Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Web-Nexus and Random 6 Letter .exe


  • Please log in to reply

#16
Brines

Brines

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Here's my Panda ActiveScan log:


Incident Status Location

Virus:Trj/Qoologic.G Disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nciu.exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[amdiosrv.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[ayptif.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[iietppui.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[kcdusx.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[kscom.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[lVprxy.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[mhvidc32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[mic40u.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[moicda.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[msc40.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[mvi.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[mvrapi.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[myhtmled.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[npwddi.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[qidit.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[rfgsvc.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[sbi_ci.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[smrstr.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[svcbase.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[swsinv.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[wcnrnr.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[wtnsta.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\backup.zip[guard.tmp]
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\Vaughn Brines\My Documents\Devin\progsiened\backups\backup-20050530-120847-347.inf
Virus:Trj/Qoologic.G Disinfected C:\Documents and Settings\Vaughn Brines\My Documents\Devin\progsiened\backups\backup-20050715-172338-415-nciu.exe
Adware:Adware/AdBehavior No disinfected C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\Quarantine\Quarantine - 07-04-2005 - 10-11-27.SBU[{4F83B33C-9CF6-4C7C-9B1E-A7928E5C4481}]
Adware:Adware/BookedSpace No disinfected C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\Quarantine\Quarantine - 07-04-2005 - 10-11-27.SBU[{75E6F442-0801-4C3D-9DD5-DCE7BB9B639E}]
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\Quarantine\Quarantine - 07-04-2005 - 10-11-27.SBU[{E435ACFB-E3F9-44C4-82FE-D4BC6DB80960}]
Adware:Adware/AdBehavior No disinfected C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\Quarantine\Quarantine - 07-04-2005 - 10-11-27.SBU[{E5780AC7-806C-4D4A-B6B4-BF1B25D49B24}]
Virus:Trj/Qhost.BM Disinfected C:\Program Files\TDS3\dcsres.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\bundle_mediamotor1004.exe
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\pcs_0010.exe
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\pcs_0015.exe
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\pcs_0029.exe
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\pcs_0029.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\Downloaded Program Files\pcs_0010.exe
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\Downloaded Program Files\pcs_0015.exe
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\Downloaded Program Files\pcs_0029.exe
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\system32\datadx.dll
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\system32\dwhadsg.dll
Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\system32\jlbqjn.exe
Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\system32\pykgp.dat


It deleted the viruses it found, but not the spyware.
  • 0

Advertisements


#17
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Panda is fine and we will just have to see whats going on with the rights!

Right-Click Here and Click "Save As" to download DelDomains.inf to your desktop.

Right Click DelDomains.inf on your desktop and select "Install"

It will perform a silent process>Give it a minute to run!


Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.


Because we cant get the VB Script to run and I cant see anything,we are gonna wing it!

Last lets get a hefty Reg Cleaner and move out all dead registry entries!

RegSupreme Pro 1.1.0.32
http://majorgeeks.co..._Pro_d4256.html

Once downloaded and launched,Click Yes to Update the Cache-> Click "Registry Cleaner"-> Click "Aggresive" and "Start"-> Fix everything it finds-> Name the Backup it creates and Save it somewhere safe!

Wait until Safe Mode to run this Registry Cleaner!


Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Copy&Paste the list of Files below onto Notepad-> Open Pocket Killbox-> Highlight the list of files on Notepad and press Ctrl+C to Copy-> In Killbox,Click File-> Paste from Clipboard!

That should load Killbox up with all the files from the list-> Click the down arrow next to the entry in Killbox and you should see the entire list!

If not,Copy&Paste them in one at a time!

C:\WINDOWS\loqdl.dll
C:\WINDOWS\bundle_mediamotor1004.exe
C:\WINDOWS\SYSTEM32\conres.cpl
C:\WINDOWS\system32\datadx.dll
C:\WINDOWS\system32\jlbqjn.exe
C:\WINDOWS\system32\dwhadsg.dll
C:\WINDOWS\system32\jlbqjn.exe
C:\WINDOWS\system32\bqmxban.exe
C:\WINDOWS\system32\pykgp.dat
C:\WINDOWS\system32\jkarj.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nciu.exe
C:\WINDOWS\Downloaded Program Files\pcs_0029.exe
C:\WINDOWS\Downloaded Program Files\pcs_0015.exe
C:\WINDOWS\Downloaded Program Files\pcs_0010.exe
C:\WINDOWS\Downloaded Program Files\m67m.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.2
C:\WINDOWS\Downloaded Program Files\CONFLICT.1


If they paste into Killbox from Notepad-> put a tick by "Delete on Reboot" and Click the Red Circle with the White X in the Middle to Delete!

