Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

My Log files (Hijack This, Panda and Ewido) [CLOSED]


  • This topic is locked This topic is locked

#1
Katyara

Katyara

    New Member

  • Member
  • Pip
  • 4 posts
I reading through other people's issues that were similar to my own I took it upon myself to try some of the same maneuvers to fix my Spy/mal ware issues. I'm posting my HijackThis, Panda and Ewido logs for some personalized help becuase I'm still having some problems with random pop-ups. Many thanks in advance to any assistance.

HijackThis
>>
Logfile of HijackThis v1.99.1
Scan saved at 11:55:29 AM, on 7/7/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cusrvc.exe
C:\Program Files\USBancorp\USBancorp VPN Client\cvpnd.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
H:\HP\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
E:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINNT\system32\dpmw32.exe
H:\HP\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\system32\NWTRAY.EXE
H:\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINNT\system32\hukujn.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
H:\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\Trillian\trillian.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PeDevice\PeDev.exe
C:\PROGRA~1\WinZip\winzip32.exe
H:\exe's\Spy Ware Stuff\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] H:\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [zBrowser Launcher] E:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HP Software Update] H:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\hukujn.exe reg_run
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Trillian.lnk = H:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: U.S. Bancorp - VPN Client 4.0.4.lnk = C:\Program Files\USBancorp\USBancorp VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://E:\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://E:\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://E:\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://E:\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: RemindU - file://C:\Program Files\topMoxie\TEMP\upromise_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\topMoxie\TEMP\upromise_script0.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Transaction Management - https://tmm6.care.us...com/Tmm/Tmm.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {335C8923-2DCC-4966-BF36-36C2277D4598} (Siebel Option Pack for IE 7.5.3) - http://prod.commerci...lOptionPack.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} -
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo.../cabs/alien.cab
O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} (Pixami-PhotoWorks Upload UI Control) - http://services.phot...SFWUploader.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -
O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\CTMCAT.DLL
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\USBancorp\USBancorp VPN Client\cvpnd.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\system32\NALNTSRV.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\system32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:32:10 AM, 7/7/2005
+ Report-Checksum: CD560EB

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\Applications\STC.exe -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Applications\STC.exe\shell -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{05080E6B-A88A-4CFD-8C3D-9B2557670B6E} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{49DB48FF-02B5-4645-B676-94A4DF1AA026} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6E0ED53C-9908-49ED-B055-7CB31B162577} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{830D3AED-2FA9-454F-B266-D931862BBF34} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8C53BD8E-B12D-4C8F-AD0E-C9DDC39D1273} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9BCDD51B-4A7B-446C-8452-D32D38004582} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A986F4DB-792E-4571-8974-0BB6E024766F} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BCCAB53D-0895-40C3-A942-A03538CE227A} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C0F88E9E-DCEB-4655-968A-AE508A677C39} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D7EAC2D8-2D52-4010-A4AD-DFDF60C1706C} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5E594162-60A9-487D-84B8-DBDD716CB862} -> Spyware.VirtualBouncer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\motoin -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-1202660629-725345543-839522115-500\Software\Mvu -> Spyware.Delfin : Cleaned with backup
C:\WINNT\system32\RFSMAN.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINNT\system32\zxib.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINNT\system32\rYsauto.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\SWRT01.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINNT\mqctdyqy.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1015.dll -> Spyware.Browsertoolbar : Cleaned with backup
C:\WINNT\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINNT\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINNT\ISNSYS.dll -> TrojanSpy.Justin : Cleaned with backup
C:\WINNT\optimize.exe -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\WINNT\mm15201518.Stub.exe -> Adware.eZula : Cleaned with backup
C:\WINNT\_MSRSTRT.EXE -> Not-A-Virus.Tool.Reboot : Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup


