Hijack this log [resolved]


  • This topic is locked

#1 darkfyre (Member, 10 posts)
Hello. I have a variant of vx2, and I am incapable of removing it. It is making me miserable, and any help you might render me in this situation would be greatly appreciated. I am including my HijackThis log, as well as an l2mfix log. Thanks for your time and consideration.

Logfile of HijackThis v1.99.1
Scan saved at 4:43:10 PM, on 2/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Documents and Settings\Darkfyre\Desktop\Firefox Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [otuonrv] c:\windows\system32\otuonrv.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106151126093
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: c:\windows\system32\hlpj.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\o2pq0c75ef.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

And as for the l2mfix log:

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n44sleh71h4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{86F0278D-50B3-42F7-82E8-183190557902}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}"="NOMAD Explorer"
"{BBA7EB3F-97AB-4EBD-BCA2-C3C8DBED444F}"="Notmad Explorer Zen"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{BCAAACCD-308C-459C-B742-EB0E9AF7F6B0}"=""
"{7E8C631E-8A7D-4C24-93D0-2CBAEC91ECA6}"=""
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{27B99CE2-C2DA-4055-B5CE-A226E853EC03}"=""
"{DAB568CA-7932-4425-950E-CCCF584918BC}"=""
"{BDA6081F-2132-48CA-AB11-E7974E0625C0}"=""
"{36518101-49AC-42CB-8E4C-40C1F328A565}"="Rad2 Extension"
"{5380C14E-C0A1-4D66-87DB-5995E6FF4623}"="Rad Extension"
"{75B8D633-9021-442C-9EA4-FF4BE72CE20F}"="NRad2 Extension"
"{C6844A1E-2C59-415A-84B3-C6A458372779}"="RadType Extension"
"{D00900BC-23F7-4FD6-BFA2-8232112C5C49}"="NRad Extension"
"{D2FD83AE-994A-4D4B-9097-2C9E11ED85F0}"="RadClkr Extension"
"{7700EB62-DB7C-47AF-A092-04376CA1D24C}"="RadMnu Extension"
"{98DB5983-8591-4B5D-96C5-40CDEA9C2A3C}"=""
"{48D1FD1E-A7FA-41F1-B701-6247BC7FC17E}"=""
"{7CA86422-B768-4DAE-B903-E7B2B114E070}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BCAAACCD-308C-459C-B742-EB0E9AF7F6B0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BCAAACCD-308C-459C-B742-EB0E9AF7F6B0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BCAAACCD-308C-459C-B742-EB0E9AF7F6B0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BCAAACCD-308C-459C-B742-EB0E9AF7F6B0}\InprocServer32]
@="C:\\WINDOWS\\system32\\qagrprxy.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7E8C631E-8A7D-4C24-93D0-2CBAEC91ECA6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7E8C631E-8A7D-4C24-93D0-2CBAEC91ECA6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7E8C631E-8A7D-4C24-93D0-2CBAEC91ECA6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7E8C631E-8A7D-4C24-93D0-2CBAEC91ECA6}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{27B99CE2-C2DA-4055-B5CE-A226E853EC03}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{27B99CE2-C2DA-4055-B5CE-A226E853EC03}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{27B99CE2-C2DA-4055-B5CE-A226E853EC03}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{27B99CE2-C2DA-4055-B5CE-A226E853EC03}\InprocServer32]
@="C:\\WINDOWS\\system32\\dwcpmon.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DAB568CA-7932-4425-950E-CCCF584918BC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DAB568CA-7932-4425-950E-CCCF584918BC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DAB568CA-7932-4425-950E-CCCF584918BC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DAB568CA-7932-4425-950E-CCCF584918BC}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BDA6081F-2132-48CA-AB11-E7974E0625C0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDA6081F-2132-48CA-AB11-E7974E0625C0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDA6081F-2132-48CA-AB11-E7974E0625C0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BDA6081F-2132-48CA-AB11-E7974E0625C0}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{98DB5983-8591-4B5D-96C5-40CDEA9C2A3C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{98DB5983-8591-4B5D-96C5-40CDEA9C2A3C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{98DB5983-8591-4B5D-96C5-40CDEA9C2A3C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{98DB5983-8591-4B5D-96C5-40CDEA9C2A3C}\InprocServer32]
@="C:\\WINDOWS\\system32\\dccprop.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{48D1FD1E-A7FA-41F1-B701-6247BC7FC17E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{48D1FD1E-A7FA-41F1-B701-6247BC7FC17E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{48D1FD1E-A7FA-41F1-B701-6247BC7FC17E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{48D1FD1E-A7FA-41F1-B701-6247BC7FC17E}\InprocServer32]
@="C:\\WINDOWS\\system32\\kkdlt.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7CA86422-B768-4DAE-B903-E7B2B114E070}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7CA86422-B768-4DAE-B903-E7B2B114E070}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7CA86422-B768-4DAE-B903-E7B2B114E070}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7CA86422-B768-4DAE-B903-E7B2B114E070}\InprocServer32]
@="C:\\WINDOWS\\system32\\mjihnd.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
akcore.dll Fri Jan 14 2005 2:59:06p A.... 188,416 184.00 K
browseui.dll Tue Dec 7 2004 5:41:16p A.... 1,017,856 994.00 K
cdfview.dll Tue Dec 7 2004 5:43:02p A.... 143,360 140.00 K
chasio.dll Tue Jan 18 2005 3:06:34p ..S.R 222,800 217.58 K
cmdlin~1.dll Sun Feb 20 2005 9:23:26p A.... 43,520 42.50 K
dergres.dll Wed Jan 19 2005 12:32:28p ..S.R 226,099 220.80 K
docore.dll Mon Jan 24 2005 11:11:40p A.... 151,552 148.00 K
dosync.dll Mon Feb 21 2005 9:54:26p A.... 114,688 112.00 K
dwcpmon.dll Sun Feb 20 2005 3:10:28p ..S.R 222,518 217.30 K
e6202g~1.dll Wed Jan 19 2005 10:19:52a ..S.R 223,221 217.99 K
fpj203~1.dll Mon Feb 28 2005 12:36:12p ..S.R 223,319 218.08 K
fpn603~1.dll Tue Jan 18 2005 3:46:42p ..S.R 223,379 218.14 K
fpr203~1.dll Thu Jan 13 2005 10:52:40p ..S.R 224,017 218.77 K
gp42l3~1.dll Sun Jan 30 2005 11:17:10a ..S.R 222,829 217.61 K
gp6ql3~1.dll Mon Jan 24 2005 9:45:42p ..... 223,157 217.93 K
hysetup.dll Sun Feb 20 2005 2:57:26p ..S.R 225,806 220.51 K
idrop.dll Fri Jan 14 2005 10:56:08p ..S.R 224,586 219.32 K
iepeers.dll Tue Dec 7 2004 11:51:58a A.... 236,032 230.50 K
ifengine.dll Mon Feb 21 2005 1:02:20p ..S.R 225,353 220.07 K
ilshlpr.dll Sun Feb 20 2005 9:15:46p ..S.R 224,501 219.24 K
ir6ml5~1.dll Thu Feb 24 2005 7:32:58a ..S.R 224,037 218.79 K
j62qlg~1.dll Tue Jan 25 2005 11:18:04p ..... 225,650 220.36 K
jt4u07~1.dll Fri Jan 14 2005 3:35:58p ..S.R 225,533 220.25 K
jt6u07~1.dll Mon Jan 24 2005 9:38:42p ..... 224,124 218.87 K
k4js0e~1.dll Mon Feb 21 2005 10:48:06p ..S.R 223,586 218.34 K
lofax11n.dll Sat Jan 15 2005 12:06:26p ..S.R 224,499 219.23 K
lvjm09~1.dll Tue Feb 22 2005 8:39:40a ..S.R 223,461 218.22 K
lvpq09~1.dll Fri Jan 14 2005 4:38:58p ..S.R 224,586 219.32 K
lwcalui.dll Sun Feb 20 2005 2:38:14p ..S.R 224,124 218.87 K
mjihnd.dll Mon Feb 28 2005 12:38:44p ..... 224,782 219.51 K
mol_mtf.dll Sun Feb 20 2005 3:12:42p ..S.R 222,692 217.47 K
mshtml.dll Thu Jan 27 2005 3:35:12p A.... 2,806,272 2.68 M
n08ola~1.dll Tue Feb 1 2005 5:07:52p ..S.R 225,865 220.57 K
n44sle~1.dll Mon Feb 28 2005 12:08:10p ..S.R 224,782 219.51 K
nrad.dll Wed Feb 2 2005 4:56:40a A.S.. 180,224 176.00 K
oem.dll Tue Dec 7 2004 3:02:02a A.S.. 53,248 52.00 K
ole32.dll Fri Jan 14 2005 12:33:52a A.... 1,258,496 1.20 M
olecli32.dll Fri Jan 14 2005 12:33:52a A.... 68,608 67.00 K
olecnv32.dll Fri Jan 14 2005 12:33:52a A.... 35,328 34.50 K
oveacc.dll Sat Jan 15 2005 8:47:30a ..S.R 225,668 220.38 K
pgop713x.dll Sat Jan 15 2005 8:40:44a ..S.R 224,727 219.46 K
qidwipes.dll Tue Jan 18 2005 3:17:24p ..S.R 223,429 218.19 K
rad.dll Wed Feb 2 2005 6:22:28a A.S.. 442,368 432.00 K
radclkr.dll Wed Feb 2 2005 6:25:14a A.S.. 118,784 116.00 K
radenu.dll Tue Dec 7 2004 3:28:32a A.S.. 61,440 60.00 K
radesp.dll Tue Dec 7 2004 3:29:02a A.S.. 61,440 60.00 K
radexe.dll Wed Feb 2 2005 4:58:12a A.S.. 212,992 208.00 K
radfra.dll Tue Dec 7 2004 3:30:48a A.S.. 65,536 64.00 K
radhun.dll Tue Dec 7 2004 3:33:02a A.S.. 61,440 60.00 K
radita.dll Tue Dec 7 2004 3:33:24a A.S.. 65,536 64.00 K
radmnu.dll Wed Feb 2 2005 6:24:36a A.S.. 528,384 516.00 K
radnlb.dll Tue Dec 7 2004 3:35:10a A.S.. 61,440 60.00 K
radplk.dll Sun Dec 19 2004 7:52:48p A.S.. 61,440 60.00 K
radregs.dll Wed Feb 2 2005 4:59:12a A.S.. 65,536 64.00 K
radtype.dll Wed Feb 2 2005 4:59:46a A.S.. 163,909 160.07 K
rbcss.dll Fri Jan 14 2005 10:52:30p ..S.R 224,586 219.32 K
rpcss.dll Fri Jan 14 2005 12:33:52a A.... 284,672 278.00 K
shdocvw.dll Tue Dec 7 2004 5:34:48p A.... 1,337,344 1.27 M
shell32.dll Tue Dec 21 2004 3:55:12p A.... 8,443,904 8.05 M
shlwapi.dll Tue Dec 7 2004 6:11:50p A.... 402,432 393.00 K
sintf16.dll Fri Jan 7 2005 12:19:22p A.... 12,067 11.78 K
sintf32.dll Fri Jan 7 2005 12:19:22p A.... 17,212 16.81 K
sintfnt.dll Fri Jan 7 2005 12:19:22p A.... 21,840 21.33 K
spmsg.dll Tue Nov 30 2004 2:46:38p ..... 7,168 7.00 K
sporder.dll Fri Jan 14 2005 2:59:06p A.... 8,464 8.27 K
srvsvc.dll Tue Dec 7 2004 2:34:38p A.... 79,872 78.00 K
u2rulc~1.dll Mon Jan 24 2005 9:53:28p ..... 224,124 218.87 K
urlmon.dll Tue Dec 7 2004 4:37:46p A.... 495,104 483.50 K
user32.dll Tue Dec 28 2004 8:31:44p A.... 574,464 561.00 K
ustheme.dll Sat Jan 15 2005 11:16:06a ..S.R 222,800 217.58 K
vrtest.dll Tue Jan 18 2005 3:38:48p ..S.R 225,999 220.70 K
wininet.dll Tue Dec 7 2004 4:37:02p A.... 590,336 576.50 K
xpsp2res.dll Wed Dec 1 2004 9:46:38a A.... 594,432 580.50 K

73 items found: 73 files (43 H/S), 0 directories.
Total of file sizes: 28,537,795 bytes 27.21 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Mon Feb 28 2005 12:39:44p A.... 224,782 219.51 K

1 item found: 1 file, 0 directories.
Total of file sizes: 224,782 bytes 219.51 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is E0EB-3431

Directory of C:\WINDOWS\System32

02/28/2005 12:36 PM 223,319 fpj2031oe.dll
02/28/2005 12:08 PM 224,782 n44sleh71h4.dll
02/24/2005 07:32 AM 224,037 ir6ml5j11.dll
02/22/2005 08:39 AM 223,461 lvjm0911e.dll
02/21/2005 10:48 PM 223,586 k4js0e17eh.dll
02/21/2005 01:02 PM 225,353 ifengine.dll
02/20/2005 09:15 PM 224,501 iLshlpr.dll
02/20/2005 03:12 PM 222,692 mol_mtf.dll
02/20/2005 03:10 PM 222,518 dwcpmon.dll
02/20/2005 02:57 PM 225,806 hysetup.dll
02/20/2005 02:38 PM 224,124 lwcalui.dll
02/16/2005 02:51 PM <DIR> dllcache
02/02/2005 06:25 AM 118,784 RadClkR.dll
02/02/2005 06:24 AM 528,384 RadMnu.dll
02/02/2005 06:22 AM 442,368 Rad.dll
02/02/2005 04:59 AM 163,909 RadType.dll
02/02/2005 04:59 AM 65,536 RadRegs.dll
02/02/2005 04:58 AM 212,992 RadExe.dll
02/02/2005 04:57 AM 98,304 RadClock.exe
02/02/2005 04:56 AM 180,224 NRad.dll
02/01/2005 05:07 PM 225,865 n08olal31dq.dll
01/30/2005 11:17 AM 222,829 gp42l3ho1.dll
01/19/2005 12:32 PM 226,099 dergres.dll
01/19/2005 10:19 AM 223,221 e6202gfmg62a2.dll
01/18/2005 03:46 PM 223,379 fpn6035se.dll
01/18/2005 03:38 PM 225,999 vrtest.dll
01/18/2005 03:17 PM 223,429 qidwipes.dll
01/18/2005 03:06 PM 222,800 CHASIO.DLL
01/15/2005 12:06 PM 224,499 lofax11n.dll
01/15/2005 11:16 AM 222,800 ustheme.dll
01/15/2005 08:47 AM 225,668 oveacc.dll
01/15/2005 08:40 AM 224,727 Pgop713x.dll
01/14/2005 10:56 PM 224,586 idrop.dll
01/14/2005 10:52 PM 224,586 rbcss.dll
01/14/2005 04:38 PM 224,586 lvpq0975e.dll
01/14/2005 03:35 PM 225,533 jt4u07h9e.dll
01/13/2005 10:52 PM 224,017 fpr2039oe.dll
12/29/2004 10:43 PM 1,403 Probe.inf
12/29/2004 10:43 PM 18,492 RadProbe.sys
12/19/2004 07:52 PM 61,440 RadPlk.dll
12/07/2004 03:35 AM 61,440 RadNlb.dll
12/07/2004 03:33 AM 65,536 RadIta.dll
12/07/2004 03:33 AM 61,440 RadHun.dll
12/07/2004 03:30 AM 65,536 RadFra.dll
12/07/2004 03:29 AM 61,440 RadEsp.dll
12/07/2004 03:28 AM 61,440 RadEnu.dll
12/07/2004 03:02 AM 53,248 OEM.dll
11/28/2004 12:05 AM 61,440 RadDeu.dll
11/04/2004 05:46 AM 9,315 radregs.inf
08/04/2004 12:40 PM <DIR> Microsoft
04/18/2004 10:30 AM 1,104 Ahn9.ew7
12/04/2002 06:37 PM 10,752 Thumbs.db
05/10/2000 11:00 PM 397,312 Msrdo20.dll
03/13/2000 11:00 PM 151,552 Rdocurs.dll
52 File(s) 9,232,193 bytes
2 Dir(s) 15,794,171,904 bytes free
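Added example (not code from this thread or from HijackThis/L2MFix): a Python script that applies, as a triage heuristic, the pattern visible in the two logs above: System32 files carrying S and R attributes inside the roughly 220 to 227 KB band, any other file with exactly the same byte count (the guard.tmp copy), and the HijackThis sections that always merit review. The size band, the attribute test and the section list are assumptions drawn from this one log, not a published signature; the sample lines are excerpts copied from the logs above.

```python
import re

# Sample input: lines excerpted from the L2MFix "Files Found" listing in the post above.
L2MFIX_FILES = """
akcore.dll Fri Jan 14 2005 2:59:06p A.... 188,416 184.00 K
browseui.dll Tue Dec 7 2004 5:41:16p A.... 1,017,856 994.00 K
chasio.dll Tue Jan 18 2005 3:06:34p ..S.R 222,800 217.58 K
dwcpmon.dll Sun Feb 20 2005 3:10:28p ..S.R 222,518 217.30 K
mjihnd.dll Mon Feb 28 2005 12:38:44p ..... 224,782 219.51 K
n44sle~1.dll Mon Feb 28 2005 12:08:10p ..S.R 224,782 219.51 K
rad.dll Wed Feb 2 2005 6:22:28a A.S.. 442,368 432.00 K
shell32.dll Tue Dec 21 2004 3:55:12p A.... 8,443,904 8.05 M
guard.tmp Mon Feb 28 2005 12:39:44p A.... 224,782 219.51 K
"""

# Sample input: lines excerpted from the HijackThis log in the post above.
HJT_LINES = r"""
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O20 - AppInit_DLLs: c:\windows\system32\hlpj.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\o2pq0c75ef.dll
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
"""

# One L2MFix listing line: name, timestamp, five attribute flags, size in bytes.
FILE_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap]\s+"
    r"(?P<attrs>\S{5})\s+"
    r"(?P<size>[\d,]+)\s+"
)

# Assumption: the byte-size band into which every S+R DLL in this log falls.
L2M_MIN, L2M_MAX = 220_000, 227_000

# HijackThis sections whose every entry deserves a look on a box like this one.
ALWAYS_REVIEW = {
    "O1": "hosts file entry redirecting a search/update host",
    "O18": "text/html filter hooking the browser",
    "O20": "AppInit_DLLs or Winlogon Notify load point",
}

HJT_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<rest>.*)$")


def parse_file_lines(text):
    """Turn L2MFix listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append({
                "name": m.group("name").lower(),
                "attrs": m.group("attrs"),
                "size": int(m.group("size").replace(",", "")),
            })
    return entries


def is_primary_hit(entry):
    """System + read-only attributes on a file inside the size band seen above."""
    attrs = entry["attrs"]
    return "S" in attrs and "R" in attrs and L2M_MIN <= entry["size"] <= L2M_MAX


def flag_files(entries):
    """Map file name -> reason. Pass 1: attribute/size rule. Pass 2: any other
    file with exactly the same byte count as a pass-1 hit (guard.tmp and
    mjihnd.dll share 224,782 bytes with n44sle~1.dll in the listing above)."""
    flagged = {}
    hit_sizes = set()
    for e in entries:
        if is_primary_hit(e):
            flagged[e["name"]] = "S+R attributes, size inside the ~220 KB band"
            hit_sizes.add(e["size"])
    for e in entries:
        if e["name"] not in flagged and e["size"] in hit_sizes:
            flagged[e["name"]] = "same byte size as a flagged file"
    return flagged


def flag_hjt(text):
    """Return (line, reason) pairs for HijackThis entries that need review."""
    hits = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec in ALWAYS_REVIEW:
            hits.append((line, ALWAYS_REVIEW[sec]))
        elif sec == "O23" and "Unknown owner" in rest and "system32" in rest.lower():
            # No vendor name in the binary's version info, and it lives in system32.
            hits.append((line, "service with no vendor info running from system32"))
    return hits


if __name__ == "__main__":
    for name, why in sorted(flag_files(parse_file_lines(L2MFIX_FILES)).items()):
        print(f"FILE  {name:14} {why}")
    for line, why in flag_hjt(HJT_LINES):
        print(f"HJT   {why}: {line}")
```

Everything it prints is a candidate for a human to check against the real thread advice, not a verdict; legitimate files can share attributes or sizes by chance.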
#2 Dragon (All Around Computer Nut, Retired Staff, 2,678 posts)
Good job for using that log.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

#3 darkfyre (Topic Starter, Member, 10 posts)
Thanks for your attention and help. First, here's the new l2mfix log:

L2Mfix 1.02b

Running From:
C:\Documents and Settings\Darkfyre\Desktop\Firefox Downloads\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Darkfyre\Desktop\Firefox Downloads\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Darkfyre\Desktop\Firefox Downloads\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1912 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\CHASIO.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dergres.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dwcpmon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\e6202gfmg62a2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpj2031oe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpn6035se.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpr2039oe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp42l3ho1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gp6ql3j51.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hysetup.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\idrop.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ifengine.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iLshlpr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir6ml5j11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j62qlgf5162.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt4u07h9e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt6u07j9e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k4js0e17eh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lofax11n.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvjm0911e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvpq0975e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lwcalui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mol_mtf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n08olal31dq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oveacc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Pgop713x.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qidwipes.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rbcss.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\u2rulc991f.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ustheme.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vrtest.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\CHASIO.DLL
Successfully Deleted: C:\WINDOWS\system32\CHASIO.DLL
deleting: C:\WINDOWS\system32\dergres.dll
Successfully Deleted: C:\WINDOWS\system32\dergres.dll
deleting: C:\WINDOWS\system32\dwcpmon.dll
Successfully Deleted: C:\WINDOWS\system32\dwcpmon.dll
deleting: C:\WINDOWS\system32\e6202gfmg62a2.dll
Successfully Deleted: C:\WINDOWS\system32\e6202gfmg62a2.dll
deleting: C:\WINDOWS\system32\fpj2031oe.dll
Successfully Deleted: C:\WINDOWS\system32\fpj2031oe.dll
deleting: C:\WINDOWS\system32\fpn6035se.dll
Successfully Deleted: C:\WINDOWS\system32\fpn6035se.dll
deleting: C:\WINDOWS\system32\fpr2039oe.dll
Successfully Deleted: C:\WINDOWS\system32\fpr2039oe.dll
deleting: C:\WINDOWS\system32\gp42l3ho1.dll
Successfully Deleted: C:\WINDOWS\system32\gp42l3ho1.dll
deleting: C:\WINDOWS\system32\gp6ql3j51.dll
Successfully Deleted: C:\WINDOWS\system32\gp6ql3j51.dll
deleting: C:\WINDOWS\system32\hysetup.dll
Successfully Deleted: C:\WINDOWS\system32\hysetup.dll
deleting: C:\WINDOWS\system32\idrop.dll
Successfully Deleted: C:\WINDOWS\system32\idrop.dll
deleting: C:\WINDOWS\system32\ifengine.dll
Successfully Deleted: C:\WINDOWS\system32\ifengine.dll
deleting: C:\WINDOWS\system32\iLshlpr.dll
Successfully Deleted: C:\WINDOWS\system32\iLshlpr.dll
deleting: C:\WINDOWS\system32\ir6ml5j11.dll
Successfully Deleted: C:\WINDOWS\system32\ir6ml5j11.dll
deleting: C:\WINDOWS\system32\j62qlgf5162.dll
Successfully Deleted: C:\WINDOWS\system32\j62qlgf5162.dll
deleting: C:\WINDOWS\system32\jt4u07h9e.dll
Successfully Deleted: C:\WINDOWS\system32\jt4u07h9e.dll
deleting: C:\WINDOWS\system32\jt6u07j9e.dll
Successfully Deleted: C:\WINDOWS\system32\jt6u07j9e.dll
deleting: C:\WINDOWS\system32\k4js0e17eh.dll
Successfully Deleted: C:\WINDOWS\system32\k4js0e17eh.dll
deleting: C:\WINDOWS\system32\lofax11n.dll
Successfully Deleted: C:\WINDOWS\system32\lofax11n.dll
deleting: C:\WINDOWS\system32\lvjm0911e.dll
Successfully Deleted: C:\WINDOWS\system32\lvjm0911e.dll
deleting: C:\WINDOWS\system32\lvpq0975e.dll
Successfully Deleted: C:\WINDOWS\system32\lvpq0975e.dll
deleting: C:\WINDOWS\system32\lwcalui.dll
Successfully Deleted: C:\WINDOWS\system32\lwcalui.dll
deleting: C:\WINDOWS\system32\mol_mtf.dll
Successfully Deleted: C:\WINDOWS\system32\mol_mtf.dll
deleting: C:\WINDOWS\system32\n08olal31dq.dll
Successfully Deleted: C:\WINDOWS\system32\n08olal31dq.dll
deleting: C:\WINDOWS\system32\oveacc.dll
Successfully Deleted: C:\WINDOWS\system32\oveacc.dll
deleting: C:\WINDOWS\system32\Pgop713x.dll
Successfully Deleted: C:\WINDOWS\system32\Pgop713x.dll
deleting: C:\WINDOWS\system32\qidwipes.dll
Successfully Deleted: C:\WINDOWS\system32\qidwipes.dll
deleting: C:\WINDOWS\system32\rbcss.dll
Successfully Deleted: C:\WINDOWS\system32\rbcss.dll
deleting: C:\WINDOWS\system32\u2rulc991f.dll
Successfully Deleted: C:\WINDOWS\system32\u2rulc991f.dll
deleting: C:\WINDOWS\system32\ustheme.dll
Successfully Deleted: C:\WINDOWS\system32\ustheme.dll
deleting: C:\WINDOWS\system32\vrtest.dll
Successfully Deleted: C:\WINDOWS\system32\vrtest.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: CHASIO.DLL (140 bytes security) (deflated 3%)
adding: dergres.dll (140 bytes security) (deflated 5%)
adding: dwcpmon.dll (140 bytes security) (deflated 3%)
adding: e6202gfmg62a2.dll (140 bytes security) (deflated 4%)
adding: fpj2031oe.dll (140 bytes security) (deflated 4%)
adding: fpn6035se.dll (140 bytes security) (deflated 4%)
adding: fpr2039oe.dll (140 bytes security) (deflated 4%)
adding: gp42l3ho1.dll (140 bytes security) (deflated 3%)
adding: gp6ql3j51.dll (140 bytes security) (deflated 4%)
adding: hysetup.dll (140 bytes security) (deflated 5%)
adding: idrop.dll (140 bytes security) (deflated 4%)
adding: ifengine.dll (140 bytes security) (deflated 5%)
adding: iLshlpr.dll (140 bytes security) (deflated 4%)
adding: ir6ml5j11.dll (140 bytes security) (deflated 4%)
adding: j62qlgf5162.dll (140 bytes security) (deflated 5%)
adding: jt4u07h9e.dll (140 bytes security) (deflated 4%)
adding: jt6u07j9e.dll (140 bytes security) (deflated 4%)
adding: k4js0e17eh.dll (140 bytes security) (deflated 4%)
adding: lofax11n.dll (140 bytes security) (deflated 4%)
adding: lvjm0911e.dll (140 bytes security) (deflated 4%)
adding: lvpq0975e.dll (140 bytes security) (deflated 4%)
adding: lwcalui.dll (140 bytes security) (deflated 4%)
adding: mol_mtf.dll (140 bytes security) (deflated 3%)
adding: n08olal31dq.dll (140 bytes security) (deflated 5%)
adding: oveacc.dll (140 bytes security) (deflated 5%)
adding: Pgop713x.dll (140 bytes security) (deflated 4%)
adding: qidwipes.dll (140 bytes security) (deflated 4%)
adding: rbcss.dll (140 bytes security) (deflated 4%)
adding: u2rulc991f.dll (140 bytes security) (deflated 4%)
adding: ustheme.dll (140 bytes security) (deflated 3%)
adding: vrtest.dll (140 bytes security) (deflated 5%)
adding: guard.tmp (140 bytes security) (deflated 4%)
adding: clear.reg (140 bytes security) (deflated 62%)
adding: echo.reg (140 bytes security) (deflated 12%)
adding: desktop.ini (140 bytes security) (deflated 14%)
adding: direct.txt (140 bytes security) (stored 0%)
adding: lo2.txt (140 bytes security) (deflated 84%)
adding: readme.txt (140 bytes security) (deflated 49%)
adding: report.txt (140 bytes security) (deflated 68%)
adding: test.txt (140 bytes security) (deflated 80%)
adding: test2.txt (140 bytes security) (deflated 43%)
adding: test3.txt (140 bytes security) (deflated 43%)
adding: test5.txt (140 bytes security) (deflated 43%)
adding: xfind.txt (140 bytes security) (deflated 75%)
adding: backregs/27B99CE2-C2DA-4055-B5CE-A226E853EC03.reg (140 bytes security) (deflated 70%)
adding: backregs/48D1FD1E-A7FA-41F1-B701-6247BC7FC17E.reg (140 bytes security) (deflated 70%)
adding: backregs/7CA86422-B768-4DAE-B903-E7B2B114E070.reg (140 bytes security) (deflated 70%)
adding: backregs/7E8C631E-8A7D-4C24-93D0-2CBAEC91ECA6.reg (140 bytes security) (deflated 70%)
adding: backregs/98DB5983-8591-4B5D-96C5-40CDEA9C2A3C.reg (140 bytes security) (deflated 70%)
adding: backregs/BCAAACCD-308C-459C-B742-EB0E9AF7F6B0.reg (140 bytes security) (deflated 70%)
adding: backregs/BDA6081F-2132-48CA-AB11-E7974E0625C0.reg (140 bytes security) (deflated 70%)
adding: backregs/DAB568CA-7932-4425-950E-CCCF584918BC.reg (140 bytes security) (deflated 70%)
adding: backregs/shell.reg (140 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: CHASIO.DLL
deleting local copy: dergres.dll
deleting local copy: dwcpmon.dll
deleting local copy: e6202gfmg62a2.dll
deleting local copy: fpj2031oe.dll
deleting local copy: fpn6035se.dll
deleting local copy: fpr2039oe.dll
deleting local copy: gp42l3ho1.dll
deleting local copy: gp6ql3j51.dll
deleting local copy: hysetup.dll
deleting local copy: idrop.dll
deleting local copy: ifengine.dll
deleting local copy: iLshlpr.dll
deleting local copy: ir6ml5j11.dll
deleting local copy: j62qlgf5162.dll
deleting local copy: jt4u07h9e.dll
deleting local copy: jt6u07j9e.dll
deleting local copy: k4js0e17eh.dll
deleting local copy: lofax11n.dll
deleting local copy: lvjm0911e.dll
deleting local copy: lvpq0975e.dll
deleting local copy: lwcalui.dll
deleting local copy: mol_mtf.dll
deleting local copy: n08olal31dq.dll
deleting local copy: oveacc.dll
deleting local copy: Pgop713x.dll
deleting local copy: qidwipes.dll
deleting local copy: rbcss.dll
deleting local copy: u2rulc991f.dll
deleting local copy: ustheme.dll
deleting local copy: vrtest.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\CHASIO.DLL
C:\WINDOWS\system32\dergres.dll
C:\WINDOWS\system32\dwcpmon.dll
C:\WINDOWS\system32\e6202gfmg62a2.dll
C:\WINDOWS\system32\fpj2031oe.dll
C:\WINDOWS\system32\fpn6035se.dll
C:\WINDOWS\system32\fpr2039oe.dll
C:\WINDOWS\system32\gp42l3ho1.dll
C:\WINDOWS\system32\gp6ql3j51.dll
C:\WINDOWS\system32\hysetup.dll
C:\WINDOWS\system32\idrop.dll
C:\WINDOWS\system32\ifengine.dll
C:\WINDOWS\system32\iLshlpr.dll
C:\WINDOWS\system32\ir6ml5j11.dll
C:\WINDOWS\system32\j62qlgf5162.dll
C:\WINDOWS\system32\jt4u07h9e.dll
C:\WINDOWS\system32\jt6u07j9e.dll
C:\WINDOWS\system32\k4js0e17eh.dll
C:\WINDOWS\system32\lofax11n.dll
C:\WINDOWS\system32\lvjm0911e.dll
C:\WINDOWS\system32\lvpq0975e.dll
C:\WINDOWS\system32\lwcalui.dll
C:\WINDOWS\system32\mol_mtf.dll
C:\WINDOWS\system32\n08olal31dq.dll
C:\WINDOWS\system32\oveacc.dll
C:\WINDOWS\system32\Pgop713x.dll
C:\WINDOWS\system32\qidwipes.dll
C:\WINDOWS\system32\rbcss.dll
C:\WINDOWS\system32\u2rulc991f.dll
C:\WINDOWS\system32\ustheme.dll
C:\WINDOWS\system32\vrtest.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BCAAACCD-308C-459C-B742-EB0E9AF7F6B0}"=-
"{7E8C631E-8A7D-4C24-93D0-2CBAEC91ECA6}"=-
"{27B99CE2-C2DA-4055-B5CE-A226E853EC03}"=-
"{DAB568CA-7932-4425-950E-CCCF584918BC}"=-
"{BDA6081F-2132-48CA-AB11-E7974E0625C0}"=-
"{98DB5983-8591-4B5D-96C5-40CDEA9C2A3C}"=-
"{48D1FD1E-A7FA-41F1-B701-6247BC7FC17E}"=-
"{7CA86422-B768-4DAE-B903-E7B2B114E070}"=-
[-HKEY_CLASSES_ROOT\CLSID\{BCAAACCD-308C-459C-B742-EB0E9AF7F6B0}]
[-HKEY_CLASSES_ROOT\CLSID\{7E8C631E-8A7D-4C24-93D0-2CBAEC91ECA6}]
[-HKEY_CLASSES_ROOT\CLSID\{27B99CE2-C2DA-4055-B5CE-A226E853EC03}]
[-HKEY_CLASSES_ROOT\CLSID\{DAB568CA-7932-4425-950E-CCCF584918BC}]
[-HKEY_CLASSES_ROOT\CLSID\{BDA6081F-2132-48CA-AB11-E7974E0625C0}]
[-HKEY_CLASSES_ROOT\CLSID\{98DB5983-8591-4B5D-96C5-40CDEA9C2A3C}]
[-HKEY_CLASSES_ROOT\CLSID\{48D1FD1E-A7FA-41F1-B701-6247BC7FC17E}]
[-HKEY_CLASSES_ROOT\CLSID\{7CA86422-B768-4DAE-B903-E7B2B114E070}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{86F0278D-50B3-42F7-82E8-183190557902}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{86F0278D-50B3-42F7-82E8-183190557902}</IDone>
<IDtwo>VT01</IDtwo>
<VERSION>200</VERSION>
****************************************************************************

And next, here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:00:56 PM, on 2/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Darkfyre\Desktop\Firefox Downloads\HijackThis.exe

R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [otuonrv] c:\windows\system32\otuonrv.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106151126093
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: c:\windows\system32\hlpj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)



Thanks again for your time and consideration.

Oh yeah, and finally, every time I reboot, there's this pesky program running called "Desktop Search," that has a little "slide-up" box running right above my system tray with an input box and a magnifying glass. I for sure don't want it, and I'm not able to get rid of it. Any ideas?

Thanks.
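The L2Mfix log above exports HKLM\...\Winlogon\Notify because that key is the persistence point: a DLL named under a Notify subkey is loaded into winlogon.exe and called on logon, logoff and shell start, so it is running before the user's shell and before any cleanup tool started from the desktop. That is presumably also why the fix denies Everyone the right to create subkeys there across the reboot. The script below is an added example, not part of the post or of L2Mfix: it parses a regedit 5.00 export of that key and reports subkeys that are not on an allowlist. The root key and the AtiExtEvent subkey are copied from the export above; the Unimodem subkey is constructed here from the HijackThis O20 line that appears later in the thread, so the audit has something to flag. The stock-XP allowlist is from memory of a clean install and is labelled as an assumption in the code.

```python
import re

# Constructed sample export in regedit 5.00 format. Root key and AtiExtEvent
# are copied from the L2Mfix export in the post; Unimodem is constructed from
# the HijackThis "O20 - Winlogon Notify" line found later in the thread.
NOTIFY_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Logon"="AtiLogonEvent"
"Logoff"="AtiLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"DLLName"="C:\\WINDOWS\\system32\\o2pq0c75ef.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"""

NOTIFY_ROOT = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
               r"\CurrentVersion\Winlogon\Notify")

# Assumption: the Notify subkeys a clean Windows XP SP1/SP2 install carries and
# the DLL each names, written down from memory. Treat it as a starting
# allowlist to verify against a known-good machine, not as an authority.
STOCK_NOTIFY = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}


def parse_reg_export(text):
    """Minimal .reg parser: {key path: {value name: value}}. String values are
    unquoted and backslash-unescaped; dword/hex values are kept as written."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")
            keys[current][name.strip('"')] = value
    return keys


def audit_notify(text, extra_known=()):
    """Return [(subkey, dll, [reasons])] for Notify subkeys that are not
    allowlisted. extra_known is an iterable of (subkey, dll) pairs for vendor
    entries verified on this machine, e.g. ("AtiExtEvent", "Ati2evxx.dll")."""
    known = dict(STOCK_NOTIFY)
    known.update({k.lower(): v.lower() for k, v in extra_known})
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(NOTIFY_ROOT.lower() + "\\"):
            continue  # the Notify key itself and unrelated keys
        subkey = key.rsplit("\\", 1)[1]
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        basename = dll.rsplit("\\", 1)[-1]
        if known.get(subkey.lower()) == basename.lower():
            continue  # allowlisted subkey naming the DLL we expect
        reasons = ["unknown subkey" if subkey.lower() not in known
                   else "dll mismatch"]
        if "\\" in dll:
            # stock entries are bare file names resolved from system32
            reasons.append("full path")
        if re.search(r"\d+[A-Za-z]", basename.rsplit(".", 1)[0]):
            reasons.append("random-looking dll name")
        findings.append((subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    for subkey, dll, reasons in audit_notify(NOTIFY_EXPORT):
        print(f"{subkey:14} {dll:40} {', '.join(reasons)}")
```

Run without `extra_known` and the ATI entry is reported too (unknown subkey, and the digit in Ati2evxx trips the name heuristic); that is the intended starting point, since the first pass should make you confirm every vendor entry by hand before adding it to the allowlist. The point is that a Notify entry is judged by the subkey and the DLL it names together, not by whether the name sounds like a driver.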

#4 Dragon (All Around Computer Nut; Retired Staff; 2,678 posts)
Please follow this link http://castlecops.com/post106277.html and do exactly as it says.
After that, go to Add/Remove Programs and search for and remove any files that have this name in them:

wintools

Then, please look over the following entries I have listed, run HijackThis again and check them, and then, making sure you have no Internet Explorer windows open, including this one, press the "Fix Checked" button in HijackThis.

Reboot if I have specified below, and post a fresh HijackThis log.

R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [otuonrv] c:\windows\system32\otuonrv.exe
O20 - AppInit_DLLs: c:\windows\system32\hlpj.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\o2pq0c75ef.dll
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)


After this, Reboot and Delete the following files:

C:\PROGRA~1\VBouncer
C:\WINDOWS\System32\wsxsvc
C:\WINDOWS\isrvs
c:\windows\system32\otuonrv.exe
c:\windows\system32\hlpj.dll
C:\WINDOWS\system32\o2pq0c75ef.dll

Note: Make sure you have set Windows to show hidden files and folders before you start sending them to us for analysis or deleting them. This can be done by following the instructions at this webpage: http://www.xtra.co.n...1916458,00.html

To delete these files/folders, you will need to boot into Safe Mode. This can be done by tapping F8 while your machine restarts.
Then post a fresh HijackThis log.

Edited by Efwis, 28 February 2005 - 04:19 PM.

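The list of entries to fix in the post above is a triage that can be written down as rules: hosts entries pointing anywhere but the local host, autorun targets living in a folder created under C:\WINDOWS, anything in AppInit_DLLs, a Winlogon Notify DLL with a random-looking name, and a service or URL hook whose file is gone. The script below is an added example, not part of the post or of HijackThis: it applies those rules to HijackThis log lines. The sample is a constructed subset of the entries from the logs posted in this thread, including a few benign ones (AVG, QuickTime, the Creative service) that the rules must leave alone. Reason labels are my own names.

```python
import re

# Constructed sample: a subset of entries from the HijackThis logs posted in
# this thread (benign and hostile mixed), not a complete log.
HJT_SAMPLE = r"""R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [otuonrv] c:\windows\system32\otuonrv.exe
O20 - AppInit_DLLs: c:\windows\system32\hlpj.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\o2pq0c75ef.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
"""

# hosts entries that map a name to the local host are the only normal ones
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def run_target(body):
    """Pull the executable path out of an O4 body, i.e. the text after the
    [name] tag, with or without surrounding quotes, dropping any arguments."""
    m = re.search(r'\]\s+"?([^"]+?\.exe)', body, re.I)
    return m.group(1) if m else ""


def under_windows_subfolder(path):
    """True for C:\\WINDOWS\\<something>\\x.exe or C:\\WINDOWS\\System32\\<something>\\x.exe,
    i.e. an extra folder created under the Windows tree. A random-named exe
    placed directly in system32 (otuonrv.exe above) is NOT caught by this rule;
    that one needs the size/time clustering or a file-age check instead."""
    parts = path.lower().split("\\")
    if len(parts) < 3 or parts[0] != "c:" or parts[1] != "windows":
        return False
    return parts[2:-1] not in ([], ["system32"])


def triage_hjt(log_text):
    """Return [(reason, line)] for HijackThis entries that match a rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"^([ROFN]\d+) - (.*)$", line)
        if not m:
            continue  # header, process list, blank
        section, body = m.groups()
        if section == "O1":
            ip = body.split()[1]  # body is "Hosts: <ip> <hostname>"
            if ip not in LOCAL_IPS:
                findings.append(("hosts-redirect", line))
        elif section == "O4" and under_windows_subfolder(run_target(body)):
            findings.append(("windows-subfolder-autorun", line))
        elif section == "O20":
            if body.startswith("AppInit_DLLs:"):
                findings.append(("appinit-dll", line))  # rarely set on a clean XP box
            elif (body.startswith("Winlogon Notify:")
                  and re.search(r"\d", body.rsplit("\\", 1)[-1])):
                findings.append(("winlogon-notify", line))
        elif section == "O23" and line.endswith("(file missing)"):
            findings.append(("orphaned-service", line))
        elif section == "R3" and line.endswith("(no file)"):
            findings.append(("orphaned-hook", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage_hjt(HJT_SAMPLE):
        print(f"{reason:26} {line}")
```

Two things this makes visible. First, the four O1 lines all point at two non-local addresses, so the hosts file is redirecting search traffic rather than blocking anything; that is why they are all on the fix list. Second, an O23 entry marked "(file missing)" is a service registration whose binary is already gone, so there is nothing to find in Safe Mode; the registration itself has to be removed, for instance with `sc stop WinToolsSvc` followed by `sc delete WinToolsSvc` from an administrator command prompt on XP, and only then does the line disappear from the log.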

#5 darkfyre (Member, Topic Starter; 10 posts)
Thanks again for your help. Judging from my (admittedly amateur) perusal of this HijackThis log, it looks like all that crap is off my machine. I'm posting it anyway, for your more trained opinion. Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 9:56:11 PM, on 2/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Darkfyre\Desktop\Firefox Downloads\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106151126093
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O19 - User stylesheet: (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

#6 Dragon (All Around Computer Nut; Retired Staff; 2,678 posts)
Running HijackThis again, and making sure all windows, including this one, are closed, fix the following entries.

O19 - User stylesheet: (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)


Were you able to find and delete WToolsS.exe from your machine? if it wasn't in Add/remove programs then find and delete this file in safe mode.

C:\Program Files\WinTools

#7 darkfyre (Member, Topic Starter; 10 posts)
Nope, I wasn't able to. I'll try the safemode thing now, though.

#8 darkfyre (Member, Topic Starter; 10 posts)
So, I re-ran HijackThis, and clicked on the fix for the O23 WinTools thing, then rebooted in Safe Mode. Problem is, C:\Program Files\Common Files\WinTools doesn't seem to exist. So I can't delete WToolsS.exe. What's worse, when I did a search for that exact file, it returned nothing. So, I assumed HijackThis took care of it, and returned to Windows. On running HijackThis again, I got the following log:

Logfile of HijackThis v1.99.1
Scan saved at 10:42:30 PM, on 2/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eMule\emule.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Darkfyre\Desktop\Firefox Downloads\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106151126093
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Which clearly still has it. So, I'm rather at a loss for how to proceed. Thanks for your help in this regard.
  • 0

#9
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Download and unzip cwsserviceremove to your desktop. Use either link below:
http://computercops....ownload&id=3002
http://www.mytechsup...rviceremove.zip

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

WinTools for IE service (WinToolsSvc)


When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed, go ahead with the next step.

Reboot into SafeMode.

Double click on the cwsserviceremove and when asked to merge say yes.
Reboot into normal mode and post a fresh HijackThis log to see how we did.

Are you still having problems?

Edited by Efwis, 01 March 2005 - 07:46 AM.

  • 0

#10
darkfyre

darkfyre

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:27:06 AM, on 3/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\imapi.exe
C:\Documents and Settings\Darkfyre\Desktop\Firefox Downloads\HijackThis.exe

O1 - Hosts: 62.75.224.159 www.bns1.net
O1 - Hosts: 62.75.224.159 www.bns2.net
O1 - Hosts: 62.75.224.159 www.bns3.net
O1 - Hosts: 62.75.224.159 www.bns4.net
O1 - Hosts: 62.75.224.159 www.bns5.net
O1 - Hosts: 62.75.224.159 www.bns6.net
O1 - Hosts: 62.75.224.159 www.bns7.net
O1 - Hosts: 62.75.224.159 www.bns8.net
O1 - Hosts: 62.75.224.159 www.cms1.net
O1 - Hosts: 62.75.224.159 www.cms2.net
O1 - Hosts: 62.75.224.159 www.cms3.net
O1 - Hosts: 62.75.224.159 www.cms4.net
O1 - Hosts: 62.75.224.159 www.cms5.net
O1 - Hosts: 62.75.224.159 www.cms6.net
O1 - Hosts: 62.75.224.159 www.cms7.net
O1 - Hosts: 62.75.224.159 www.cms8.net
O1 - Hosts: 62.75.224.159 www.rg1.com
O1 - Hosts: 62.75.224.159 www.rg2.com
O1 - Hosts: 62.75.224.159 www.rg3.com
O1 - Hosts: 62.75.224.159 www.rg4.com
O1 - Hosts: 62.75.224.159 www.rg5.com
O1 - Hosts: 62.75.224.159 www.rg6.com
O1 - Hosts: 62.75.224.159 www.rg7.com
O1 - Hosts: 62.75.224.159 www.rg8.com
O1 - Hosts: 62.75.224.159 jcms.cydoor.com
O1 - Hosts: 62.75.224.159 cydoor.com
O1 - Hosts: 62.75.224.159 jnova.cjt1.net
O1 - Hosts: 62.75.224.159 jcontent.bns1.m7z.net
O1 - Hosts: 62.75.224.159 j.2004CMS.com
O1 - Hosts: 62.75.224.159 2004CMS.com
O1 - Hosts: 62.75.224.159 bns1.m7z.net
O1 - Hosts: 62.75.224.159 m7z.net
O1 - Hosts: 62.75.224.159 jcontent.bns1.net
O1 - Hosts: 62.75.224.159 jbns2.cydoor.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106151126093
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe



It looks like it's been taken care of. And I have not been experiencing the popups or crashes I'd been having before. Thanks for your help, everything seems to be fixed.
  • 0

#11
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Did you put in all those hosts? I don't remember seeing all of them in your previous logs.
  • 0

#12
darkfyre

darkfyre

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I don't know where they came from, or what they're for. In fact, I don't even know what hosts are for. (But I can see where in the HijackThis log you're talking about.)
  • 0

#13
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Download the Hoster from here http://members.aol.c...bee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

Then post a fresh HijackThis log.
  • 0

#14
darkfyre

darkfyre

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I've run that program. Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:27:06 AM, on 3/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\imapi.exe
C:\Documents and Settings\Darkfyre\Desktop\Firefox Downloads\HijackThis.exe

O1 - Hosts: 62.75.224.159 www.bns1.net
O1 - Hosts: 62.75.224.159 www.bns2.net
O1 - Hosts: 62.75.224.159 www.bns3.net
O1 - Hosts: 62.75.224.159 www.bns4.net
O1 - Hosts: 62.75.224.159 www.bns5.net
O1 - Hosts: 62.75.224.159 www.bns6.net
O1 - Hosts: 62.75.224.159 www.bns7.net
O1 - Hosts: 62.75.224.159 www.bns8.net
O1 - Hosts: 62.75.224.159 www.cms1.net
O1 - Hosts: 62.75.224.159 www.cms2.net
O1 - Hosts: 62.75.224.159 www.cms3.net
O1 - Hosts: 62.75.224.159 www.cms4.net
O1 - Hosts: 62.75.224.159 www.cms5.net
O1 - Hosts: 62.75.224.159 www.cms6.net
O1 - Hosts: 62.75.224.159 www.cms7.net
O1 - Hosts: 62.75.224.159 www.cms8.net
O1 - Hosts: 62.75.224.159 www.rg1.com
O1 - Hosts: 62.75.224.159 www.rg2.com
O1 - Hosts: 62.75.224.159 www.rg3.com
O1 - Hosts: 62.75.224.159 www.rg4.com
O1 - Hosts: 62.75.224.159 www.rg5.com
O1 - Hosts: 62.75.224.159 www.rg6.com
O1 - Hosts: 62.75.224.159 www.rg7.com
O1 - Hosts: 62.75.224.159 www.rg8.com
O1 - Hosts: 62.75.224.159 jcms.cydoor.com
O1 - Hosts: 62.75.224.159 cydoor.com
O1 - Hosts: 62.75.224.159 jnova.cjt1.net
O1 - Hosts: 62.75.224.159 jcontent.bns1.m7z.net
O1 - Hosts: 62.75.224.159 j.2004CMS.com
O1 - Hosts: 62.75.224.159 2004CMS.com
O1 - Hosts: 62.75.224.159 bns1.m7z.net
O1 - Hosts: 62.75.224.159 m7z.net
O1 - Hosts: 62.75.224.159 jcontent.bns1.net
O1 - Hosts: 62.75.224.159 jbns2.cydoor.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106151126093
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
  • 0

#15
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Hello

Please look over the Following Entries I have listed, run Hijack This again and check them and then, making sure you have No Internet Explorer Windows open, including this one, Press the "Fix Checked" Button with HijackThis.

Reboot If I have specified below, and Post a Fresh HijackThis log.

O1 - Hosts: 62.75.224.159 www.bns1.net
O1 - Hosts: 62.75.224.159 www.bns2.net
O1 - Hosts: 62.75.224.159 www.bns3.net
O1 - Hosts: 62.75.224.159 www.bns4.net
O1 - Hosts: 62.75.224.159 www.bns5.net
O1 - Hosts: 62.75.224.159 www.bns6.net
O1 - Hosts: 62.75.224.159 www.bns7.net
O1 - Hosts: 62.75.224.159 www.bns8.net
O1 - Hosts: 62.75.224.159 www.cms1.net
O1 - Hosts: 62.75.224.159 www.cms2.net
O1 - Hosts: 62.75.224.159 www.cms3.net
O1 - Hosts: 62.75.224.159 www.cms4.net
O1 - Hosts: 62.75.224.159 www.cms5.net
O1 - Hosts: 62.75.224.159 www.cms6.net
O1 - Hosts: 62.75.224.159 www.cms7.net
O1 - Hosts: 62.75.224.159 www.cms8.net
O1 - Hosts: 62.75.224.159 www.rg1.com
O1 - Hosts: 62.75.224.159 www.rg2.com
O1 - Hosts: 62.75.224.159 www.rg3.com
O1 - Hosts: 62.75.224.159 www.rg4.com
O1 - Hosts: 62.75.224.159 www.rg5.com
O1 - Hosts: 62.75.224.159 www.rg6.com
O1 - Hosts: 62.75.224.159 www.rg7.com
O1 - Hosts: 62.75.224.159 www.rg8.com
O1 - Hosts: 62.75.224.159 jcms.cydoor.com
O1 - Hosts: 62.75.224.159 cydoor.com
O1 - Hosts: 62.75.224.159 jnova.cjt1.net
O1 - Hosts: 62.75.224.159 jcontent.bns1.m7z.net
O1 - Hosts: 62.75.224.159 j.2004CMS.com
O1 - Hosts: 62.75.224.159 2004CMS.com
O1 - Hosts: 62.75.224.159 bns1.m7z.net
O1 - Hosts: 62.75.224.159 m7z.net
O1 - Hosts: 62.75.224.159 jcontent.bns1.net
O1 - Hosts: 62.75.224.159 jbns2.cydoor.com


After this, download and unzip the attached file and save it to
C:\windows\system32\drivers\etc

and when presented with the warning, hit Yes.

Then reboot and post a fresh log.

Edited by Efwis, 01 March 2005 - 06:53 PM.

  • 0
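The O1 entries that Dragon asks to fix above (and the O23 "(file missing)" service from post #9) are the two kinds of HijackThis lines a defender would want to triage automatically. The script below is an added example and is not code from this thread, from HijackThis or from any of the tools mentioned here. It reads HijackThis-style lines, treats a hosts entry as a redirection when its address is anything other than the loopback or unspecified address, groups such redirections by the IP they point to, and reports services whose binary is missing. The sample lines are copied from the logs quoted in this thread; the one `127.0.0.1` entry is constructed to show what a benign ad-blocking hosts entry looks like by contrast. The function and variable names are my own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: lines taken from the HijackThis logs in this thread, plus
# one invented loopback entry (127.0.0.1 ads.example.invalid) for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 62.75.224.159 www.bns1.net
O1 - Hosts: 62.75.224.159 jcms.cydoor.com
O1 - Hosts: 62.75.224.159 cydoor.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

O1_PREFIX = "O1 - Hosts: "
O23_PREFIX = "O23 - Service: "


def parse_o1(line):
    """Return (ip, hostname) for an O1 hosts line, or None for anything else."""
    if not line.startswith(O1_PREFIX):
        return None
    parts = line[len(O1_PREFIX):].split()
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def parse_o23(line):
    """Split an O23 service line into name, owner and path; note a missing binary."""
    if not line.startswith(O23_PREFIX):
        return None
    fields = line[len(O23_PREFIX):].split(" - ", 2)
    if len(fields) != 3:
        return None
    name, owner, path = fields
    missing = path.endswith("(file missing)")
    return {
        "name": name,
        "owner": owner,
        "path": path.replace("(file missing)", "").strip(),
        "file_missing": missing,
    }


def redirects_to_remote(ip):
    """True when a hosts entry sends a name anywhere other than the local machine.

    Loopback (127.x) and unspecified (0.0.0.0) targets are the normal way to block a
    host; a public address like 62.75.224.159 silently rewrites name resolution.
    A string that is not an address at all is treated as suspicious, not ignored.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not (addr.is_loopback or addr.is_unspecified)


def triage(log_text):
    """Group redirecting hosts entries by target IP and list services with no binary."""
    redirects = defaultdict(list)
    loopback_entries = []
    missing_services = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_o1(line)
        if entry:
            ip, host = entry
            if redirects_to_remote(ip):
                redirects[ip].append(host)
            else:
                loopback_entries.append(host)
            continue
        svc = parse_o23(line)
        if svc and svc["file_missing"]:
            missing_services.append(svc["name"])
    return {
        "redirects": dict(redirects),
        "loopback_entries": loopback_entries,
        "missing_services": missing_services,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, hosts in report["redirects"].items():
        print(f"{len(hosts)} hosts entries redirect to {ip}: {', '.join(hosts)}")
    for name in report["missing_services"]:
        print(f"service with missing binary: {name}")
```

Run against the full log from post #14, it reports one IP carrying every O1 entry, which is the pattern Dragon spotted by eye: many unrelated names pinned to one public address is a hosts-file hijack, not user-made blocking. The matching fix is the one given in the thread: replace `C:\windows\system32\drivers\etc\hosts` with a clean copy, whose only required line on Windows XP is `127.0.0.1 localhost`.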



