Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Runtime Error! Please Help

Started by maverick32 , Mar 16 2005 02:26 AM

Please log in to reply

#16
don77

Posted 18 April 2005 - 07:56 PM

Malware Expert

Retired Staff
18,526 posts

Hi Markus,
Very sorry about that,,, I don't even want to explain, :tazz:

Anyway what I need you to do is,

Good deal on the Admin logs,

Now on this one i need you to go to Add/Remove programs and look for and remove
WhenU save or Savenow, and anything else you don't recogonize.

Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

O4 - HKCU\..\Run: [ClockSync] D:\PROGRA~1\CLOCKS~1\Sync.exe /q

Next Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD

D:\PROGRA~1\CLOCKS~1\Sync.exe

Restart your computer,

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first.
Now run a scan with it please, Have it fix all it finds,

Restart your computer, Restart HJT
Post back a fresh log please from the current user your working under now

#17
maverick32

Posted 18 April 2005 - 11:23 PM

Member

Topic Starter
Member
15 posts

Hi Don,

things kind a got worse... when I logged back in under the Admin account it started installing some software (I believe virtual bouncer being one of them)...
I went on and followed your directions...

I have a general question... would it be best to clean the Admin account first or would it best to clean up the infected user account first???

in any way here is the hijackThis log from the user account:
Logfile of HijackThis v1.99.1
Scan saved at 10:16:36 PM, on 4/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\Explorer.EXE
D:\WINNT\system32\rundll32.exe
D:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
J:\quicktime_win2000\qttask.exe
D:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
D:\Documents and Settings\burki\n20050308.EXE
D:\WINNT\system32\internat.exe
D:\Program Files\Messenger\msmsgs.exe
J:\SierraImaging\Image Expert\IXApplet.exe
D:\Program Files\Iomega\Tools\IMGICON.EXE
H:\Palm\hotsync.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\WINNT\Downloaded Program Files\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - D:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\winnt\downloaded program files\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DeluxeCD] D:\WINNT\System32\cdplayer.exe -tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "J:\quicktime_win2000\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] J:\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] d:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [tsvcin] D:\Documents and Settings\burki\n20050308.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MSMSGS] D:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [AIM] H:\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = H:\Palm\hotsync.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Camio Viewer.lnk = J:\SierraImaging\Image Expert\IXApplet.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = D:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O4 - Global Startup: Iomega Icons.lnk = D:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Iomega Startup Options.lnk = D:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = D:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuikSync.lnk = D:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O8 - Extra context menu item: &Google Search - res://d:\winnt\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\winnt\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\winnt\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\winnt\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\winnt\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - H:\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - H:\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .asx: H:\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: H:\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {8433A16D-1B78-11D4-8006-00D0B725EB0B} (Yahoo! FinanceVision (History)) - http://dl1.yahoo.com/dl/fv/fv.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn....ior/Outside.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.c.../zoomify305.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - D:\WINNT\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - D:\WINNT\System32\hserver.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - J:\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - D:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Iomega Corporation - D:\WINNT\System32\ZipToA.exe

#18
don77

Posted 19 April 2005 - 08:51 AM

Malware Expert

Retired Staff
18,526 posts

Please Download
Silent Runners
Please create a folder for it please, Then double click on the program, It will save a notebook file in the same folder, Open that, copy, paste the log back to this thread please

#19
maverick32

Posted 19 April 2005 - 10:12 AM

Member

Topic Starter
Member
15 posts

under which account??? Admin or user account??? or does it matter???

#20
don77

Posted 19 April 2005 - 10:20 AM

Malware Expert

Retired Staff
18,526 posts

Admin will be fine

#21
maverick32

Posted 19 April 2005 - 10:17 PM

Member

Topic Starter
Member
15 posts

I ran Silent Runners and got this output:
"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"MSMSGS" = "D:\Program Files\Messenger\msmsgs.exe /background" [MS]
"NvMediaCenter" = "RUNDLL32.EXE D:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"POINTER" = "point32.exe" [MS]
"DeluxeCD" = "D:\WINNT\System32\cdplayer.exe -tray" [MS]
"NvCplDaemon" = "RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"TkBellExe" = ""D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""J:\quicktime_win2000\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = "J:\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"VSOCheckTask" = ""d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask" ["Networks Associates Technology, Inc"]
"VirusScan Online" = ""d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"" ["Networks Associates Technology, Inc"]
"MCAgentExe" = "d:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "D:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"MPFExe" = "D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"tsvcin" = "D:\Documents and Settings\burki\n20050308.EXE" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{c7745760-8ead-11ce-b750-02608ca5202c}" = "IomegaWare for Windows NT"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Iomega\Iomegaware\IMGMENU.dll" ["Iomega Corp."]
"{c7745761-8ead-11ce-b750-02608ca5202c}" = "IomegaWare for Windows NT"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Iomega\Iomegaware\Imgprop.Dll" ["Iomega Corp."]
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}" = "Registered ActiveX Controls"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{D545EBD1-BD92-11CF-8772-00A0C9039735}" = "Developer Studio Components"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{E0D79300-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "H:\WinZip\wzshlext.dll" [null data]
"{E0D79301-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "H:\WinZip\wzshlext.dll" [null data]
"{E0D79302-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "H:\WinZip\wzshlext.dll" [null data]
"{f802f260-519b-11d1-bb5d-0060974c6013}" = "ICQ Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "H:\ICQ\ICQShell.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "H:\WinRAR\rarext.dll" [null data]
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" = "ShimLayer Property Page"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\apppatch\slayerui.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{0A205B4C-E796-4C64-8CD2-AFBA4D412EE5}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\system32\cprtmgr.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "NVDESK32.DLL" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! application/x-icq\CLSID = "{db40c160-09a1-11d3-baf2-000000000000}"
-> {CLSID}\InProcServer32\(Default) = "H:\ICQ\IExplorerMime.dll" [empty string]