::Report End

Panda
>>

Incident Status Location

Adware:Adware/AdBehavior No disinfected C:\WINNT\system32\ncecpop.dll
Adware:Adware/AdBehavior No disinfected C:\WINNT\system32\hukujn.exe
Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rcdc.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/PortalScan No disinfected C:\Program Files\stc
Adware:Adware/SAHAgent No disinfected C:\WINNT\unstall.exe
Adware:Adware/BookedSpace No disinfected C:\WINNT\bsx32
Adware:Adware/VirtualBouncer No disinfected C:\WINNT\system32\InnerVBInstall.log
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\ADMINISTRATOR\Application Data\tvm*.dll
Adware:Adware/DelFinMedia No disinfected Windows Registry
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\ADMINISTRATOR\Application Data\Lycos
Spyware:Spyware/Media-motor No disinfected Windows Registry
Adware:Adware/ImGiant No disinfected C:\Program Files\joystick networks
Adware:Adware/AdBehavior No disinfected C:\WINNT\system32\wyqya.dat
Adware:Adware/AdBehavior No disinfected C:\WINNT\system32\ncecpop.dll
Adware:Adware/AdBehavior No disinfected C:\WINNT\system32\hukujn.exe
Virus:Trj/Downloader.DKB Disinfected C:\WINNT\system32\dqcqnrn.exe
Adware:Adware/AdBehavior No disinfected C:\WINNT\system32\ivrvw.dll
Adware:Adware/VirtualBouncer No disinfected C:\WINNT\system32\INNERADINSTALL.LOG
Adware:Adware/VirtualBouncer No disinfected C:\WINNT\system32\INNERVBINSTALL.LOG
Adware:Adware/Look2Me No disinfected C:\WINNT\system\UpdInst.exe
Spyware:Spyware/Media-motor No disinfected C:\WINNT\Downloaded Program Files\m67m.inf
Adware:Adware/ImGiant No disinfected C:\WINNT\myurlff.exe
Spyware:Spyware/Media-motor No disinfected C:\WINNT\unstall.exe
Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rcdc.exe
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\ADMINISTRATOR\Application Data\tvmcwrd.dll
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\ADMINISTRATOR\Application Data\tvmknwrd.dll
Adware:Adware/VirtualBouncer No disinfected C:\myPcsearch.exe

Thanks - Kat
  • 0

Advertisements


#2
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Katyara

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first. Don't run yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\hukujn.exe reg_run
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://E:\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://E:\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://E:\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://E:\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: RemindU - file://C:\Program Files\topMoxie\TEMP\upromise_script0.htm
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\topMoxie\TEMP\upromise_script0.htm (file missing) (HKCU)
O16 - DPF: Transaction Management - https://tmm6.care.us...com/Tmm/Tmm.cab
O16 - DPF: {335C8923-2DCC-4966-BF36-36C2277D4598} (Siebel Option Pack for IE 7.5.3) - http://prod.commerci...lOptionPack.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} -
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo.../cabs/alien.cab
O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} (Pixami-PhotoWorks Upload UI Control) - http://services.phot...SFWUploader.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -
O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\CTMCAT.DLL
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.

Run Ad-aware se let remove all it finds

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINNT\system32\hukujn.exe
C:\Program Files\PeDevice\PeDev.dll
C:\WINNT\cfgmgr52.dll,DllRun
C:\WINNT\AUNPS2.DLL,_Run@16
C:\WINNT\system32\exp.exe
C:\WINNT\system32\CTMCAT.DLL
C:\WINNT\System32\ZipToA.exe
C:\WINNT\system32\ncecpop.dll
C:\WINNT\system32\hukujn.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rcdc.exe
C:\Program Files\stc
C:\WINNT\unstall.exe
C:\WINNT\bsx32
C:\WINNT\system32\InnerVBInstall.log
C:\Documents and Settings\ADMINISTRATOR\Application Data\tvm*.dll
C:\Documents and Settings\ADMINISTRATOR\Application Data\Lycos
C:\Program Files\joystick networks
C:\WINNT\system32\wyqya.dat
C:\WINNT\system32\ncecpop.dll
C:\WINNT\system32\hukujn.exe
C:\WINNT\system32\dqcqnrn.exe
C:\WINNT\system32\ivrvw.dll
C:\WINNT\system32\INNERADINSTALL.LOG
C:\WINNT\system32\INNERVBINSTALL.LOG
C:\WINNT\system\UpdInst.exe
C:\WINNT\Downloaded Program Files\m67m.inf
C:\WINNT\myurlff.exe
C:\WINNT\unstall.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rcdc.exe
C:\Documents and Settings\ADMINISTRATOR\Application Data\tvmcwrd.dll
C:\Documents and Settings\ADMINISTRATOR\Application Data\tvmknwrd.dll
C:\myPcsearch.exe
Let the system reboot.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.When the scan has finnished click the close button
When prompted the system will log off to let it clean out the remaining files. when the log screen shows log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
[B]Please post the logs From Panda, Ewido and HJT.log
We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#3
Katyara

Katyara

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
So sorry it took this long to reply. I had to go on vacation :tazz:

I did the above - although I think I might have screwed it up somehow as nothing has really changed. Here are my most current log files. Additionally in your instructions I wasn't able to find the "prefetch" folder you speak off. Also - any entries that mention "Siebel" is an application that I use for work. Thanks in advance for any help.

