p 512 AfxJiVVQ.8s0
10/25/2004 11:20a 512 Iofs6.edy
10/24/2004 11:55a 512 Cjo9g.x88
10/21/2004 02:37p 512 Wdi7.06p
10/21/2004 02:20p 512 Oku513R.049
10/18/2004 02:15p 512 Sxp0A5.53p
10/02/2004 10:18p 512 Mrj8U.3h0
09/30/2004 09:55p 512 Otk8V3.31k
09/29/2004 08:54a 512 AfxJiWVQ.9t0
09/25/2004 07:09a 512 Rugw.1a6
09/24/2004 12:17a 512 Jofs6.eez
09/22/2004 05:59p 512 OzlSbM.wiz
09/20/2004 05:20p 512 WbsFeR6.4to
09/19/2004 11:40a 512 VarEdQ6.4sn
09/15/2004 08:50a 512 VchsZQoq.fxd
09/15/2004 07:50a 512 YdvHgUTO.8r9
09/14/2004 02:11a 512 Kph77.ffa
09/12/2004 08:34a 512 GnsDk.b90
09/12/2004 08:34a 512 NuzK63G.h8p
09/12/2004 08:34a 512 JqvGne.017
09/08/2004 10:04a 512 OihL.ixb
09/06/2004 07:10p 512 NhfK.gwa
09/05/2004 08:10p 512 CizmkYXS.9v1
09/05/2004 07:07p 512 SxpBA5.53p
09/04/2004 06:53p 512 Nsj8V.3i1
09/01/2004 07:48a 512 Pwbm73i.j9r
09/01/2004 01:44a 512 Suhw.1aq
08/30/2004 01:42a 512 VbsFdR6.4so
08/26/2004 04:53p 512 AgxKiWVQ.9t0
08/25/2004 05:45a 512 BgxKjWVQ.9t0
08/23/2004 09:43p 512 Fkbo.4az
08/19/2004 07:46a 512 VchsYQoq.fxd
08/19/2004 01:47a 1,104 ChzlkYXS.9v1
08/15/2004 09:44a 1,104 LkhAX92.xd2
08/14/2004 08:12a 1,104 KrwH5f.127
08/13/2004 01:18a 512 Kpg77.ffa
08/12/2004 06:16a 512 Ejan.4zz
08/10/2004 07:51p 1,104 IpuFmd.017
08/10/2004 07:51p 1,104 HotElc.006
08/10/2004 07:51p 1,104 Pwbm74i.k9s
08/08/2004 06:35p 1,104 Bin9f.w88
11/27/2003 07:48p 1,020 UarEcQ6.4rn
11/21/2003 03:16p 1,020 BgykjWWR.9t0
01/01/2001 08:30p <DIR> dllcache
75 File(s) 2,803,362 bytes
1 Dir(s) 4,063,985,664 bytes free

#5 Grinler

Lawrence Abrams

  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA
  • Local time:07:03 AM

Posted 08 February 2005 - 07:19 PM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

#6 ERDIANE

  • Topic Starter
  • Members
  • 5 posts
  • Local time:06:03 AM

Posted 10 February 2005 - 02:14 PM

OK, here is the fix that I ran. I will post this, then run a new HijackThis log and post that also.

L2Mfix 1.02a

Running From:
C:\Documents and Settings\The Lippincott's\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\The Lippincott's\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\The Lippincott's\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1120 'explorer.exe'
Killing PID 1120 'explorer.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1300 'rundll32.exe'
Killing PID 1508 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\MUSTDFMT.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\mfjtes40.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dbeml.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mvw3prt.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dbuiext.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sbndcmsg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lvjo0913e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\skndcmsg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dpnput.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\m628lgfu1628.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\aDaamon.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\Hvok95.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\n62ulgf9162.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rCpilib.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\j6l4lg3q16.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\s6pulg7916.dll
1 file(s) copied.
deleting: C:\WINNT\system32\MUSTDFMT.DLL
Successfully Deleted: C:\WINNT\system32\MUSTDFMT.DLL
deleting: C:\WINNT\system32\mfjtes40.dll
Successfully Deleted: C:\WINNT\system32\mfjtes40.dll
deleting: C:\WINNT\system32\dbeml.dll
Successfully Deleted: C:\WINNT\system32\dbeml.dll
deleting: C:\WINNT\system32\mvw3prt.dll
Successfully Deleted: C:\WINNT\system32\mvw3prt.dll
deleting: C:\WINNT\system32\dbuiext.dll
Successfully Deleted: C:\WINNT\system32\dbuiext.dll
deleting: C:\WINNT\system32\sbndcmsg.dll
Successfully Deleted: C:\WINNT\system32\sbndcmsg.dll
deleting: C:\WINNT\system32\lvjo0913e.dll
Successfully Deleted: C:\WINNT\system32\lvjo0913e.dll
deleting: C:\WINNT\system32\skndcmsg.dll
Successfully Deleted: C:\WINNT\system32\skndcmsg.dll
deleting: C:\WINNT\system32\dpnput.dll
Successfully Deleted: C:\WINNT\system32\dpnput.dll
deleting: C:\WINNT\system32\m628lgfu1628.dll
Successfully Deleted: C:\WINNT\system32\m628lgfu1628.dll
deleting: C:\WINNT\system32\aDaamon.dll
Successfully Deleted: C:\WINNT\system32\aDaamon.dll
deleting: C:\WINNT\system32\Hvok95.dll
Successfully Deleted: C:\WINNT\system32\Hvok95.dll
deleting: C:\WINNT\system32\n62ulgf9162.dll
Successfully Deleted: C:\WINNT\system32\n62ulgf9162.dll
deleting: C:\WINNT\system32\rCpilib.dll
Successfully Deleted: C:\WINNT\system32\rCpilib.dll
deleting: C:\WINNT\system32\j6l4lg3q16.dll
Successfully Deleted: C:\WINNT\system32\j6l4lg3q16.dll
deleting: C:\WINNT\system32\s6pulg7916.dll
Successfully Deleted: C:\WINNT\system32\s6pulg7916.dll

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: MUSTDFMT.DLL (deflated 5%)
adding: mfjtes40.dll (deflated 4%)
adding: dbeml.dll (deflated 5%)
adding: mvw3prt.dll (deflated 5%)
adding: dbuiext.dll (deflated 4%)
adding: sbndcmsg.dll (deflated 5%)
adding: lvjo0913e.dll (deflated 5%)
adding: skndcmsg.dll (deflated 4%)
adding: dpnput.dll (deflated 4%)
adding: m628lgfu1628.dll (deflated 6%)
adding: aDaamon.dll (deflated 5%)
adding: Hvok95.dll (deflated 5%)
adding: n62ulgf9162.dll (deflated 5%)
adding: rCpilib.dll (deflated 5%)
adding: j6l4lg3q16.dll (deflated 5%)
adding: s6pulg7916.dll (deflated 5%)
adding: echo.reg (deflated 9%)
adding: clear.reg (deflated 67%)
adding: desktop.ini (deflated 13%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 71%)
adding: lo2.txt (deflated 80%)
adding: test2.txt (deflated 47%)
adding: test3.txt (deflated 47%)
adding: test5.txt (deflated 47%)
adding: test.txt (deflated 75%)
adding: xfind.txt (deflated 67%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/1E60E08D-D28B-4743-AC9C-38B6C42019BC.reg (deflated 70%)
adding: backregs/B7CFB8ED-1023-46D5-A1D4-C12E06B2BA53.reg (deflated 70%)
adding: backregs/16785748-FA90-4735-8155-9906647686DA.reg (deflated 70%)
adding: backregs/74075671-F3BE-4E9E-9B1B-CE2FC4549B7B.reg (deflated 70%)
adding: backregs/3902D7C5-D00F-4EB6-8647-B7307BAB511E.reg (deflated 70%)
adding: backregs/7E6E6708-CAC4-45C3-95E1-8EA2A0BBB9AC.reg (deflated 70%)
adding: backregs/8C29FB15-32FB-4233-BABC-56076906B17B.reg (deflated 70%)
adding: backregs/C1408F0B-F103-4D55-8970-6C3C434C12D8.reg (deflated 70%)
adding: backregs/C0261017-5658-41CC-8CD5-CE069388AE0A.reg (deflated 70%)
adding: backregs/90D5E394-27CF-40AE-A232-8997C71F22FA.reg (deflated 70%)
adding: backregs/4B073131-5729-4399-B606-E8B79DD52324.reg (deflated 70%)
adding: backregs/18B06CD1-98B1-4D71-8EF6-E9CB25052CB7.reg (deflated 70%)
adding: backregs/6F82DE14-51DF-415E-AA6C-9D717E93408F.reg (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: MUSTDFMT.DLL
deleting local copy: mfjtes40.dll
deleting local copy: dbeml.dll
deleting local copy: mvw3prt.dll
deleting local copy: dbuiext.dll
deleting local copy: sbndcmsg.dll
deleting local copy: lvjo0913e.dll
deleting local copy: skndcmsg.dll
deleting local copy: dpnput.dll
deleting local copy: m628lgfu1628.dll
deleting local copy: aDaamon.dll
deleting local copy: Hvok95.dll
deleting local copy: n62ulgf9162.dll
deleting local copy: rCpilib.dll
deleting local copy: j6l4lg3q16.dll
deleting local copy: s6pulg7916.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINNT\system32\MUSTDFMT.DLL
C:\WINNT\system32\mfjtes40.dll
C:\WINNT\system32\dbeml.dll
C:\WINNT\system32\mvw3prt.dll
C:\WINNT\system32\dbuiext.dll
C:\WINNT\system32\sbndcmsg.dll
C:\WINNT\system32\lvjo0913e.dll
C:\WINNT\system32\skndcmsg.dll
C:\WINNT\system32\dpnput.dll
C:\WINNT\system32\m628lgfu1628.dll
C:\WINNT\system32\aDaamon.dll
C:\WINNT\system32\Hvok95.dll
C:\WINNT\system32\n62ulgf9162.dll
C:\WINNT\system32\rCpilib.dll
C:\WINNT\system32\j6l4lg3q16.dll
C:\WINNT\system32\s6pulg7916.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{1E60E08D-D28B-4743-AC9C-38B6C42019BC}"=-
"{B7CFB8ED-1023-46D5-A1D4-C12E06B2BA53}"=-
"{16785748-FA90-4735-8155-9906647686DA}"=-
"{74075671-F3BE-4E9E-9B1B-CE2FC4549B7B}"=-
"{3902D7C5-D00F-4EB6-8647-B7307BAB511E}"=-
"{7E6E6708-CAC4-45C3-95E1-8EA2A0BBB9AC}"=-
"{8C29FB15-32FB-4233-BABC-56076906B17B}"=-
"{C1408F0B-F103-4D55-8970-6C3C434C12D8}"=-
"{C0261017-5658-41CC-8CD5-CE069388AE0A}"=-
"{90D5E394-27CF-40AE-A232-8997C71F22FA}"=-
"{4B073131-5729-4399-B606-E8B79DD52324}"=-
"{18B06CD1-98B1-4D71-8EF6-E9CB25052CB7}"=-
"{6F82DE14-51DF-415E-AA6C-9D717E93408F}"=-
[-HKEY_CLASSES_ROOT\CLSID\{1E60E08D-D28B-4743-AC9C-38B6C42019BC}]
[-HKEY_CLASSES_ROOT\CLSID\{B7CFB8ED-1023-46D5-A1D4-C12E06B2BA53}]
[-HKEY_CLASSES_ROOT\CLSID\{16785748-FA90-4735-8155-9906647686DA}]
[-HKEY_CLASSES_ROOT\CLSID\{74075671-F3BE-4E9E-9B1B-CE2FC4549B7B}]
[-HKEY_CLASSES_ROOT\CLSID\{3902D7C5-D00F-4EB6-8647-B7307BAB511E}]
[-HKEY_CLASSES_ROOT\CLSID\{7E6E6708-CAC4-45C3-95E1-8EA2A0BBB9AC}]
[-HKEY_CLASSES_ROOT\CLSID\{8C29FB15-32FB-4233-BABC-56076906B17B}]
[-HKEY_CLASSES_ROOT\CLSID\{C1408F0B-F103-4D55-8970-6C3C434C12D8}]
[-HKEY_CLASSES_ROOT\CLSID\{C0261017-5658-41CC-8CD5-CE069388AE0A}]
[-HKEY_CLASSES_ROOT\CLSID\{90D5E394-27CF-40AE-A232-8997C71F22FA}]
[-HKEY_CLASSES_ROOT\CLSID\{4B073131-5729-4399-B606-E8B79DD52324}]
[-HKEY_CLASSES_ROOT\CLSID\{18B06CD1-98B1-4D71-8EF6-E9CB25052CB7}]
[-HKEY_CLASSES_ROOT\CLSID\{6F82DE14-51DF-415E-AA6C-9D717E93408F}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{46BD6E66-486B-413D-8318-498A4B99FFB0}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{46BD6E66-486B-413D-8318-498A4B99FFB0}</IDone>
<IDtwo>AD</IDtwo>
<VERSION>200</VERSION>
****************************************************************************


#7 ERDIANE

  • Topic Starter
  • Members
  • 5 posts
  • Local time:06:03 AM

Posted 10 February 2005 - 02:16 PM

OK, here is the new HijackThis log. Holding my breath.

Logfile of HijackThis v1.99.0
Scan saved at 12:46:19 PM, on 2/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\minilog.exe
C:\WINNT\Mixer.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\system32\viydnnn.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinZip\WINZIP32.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8000
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Program Files\Netscape\Users\ultibum\prefs.js)
O3 - Toolbar: (no name) - {12E6908F-AC5E-440D-B990-2FC6E641F51D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {FA16AF0F-0F5A-4DF8-BEDC-644B3FA5547B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\THELIP~1\LOCALS~1\Temp\ins13A8.tmp /R /NT /A
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [G.exe] C:\documents and settings\the lippincott's\local settings\temp\G.exe
O4 - HKLM\..\Run: [avqshyv] C:\WINNT\vukr.exe
O4 - HKLM\..\Run: [KDW7SD.exe] C:\documents and settings\the lippincott's\local settings\temp\KDW7SD.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [G] C:\documents and settings\the lippincott's\local settings\temp\G.exe
O4 - HKLM\..\Run: [KDW7SD] C:\documents and settings\the lippincott's\local settings\temp\KDW7SD.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O4 - HKLM\..\Run: [ntechin] C:\WINNT\system32\n20050308.exe
O4 - HKLM\..\Run: [qt2V36i] wzcctrac.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AutoLoaderqEtp1IXlKKbJ] "C:\WINNT\system32\wzcctrac.exe" /HideDir /HideUninstall /PC="CP.BIG" /ShowLegalNote="nonbranded"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Zaqgn] C:\WINNT\system32\viydnnn.exe
O4 - HKCU\..\Run: [bAt9RWGnR] wmitsrv.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon...oad/tgctlcm.cab
O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent611.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15ac0622c7f462e70116/netzip/RdxIE6.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partner...lim/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lim/install.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ibdcharts/ocx/plotwon.ocx
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.16/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1000/...uditControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86685AA8-BA72-4904-A26B-6C3B9F74FBDA}: NameServer = 68.2.16.25,68.2.16.30
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Basic Logging Client - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:03 AM

Posted 10 February 2005 - 10:33 PM

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

C:\WINNT\system32\n20050308.exe
C:\documents and settings\the lippincott's\local settings\temp\KDW7SD.exe
C:\documents and settings\the lippincott's\local settings\temp\G.exe
C:\WINNT\Meruoq.exe


To copy the files simply navigate to the directory they are in and right click on them and then click on copy. Then paste these files into the c:\submit directory. Once the files are all copied I need you to zip the folder. If you are using XP or ME, right-click on the folder and click on the Send To option and then send it to a compressed folder. You will now see a file called submit.zip. If you are using another version of Windows, please download a program called WinZip and zip it using that. Then go to http://www.bleepingcomputer.com/submit-malware.php, fill in the required fields, and browse to the file. Then click on the Send File button.


Do you know what this entry is? If not, fix it with the ones below:

O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z


Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click scan, and put a checkmark next to each of these. Then click the Fix button:

O3 - Toolbar: (no name) - {12E6908F-AC5E-440D-B990-2FC6E641F51D} - (no file)
O3 - Toolbar: (no name) - {FA16AF0F-0F5A-4DF8-BEDC-644B3FA5547B} - (no file)
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\THELIP~1\LOCALS~1\Temp\ins13A8.tmp /R /NT /A
O4 - HKLM\..\Run: [G.exe] C:\documents and settings\the lippincott's\local settings\temp\G.exe
O4 - HKLM\..\Run: [avqshyv] C:\WINNT\vukr.exe
O4 - HKLM\..\Run: [KDW7SD.exe] C:\documents and settings\the lippincott's\local settings\temp\KDW7SD.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [G] C:\documents and settings\the lippincott's\local settings\temp\G.exe
O4 - HKLM\..\Run: [KDW7SD] C:\documents and settings\the lippincott's\local settings\temp\KDW7SD.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O4 - HKLM\..\Run: [ntechin] C:\WINNT\system32\n20050308.exe
O4 - HKLM\..\Run: [qt2V36i] wzcctrac.exe
O4 - HKLM\..\Run: [AutoLoaderqEtp1IXlKKbJ] "C:\WINNT\system32\wzcctrac.exe" /HideDir /HideUninstall /PC="CP.BIG" /ShowLegalNote="nonbranded"
O4 - HKCU\..\Run: [Zaqgn] C:\WINNT\system32\viydnnn.exe
O4 - HKCU\..\Run: [bAt9RWGnR] wmitsrv.exe
O4 - Startup: PowerReg SchedulerV2.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15ac0622c7f462e70116/netzip/RdxIE6.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lim/install.cab

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):

C:\DOCUME~1\THELIP~1\LOCALS~1\Temp\ins13A8.tmp /R /NT /A
C:\documents and settings\the lippincott's\local settings\temp\G.exe
C:\WINNT\vukr.exe
C:\documents and settings\the lippincott's\local settings\temp\KDW7SD.exe
C:\documents and settings\the lippincott's\local settings\temp\G.exe
C:\documents and settings\the lippincott's\local settings\temp\KDW7SD.exe
C:\WINNT\Meruoq.exe
C:\WINNT\system32\n20050308.exe
c:\winnt\system32\wzcctrac.exe
C:\WINNT\system32\wzcctrac.exe
C:\WINNT\system32\viydnnn.exe
c:\winnt\system32\wmitsrv.exe

Reboot your computer to go back to normal mode and post a new log.
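The triage the helper does by eye above (autoruns that launch from a temp directory, the same program registered under two Run names, bare file names resolved through the PATH, ActiveX controls pulled from raw IP addresses, a proxy pointing at loopback) can be scripted as a first pass. The Python below is an added example written for this thread; it is not part of HijackThis and not code from the original post. Its input is a constructed sample made of lines copied from the log above, its parsing rules and heuristics are my own assumptions rather than anything HijackThis does, and it returns both the findings to review and the de-duplicated list of full file paths to collect as samples, with command-line switches such as /R /NT /A separated from the path so that a delete or collect list contains only paths.

```python
"""Triage helper for HijackThis-style logs.

Added example, not part of the HijackThis project or of this thread: it parses
the O4 (autorun), O16 (ActiveX download) and R1 (proxy) lines, separates the
program path from its command-line switches, applies a few defender-side
heuristics, and returns both the findings to review and the de-duplicated
list of full paths to collect as samples.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\THELIP~1\LOCALS~1\Temp\ins13A8.tmp /R /NT /A
O4 - HKLM\..\Run: [G.exe] C:\documents and settings\the lippincott's\local settings\temp\G.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [G] C:\documents and settings\the lippincott's\local settings\temp\G.exe
O4 - HKLM\..\Run: [qt2V36i] wzcctrac.exe
O4 - HKLM\..\Run: [AutoLoaderqEtp1IXlKKbJ] "C:\WINNT\system32\wzcctrac.exe" /HideDir /HideUninstall /PC="CP.BIG" /ShowLegalNote="nonbranded"
O4 - HKCU\..\Run: [Zaqgn] C:\WINNT\system32\viydnnn.exe
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.16/ttinst.cab
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8000
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \([^)]*\))? - (?P<url>\S+)$')
R1_RE = re.compile(r'^R1 - .*,ProxyServer = (?P<proxy>\S+)$')
IPV4_URL_RE = re.compile(r'^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/')
DRIVE_PATH_RE = re.compile(r'^[A-Za-z]:\\')


@dataclass
class Triage:
    findings: list = field(default_factory=list)   # (entry name or CLSID, reason)
    collect: list = field(default_factory=list)    # full paths worth submitting as samples


def split_command(cmd: str) -> tuple:
    """Return (program, arguments) for an autorun command line.

    rundll32 lines are special-cased so the module it loads is returned, not
    rundll32 itself. A quoted path ends at the closing quote. An unquoted path
    may contain spaces (common in 2000/XP profile paths), so it is cut at the
    first token that looks like a switch (/x or -x) rather than at the first space.
    """
    cmd = cmd.strip()
    tokens = cmd.split()
    if not tokens:
        return '', ''
    if tokens[0].strip('"').lower().rsplit('\\', 1)[-1] == 'rundll32.exe':
        rest = cmd[len(tokens[0]):].strip()
        module = rest.split(',', 1)[0].strip().strip('"')
        return module, rest
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ''
        return cmd[1:end], cmd[end + 1:].strip()
    cut = len(tokens)
    for i, tok in enumerate(tokens[1:], start=1):
        if tok[0] in '/-':
            cut = i
            break
    return ' '.join(tokens[:cut]), ' '.join(tokens[cut:])


def looks_generated(name: str) -> bool:
    """Heuristic (my assumption): no spaces, mixed case, and a digit embedded before a letter (qt2V36i, bAt9RWGnR)."""
    return (' ' not in name
            and re.search(r'\d[A-Za-z]', name) is not None
            and name != name.lower() and name != name.upper())


def triage(log_text: str) -> Triage:
    result = Triage()
    seen_basenames = {}      # lower-cased file name -> first Run entry that used it
    collected = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            name, program = m.group('name'), split_command(m.group('cmd'))[0]
            reasons = []
            if '\\temp\\' in program.lower():
                reasons.append('autorun launches from a temp directory')
            if not DRIVE_PATH_RE.match(program):
                reasons.append('bare file name, resolved through the PATH search order')
            base = program.lower().rsplit('\\', 1)[-1]
            if base in seen_basenames and seen_basenames[base] != name:
                reasons.append('same program also registered as [%s]' % seen_basenames[base])
            else:
                seen_basenames.setdefault(base, name)
            if looks_generated(name):
                reasons.append('entry name looks machine-generated')
            result.findings.extend((name, r) for r in reasons)
            # Only flagged entries with a full path are worth collecting; switches are already stripped.
            if reasons and DRIVE_PATH_RE.match(program) and program.lower() not in collected:
                collected.add(program.lower())
                result.collect.append(program)
            continue
        m = O16_RE.match(line)
        if m and IPV4_URL_RE.match(m.group('url')):
            result.findings.append((m.group('clsid'), 'ActiveX control downloaded from a bare IP address'))
            continue
        m = R1_RE.match(line)
        if m and m.group('proxy').startswith('127.'):
            result.findings.append(('ProxyServer', 'IE proxy points at loopback %s; confirm which local program listens there' % m.group('proxy')))
    return result


if __name__ == '__main__':
    report = triage(SAMPLE_LOG)
    for entry, reason in report.findings:
        print('REVIEW  [%s] %s' % (entry, reason))
    print('COLLECT:')
    for path in report.collect:
        print('  ' + path)
```

Run it as-is to print the worklist for the sample. The heuristics are deliberately conservative: [Zaqgn] C:\WINNT\system32\viydnnn.exe produces no finding even though the helper has it fixed, which is exactly why samples are requested before a file is condemned; treat the output as a worklist for a human, not a verdict.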