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "D:\WINNT\system32\ssflwbox.scr" [MS]

Startup items in "charlie" & "All Users" startup folders:
---------------------------------------------------------

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader.exe" -> shortcut to: "D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Camio Viewer" -> shortcut to: "J:\SierraImaging\Image Expert\IXApplet.exe" ["Sierra Imaging"]
"Iomega Backup Scheduler" -> shortcut to: "D:\Program Files\Iomega\Iomega Backup\dtiom98.exe /sc" ["Iomega Corporation"]
"Iomega Icons" -> shortcut to: "D:\Program Files\Iomega\Tools\IMGICON.EXE" ["Iomega Corp."]
"Iomega Startup Options" -> shortcut to: "D:\Program Files\Iomega\Tools\IMGSTART.EXE" ["Iomega Corporation"]
"IomegaWare" -> shortcut to: "D:\Program Files\Iomega\Iomegaware\COMMANDER.EXE /startup" [empty string]
"Microsoft Office" -> shortcut to: "D:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"QuikSync" -> shortcut to: "D:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE NoStartUp" ["Iomega"]

Enabled Scheduled Tasks:
------------------------

"McAfee.com Update Check (TRINITY-burki)" -> launches: "D:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"]
"McAfee.com Update Check (TRINITY-charlie)" -> launches: "D:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "d:\winnt\downloaded program files\googletoolbar2.dll" ["Google Inc."]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {CLSID}\(Default) = "Yahoo! Companion"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\Downloaded Program Files\ycomp5_1_6_0.dll" ["Yahoo! Inc."]

"{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}"
-> {CLSID}\(Default) = "REALBAR"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll" ["Visicom Media"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {CLSID}\(Default) = "Yahoo! Companion"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\Downloaded Program Files\ycomp5_1_6_0.dll" ["Yahoo! Inc."]

"{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}"
-> {CLSID}\(Default) = "REALBAR"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll" ["Visicom Media"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "d:\winnt\downloaded program files\googletoolbar2.dll" ["Google Inc."]

"{BA52B914-B692-46C4-B683-905236F6F655}"
-> {CLSID}\(Default) = "McAfee VirusScan"
-> {CLSID}\InProcServer32\(Default) = "d:\progra~1\mcafee.com\vso\mcvsshl.dll" ["Networks Associates Technology, Inc"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "H:\YAHOO!\MESSEN~1\YPAGER.EXE" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "D:\Program Files\Messenger\MSMSGS.EXE" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Houdini License Client, HoudiniServer, "D:\WINNT\System32\hserver.exe" ["Side Effects Software Inc."]
Houdini License Server, HoudiniLicenseServer, "D:\WINNT\System32\sesinetd.exe" ["Side Effects Software Inc."]
McAfee Personal Firewall Service, MpfService, "D:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe" ["McAfee Corporation"]
McAfee.com McShield, McShield, "d:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["Network Associates, Inc."]
McAfee.com VirusScan Online Realtime Engine, MCVSRte, "d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding" ["Networks Associates Technology, Inc"]
NVIDIA Display Driver Service, NVSvc, "D:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Simple TCP/IP Services, SimpTcp, "D:\WINNT\System32\tcpsvcs.exe" [MS]
SNMP Service, SNMP, "D:\WINNT\System32\snmp.exe" [MS]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

#22
don77

Posted 20 April 2005 - 09:23 PM

Malware Expert

Retired Staff
18,526 posts

Do the following under the Admin account please
Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#23
maverick32

Posted 20 April 2005 - 11:54 PM

Member

Topic Starter
Member
15 posts

here is the log:
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A2405B60-738C-A9E1-E6B7-B9B5D2C24358}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{c7745760-8ead-11ce-b750-02608ca5202c}"="IomegaWare for Windows NT"
"{c7745761-8ead-11ce-b750-02608ca5202c}"="IomegaWare for Windows NT"
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}"="Registered ActiveX Controls"
"{D545EBD1-BD92-11CF-8772-00A0C9039735}"="Developer Studio Components"
"{E0D79300-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79301-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79302-84BE-11CE-9641-444553540000}"="WinZip"
"{c2c1d8a0-016a-11d1-a7fa-444553540000}"="Shell Extension Sample"
"{f802f260-519b-11d1-bb5d-0060974c6013}"="ICQ Shell Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="ShimLayer Property Page"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{0A205B4C-E796-4C64-8CD2-AFBA4D412EE5}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0A205B4C-E796-4C64-8CD2-AFBA4D412EE5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0A205B4C-E796-4C64-8CD2-AFBA4D412EE5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0A205B4C-E796-4C64-8CD2-AFBA4D412EE5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0A205B4C-E796-4C64-8CD2-AFBA4D412EE5}\InprocServer32]
@="D:\\WINNT\\system32\\cprtmgr.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

D:\WINNT\SYSTEM32\
bx549.dll Mon Mar 14 2005 9:34:56p ..S.R 232,736 227.28 K
cjcui.dll Tue Mar 15 2005 12:35:18p ..S.R 233,248 227.78 K
ckral.dll Thu Mar 10 2005 1:34:12a ..S.R 232,736 227.28 K
cprtmgr.dll Tue Mar 15 2005 12:35:12p ..S.R 233,248 227.78 K
ctmsnap.dll Thu Mar 10 2005 8:19:12a ..S.R 232,736 227.28 K
ddd9.dll Thu Mar 10 2005 8:19:30a ..S.R 232,736 227.28 K
dgghelp.dll Thu Mar 10 2005 1:34:40a ..S.R 232,736 227.28 K
dhvxc32f.dll Thu Mar 10 2005 8:19:50a ..S.R 232,736 227.28 K
dodiagn.dll Sun Mar 13 2005 9:34:26a ..S.R 232,736 227.28 K
dsrgres.dll Sun Mar 13 2005 9:33:54a ..S.R 232,736 227.28 K
dusenh.dll Thu Mar 10 2005 1:35:10a ..S.R 232,736 227.28 K
dyusic.dll Mon Apr 18 2005 7:55:36a ..S.R 233,248 227.78 K
fcxshell.dll Thu Mar 10 2005 8:20:22a ..S.R 232,736 227.28 K
gaedit.dll Thu Mar 10 2005 1:29:06a ..S.R 232,736 227.28 K
ibqsock.dll Thu Mar 10 2005 8:20:48a ..S.R 232,736 227.28 K
igl_gif.dll Tue Mar 15 2005 10:03:26p ..S.R 233,248 227.78 K
igsperf.dll Thu Mar 10 2005 8:27:20a ..S.R 232,736 227.28 K
iml_png.dll Wed Mar 16 2005 12:57:20a ..S.R 233,248 227.78 K
ipqcprt.dll Thu Mar 10 2005 1:35:42a ..S.R 232,736 227.28 K
iteshare.dll Tue Apr 12 2005 11:17:18p ..S.R 233,248 227.78 K
ius.dll Wed Apr 13 2005 7:38:58a ..S.R 233,248 227.78 K
izetcplc.dll Thu Mar 10 2005 1:35:56a ..S.R 232,736 227.28 K
jkproxy.dll Thu Mar 10 2005 1:36:16a ..S.R 232,736 227.28 K
joeg1x32.dll Tue Mar 15 2005 12:31:00a ..S.R 232,736 227.28 K
khdbr.dll Mon Apr 18 2005 10:12:56p ..S.R 233,248 227.78 K
lccalui.dll Thu Mar 10 2005 8:28:20a ..S.R 232,736 227.28 K
mbvcp60.dll Thu Mar 10 2005 8:29:26a ..S.R 232,736 227.28 K
mcgdmgr.dll Tue Feb 15 2005 11:34:18a A.... 277,616 271.11 K
mcinsctl.dll Mon Mar 7 2005 3:05:30p A.... 341,568 333.56 K
mdidlpm.dll Mon Apr 18 2005 9:21:16p ..S.R 233,248 227.78 K
mlxoci.dll Sun Mar 13 2005 9:30:14a ..S.R 232,736 227.28 K
mpvcp50.dll Thu Mar 10 2005 8:22:38a ..S.R 232,736 227.28 K
mshtml.dll Thu Jan 27 2005 4:35:12p A.... 2,806,272 2.68 M
mtxbde40.dll Mon Mar 14 2005 9:38:26p ..S.R 232,736 227.28 K
mvencode.dll Thu Mar 10 2005 8:28:56a ..S.R 232,736 227.28 K
mxt2fw95.dll Tue Mar 15 2005 11:09:26p ..S.R 233,248 227.78 K
nmtid.dll Mon Apr 18 2005 9:48:08p ..S.R 233,248 227.78 K
npwrssv.dll Tue Mar 15 2005 11:04:20p ..S.R 233,248 227.78 K
ocslb400.dll Mon Mar 14 2005 8:46:40a ..S.R 232,736 227.28 K
ooesvr32.dll Thu Mar 10 2005 1:25:42a ..S.R 232,736 227.28 K
oxbcjt32.dll Thu Mar 10 2005 1:25:32a ..S.R 232,736 227.28 K
qmsf.dll Thu Mar 10 2005 8:17:04a ..S.R 232,736 227.28 K
qyjava~1.dll Tue Mar 15 2005 11:29:00p ..S.R 233,248 227.78 K
sacpack.dll Tue Mar 15 2005 12:34:16a ..S.R 232,736 227.28 K
slclient.dll Sat Apr 2 2005 9:48:40a ..S.R 233,248 227.78 K
sxclient.dll Sat Mar 19 2005 9:44:30a ..S.R 233,248 227.78 K
tffflt.dll Mon Apr 18 2005 9:36:52p ..... 233,248 227.78 K
uhandlg.dll Thu Mar 10 2005 8:24:52a ..S.R 232,736 227.28 K
wxnhttp.dll Tue Mar 15 2005 12:34:54a ..S.R 232,736 227.28 K

49 items found: 49 files (45 H/S), 0 directories.
Total of file sizes: 14,139,504 bytes 13.48 M
Locate .tmp files:

D:\WINNT\SYSTEM32\
guard.tmp Thu Mar 10 2005 8:30:26a ..S.R 232,736 227.28 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 232,736 bytes 227.28 K
**********************************************************************************
Directory Listing of system files:
Volume in drive D is Win2k
Volume Serial Number is 74F5-16A2

Directory of D:\WINNT\System32

04/18/2005 10:12p 233,248 khdbr.dll
04/18/2005 09:48p 233,248 nmtid.dll
04/18/2005 09:21p 233,248 mdidlpm.dll
04/18/2005 07:55a 233,248 dyusic.dll
04/13/2005 07:38a 233,248 ius.dll
04/12/2005 11:17p 233,248 iteshare.dll
04/02/2005 09:48a 233,248 slclient.dll
03/19/2005 09:44a 233,248 sxclient.dll
03/16/2005 12:57a 233,248 iml_png.dll
03/15/2005 11:28p 233,248 QYJavaNative.dll
03/15/2005 11:09p 233,248 MXT2FW95.DLL
03/15/2005 11:04p 233,248 npwrssv.dll
03/15/2005 10:03p 233,248 igl_gif.dll
03/15/2005 12:35p 233,248 cjcui.dll
03/15/2005 12:35p 233,248 cprtmgr.dll
03/15/2005 12:34a 232,736 wxnhttp.dll
03/15/2005 12:34a 232,736 sacpack.dll
03/15/2005 12:30a 232,736 joeg1x32.dll
03/14/2005 09:38p 232,736 mtxbde40.dll
03/14/2005 09:34p 232,736 bx549.dll
03/14/2005 08:46a 232,736 ocslb400.dll
03/14/2005 08:37a <DIR> dllcache
03/13/2005 09:34a 232,736 dodiagn.dll
03/13/2005 09:33a 232,736 dsrgres.dll
03/13/2005 09:30a 232,736 mlxoci.dll
03/10/2005 08:30a 232,736 guard.tmp
03/10/2005 08:29a 232,736 mbvcp60.dll
03/10/2005 08:28a 232,736 mvencode.dll
03/10/2005 08:28a 232,736 lccalui.dll
03/10/2005 08:27a 232,736 iGsperf.dll
03/10/2005 08:24a 232,736 uhandlg.dll
03/10/2005 08:22a 232,736 mpvcp50.dll
03/10/2005 08:20a 232,736 ibqsock.dll
03/10/2005 08:20a 232,736 fCxshell.dll
03/10/2005 08:19a 232,736 DhvXc32f.dll
03/10/2005 08:19a 232,736 dDd9.dll
03/10/2005 08:19a 232,736 ctmsnap.dll
03/10/2005 08:17a 232,736 qMsf.dll
03/10/2005 01:36a 232,736 jkproxy.dll
03/10/2005 01:35a 232,736 izetcplc.dll
03/10/2005 01:35a 232,736 ipqcprt.dll
03/10/2005 01:35a 232,736 dusenh.dll
03/10/2005 01:34a 232,736 dgghelp.dll
03/10/2005 01:34a 232,736 ckral.dll
03/10/2005 01:29a 232,736 gaedit.dll
03/10/2005 01:25a 232,736 ooesvr32.dll
03/10/2005 01:25a 232,736 oxbcjt32.dll
46 File(s) 10,713,536 bytes
1 Dir(s) 419,049,472 bytes free

#24
don77

Posted 21 April 2005 - 04:24 AM

Malware Expert

Retired Staff
18,526 posts

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. :tazz:

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

#25
maverick32

Posted 21 April 2005 - 09:27 AM

Member

Topic Starter
Member
15 posts

After running l2mfix and rebooting I got a pop-up window about "Windows File Protection" asking me the following:
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files.
Insert your Windows 2000 Professional CD.

What shall I do???

here is the log from l2mfix:
L2Mfix 1.03

Running From:
D:\Documents and Settings\Administrator\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

D:\Documents and Settings\Administrator\Desktop\l2mfix
System Rebooted!

Running From:
D:\Documents and Settings\Administrator\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1144 'explorer.exe'
Killing PID 1144 'explorer.exe'
Error 0x5 : Access is denied.

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1516 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: D:\WINNT\system32\bx549.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\cjcui.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\ckral.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\cprtmgr.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\ctmsnap.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\dDd9.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\dgghelp.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\DhvXc32f.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\dodiagn.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\dsrgres.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\dusenh.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\dyusic.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\fCxshell.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\gaedit.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\ibqsock.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\igl_gif.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\iGsperf.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\iml_png.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\ipqcprt.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\iteshare.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\ius.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\izetcplc.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\jkproxy.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\joeg1x32.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\khdbr.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\lccalui.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\mbvcp60.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\mdidlpm.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\mlxoci.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\mpvcp50.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\mtxbde40.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\mvencode.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\MXT2FW95.DLL
1 file(s) copied.
Backing Up: D:\WINNT\system32\nmtid.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\npwrssv.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\ocslb400.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\ooesvr32.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\oxbcjt32.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\qMsf.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\QYJavaNative.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\sacpack.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\slclient.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\sxclient.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\tffflt.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\uhandlg.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\wxnhttp.dll
1 file(s) copied.
Backing Up: D:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: D:\WINNT\system32\bx549.dll
Successfully Deleted: D:\WINNT\system32\bx549.dll
deleting: D:\WINNT\system32\cjcui.dll
Successfully Deleted: D:\WINNT\system32\cjcui.dll
deleting: D:\WINNT\system32\ckral.dll
Successfully Deleted: D:\WINNT\system32\ckral.dll
deleting: D:\WINNT\system32\cprtmgr.dll
Successfully Deleted: D:\WINNT\system32\cprtmgr.dll
deleting: D:\WINNT\system32\ctmsnap.dll
Successfully Deleted: D:\WINNT\system32\ctmsnap.dll
deleting: D:\WINNT\system32\dDd9.dll
Successfully Deleted: D:\WINNT\system32\dDd9.dll
deleting: D:\WINNT\system32\dgghelp.dll
Successfully Deleted: D:\WINNT\system32\dgghelp.dll
deleting: D:\WINNT\system32\DhvXc32f.dll
Successfully Deleted: D:\WINNT\system32\DhvXc32f.dll
deleting: D:\WINNT\system32\dodiagn.dll
Successfully Deleted: D:\WINNT\system32\dodiagn.dll
deleting: D:\WINNT\system32\dsrgres.dll
Successfully Deleted: D:\WINNT\system32\dsrgres.dll
deleting: D:\WINNT\system32\dusenh.dll
Successfully Deleted: D:\WINNT\system32\dusenh.dll
deleting: D:\WINNT\system32\dyusic.dll
Successfully Deleted: D:\WINNT\system32\dyusic.dll
deleting: D:\WINNT\system32\fCxshell.dll
Successfully Deleted: D:\WINNT\system32\fCxshell.dll
deleting: D:\WINNT\system32\gaedit.dll
Successfully Deleted: D:\WINNT\system32\gaedit.dll
deleting: D:\WINNT\system32\ibqsock.dll
Successfully Deleted: D:\WINNT\system32\ibqsock.dll
deleting: D:\WINNT\system32\igl_gif.dll
Successfully Deleted: D:\WINNT\system32\igl_gif.dll
deleting: D:\WINNT\system32\iGsperf.dll
Successfully Deleted: D:\WINNT\system32\iGsperf.dll
deleting: D:\WINNT\system32\iml_png.dll
Successfully Deleted: D:\WINNT\system32\iml_png.dll
deleting: D:\WINNT\system32\ipqcprt.dll
Successfully Deleted: D:\WINNT\system32\ipqcprt.dll
deleting: D:\WINNT\system32\iteshare.dll
Successfully Deleted: D:\WINNT\system32\iteshare.dll
deleting: D:\WINNT\system32\ius.dll
Successfully Deleted: D:\WINNT\system32\ius.dll
deleting: D:\WINNT\system32\izetcplc.dll
Successfully Deleted: D:\WINNT\system32\izetcplc.dll
deleting: D:\WINNT\system32\jkproxy.dll
Successfully Deleted: D:\WINNT\system32\jkproxy.dll
deleting: D:\WINNT\system32\joeg1x32.dll
Successfully Deleted: D:\WINNT\system32\joeg1x32.dll
deleting: D:\WINNT\system32\khdbr.dll
Successfully Deleted: D:\WINNT\system32\khdbr.dll
deleting: D:\WINNT\system32\lccalui.dll
Successfully Deleted: D:\WINNT\system32\lccalui.dll
deleting: D:\WINNT\system32\mbvcp60.dll
Successfully Deleted: D:\WINNT\system32\mbvcp60.dll
deleting: D:\WINNT\system32\mdidlpm.dll
Successfully Deleted: D:\WINNT\system32\mdidlpm.dll
deleting: D:\WINNT\system32\mlxoci.dll
Successfully Deleted: D:\WINNT\system32\mlxoci.dll
deleting: D:\WINNT\system32\mpvcp50.dll
Successfully Deleted: D:\WINNT\system32\mpvcp50.dll
deleting: D:\WINNT\system32\mtxbde40.dll
Successfully Deleted: D:\WINNT\system32\mtxbde40.dll
deleting: D:\WINNT\system32\mvencode.dll
Successfully Deleted: D:\WINNT\system32\mvencode.dll
deleting: D:\WINNT\system32\MXT2FW95.DLL
Successfully Deleted: D:\WINNT\system32\MXT2FW95.DLL
deleting: D:\WINNT\system32\nmtid.dll
Successfully Deleted: D:\WINNT\system32\nmtid.dll
deleting: D:\WINNT\system32\npwrssv.dll
Successfully Deleted: D:\WINNT\system32\npwrssv.dll
deleting: D:\WINNT\system32\ocslb400.dll
Successfully Deleted: D:\WINNT\system32\ocslb400.dll
deleting: D:\WINNT\system32\ooesvr32.dll
Successfully Deleted: D:\WINNT\system32\ooesvr32.dll
deleting: D:\WINNT\system32\oxbcjt32.dll
Successfully Deleted: D:\WINNT\system32\oxbcjt32.dll
deleting: D:\WINNT\system32\qMsf.dll
Successfully Deleted: D:\WINNT\system32\qMsf.dll
deleting: D:\WINNT\system32\QYJavaNative.dll
Successfully Deleted: D:\WINNT\system32\QYJavaNative.dll
deleting: D:\WINNT\system32\sacpack.dll
Successfully Deleted: D:\WINNT\system32\sacpack.dll
deleting: D:\WINNT\system32\slclient.dll
Successfully Deleted: D:\WINNT\system32\slclient.dll
deleting: D:\WINNT\system32\sxclient.dll
Successfully Deleted: D:\WINNT\system32\sxclient.dll
deleting: D:\WINNT\system32\tffflt.dll
Successfully Deleted: D:\WINNT\system32\tffflt.dll
deleting: D:\WINNT\system32\uhandlg.dll
Successfully Deleted: D:\WINNT\system32\uhandlg.dll
deleting: D:\WINNT\system32\wxnhttp.dll
Successfully Deleted: D:\WINNT\system32\wxnhttp.dll
deleting: D:\WINNT\system32\guard.tmp
Successfully Deleted: D:\WINNT\system32\guard.tmp

Zipping up files for submission:
adding: bx549.dll (152 bytes security) (deflated 4%)
adding: cjcui.dll (152 bytes security) (deflated 4%)
adding: ckral.dll (152 bytes security) (deflated 4%)
adding: cprtmgr.dll (152 bytes security) (deflated 4%)
adding: ctmsnap.dll (152 bytes security) (deflated 4%)
adding: dDd9.dll (152 bytes security) (deflated 4%)
adding: dgghelp.dll (152 bytes security) (deflated 4%)
adding: DhvXc32f.dll (152 bytes security) (deflated 4%)
adding: dodiagn.dll (152 bytes security) (deflated 4%)
adding: dsrgres.dll (152 bytes security) (deflated 4%)
adding: dusenh.dll (152 bytes security) (deflated 4%)
adding: dyusic.dll (152 bytes security) (deflated 4%)
adding: fCxshell.dll (152 bytes security) (deflated 4%)
adding: gaedit.dll (152 bytes security) (deflated 4%)
adding: ibqsock.dll (152 bytes security) (deflated 4%)
adding: igl_gif.dll (152 bytes security) (deflated 4%)
adding: iGsperf.dll (152 bytes security) (deflated 4%)
adding: iml_png.dll (152 bytes security) (deflated 4%)
adding: ipqcprt.dll (152 bytes security) (deflated 4%)
adding: iteshare.dll (152 bytes security) (deflated 4%)
adding: ius.dll (152 bytes security) (deflated 4%)
adding: izetcplc.dll (152 bytes security) (deflated 4%)
adding: jkproxy.dll (152 bytes security) (deflated 4%)
adding: joeg1x32.dll (152 bytes security) (deflated 4%)
adding: khdbr.dll (152 bytes security) (deflated 4%)
adding: lccalui.dll (152 bytes security) (deflated 4%)
adding: mbvcp60.dll (152 bytes security) (deflated 4%)
adding: mdidlpm.dll (152 bytes security) (deflated 4%)
adding: mlxoci.dll (152 bytes security) (deflated 4%)
adding: mpvcp50.dll (152 bytes security) (deflated 4%)
adding: mtxbde40.dll (152 bytes security) (deflated 4%)
adding: mvencode.dll (152 bytes security) (deflated 4%)
adding: MXT2FW95.DLL (152 bytes security) (deflated 4%)
adding: nmtid.dll (152 bytes security) (deflated 4%)
adding: npwrssv.dll (152 bytes security) (deflated 4%)
adding: ocslb400.dll (152 bytes security) (deflated 4%)
adding: ooesvr32.dll (152 bytes security) (deflated 4%)
adding: oxbcjt32.dll (152 bytes security) (deflated 4%)
adding: qMsf.dll (152 bytes security) (deflated 4%)
adding: QYJavaNative.dll (152 bytes security) (deflated 4%)
adding: sacpack.dll (152 bytes security) (deflated 4%)
adding: slclient.dll (152 bytes security) (deflated 4%)
adding: sxclient.dll (152 bytes security) (deflated 4%)
adding: tffflt.dll (152 bytes security) (deflated 4%)
adding: uhandlg.dll (152 bytes security) (deflated 4%)
adding: wxnhttp.dll (152 bytes security) (deflated 4%)
adding: guard.tmp (152 bytes security) (deflated 4%)
adding: clear.reg (152 bytes security) (deflated 22%)
adding: echo.reg (152 bytes security) (deflated 10%)
adding: direct.txt (152 bytes security) (stored 0%)
adding: lo2.txt (152 bytes security) (deflated 86%)
adding: readme.txt (152 bytes security) (deflated 49%)
adding: report.txt (152 bytes security) (deflated 69%)
adding: test.txt (152 bytes security) (deflated 83%)
adding: test2.txt (152 bytes security) (stored 0%)
adding: test3.txt (152 bytes security) (stored 0%)
adding: test5.txt (152 bytes security) (stored 0%)
adding: xfind.txt (152 bytes security) (deflated 77%)
adding: backregs/0A205B4C-E796-4C64-8CD2-AFBA4D412EE5.reg (152 bytes security) (deflated 70%)
adding: backregs/shell.reg (152 bytes security) (deflated 74%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: bx549.dll
deleting local copy: cjcui.dll
deleting local copy: ckral.dll
deleting local copy: cprtmgr.dll
deleting local copy: ctmsnap.dll
deleting local copy: dDd9.dll
deleting local copy: dgghelp.dll
deleting local copy: DhvXc32f.dll
deleting local copy: dodiagn.dll
deleting local copy: dsrgres.dll
deleting local copy: dusenh.dll
deleting local copy: dyusic.dll
deleting local copy: fCxshell.dll
deleting local copy: gaedit.dll
deleting local copy: ibqsock.dll
deleting local copy: igl_gif.dll
deleting local copy: iGsperf.dll
deleting local copy: iml_png.dll
deleting local copy: ipqcprt.dll
deleting local copy: iteshare.dll
deleting local copy: ius.dll
deleting local copy: izetcplc.dll
deleting local copy: jkproxy.dll
deleting local copy: joeg1x32.dll
deleting local copy: khdbr.dll
deleting local copy: lccalui.dll
deleting local copy: mbvcp60.dll
deleting local copy: mdidlpm.dll
deleting local copy: mlxoci.dll
deleting local copy: mpvcp50.dll
deleting local copy: mtxbde40.dll
deleting local copy: mvencode.dll
deleting local copy: MXT2FW95.DLL
deleting local copy: nmtid.dll
deleting local copy: npwrssv.dll
deleting local copy: ocslb400.dll
deleting local copy: ooesvr32.dll
deleting local copy: oxbcjt32.dll
deleting local copy: qMsf.dll
deleting local copy: QYJavaNative.dll
deleting local copy: sacpack.dll
deleting local copy: slclient.dll
deleting local copy: sxclient.dll
deleting local copy: tffflt.dll
deleting local copy: uhandlg.dll
deleting local copy: wxnhttp.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
****************************************************************************
D:\WINNT\system32\bx549.dll
D:\WINNT\system32\cjcui.dll
D:\WINNT\system32\ckral.dll
D:\WINNT\system32\cprtmgr.dll
D:\WINNT\system32\ctmsnap.dll
D:\WINNT\system32\dDd9.dll
D:\WINNT\system32\dgghelp.dll
D:\WINNT\system32\DhvXc32f.dll
D:\WINNT\system32\dodiagn.dll
D:\WINNT\system32\dsrgres.dll
D:\WINNT\system32\dusenh.dll
D:\WINNT\system32\dyusic.dll
D:\WINNT\system32\fCxshell.dll
D:\WINNT\system32\gaedit.dll
D:\WINNT\system32\ibqsock.dll
D:\WINNT\system32\igl_gif.dll
D:\WINNT\system32\iGsperf.dll
D:\WINNT\system32\iml_png.dll
D:\WINNT\system32\ipqcprt.dll
D:\WINNT\system32\iteshare.dll
D:\WINNT\system32\ius.dll
D:\WINNT\system32\izetcplc.dll
D:\WINNT\system32\jkproxy.dll
D:\WINNT\system32\joeg1x32.dll
D:\WINNT\system32\khdbr.dll
D:\WINNT\system32\lccalui.dll
D:\WINNT\system32\mbvcp60.dll
D:\WINNT\system32\mdidlpm.dll
D:\WINNT\system32\mlxoci.dll
D:\WINNT\system32\mpvcp50.dll
D:\WINNT\system32\mtxbde40.dll
D:\WINNT\system32\mvencode.dll
D:\WINNT\system32\MXT2FW95.DLL
D:\WINNT\system32\nmtid.dll
D:\WINNT\system32\npwrssv.dll
D:\WINNT\system32\ocslb400.dll
D:\WINNT\system32\ooesvr32.dll
D:\WINNT\system32\oxbcjt32.dll
D:\WINNT\system32\qMsf.dll
D:\WINNT\system32\QYJavaNative.dll
D:\WINNT\system32\sacpack.dll
D:\WINNT\system32\slclient.dll
D:\WINNT\system32\sxclient.dll
D:\WINNT\system32\tffflt.dll
D:\WINNT\system32\uhandlg.dll
D:\WINNT\system32\wxnhttp.dll
D:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{0A205B4C-E796-4C64-8CD2-AFBA4D412EE5}"=-
[-HKEY_CLASSES_ROOT\CLSID\{0A205B4C-E796-4C64-8CD2-AFBA4D412EE5}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
here is the log from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 8:21:29 AM, on 04/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\System32\sesinetd.exe
D:\WINNT\System32\hserver.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\tcpsvcs.exe
D:\WINNT\System32\snmp.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\Microsoft Hardware\Mouse\point32.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
J:\quicktime_win2000\qttask.exe
J:\iTunes\iTunesHelper.exe
D:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
J:\iPod\bin\iPodService.exe
d:\program files\mcafee.com\agent\mcagent.exe
D:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
D:\Documents and Settings\burki\n20050308.EXE
D:\WINNT\system32\internat.exe
D:\Program Files\Messenger\msmsgs.exe
J:\SierraImaging\Image Expert\IXApplet.exe
D:\Program Files\Iomega\Tools\IMGICON.EXE
D:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\WINNT\explorer.exe
D:\WINNT\system32\wuauclt.exe
D:\WINNT\system32\NOTEPAD.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINNT\explorer.exe
D:\Program Files\Hijack This\HijackThis.exe

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\WINNT\Downloaded Program Files\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - D:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\winnt\downloaded program files\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DeluxeCD] D:\WINNT\System32\cdplayer.exe -tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "J:\quicktime_win2000\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] J:\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [tsvcin] D:\Documents and Settings\burki\n20050308.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MSMSGS] D:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Camio Viewer.lnk = J:\SierraImaging\Image Expert\IXApplet.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = D:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O4 - Global Startup: Iomega Icons.lnk = D:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Iomega Startup Options.lnk = D:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = D:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuikSync.lnk = D:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - H:\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - H:\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .asx: H:\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: H:\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {8433A16D-1B78-11D4-8006-00D0B725EB0B} (Yahoo! FinanceVision (History)) - http://dl1.yahoo.com/dl/fv/fv.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn....ior/Outside.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.c.../zoomify305.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - D:\WINNT\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - D:\WINNT\System32\hserver.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - J:\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - D:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Iomega Corporation - D:\WINNT\System32\ZipToA.exe

#26
don77

Posted 22 April 2005 - 07:26 PM

Malware Expert

Retired Staff
18,526 posts

Hi maverick32
Still having a problem with "Windows File Protection" ?

Please set your system to show
all files; please see here if you're unsure how to do this.
Close all programs leaving only HijackThis running. Place a check mark next to the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [tsvcin] D:\Documents and Settings\burki\n20050308.EXE

Click on Fix Checked when finished and exit HijackThis.
Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

D:\Documents and Settings\burki\n20050308.EXE
Exit Explorer, and reboot as normal afterwards.

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
D:\Documents and Settings\burki\n20050308.EXE
The program will ask you if you want to reboot; say Yes.

Let the system reboot.

Post back a fresh HijackThis log and we will take another look.

#27
maverick32

Posted 24 April 2005 - 11:43 AM

Member

Topic Starter
Member
15 posts

Hi Don,
I successfully deleted the file and no longer get the "Windows File Protection" message... here is the new Hijack Log:
Logfile of HijackThis v1.99.1
Scan saved at 10:39:18 AM, on 04/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\System32\sesinetd.exe
D:\WINNT\System32\hserver.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\tcpsvcs.exe
D:\WINNT\System32\snmp.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\WINNT\System32\svchost.exe
J:\quicktime_win2000\qttask.exe
J:\iTunes\iTunesHelper.exe
D:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\WINNT\system32\internat.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINNT\system32\RUNDLL32.EXE
J:\iPod\bin\iPodService.exe
J:\SierraImaging\Image Expert\IXApplet.exe
D:\Program Files\Iomega\Tools\IMGICON.EXE
D:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\WINNT\explorer.exe
D:\Program Files\Hijack This\HijackThis.exe
D:\WINNT\system32\wuauclt.exe

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\WINNT\Downloaded Program Files\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - D:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\winnt\downloaded program files\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DeluxeCD] D:\WINNT\System32\cdplayer.exe -tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "J:\quicktime_win2000\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] J:\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MSMSGS] D:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Camio Viewer.lnk = J:\SierraImaging\Image Expert\IXApplet.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = D:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O4 - Global Startup: Iomega Icons.lnk = D:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Iomega Startup Options.lnk = D:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = D:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuikSync.lnk = D:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - H:\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - H:\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .asx: H:\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: H:\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {8433A16D-1B78-11D4-8006-00D0B725EB0B} (Yahoo! FinanceVision (History)) - http://dl1.yahoo.com/dl/fv/fv.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn....ior/Outside.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.c.../zoomify305.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - D:\WINNT\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - D:\WINNT\System32\hserver.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - J:\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - D:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Iomega Corporation - D:\WINNT\System32\ZipToA.exe

#28
don77

Posted 24 April 2005 - 11:49 AM

Malware Expert

Retired Staff
18,526 posts

Great News ! maverick32
Looks clean
How is it running now ?

Please use the following suggestion to help prevent reinfection

Download the following program, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster

Keep Ad-aware and Spybot handy, Check them for updates prior to running and run them weekly
Same with your Anti Virus,

For an added check run an online virus scan, you can use one of the 2 below,
TrendMicro's HouseCall
ActiveScan

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program
Download and install Cleanup
Run "Cleanup" and when it has finished, Reboot

Remeber to Check Windows for updates

#29
maverick32

Posted 24 April 2005 - 11:54 AM

Member

Topic Starter
Member
15 posts

I also noticed a suspicous file:
D:\Documents and Settings\burki\MTE1Mzc6ODoxMg.exe

and did a little bit of research and it appears that might be a malicious virus... any idea how to deal with this???

#30
don77

Posted 24 April 2005 - 12:03 PM

Malware Expert

Retired Staff
18,526 posts

Yep, Needs to go
Reboot to safe mode serach for and delete it,

Next -
Please run these two online scans. Make sure they are set to clean automatically:

TrendMicro's HouseCall
ActiveScan

You should try to delete any files that these scanners are unable to clean. Make sure you check the 'Disinfect automatically' option in Active scan, and check the “Auto Clean” option in TrendMicro, Then let us know if its working better and what the scans found.

Let us know what they find