If not,as you paste each in-> put a tick by "Delete on Reboot" and Click the Red Circle with the White X in the Middle to Delete!

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot


If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.


Restart in Safe Mode!


Run those files through Killbox again and be sure none survived!

This put a tick by these when available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"



Open HijackThis and put a check next to these

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\jlbqjn.exe reg_run

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab

O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx

Make sure all Windows and Browsers are Closed and Click "Fix Checked"!


Now Run the Registry Cleaner just as described above!


From the WinPFind Folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once the Scan is Complete-> Restart back in Normal Mode!


Post a fresh HijackThis log along with the log from WinPFind located in the WinPFind Folder(WinPFind.txt)


Edit: Ha...Found the Scripting Page!

http://www.microsoft...&displaylang=en

That should settle the VB error you got and you should be able to run the TrackQoo Script!

Edited by Cretemonster, 18 July 2005 - 12:18 PM.

  • 0

#18
Brines

Brines

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Just so you know, Panda already got rid of the Qoo problem. But thanks anyway. I have to go right now, I'll do this all later. I got Kaspersky working, so I'm letting that scan for now.


EDIT: Actually, Kaspersky just found Qoo again. Here's the log:

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Monday, July 18, 2005 15:08:14
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/07/2005
Kaspersky Anti-Virus database records: 130925
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\VAUGHN~1\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 13509
Number of viruses found: 2
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 1119 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\bqmxban.exe Infected: Trojan-Downloader.Win32.Qoologic.n
C:\WINDOWS\system32\conres.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\WINDOWS\system32\datadx.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\WINDOWS\system32\dwhadsg.dll Infected: Trojan-Downloader.Win32.Qoologic.n
C:\WINDOWS\system32\jkarj.dll Infected: Trojan-Downloader.Win32.Qoologic.n
C:\DOCUME~1\VAUGHN~1\LOCALS~1\Temp\239.tmp Infected: Trojan-Downloader.Win32.Qoologic.n

Scan process completed.


It only did critical areas, so I'll have to scan again later, but I don't really think it fixed Qoo. I'll be using the Track Qoo 1 in a moment.

Edited by Brines, 18 July 2005 - 01:10 PM.

  • 0

#19
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
LMAO!!!! I was about to post to the Panda Comment when I looked and i recommend using those directions unless you just want some of this stuff back!

Qoo may be gone in the files but it lives strong in the registry!
  • 0

#20
Brines

Brines

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Track Qoo 1 still doesn't work, even after the Microsoft thing. How do I go about deleting those registry keys? I could probably figure it out, but I'll let you help me instead. :tazz:

WinPFind:


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! C:\MLT-gone_away-www.theoffspring.info.mpeg
UPX! C:\offspring-pinkpop2001-2-interview-www.theoffspring.info.avi
FSG! C:\offspring-pinkpop2001-2-interview-www.theoffspring.info.avi
FSG! C:\the_offspring-11-self_esteem_(muchmusic_intimate_&_interactive)-www.theoffspring.info.part1.rar
UPX! C:\win.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
SAHAgent C:\WINDOWS\system32\6lgtcarq.ini
SAHAgent C:\WINDOWS\system32\70tovmto.ini
SAHAgent C:\WINDOWS\system32\8ms71gun.ini
SAHAgent C:\WINDOWS\system32\bln02nqv.ini
aspack C:\WINDOWS\system32\CDWriterXP.ocx
PEC2 C:\WINDOWS\system32\dfrg.msc
SAHAgent C:\WINDOWS\system32\gah95on6.ini
SAHAgent C:\WINDOWS\system32\h1p313qg.ini
PECompact2 C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\ntdll.dll
Umonitor C:\WINDOWS\system32\rasdlg.dll
winsync C:\WINDOWS\system32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! C:\WINDOWS\system32\drivers\avg7core.sys
FSG! C:\WINDOWS\system32\drivers\avg7core.sys
aspack C:\WINDOWS\system32\drivers\avg7core.sys
PTech C:\WINDOWS\system32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
7/18/2005 C:\WINDOWS\LastGood\INF\oem9.inf
7/18/2005 C:\WINDOWS\LastGood\INF\oem9.PNF
7/18/2005 C:\WINDOWS\system32\AuxDrv32b_d.oxc
7/18/2005 C:\WINDOWS\system32\config\default.LOG
7/18/2005 C:\WINDOWS\system32\config\SAM.LOG
7/18/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/18/2005 C:\WINDOWS\system32\config\software.LOG
7/18/2005 C:\WINDOWS\system32\config\system.LOG
6/17/2005 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
7/11/2005 C:\WINDOWS\Tasks\RUTASK.job
7/18/2005 C:\WINDOWS\Tasks\SA.DAT
6/18/2005 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
6/18/2005 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
6/18/2005 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8UGQ918F\desktop.ini
6/18/2005 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\9JTLMEFG\desktop.ini
6/18/2005 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C1E3GT6V\desktop.ini
6/18/2005 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S8FDNIGB\desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Checking Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\SV1
SV1 =