Logfile of HijackThis v1.99.1
Scan saved at 11:34:14 PM, on 7/11/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cusrvc.exe
C:\Program Files\USBancorp\USBancorp VPN Client\cvpnd.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\system32\devldr32.exe
H:\HP\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
E:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINNT\system32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
H:\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINNT\system32\hukujn.exe
H:\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
H:\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\Trillian\trillian.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\aisr\uatt.exe
C:\WINNT\system32\?ttrib.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\rundll32.exe
H:\exe's\Spy Ware Stuff\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINNT\system32\stlb2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
O2 - BHO: (no name) - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINNT\system32\stlb2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] H:\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [zBrowser Launcher] E:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HP Software Update] H:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\hukujn.exe reg_run
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Awro] C:\Program Files\aisr\uatt.exe
O4 - HKCU\..\Run: [Xap] C:\WINNT\system32\?ttrib.exe
O4 - Startup: Trillian.lnk = H:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: U.S. Bancorp - VPN Client 4.0.4.lnk = C:\Program Files\USBancorp\USBancorp VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Transaction Management -
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {335C8923-2DCC-4966-BF36-36C2277D4598} (Siebel Option Pack for IE 7.5.3) - http://prod.commerci...lOptionPack.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} -
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} -
O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} -
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -
O20 - Winlogon Notify: FONTS - C:\WINNT\system32\wU2time.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINNT\system32\wjhnetbs.dll
O20 - Winlogon Notify: Nls - C:\WINNT\system32\fBxshell.dll
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\USBancorp\USBancorp VPN Client\cvpnd.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\system32\NALNTSRV.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\system32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:29:26 PM, 7/7/2005
+ Report-Checksum: 91E924E4

+ Scan result:

C:\WINNT\system32\ncecpop.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
C:\WINNT\system32\ivrvw.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
C:\Documents and Settings\ADMINISTRATOR\Cookies\administrator@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\ADMINISTRATOR\Cookies\administrator@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\ADMINISTRATOR\Cookies\administrator@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup


::Report End

I haven't done Panda again becuase I know I did something wrong in the beginning.

Thanks,
Kat
  • 0

#4
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Katyara

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click [B]l2mfix.exe[/B]. Click the [B]Install[/B] button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click [B]l2mfix.bat[/B] and select option #[B]1[/B] for [B]Run Find Log[/B] by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

[COLOR=red]IMPORTANT:  Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so![/COLOR]

Kc :tazz:
  • 0

#5
Katyara

Katyara

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Here it is:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run-]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\fBxshell.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EC9DBDB5-C9EC-F35F-9FE4-4F63C47F4CD0}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{1C787DF0-213D-4286-A53A-6141C3AFB85A}"="FileXferMenuExt extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{2F25CF20-C569-11D1-B94C-00608CB45480}"="TextPad"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension"
"{2b232f20-fa0d-11d1-8a3e-00c0f64105cd}"="Shuttle Shell Extension for Drive"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{c7745760-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{c7745761-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{AF8DE18D-9065-4102-BC40-EB294A95BB07}"="Novell Connections"
"{04c23aa0-3d34-11d2-b788-008029605ac7}"="NDPS Shell Extension"
"{79E55C5B-49C5-4850-B80D-E03F227FE78C}"=""
"{B531017E-2C10-4661-BB28-9227A2AB5082}"=""
"{ADCEE8BB-4878-4F46-A80A-7F362CAA314F}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{79E55C5B-49C5-4850-B80D-E03F227FE78C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{79E55C5B-49C5-4850-B80D-E03F227FE78C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{79E55C5B-49C5-4850-B80D-E03F227FE78C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{79E55C5B-49C5-4850-B80D-E03F227FE78C}\InprocServer32]
@="C:\\WINNT\\system32\\fBxshell.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B531017E-2C10-4661-BB28-9227A2AB5082}]
@=""
"IDEx"="ST"

[HKEY_CLASSES_ROOT\CLSID\{B531017E-2C10-4661-BB28-9227A2AB5082}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B531017E-2C10-4661-BB28-9227A2AB5082}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B531017E-2C10-4661-BB28-9227A2AB5082}\InprocServer32]
@="C:\\WINNT\\system32\\wU2time.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{ADCEE8BB-4878-4F46-A80A-7F362CAA314F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ADCEE8BB-4878-4F46-A80A-7F362CAA314F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ADCEE8BB-4878-4F46-A80A-7F362CAA314F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ADCEE8BB-4878-4F46-A80A-7F362CAA314F}\InprocServer32]
@="C:\\WINNT\\system32\\urbmon.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Volume in drive C is SULLY
Volume Serial Number is E434-AAE4

Directory of C:\WINNT\System32

07/12/2005 02:05a 417,792 urbmon.dll
07/11/2005 11:02p 417,792 it50_qcx.dll
07/11/2005 09:37p 417,792 LWDIS11n.dll
07/11/2005 09:37p 417,792 doquery.dll
07/11/2005 08:08p 417,792 lqlmb11n.dll
07/11/2005 08:08p 417,792 niwdmcpl.dll
07/11/2005 07:05p 417,792 rvcns4.dll
07/11/2005 07:05p 417,792 woninet.dll
07/11/2005 04:52p 417,792 wU2time.dll
07/11/2005 03:46p 417,792 fLxui.dll
07/11/2005 03:46p 417,792 fBxshell.dll
07/11/2005 11:58a 417,792 kvdbe.dll
07/11/2005 11:57a 417,792 inxrtmgr.dll
07/11/2005 10:29a 417,792 rzched20.dll
07/11/2005 10:29a 417,792 rhnd.dll
07/08/2005 11:09p 417,792 guard.tmp
07/08/2005 11:05p 417,792 kgdda.dll
07/07/2005 10:28p 417,792 swripto.dll
07/07/2005 04:18p 417,792 hetplug.dll
06/29/2005 10:34a 401,408 w?crtupd.exe
06/29/2005 10:28a 401,408 ?ttrib.exe
02/17/2002 06:02p <DIR> dllcache
03/21/2001 02:34p 244,232 Msflxgrd.ocx
22 File(s) 8,985,096 bytes
1 Dir(s) 2,692,251,648 bytes free

Kat
  • 0

#6
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Katyara

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!


Credit: Shadowwar, OSC

Kc :tazz:
  • 0

#7
Katyara

Katyara

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
L2Mfix 1.03a

Running From:
C:\Documents and Settings\ADMINISTRATOR\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\ADMINISTRATOR\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\ADMINISTRATOR\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 732 'explorer.exe'
Killing PID 732 'explorer.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1220 'rundll32.exe'
Killing PID 1464 'rundll32.exe'
Killing PID 1616 'rundll32.exe'
Killing PID 1624 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\kgdda.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kgdda.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\hetplug.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\hetplug.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\swripto.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\swripto.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rhnd.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rhnd.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rzched20.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rzched20.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\inxrtmgr.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\inxrtmgr.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kvdbe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kvdbe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fBxshell.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fBxshell.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\woninet.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\woninet.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fLxui.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\fLxui.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wU2time.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wU2time.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rvcns4.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rvcns4.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\niwdmcpl.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\niwdmcpl.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lqlmb11n.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lqlmb11n.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\doquery.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\doquery.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\LWDIS11n.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\LWDIS11n.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\it50_qcx.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\it50_qcx.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kxdbene.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\kxdbene.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\shlb2.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\shlb2.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\kgdda.dll
Successfully Deleted: C:\WINNT\system32\kgdda.dll
deleting: C:\WINNT\system32\kgdda.dll
Successfully Deleted: C:\WINNT\system32\kgdda.dll
deleting: C:\WINNT\system32\hetplug.dll
Successfully Deleted: C:\WINNT\system32\hetplug.dll
deleting: C:\WINNT\system32\hetplug.dll
Successfully Deleted: C:\WINNT\system32\hetplug.dll
deleting: C:\WINNT\system32\swripto.dll
Successfully Deleted: C:\WINNT\system32\swripto.dll
deleting: C:\WINNT\system32\swripto.dll
Successfully Deleted: C:\WINNT\system32\swripto.dll
deleting: C:\WINNT\system32\rhnd.dll
Successfully Deleted: C:\WINNT\system32\rhnd.dll
deleting: C:\WINNT\system32\rhnd.dll
Successfully Deleted: C:\WINNT\system32\rhnd.dll
deleting: C:\WINNT\system32\rzched20.dll
Successfully Deleted: C:\WINNT\system32\rzched20.dll
deleting: C:\WINNT\system32\rzched20.dll
Successfully Deleted: C:\WINNT\system32\rzched20.dll
deleting: C:\WINNT\system32\inxrtmgr.dll
Successfully Deleted: C:\WINNT\system32\inxrtmgr.dll
deleting: C:\WINNT\system32\inxrtmgr.dll
Successfully Deleted: C:\WINNT\system32\inxrtmgr.dll
deleting: C:\WINNT\system32\kvdbe.dll
Successfully Deleted: C:\WINNT\system32\kvdbe.dll
deleting: C:\WINNT\system32\kvdbe.dll
Successfully Deleted: C:\WINNT\system32\kvdbe.dll
deleting: C:\WINNT\system32\fBxshell.dll
Successfully Deleted: C:\WINNT\system32\fBxshell.dll
deleting: C:\WINNT\system32\fBxshell.dll
Successfully Deleted: C:\WINNT\system32\fBxshell.dll
deleting: C:\WINNT\system32\woninet.dll
Successfully Deleted: C:\WINNT\system32\woninet.dll
deleting: C:\WINNT\system32\woninet.dll
Successfully Deleted: C:\WINNT\system32\woninet.dll
deleting: C:\WINNT\system32\fLxui.dll
Successfully Deleted: C:\WINNT\system32\fLxui.dll
deleting: C:\WINNT\system32\fLxui.dll
Successfully Deleted: C:\WINNT\system32\fLxui.dll
deleting: C:\WINNT\system32\wU2time.dll
Successfully Deleted: C:\WINNT\system32\wU2time.dll
deleting: C:\WINNT\system32\wU2time.dll
Successfully Deleted: C:\WINNT\system32\wU2time.dll
deleting: C:\WINNT\system32\rvcns4.dll
Successfully Deleted: C:\WINNT\system32\rvcns4.dll
deleting: C:\WINNT\system32\rvcns4.dll
Successfully Deleted: C:\WINNT\system32\rvcns4.dll
deleting: C:\WINNT\system32\niwdmcpl.dll
Successfully Deleted: C:\WINNT\system32\niwdmcpl.dll
deleting: C:\WINNT\system32\niwdmcpl.dll
Successfully Deleted: C:\WINNT\system32\niwdmcpl.dll
deleting: C:\WINNT\system32\lqlmb11n.dll
Successfully Deleted: C:\WINNT\system32\lqlmb11n.dll
deleting: C:\WINNT\system32\lqlmb11n.dll
Successfully Deleted: C:\WINNT\system32\lqlmb11n.dll
deleting: C:\WINNT\system32\doquery.dll
Successfully Deleted: C:\WINNT\system32\doquery.dll
deleting: C:\WINNT\system32\doquery.dll
Successfully Deleted: C:\WINNT\system32\doquery.dll
deleting: C:\WINNT\system32\LWDIS11n.dll
Successfully Deleted: C:\WINNT\system32\LWDIS11n.dll
deleting: C:\WINNT\system32\LWDIS11n.dll
Successfully Deleted: C:\WINNT\system32\LWDIS11n.dll
deleting: C:\WINNT\system32\it50_qcx.dll
Successfully Deleted: C:\WINNT\system32\it50_qcx.dll
deleting: C:\WINNT\system32\it50_qcx.dll
Successfully Deleted: C:\WINNT\system32\it50_qcx.dll
deleting: C:\WINNT\system32\kxdbene.dll
Successfully Deleted: C:\WINNT\system32\kxdbene.dll
deleting: C:\WINNT\system32\kxdbene.dll
Successfully Deleted: C:\WINNT\system32\kxdbene.dll
deleting: C:\WINNT\system32\shlb2.dll
Successfully Deleted: C:\WINNT\system32\shlb2.dll
deleting: C:\WINNT\system32\shlb2.dll
Successfully Deleted: C:\WINNT\system32\shlb2.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: kgdda.dll (deflated 48%)
adding: hetplug.dll (deflated 48%)
adding: swripto.dll (deflated 48%)
adding: rhnd.dll (deflated 48%)
adding: rzched20.dll (deflated 48%)
adding: inxrtmgr.dll (deflated 48%)
adding: kvdbe.dll (deflated 48%)
adding: fBxshell.dll (deflated 48%)
adding: woninet.dll (deflated 48%)
adding: fLxui.dll (deflated 48%)
adding: wU2time.dll (deflated 48%)
adding: rvcns4.dll (deflated 48%)
adding: niwdmcpl.dll (deflated 48%)
adding: lqlmb11n.dll (deflated 48%)
adding: doquery.dll (deflated 48%)
adding: LWDIS11n.dll (deflated 48%)
adding: it50_qcx.dll (deflated 48%)
adding: kxdbene.dll (deflated 48%)
adding: shlb2.dll (deflated 48%)
adding: guard.tmp (deflated 48%)
adding: echo.reg (deflated 9%)
adding: clear.reg (deflated 46%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 64%)
adding: lo2.txt (deflated 87%)
adding: test2.txt (deflated 27%)
adding: test3.txt (deflated 27%)
adding: test5.txt (deflated 27%)
adding: test.txt (deflated 88%)
adding: xfind.txt (deflated 85%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/79E55C5B-49C5-4850-B80D-E03F227FE78C.reg (deflated 70%)
adding: backregs/B531017E-2C10-4661-BB28-9227A2AB5082.reg (deflated 69%)
adding: backregs/ADCEE8BB-4878-4F46-A80A-7F362CAA314F.reg (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: kgdda.dll
deleting local copy: kgdda.dll
deleting local copy: hetplug.dll
deleting local copy: hetplug.dll
deleting local copy: swripto.dll
deleting local copy: swripto.dll
deleting local copy: rhnd.dll
deleting local copy: rhnd.dll
deleting local copy: rzched20.dll
deleting local copy: rzched20.dll
deleting local copy: inxrtmgr.dll
deleting local copy: inxrtmgr.dll
deleting local copy: kvdbe.dll
deleting local copy: kvdbe.dll
deleting local copy: fBxshell.dll
deleting local copy: fBxshell.dll
deleting local copy: woninet.dll
deleting local copy: woninet.dll
deleting local copy: fLxui.dll
deleting local copy: fLxui.dll
deleting local copy: wU2time.dll
deleting local copy: wU2time.dll
deleting local copy: rvcns4.dll
deleting local copy: rvcns4.dll
deleting local copy: niwdmcpl.dll
deleting local copy: niwdmcpl.dll
deleting local copy: lqlmb11n.dll
deleting local copy: lqlmb11n.dll
deleting local copy: doquery.dll
deleting local copy: doquery.dll
deleting local copy: LWDIS11n.dll
deleting local copy: LWDIS11n.dll
deleting local copy: it50_qcx.dll
deleting local copy: it50_qcx.dll
deleting local copy: kxdbene.dll
deleting local copy: kxdbene.dll
deleting local copy: shlb2.dll
deleting local copy: shlb2.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINNT\system32\kgdda.dll
C:\WINNT\system32\kgdda.dll
C:\WINNT\system32\hetplug.dll
C:\WINNT\system32\hetplug.dll
C:\WINNT\system32\swripto.dll
C:\WINNT\system32\swripto.dll
C:\WINNT\system32\rhnd.dll
C:\WINNT\system32\rhnd.dll
C:\WINNT\system32\rzched20.dll
C:\WINNT\system32\rzched20.dll
C:\WINNT\system32\inxrtmgr.dll
C:\WINNT\system32\inxrtmgr.dll
C:\WINNT\system32\kvdbe.dll
C:\WINNT\system32\kvdbe.dll
C:\WINNT\system32\fBxshell.dll
C:\WINNT\system32\fBxshell.dll
C:\WINNT\system32\woninet.dll
C:\WINNT\system32\woninet.dll
C:\WINNT\system32\fLxui.dll
C:\WINNT\system32\fLxui.dll
C:\WINNT\system32\wU2time.dll
C:\WINNT\system32\wU2time.dll
C:\WINNT\system32\rvcns4.dll
C:\WINNT\system32\rvcns4.dll
C:\WINNT\system32\niwdmcpl.dll
C:\WINNT\system32\niwdmcpl.dll
C:\WINNT\system32\lqlmb11n.dll
C:\WINNT\system32\lqlmb11n.dll
C:\WINNT\system32\doquery.dll
C:\WINNT\system32\doquery.dll
C:\WINNT\system32\LWDIS11n.dll
C:\WINNT\system32\LWDIS11n.dll
C:\WINNT\system32\it50_qcx.dll
C:\WINNT\system32\it50_qcx.dll
C:\WINNT\system32\kxdbene.dll
C:\WINNT\system32\kxdbene.dll
C:\WINNT\system32\shlb2.dll
C:\WINNT\system32\shlb2.dll
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{79E55C5B-49C5-4850-B80D-E03F227FE78C}"=-
"{B531017E-2C10-4661-BB28-9227A2AB5082}"=-
"{ADCEE8BB-4878-4F46-A80A-7F362CAA314F}"=-
[-HKEY_CLASSES_ROOT\CLSID\{79E55C5B-49C5-4850-B80D-E03F227FE78C}]
[-HKEY_CLASSES_ROOT\CLSID\{B531017E-2C10-4661-BB28-9227A2AB5082}]
[-HKEY_CLASSES_ROOT\CLSID\{ADCEE8BB-4878-4F46-A80A-7F362CAA314F}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 10:43:30 PM, on 7/12/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cusrvc.exe
C:\Program Files\USBancorp\USBancorp VPN Client\cvpnd.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\system32\devldr32.exe
H:\HP\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
E:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINNT\system32\dpmw32.exe
H:\HP\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\system32\NWTRAY.EXE
H:\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINNT\system32\hukujn.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\aisr\uatt.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\NaviSearch\bin\nls.exe
H:\exe's\Spy Ware Stuff\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINNT\system32\stlb2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - (no file)
O2 - BHO: (no name) - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINNT\system32\stlb2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] H:\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [zBrowser Launcher] E:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HP Software Update] H:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\hukujn.exe reg_run
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Awro] C:\Program Files\aisr\uatt.exe
O4 - HKCU\..\Run: [Xap] C:\WINNT\system32\?ttrib.exe
O4 - Startup: Trillian.lnk = H:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: U.S. Bancorp - VPN Client 4.0.4.lnk = C:\Program Files\USBancorp\USBancorp VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = H:\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Transaction Management -
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {335C8923-2DCC-4966-BF36-36C2277D4598} (Siebel Option Pack for IE 7.5.3) - http://prod.commerci...lOptionPack.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} -
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} -
O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} -
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\USBancorp\USBancorp VPN Client\cvpnd.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\system32\NALNTSRV.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\system32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

Thanks!
Kat
  • 0

#8
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Katyara

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Use windows add remove uninstall the following programs:
C:\Program Files\exactsearch
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\CashBack\bin\cashback.exe

Reboot into Safe Mode: please see here if you are not sure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINNT\system32\stlb2.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - (no file)
O2 - BHO: (no name) - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINNT\system32\stlb2.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\hukujn.exe reg_run
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKCU\..\Run: [Awro] C:\Program Files\aisr\uatt.exe
O4 - HKCU\..\Run: [Xap] C:\WINNT\system32\?ttrib.exe
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -

Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Program Files\Media Access\bin\bargains.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\NaviSearch<--Delete the whole folder
C:\Program Files\CashBack<--Delete the whole folder
C:\Program Files\aisr\uatt.exe<--Delete the whole folder
Exit Explorer.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the [b]full path of file to delete
box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINNT\system32\stlb2.dll
C:\WINNT\system32\nvms.dll
C:\WINNT\system32\msbe.dll
C:\WINNT\system32\hukujn.exe reg_run
C:\WINNT\system32\wintask.exe
Let the system reboot.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
[b]Please post the logs From Panda virus scan and HJT.log
We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#9
Guest_thatman_*

Guest_thatman_*
  • Guest
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP