
Hijack this log... Vx2.Look2Me [RESOLVED]


  • This topic is locked

#1
JDawG161

JDawG161

    Member

  • Member
  • PipPip
  • 14 posts
Followed all the steps on the You_Must_Read_This_Before_Posting_A_Hijackthis_Logit

And just about everything else, and I still get popups
One is always at the URL www.loadingwebsite.com......YYY85.html

Something keeps downloading more adware and trojans to my PC

CWS finds Vx2 but does not remove it. VX2finder doesn't find Vx2. Tried everything... Please help!

Logfile of HijackThis v1.99.1
Scan saved at 10:55:49 PM, on 6/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\misc\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uscc.com/...uscellular.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uscc.com/...uscellular.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINNT\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://encarta.msn.c...al/MSSurVid.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Reinstall - C:\WINNT\system32\fp6q03j5e.dll
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Edited by JDawG161, 22 June 2005 - 10:25 AM.

  • 0

#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello :tazz:

Sorry for the delayed response, it has been very busy lately.

Please post a new Hijack log in this
thread and I will help you.

Thanks
  • 0

#3
JDawG161

JDawG161

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi :tazz: Thank you very much for your help!

In case it helps, most of the popup URLs are similar to

http://www.loadingwe...rmal/yyy99.html

Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 12:29:37 PM, on 6/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\misc\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uscc.com/...uscellular.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uscc.com/...uscellular.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINNT\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://encarta.msn.c...al/MSSurVid.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...fault/shapo.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINNT\system32\m0460ahsed460.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hey JDawG161 ;)

Let's get you fixed up :tazz:

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Thanks
  • 0

#5
JDawG161

JDawG161

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Here ya go:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\wgd_ci.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{00F77D94-8A5D-7E74-2C9A-81196C3EA7CB}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}"="Nokia Phone Browser"
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}"="Contact View"
"{78261BF4-36D6-4627-85F9-39B156682795}"="DDE Control Module"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{330417E8-EF62-4047-82BE-D8305CEFF572}"="AMEncShlExt extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{FF81843D-039E-4A2F-BC55-7BAEB05FC573}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FF81843D-039E-4A2F-BC55-7BAEB05FC573}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{FF81843D-039E-4A2F-BC55-7BAEB05FC573}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FF81843D-039E-4A2F-BC55-7BAEB05FC573}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FF81843D-039E-4A2F-BC55-7BAEB05FC573}\InprocServer32]
@="C:\\WINNT\\system32\\wgd_ci.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
aatapi.dll Sun Jun 19 2005 11:34:40a ..S.R 234,784 229.28 K
amdcxc32.dll Tue Jun 21 2005 8:14:12p ..S.R 233,487 228.01 K
browseui.dll Mon May 2 2005 3:52:34p A.... 1,019,904 996.00 K
cdfview.dll Mon May 2 2005 3:52:34p A.... 151,040 147.50 K
dumap.dll Wed Jun 22 2005 12:11:52p ..S.R 233,830 228.35 K
fp0s03~1.dll Thu Jun 23 2005 7:34:56p ..S.R 235,273 229.76 K
hhsetup.dll Thu May 26 2005 9:04:28p A.... 41,472 40.50 K
hkink.dll Mon Jun 20 2005 9:10:58p ..S.R 235,667 230.14 K
iepeers.dll Mon May 2 2005 3:52:34p A.... 250,880 245.00 K
inseng.dll Mon May 2 2005 3:52:34p A.... 96,256 94.00 K
itircl.dll Thu May 26 2005 9:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 9:04:28p A.... 137,216 134.00 K
kcdsg.dll Tue Jun 21 2005 7:14:50p ..S.R 235,223 229.71 K
kwdit.dll Mon Jun 20 2005 10:42:32p ..... 233,361 227.89 K
lcaut13n.dll Thu Jun 16 2005 7:08:00p ..S.R 234,784 229.28 K
lrdwf13n.dll Sun Jun 19 2005 10:08:06p ..S.R 234,894 229.39 K
m0460a~1.dll Thu Jun 23 2005 1:41:30p ..S.R 234,570 229.07 K
mapx16w6.dll Sat May 21 2005 1:43:46p A.... 4,810 4.70 K
mfglibnt.dll Tue Jun 21 2005 8:02:20p ..S.R 235,925 230.39 K
mhcertui.dll Sun Jun 19 2005 10:32:12p ..S.R 233,550 228.07 K
mjieftp.dll Fri Jun 17 2005 8:57:28a ..S.R 236,656 231.11 K
mntlsapi.dll Wed Jun 22 2005 12:15:34p ..S.R 234,533 229.04 K
mshtml.dll Mon May 2 2005 3:52:36p A.... 3,012,608 2.87 M
mshtmled.dll Mon May 2 2005 3:52:36p A.... 448,512 438.00 K
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
msrating.dll Mon May 2 2005 3:52:36p A.... 146,432 143.00 K
msvos.dll Tue Apr 26 2005 1:32:44p A.... 114,688 112.00 K
photom~1.dll Sun Apr 10 2005 10:15:24a A.... 201,728 197.00 K
pngfilt.dll Mon May 2 2005 3:52:36p A.... 39,424 38.50 K
pwrfproc.dll Sun Jun 19 2005 10:18:18p ..S.R 234,894 229.39 K
qksname.dll Tue Jun 21 2005 7:56:20p ..S.R 233,658 228.18 K
rcsdlg.dll Thu Jun 23 2005 7:34:56p ..S.R 234,570 229.07 K
shdocvw.dll Mon May 2 2005 3:52:36p A.... 1,483,776 1.41 M
shlwapi.dll Mon May 2 2005 3:52:36p A.... 473,600 462.50 K
sqmpapi.dll Sun Jun 19 2005 8:47:54p ..S.R 235,927 230.39 K
sqndmail.dll Wed Jun 22 2005 12:40:18p ..... 232,821 227.36 K
sznceng.dll Mon Jun 20 2005 10:38:48p ..S.R 233,221 227.75 K
ugerenv.dll Sun Jun 19 2005 10:27:10p ..S.R 235,926 230.39 K
urlmon.dll Mon May 2 2005 3:52:36p A.... 607,744 593.50 K
vsdata.dll Tue Apr 19 2005 6:05:10p A.... 75,528 73.76 K
vsinit.dll Tue Apr 19 2005 6:05:22p A.... 124,680 121.76 K
vsmonapi.dll Tue Apr 19 2005 6:05:30p A.... 108,296 105.76 K
vspubapi.dll Tue Apr 19 2005 6:05:34p A.... 198,408 193.76 K
vsregexp.dll Tue Apr 19 2005 6:05:38p A.... 71,432 69.76 K
vsutil.dll Tue Apr 19 2005 6:05:50p A.... 354,056 345.76 K
vsxml.dll Tue Apr 19 2005 6:06:00p A.... 100,096 97.75 K
wgd_ci.dll Fri Jun 24 2005 2:36:38p A.... 234,272 228.78 K
wininet.dll Mon May 2 2005 3:52:36p A.... 657,920 642.50 K
winsusrm.dll Thu Jun 23 2005 11:14:56a A.... 264 0.26 K
wustream.dll Mon Jun 20 2005 5:05:04p ..S.R 235,667 230.14 K
xesp3res.dll Wed Jun 22 2005 12:34:08p ..S.R 236,724 231.18 K
xpsp3res.dll Mon May 16 2005 7:25:36p ..... 15,360 15.00 K
xwsp3res.dll Mon Jun 20 2005 4:50:02p ..S.R 234,164 228.68 K
zlcomm.dll Tue Apr 19 2005 6:06:20p A.... 75,528 73.76 K
zlcommdb.dll Tue Apr 19 2005 6:06:24p A.... 67,336 65.76 K

55 items found: 55 files (22 H/S), 0 directories.
Total of file sizes: 18,992,751 bytes 18.11 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
guard.tmp Fri Jun 24 2005 2:37:12p A.... 234,608 229.11 K

1 item found: 1 file, 0 directories.
Total of file sizes: 234,608 bytes 229.11 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 8477-C8AA

Directory of C:\WINNT\System32

06/23/2005 07:34 PM 234,570 rCsdlg.dll
06/23/2005 07:34 PM 235,273 fp0s03d7e.dll
06/23/2005 01:41 PM 234,570 m0460ahsed460.dll
06/22/2005 12:34 PM 236,724 xesp3res.dll
06/22/2005 12:15 PM 234,533 mntlsapi.dll
06/22/2005 12:11 PM 233,830 dumap.dll
06/21/2005 08:14 PM 233,487 AMDCXC32.DLL
06/21/2005 08:02 PM 235,925 mfglibnt.dll
06/21/2005 07:56 PM 233,658 qksname.dll
06/21/2005 07:14 PM 235,223 kcdsg.dll
06/20/2005 10:38 PM 233,221 sznceng.dll
06/20/2005 09:10 PM 235,667 hkink.dll
06/20/2005 05:05 PM 235,667 wustream.dll
06/20/2005 04:50 PM 234,164 xwsp3res.dll
06/19/2005 10:32 PM 233,550 mhcertui.dll
06/19/2005 10:27 PM 235,926 ugerenv.dll
06/19/2005 10:18 PM 234,894 pwrfproc.dll
06/19/2005 10:08 PM 234,894 LRDWF13N.DLL
06/19/2005 08:47 PM 235,927 sqmpapi.dll
06/19/2005 05:33 PM <DIR> dllcache
06/19/2005 11:34 AM 234,784 aatapi.dll
06/17/2005 08:57 AM 236,656 mjieftp.dll
06/16/2005 07:07 PM 234,784 LCAUT13n.dll
01/30/2005 05:46 PM 38,912 Thumbs.db
12/17/2004 10:36 AM 224,366 dnns0157e.dll
12/15/2004 04:00 PM 225,416 h0n0la5m1d.dll
12/15/2004 01:41 PM 225,963 ktrql7951.dll
12/08/2004 05:26 PM 223,799 cym.dll
12/07/2004 07:16 PM 225,658 l4j80e1ueh.dll
12/07/2004 07:11 PM 222,974 gplql3351.dll
12/07/2004 06:45 PM 225,596 o2ns0c57ef.dll
12/07/2004 06:39 PM 225,705 dn6801jue.dll
12/07/2004 06:24 PM 224,847 o2nslc571f.dll
12/01/2004 09:11 PM 224,844 dqrpsetu.dll
12/01/2004 03:13 PM 225,095 gp68l3ju1.dll
12/01/2004 02:57 PM 223,844 j2j60c1sef.dll
06/03/2004 04:38 PM 71 SYSDRVREB.SYS
05/12/2003 10:40 AM <DIR> Microsoft
11/01/2002 02:06 PM 32 {C1248350-C897-4F83-9123-E8EDC393A253}.dat
37 File(s) 7,905,049 bytes
2 Dir(s) 21,146,025,984 bytes free
  • 0
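The listing above is what L2MFix's first pass produces, and the randomly named DLLs in it share two traits that set them apart from the legitimate system32 files around them: the System and Read-only attributes set together, and sizes that all fall within a few kilobytes of each other. As an added example (not part of the thread, of L2MFix or of HijackThis), here is a Python script that parses that listing format and applies both checks; the sample lines are constructed from entries visible in the thread, and the tolerance and minimum-cluster thresholds are assumptions chosen for this listing.

```python
"""Triage an L2MFix system32 listing for Look2Me-style dropper files.

Added example; not code from the thread, from L2MFix or from HijackThis.
L2MFix prints each file as: name, timestamp, a five-character attribute
column (A = archive, S = system, R = read-only; the other positions are not
relied on here), the byte size and the KB size. Two heuristics that the
thread's own listing illustrates are applied:

  1. files carrying both the System and Read-only flags (..S.R), which the
     dropper sets and ordinary system32 DLLs do not;
  2. a dense cluster of files with nearly identical sizes, which is what one
     payload written under many random names leaves behind, and which also
     catches copies whose attributes were left alone (wgd_ci.dll below).

SAMPLE_LISTING is constructed from lines visible in the thread.
"""
import re

SAMPLE_LISTING = """\
ugerenv.dll Sun Jun 19 2005 10:27:10p ..S.R 235,926 230.39 K
urlmon.dll Mon May 2 2005 3:52:36p A.... 607,744 593.50 K
vsdata.dll Tue Apr 19 2005 6:05:10p A.... 75,528 73.76 K
wgd_ci.dll Fri Jun 24 2005 2:36:38p A.... 234,272 228.78 K
wininet.dll Mon May 2 2005 3:52:36p A.... 657,920 642.50 K
wustream.dll Mon Jun 20 2005 5:05:04p ..S.R 235,667 230.14 K
xesp3res.dll Wed Jun 22 2005 12:34:08p ..S.R 236,724 231.18 K
xpsp3res.dll Mon May 16 2005 7:25:36p ..... 15,360 15.00 K
xwsp3res.dll Mon Jun 20 2005 4:50:02p ..S.R 234,164 228.68 K
zlcomm.dll Tue Apr 19 2005 6:06:20p A.... 75,528 73.76 K
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<stamp>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>[\d,]+)\b"
)


def parse_listing(text):
    """Return one dict per parsable line; headers and totals are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "name": m.group("name"),
                "stamp": m.group("stamp"),
                "attrs": m.group("attrs"),
                "size": int(m.group("size").replace(",", "")),
            })
    return entries


def flag_system_readonly(entries):
    """Names of files with both the System and Read-only attribute flags set."""
    return [e["name"] for e in entries if "S" in e["attrs"] and "R" in e["attrs"]]


def size_cluster(entries, tolerance=0.02, min_members=3):
    """Names of files that have at least min_members files (themselves included)
    within +/- tolerance of their own size. Thresholds are assumptions chosen
    for this listing, not values published by L2MFix."""
    flagged = set()
    for e in entries:
        lo, hi = e["size"] * (1 - tolerance), e["size"] * (1 + tolerance)
        near = [o["name"] for o in entries if lo <= o["size"] <= hi]
        if len(near) >= min_members:
            flagged.update(near)
    return sorted(flagged)


def triage(text):
    """Both heuristics plus their union, so each can be judged on its own."""
    entries = parse_listing(text)
    by_attr = flag_system_readonly(entries)
    by_size = size_cluster(entries)
    return {
        "system_readonly": by_attr,
        "size_cluster": by_size,
        "suspects": sorted(set(by_attr) | set(by_size)),
    }


if __name__ == "__main__":
    for label, names in triage(SAMPLE_LISTING).items():
        print(f"{label}: {', '.join(names)}")
```

Run as-is it prints the three lists. Note that wgd_ci.dll carries only the Archive attribute and is caught by the size heuristic alone, which agrees with L2MFix later removing it; xpsp3res.dll, the legitimate file whose name the droppers imitate, is flagged by neither. Treat the output as a candidate list to check against a known-clean machine of the same build, not as proof that a file is malicious.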

#6
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hey JDawG161 :tazz:

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. ;)

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Thanks
  • 0

#7
JDawG161

JDawG161

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
:tazz: I regret to inform you that I have worse problems now. I had to lower the defenses on the computer to download the l2mfix (Zone Alarm was being stubborn), and somehow a virus or trojan got in and corrupted the winnt\system32\config\system file, and what seems to be the registry as well. The computer reset itself and wouldn't boot all the way. I tried to fix it, but now I can't even see the hard drive unless I use a boot disk and run an NTFS reader. It doesn't do me any good since it only reads the drive and doesn't write to it.

The goal was to copy the SYSTEM, SAM, SECURITY, and DEFAULT files from another identical computer and replace them and hope that it worked. At one point, we had it booting almost all the way, but it would come back with an LSASS.exe error saying that the password didn't match. My problems would all be solved if I had the XP Pro CD, which I can't locate currently. So I am stuck for fixes, unless you can suggest something. (It was so close to being fixed!!!)

What a mess!

If you can't offer any more assistance for now I can understand. Please let me know, and thanks for your time.
  • 0

#8
Murray S.

Murray S.

    Trusted Tech

  • Member
  • PipPipPipPipPipPipPip
  • 4,513 posts
  • MVP
Howdy:

Loophole asked me to take a look at your current problem so they can continue with the malware removal..

Based on what is happening, I strongly suggest you get an XP CD in order to be able to boot into the Recovery Console.. Yours would be best, but a friend's will do, as all you will be doing is running the Repair option from it..

Murray
  • 0

#9
JDawG161

JDawG161

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Will an XP Home edition work? I have got plenty of those.
  • 0

#10
Murray S.

Murray S.

    Trusted Tech

  • Member
  • PipPipPipPipPipPipPip
  • 4,513 posts
  • MVP
Nope.. not if you're running XP Pro!!

Murray
  • 0

#11
JDawG161

JDawG161

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I figured as much. Ok, I am working on finding a copy to use. Can you tell me the steps I will need to take to get back on my feet once I have it? Thank you very much for your help.
  • 0

#12
JDawG161

JDawG161

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
OK, without the CD I managed to get the computer to boot into Windows, though the display looks like safe mode; it appears that the drivers are not being seen. The mouse and keyboard stop working after the initial BIOS screen (as soon as XP steps in). Seems like the registry was corrupted. Any idea on how to fix that? Registry Mechanic made a backup of the registry, but without Windows I wouldn't know how to manually re-enter that.

So close yet so far.
  • 0

#13
Murray S.

Murray S.

    Trusted Tech

  • Member
  • PipPipPipPipPipPipPip
  • 4,513 posts
  • MVP
With the XP cd you can get into the Recovery Console.. from there you can run a scanreg /restore..

Murray
  • 0

#14
JDawG161

JDawG161

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Windows is up and running and here is the l2mfix log:

L2Mfix 1.03

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Administrator\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1460 'explorer.exe'
Killing PID 1460 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\aatapi.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\AMDCXC32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\cym.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dn6801jue.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dnns0157e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dqrpsetu.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dumap.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fp0s03d7e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\gp68l3ju1.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\gplql3351.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\h0n0la5m1d.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\hkink.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\j2j60c1sef.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kcdsg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ktrql7951.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kwdit.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\l4j80e1ueh.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\LCAUT13n.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\LRDWF13N.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\m0460ahsed460.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mfglibnt.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mhcertui.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mjieftp.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mntlsapi.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\o2ns0c57ef.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\o2nslc571f.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\pwrfproc.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\qksname.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rCsdlg.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sqmpapi.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sqndmail.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sznceng.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ugerenv.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wgd_ci.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wustream.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\xesp3res.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\xwsp3res.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\aatapi.dll
Successfully Deleted: C:\WINNT\system32\aatapi.dll
deleting: C:\WINNT\system32\AMDCXC32.DLL
Successfully Deleted: C:\WINNT\system32\AMDCXC32.DLL
deleting: C:\WINNT\system32\cym.dll
Successfully Deleted: C:\WINNT\system32\cym.dll
deleting: C:\WINNT\system32\dn6801jue.dll
Successfully Deleted: C:\WINNT\system32\dn6801jue.dll
deleting: C:\WINNT\system32\dnns0157e.dll
Successfully Deleted: C:\WINNT\system32\dnns0157e.dll
deleting: C:\WINNT\system32\dqrpsetu.dll
Successfully Deleted: C:\WINNT\system32\dqrpsetu.dll
deleting: C:\WINNT\system32\dumap.dll
Successfully Deleted: C:\WINNT\system32\dumap.dll
deleting: C:\WINNT\system32\fp0s03d7e.dll
Successfully Deleted: C:\WINNT\system32\fp0s03d7e.dll
deleting: C:\WINNT\system32\gp68l3ju1.dll
Successfully Deleted: C:\WINNT\system32\gp68l3ju1.dll
deleting: C:\WINNT\system32\gplql3351.dll
Successfully Deleted: C:\WINNT\system32\gplql3351.dll
deleting: C:\WINNT\system32\h0n0la5m1d.dll
Successfully Deleted: C:\WINNT\system32\h0n0la5m1d.dll
deleting: C:\WINNT\system32\hkink.dll
Successfully Deleted: C:\WINNT\system32\hkink.dll
deleting: C:\WINNT\system32\j2j60c1sef.dll
Successfully Deleted: C:\WINNT\system32\j2j60c1sef.dll
deleting: C:\WINNT\system32\kcdsg.dll
Successfully Deleted: C:\WINNT\system32\kcdsg.dll
deleting: C:\WINNT\system32\ktrql7951.dll
Successfully Deleted: C:\WINNT\system32\ktrql7951.dll
deleting: C:\WINNT\system32\kwdit.dll
Successfully Deleted: C:\WINNT\system32\kwdit.dll
deleting: C:\WINNT\system32\l4j80e1ueh.dll
Successfully Deleted: C:\WINNT\system32\l4j80e1ueh.dll
deleting: C:\WINNT\system32\LCAUT13n.dll
Successfully Deleted: C:\WINNT\system32\LCAUT13n.dll
deleting: C:\WINNT\system32\LRDWF13N.DLL
Successfully Deleted: C:\WINNT\system32\LRDWF13N.DLL
deleting: C:\WINNT\system32\m0460ahsed460.dll
Successfully Deleted: C:\WINNT\system32\m0460ahsed460.dll
deleting: C:\WINNT\system32\mfglibnt.dll
Successfully Deleted: C:\WINNT\system32\mfglibnt.dll
deleting: C:\WINNT\system32\mhcertui.dll
Successfully Deleted: C:\WINNT\system32\mhcertui.dll
deleting: C:\WINNT\system32\mjieftp.dll
Successfully Deleted: C:\WINNT\system32\mjieftp.dll
deleting: C:\WINNT\system32\mntlsapi.dll
Successfully Deleted: C:\WINNT\system32\mntlsapi.dll
deleting: C:\WINNT\system32\o2ns0c57ef.dll
Successfully Deleted: C:\WINNT\system32\o2ns0c57ef.dll
deleting: C:\WINNT\system32\o2nslc571f.dll
Successfully Deleted: C:\WINNT\system32\o2nslc571f.dll
deleting: C:\WINNT\system32\pwrfproc.dll
Successfully Deleted: C:\WINNT\system32\pwrfproc.dll
deleting: C:\WINNT\system32\qksname.dll
Successfully Deleted: C:\WINNT\system32\qksname.dll
deleting: C:\WINNT\system32\rCsdlg.dll
Successfully Deleted: C:\WINNT\system32\rCsdlg.dll
deleting: C:\WINNT\system32\sqmpapi.dll
Successfully Deleted: C:\WINNT\system32\sqmpapi.dll
deleting: C:\WINNT\system32\sqndmail.dll
Successfully Deleted: C:\WINNT\system32\sqndmail.dll
deleting: C:\WINNT\system32\sznceng.dll
Successfully Deleted: C:\WINNT\system32\sznceng.dll
deleting: C:\WINNT\system32\ugerenv.dll
Successfully Deleted: C:\WINNT\system32\ugerenv.dll
deleting: C:\WINNT\system32\wgd_ci.dll
Successfully Deleted: C:\WINNT\system32\wgd_ci.dll
deleting: C:\WINNT\system32\wustream.dll
Successfully Deleted: C:\WINNT\system32\wustream.dll
deleting: C:\WINNT\system32\xesp3res.dll
Successfully Deleted: C:\WINNT\system32\xesp3res.dll
deleting: C:\WINNT\system32\xwsp3res.dll
Successfully Deleted: C:\WINNT\system32\xwsp3res.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp


Zipping up files for submission:
adding: aatapi.dll (164 bytes security) (deflated 4%)
adding: AMDCXC32.DLL (164 bytes security) (deflated 4%)
adding: cym.dll (164 bytes security) (deflated 4%)
adding: dn6801jue.dll (164 bytes security) (deflated 5%)
adding: dnns0157e.dll (164 bytes security) (deflated 4%)
adding: dqrpsetu.dll (164 bytes security) (deflated 4%)
adding: dumap.dll (164 bytes security) (deflated 4%)
adding: fp0s03d7e.dll (164 bytes security) (deflated 5%)
adding: gp68l3ju1.dll (164 bytes security) (deflated 4%)
adding: gplql3351.dll (164 bytes security) (deflated 3%)
adding: h0n0la5m1d.dll (164 bytes security) (deflated 4%)
adding: hkink.dll (164 bytes security) (deflated 5%)
adding: j2j60c1sef.dll (164 bytes security) (deflated 4%)
adding: kcdsg.dll (164 bytes security) (deflated 5%)
adding: ktrql7951.dll (164 bytes security) (deflated 5%)
adding: kwdit.dll (164 bytes security) (deflated 4%)
adding: l4j80e1ueh.dll (164 bytes security) (deflated 5%)
adding: LCAUT13n.dll (164 bytes security) (deflated 4%)
adding: LRDWF13N.DLL (164 bytes security) (deflated 4%)
adding: m0460ahsed460.dll (164 bytes security) (deflated 5%)
adding: mfglibnt.dll (164 bytes security) (deflated 5%)
adding: mhcertui.dll (164 bytes security) (deflated 4%)
adding: mjieftp.dll (164 bytes security) (deflated 5%)
adding: mntlsapi.dll (164 bytes security) (deflated 5%)
adding: o2ns0c57ef.dll (164 bytes security) (deflated 4%)
adding: o2nslc571f.dll (164 bytes security) (deflated 4%)
adding: pwrfproc.dll (164 bytes security) (deflated 4%)
adding: qksname.dll (164 bytes security) (deflated 4%)
adding: rCsdlg.dll (164 bytes security) (deflated 5%)
adding: sqmpapi.dll (164 bytes security) (deflated 5%)
adding: sqndmail.dll (164 bytes security) (deflated 4%)
adding: sznceng.dll (164 bytes security) (deflated 4%)
adding: ugerenv.dll (164 bytes security) (deflated 5%)
adding: wgd_ci.dll (164 bytes security) (deflated 4%)
adding: wustream.dll (164 bytes security) (deflated 5%)
adding: xesp3res.dll (164 bytes security) (deflated 6%)
adding: xwsp3res.dll (164 bytes security) (deflated 5%)
adding: guard.tmp (164 bytes security) (deflated 4%)
adding: clear.reg (164 bytes security) (deflated 2%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 85%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 66%)
adding: test.txt (164 bytes security) (deflated 81%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 75%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: aatapi.dll
deleting local copy: AMDCXC32.DLL
deleting local copy: cym.dll
deleting local copy: dn6801jue.dll
deleting local copy: dnns0157e.dll
deleting local copy: dqrpsetu.dll
deleting local copy: dumap.dll
deleting local copy: fp0s03d7e.dll
deleting local copy: gp68l3ju1.dll
deleting local copy: gplql3351.dll
deleting local copy: h0n0la5m1d.dll
deleting local copy: hkink.dll
deleting local copy: j2j60c1sef.dll
deleting local copy: kcdsg.dll
deleting local copy: ktrql7951.dll
deleting local copy: kwdit.dll
deleting local copy: l4j80e1ueh.dll
deleting local copy: LCAUT13n.dll
deleting local copy: LRDWF13N.DLL
deleting local copy: m0460ahsed460.dll
deleting local copy: mfglibnt.dll
deleting local copy: mhcertui.dll
deleting local copy: mjieftp.dll
deleting local copy: mntlsapi.dll
deleting local copy: o2ns0c57ef.dll
deleting local copy: o2nslc571f.dll
deleting local copy: pwrfproc.dll
deleting local copy: qksname.dll
deleting local copy: rCsdlg.dll
deleting local copy: sqmpapi.dll
deleting local copy: sqndmail.dll
deleting local copy: sznceng.dll
deleting local copy: ugerenv.dll
deleting local copy: wgd_ci.dll
deleting local copy: wustream.dll
deleting local copy: xesp3res.dll
deleting local copy: xwsp3res.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINNT\system32\aatapi.dll
C:\WINNT\system32\AMDCXC32.DLL
C:\WINNT\system32\cym.dll
C:\WINNT\system32\dn6801jue.dll
C:\WINNT\system32\dnns0157e.dll
C:\WINNT\system32\dqrpsetu.dll
C:\WINNT\system32\dumap.dll
C:\WINNT\system32\fp0s03d7e.dll
C:\WINNT\system32\gp68l3ju1.dll
C:\WINNT\system32\gplql3351.dll
C:\WINNT\system32\h0n0la5m1d.dll
C:\WINNT\system32\hkink.dll
C:\WINNT\system32\j2j60c1sef.dll
C:\WINNT\system32\kcdsg.dll
C:\WINNT\system32\ktrql7951.dll
C:\WINNT\system32\kwdit.dll
C:\WINNT\system32\l4j80e1ueh.dll
C:\WINNT\system32\LCAUT13n.dll
C:\WINNT\system32\LRDWF13N.DLL
C:\WINNT\system32\m0460ahsed460.dll
C:\WINNT\system32\mfglibnt.dll
C:\WINNT\system32\mhcertui.dll
C:\WINNT\system32\mjieftp.dll
C:\WINNT\system32\mntlsapi.dll
C:\WINNT\system32\o2ns0c57ef.dll
C:\WINNT\system32\o2nslc571f.dll
C:\WINNT\system32\pwrfproc.dll
C:\WINNT\system32\qksname.dll
C:\WINNT\system32\rCsdlg.dll
C:\WINNT\system32\sqmpapi.dll
C:\WINNT\system32\sqndmail.dll
C:\WINNT\system32\sznceng.dll
C:\WINNT\system32\ugerenv.dll
C:\WINNT\system32\wgd_ci.dll
C:\WINNT\system32\wustream.dll
C:\WINNT\system32\xesp3res.dll
C:\WINNT\system32\xwsp3res.dll
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************



Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:56:23 PM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\misc\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uscellular.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.uscellular.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uscellular.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: TBT Popup Blocker - {3950E0E8-58DC-467E-9EE4-21A0E0B142C4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ShowBarObj Class - {79A002FB-C126-462D-B4A7-81D6B42D1666} - F:\BIZZZZ\New Folder\Traffic_Toolbar\ShowMyBar.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: StockBar Class - {07A3D336-90D3-4C90-922D-7257D56434BF} - F:\BIZZZZ\New Folder\Traffic_Toolbar\htmlbar.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Traffic Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Traffic Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)



Thanks a bunch!!
  • 0
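L2MFix ends its log with an export of the Winlogon\Notify key because that is the key from which Winlogon loads notification DLLs at every logon, which is where this adware family registers itself (the O20 line in the HijackThis log reports the same key). As an added example, not code from the thread or from L2MFix, here is a Python script that parses such a "Windows Registry Editor Version 5.00" export, decodes the hex(2) DllName values, and lists subkeys whose DLL is not in a baseline. SAMPLE_EXPORT and BASELINE are constructed from the cleaned export posted above; the example_notify subkey pointing at kwdit.dll (a file L2MFix removed) is a constructed suspect, not an entry from a real export.

```python
"""Audit a Winlogon\\Notify registry export for unexpected notification DLLs.

Added example; not code from the thread or from L2MFix. Winlogon loads every
DLL registered under HKLM\\...\\Winlogon\\Notify at logon, which is why the
Look2Me family registers its DLL there. L2MFix prints the key as a "Windows
Registry Editor Version 5.00" export, with REG_EXPAND_SZ values shown as
hex(2) UTF-16LE byte lists wrapped with trailing backslashes. SAMPLE_EXPORT
and BASELINE are built from the thread's cleaned export; the final subkey
(example_notify -> kwdit.dll, a file L2MFix removed) is a constructed suspect.
"""
import re

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample in the format L2MFix prints; see the docstring.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DLLName"="igfxsrvc.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_notify]
"DllName"="C:\\WINNT\\system32\\kwdit.dll"
"""

# Bare DLL names seen in the thread's cleaned export; a real baseline should be
# captured from a known-clean machine of the same Windows build.
BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "igfxsrvc.dll",
            "wlnotify.dll", "sclgntfy.dll"}


def decode_value(value):
    """Decode one .reg value: "string", dword:hex, or hex(type):byte,list."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if value.startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", value)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return value


def parse_reg(text):
    """Map each [key] to a dict of its values; joins backslash-continued lines."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\") and "=hex" in line:  # wrapped hex byte list
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        keys[current][name.strip('"')] = decode_value(value)
    return keys


def notify_entries(keys, root=NOTIFY_ROOT):
    """(subkey, dll) for every Notify subkey with a DllName/DLLName value."""
    prefix = root.lower() + "\\"
    out = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if isinstance(dll, str):
            out.append((key[len(prefix):], dll))
    return out


def audit_notify(text, baseline=BASELINE):
    """Notify entries whose DLL basename is not in the baseline."""
    findings = []
    for subkey, dll in notify_entries(parse_reg(text)):
        if dll.rsplit("\\", 1)[-1].lower() not in baseline:
            findings.append((subkey, dll))
    return findings
```

Registry value names are case-insensitive, which is why the lookup accepts both the `DllName` and `DLLName` spellings that appear in the export above. A finding means only that the DLL is outside the baseline; the file itself still has to be examined, and the baseline is best taken from a clean install of the same Windows build rather than from this thread.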

#15
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
:tazz: Didn't know if I would hear from you again. Nice job, and thanks again to Murray S.

Ok, your log looks pretty good, a couple of things to fix, but I need you to run one of these scans to clean up some of the junk your infection leaves behind.

Run this online virus scan:
ActiveScan; if that won't work, try this one: Kaspersky OnLine Scan

Copy the results of the ActiveScan or the Kaspersky and paste them here with a new hijack log.
  • 0