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fkxsfynm
{727fe28b-6f8e-4dc1-ba85-eaad40f72950} = C:\WINDOWS\system32\jkarj.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
{E8ADA3E1-CE9B-44A0-A165-997304EF4E18} = C:\WINDOWS\system32\tds3shl.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
LTMSG LTMSG.exe 7
AVG7_EMC C:\Program Files\Grisoft\AVG Free\avgemc.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
SmcService C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
nwiz nwiz.exe /install
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.14 - Log file written to "WinPFind.Txt" in the WinPFind folder.









Logfile of HijackThis v1.99.1
Scan saved at 4:36:17 PM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vaughn Brines\My Documents\Devin\progsiened\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program Files\Grisoft\AVG Free\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com...cpConnCheck.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn....v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112891736921
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{273FFE4E-BAD7-4AB8-946F-08987352374E}: NameServer = 205.171.3.65 205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{273FFE4E-BAD7-4AB8-946F-08987352374E}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Microsoft Registry Viewer (dumpreg) - Unknown owner - C:\WINDOWS\dumpreg.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
  • 0

#21
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Did you run the Deldomains file I had you download?

Copy&Paste the Code below into a blank Notepad page


REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fkxsfynm]

[-HKEY_CLASSES_ROOT\CLSID\{727fe28b-6f8e-4dc1-ba85-eaad40f72950}]

Once Pasted to Notepad-> Click File-> Save As-> Name it Remv.reg and Save it to the Desktop!

Double Click the Reg File and Allow it to Merge into the Registry!


Have HijackThis fix these

O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone


Make sure you Run the DelDomains File I had you download to ensure those are gone!


Good thing you used WinPFind because the entire Notify key is trashed!


Open up the l2mfix and Select Option 4 and let it do its thing!


Delete any of these that exist

C:\WINDOWS\system32\6lgtcarq.ini

C:\WINDOWS\system32\70tovmto.ini

C:\WINDOWS\system32\8ms71gun.ini

C:\WINDOWS\system32\bln02nqv.ini

C:\WINDOWS\system32\gah95on6.ini

C:\WINDOWS\system32\h1p313qg.ini

C:\WINDOWS\system32\jkarj.dll


Everything else looks peachy to me...Whatcha think?

Edited by Cretemonster, 18 July 2005 - 03:38 PM.

  • 0

#22
Brines

Brines

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
The Reg thing didn't work, it gave me this error when I tried to open it:

Cannot import C:\Documents and Settings\Vaughn Brines\Desktop\Remv.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.

Step 4 gives me these 2 logs:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001





Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000



All files deleted except the last one, it's gone I assume. I have a couple more questions. Panda Scanner found some spyware/adware/etc that it doesn't delete. Is all of that gone after you told me what to do? The log is in post 16 of this page. Also, how do I stop from getting this crap in the future? I have Sygate firewall, but apparently it's not doing the trick. Any other programs I should use?
  • 0

#23
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
LMAO!!!! :tazz:

Check my Edited Post!!!

I left the little part of REGEDIT 4 out by accident!

What happens when you are in a hurry to eat!

You so dam fast respinding I couldnt get back and edit it fast enough!

Some Help to prevent this in the future!

Look Down....See those 3 little black links,there is a welth of Info in those!

A fellow poster (Metallica) has a page of his own that tells it all!

http://metallica.geekstogo.com/

Make sure to get Spyware Blaster,its in that link as well the one below!

Here is a link anyways
SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

Look through all those links and you will see the way to prevent this in the future!

Just between me and you!

Its mostly Common Sense,if its seems to good to be true,then it probably is!

Anything free comes with a price!!

Keep Windows Updated along with the Firewall and Resident AV and any add ons like Spyware Blaster!


If you insist on using Internet Explorer,Use the link in Metallicas page to get IE Spyad!

I personally use Mozillas Firefox for Browsing and ThunderBird for Email!


Any other questions,Cause I am starving and going to go eat! ;)


Let me know if the PC seems Happier!
  • 0

#24
Brines

Brines

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Okay, seems like everything's cleared up. Thanks a lot. Everything works right now. Enjoy the food! I'll be back eventually...

Thanks
Devin
  • 0

#25
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Take Care Devin!

I will be here!
  • 0

Advertisements


#26
Brines

Brines

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Do you have msn?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP