HJT log. Threat - unknown [RESOLVED]


#1 kirrill (New Member, 4 posts)

Getting intermittent popups, also "buffer overrun" messages mainly from trying to open the Control Panel. M.Soft Spyware Beta keeps detecting something like "unknown.spyware.61", gets rid of it, and finds it again on next reboot. Command Antivirus doesn't detect anything.

Get Winfixer popups. Removed any Winfixer registry entries, Program Files folder, but the popups still come up.

Please see if you can help.

internal.xxxx.corp was edited manually by me to hide the company name.

Thanks in advance.




Logfile of HijackThis v1.99.1
Scan saved at 8:56:14 AM, on 7/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\vidctrl\vidctrl.exe
C:\WINNT\system32\jorarq.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\atce\trdb.exe
U:\HijackThis\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by
O1 - Hosts: 168.162.75.105 STNPSQL1
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\jorarq.exe reg_run
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.xxxx.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.xxxx.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.xxxx.corp
O20 - Winlogon Notify: Controls Folder - C:\WINNT\system32\CVPBK32.DLL
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avinitnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: schscnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\schscnt.exe

Edited by kirrill, 21 July 2005 - 10:44 AM.



#2 tampabelle (Retired Staff, 6,363 posts)

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

#3 kirrill (Topic Starter, 4 posts)

Here are the logs:
WinPFind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
Umonitor 1/5/2005 5:26:16 PM 251831296 C:\systemstate.bkf

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 7/20/2005 3:39:06 PM 23264 C:\WINNT\icont.exe
abetterinternet.com 7/7/2005 10:18:30 PM 11080 C:\WINNT\jkoao.dll
web-nex 7/7/2005 10:18:30 PM 11080 C:\WINNT\jkoao.dll
ad-w-a-r-e.com 7/7/2005 10:18:30 PM 11080 C:\WINNT\jkoao.dll
UPX! 7/21/2005 1:34:14 PM 82432 C:\WINNT\ru.exe
UPX! 1/9/2004 9:49:20 AM 80384 C:\WINNT\zoeeoyvcq.exe
buddy.exe 1/9/2004 9:49:20 AM 80384 C:\WINNT\zoeeoyvcq.exe

Checking %System% folder...
Umonitor 7/20/2005 9:02:30 PM 417792 C:\WINNT\SYSTEM32\AHLEDIT.DLL
WinShutDown 7/20/2005 9:02:30 PM 417792 C:\WINNT\SYSTEM32\AHLEDIT.DLL
Umonitor 7/7/2005 9:15:52 PM 417792 C:\WINNT\SYSTEM32\cznquery.dll
WinShutDown 7/7/2005 9:15:52 PM 417792 C:\WINNT\SYSTEM32\cznquery.dll
69.59.186.63 7/21/2005 10:51:06 AM 29184 C:\WINNT\SYSTEM32\datadx.dll
209.66.67.134 7/21/2005 10:51:06 AM 29184 C:\WINNT\SYSTEM32\datadx.dll
66.63.167.97 7/21/2005 10:51:06 AM 29184 C:\WINNT\SYSTEM32\datadx.dll
66.63.167.77 7/21/2005 10:51:06 AM 29184 C:\WINNT\SYSTEM32\datadx.dll
web-nex 7/21/2005 10:51:06 AM 29184 C:\WINNT\SYSTEM32\datadx.dll
winsync 7/21/2005 10:51:06 AM 29184 C:\WINNT\SYSTEM32\datadx.dll
rec2_run 7/21/2005 10:51:06 AM 29184 C:\WINNT\SYSTEM32\datadx.dll
Umonitor 6/19/2005 11:44:40 PM 417792 C:\WINNT\SYSTEM32\DECPROP.DLL
WinShutDown 6/19/2005 11:44:40 PM 417792 C:\WINNT\SYSTEM32\DECPROP.DLL
Umonitor 6/21/2005 10:00:52 PM 417792 C:\WINNT\SYSTEM32\dFdref8.dll
WinShutDown 6/21/2005 10:00:52 PM 417792 C:\WINNT\SYSTEM32\dFdref8.dll
69.59.186.63 7/20/2005 10:52:28 AM 26624 C:\WINNT\SYSTEM32\dlgfgaj.dll
209.66.67.134 7/20/2005 10:52:28 AM 26624 C:\WINNT\SYSTEM32\dlgfgaj.dll
web-nex 7/20/2005 10:52:28 AM 26624 C:\WINNT\SYSTEM32\dlgfgaj.dll
winsync 7/20/2005 10:52:28 AM 26624 C:\WINNT\SYSTEM32\dlgfgaj.dll
Umonitor 6/21/2005 9:10:34 PM 417792 C:\WINNT\SYSTEM32\DMSKMON.DLL
WinShutDown 6/21/2005 9:10:34 PM 417792 C:\WINNT\SYSTEM32\DMSKMON.DLL
Umonitor 7/20/2005 4:33:00 PM 417792 C:\WINNT\SYSTEM32\dsgfgaj.dll
WinShutDown 7/20/2005 4:33:00 PM 417792 C:\WINNT\SYSTEM32\dsgfgaj.dll
Umonitor 6/21/2005 9:59:12 PM 417792 C:\WINNT\SYSTEM32\guard.tmp
WinShutDown 6/21/2005 9:59:12 PM 417792 C:\WINNT\SYSTEM32\guard.tmp
Umonitor 6/30/2005 9:02:20 PM 417792 C:\WINNT\SYSTEM32\imfxeud.dll
WinShutDown 6/30/2005 9:02:20 PM 417792 C:\WINNT\SYSTEM32\imfxeud.dll
Umonitor 7/18/2005 12:55:42 AM 417792 C:\WINNT\SYSTEM32\MESLGN32.DLL
WinShutDown 7/18/2005 12:55:42 AM 417792 C:\WINNT\SYSTEM32\MESLGN32.DLL
Umonitor 6/22/2005 9:05:22 PM 417792 C:\WINNT\SYSTEM32\MFSLGN32.DLL
WinShutDown 6/22/2005 9:05:22 PM 417792 C:\WINNT\SYSTEM32\MFSLGN32.DLL
Umonitor 6/21/2005 9:18:18 PM 417792 C:\WINNT\SYSTEM32\MKIDLE.DLL
WinShutDown 6/21/2005 9:18:18 PM 417792 C:\WINNT\SYSTEM32\MKIDLE.DLL
Umonitor 7/18/2005 12:55:46 AM 417792 C:\WINNT\SYSTEM32\MWASTMIB.DLL
WinShutDown 7/18/2005 12:55:46 AM 417792 C:\WINNT\SYSTEM32\MWASTMIB.DLL
Umonitor 7/5/2005 9:12:44 PM 417792 C:\WINNT\SYSTEM32\ORPRT400.DLL
WinShutDown 7/5/2005 9:12:44 PM 417792 C:\WINNT\SYSTEM32\ORPRT400.DLL
Umonitor 1/12/2005 12:39:46 PM 531216 C:\WINNT\SYSTEM32\RASDLG.DLL
Umonitor 7/17/2005 11:33:14 PM 417792 C:\WINNT\SYSTEM32\sdvsvc.dll
WinShutDown 7/17/2005 11:33:14 PM 417792 C:\WINNT\SYSTEM32\sdvsvc.dll
Umonitor 7/20/2005 10:51:02 AM 417792 C:\WINNT\SYSTEM32\TGPI32.DLL
WinShutDown 7/20/2005 10:51:02 AM 417792 C:\WINNT\SYSTEM32\TGPI32.DLL
winsync 7/24/2002 2:00:00 PM 1309184 C:\WINNT\SYSTEM32\WBDBASE.DEU
Umonitor 7/17/2005 11:33:54 PM 417792 C:\WINNT\SYSTEM32\wdw32.dll
WinShutDown 7/17/2005 11:33:54 PM 417792 C:\WINNT\SYSTEM32\wdw32.dll
Umonitor 7/5/2005 4:51:26 PM 417792 C:\WINNT\SYSTEM32\wjpshell.dll
WinShutDown 7/5/2005 4:51:26 PM 417792 C:\WINNT\SYSTEM32\wjpshell.dll
Umonitor 7/17/2005 11:33:46 PM 417792 C:\WINNT\SYSTEM32\wwerrenu.dll
WinShutDown 7/17/2005 11:33:46 PM 417792 C:\WINNT\SYSTEM32\wwerrenu.dll
UPX! 7/7/2005 10:18:30 PM 23040 C:\WINNT\SYSTEM32\zgipinh.dll
KavSvc 7/7/2005 10:18:30 PM 23040 C:\WINNT\SYSTEM32\zgipinh.dll
testpopup 7/7/2005 10:18:30 PM 23040 C:\WINNT\SYSTEM32\zgipinh.dll
web-nex 7/7/2005 10:18:30 PM 23040 C:\WINNT\SYSTEM32\zgipinh.dll
yourkey 7/7/2005 10:18:30 PM 23040 C:\WINNT\SYSTEM32\zgipinh.dll

Checking %System%\Drivers folder and sub-folders...
aspack 3/15/2005 3:47:00 PM 501864 C:\WINNT\SYSTEM32\drivers\css-dvp.sys
qoologic 7/21/2005 1:38:14 PM 1939 C:\WINNT\SYSTEM32\drivers\ETC\hosts
urllogic 7/21/2005 1:38:14 PM 1939 C:\WINNT\SYSTEM32\drivers\ETC\hosts
urllogic 7/21/2005 1:38:14 PM 1939 C:\WINNT\SYSTEM32\drivers\ETC\hosts

Checking the Windows folder for system and hidden files within the last 60 days...
7/21/2005 1:34:14 PM 82432 C:\WINNT\ru.exe
7/4/2005 11:06:58 PM 1195714 C:\WINNT\ShellIconCache
7/21/2005 1:38:40 PM 1024 C:\WINNT\SYSTEM32\CONFIG\DEFAULT.LOG
7/18/2005 7:21:16 AM 1024 C:\WINNT\SYSTEM32\CONFIG\SAM.LOG
7/21/2005 1:38:40 PM 1024 C:\WINNT\SYSTEM32\CONFIG\SECURITY.LOG
7/21/2005 1:44:40 PM 1024 C:\WINNT\SYSTEM32\CONFIG\SOFTWARE.LOG
7/17/2005 11:41:00 PM 336 C:\WINNT\SYSTEM32\Microsoft\Protect\S-1-5-18\23980c35-a27d-4574-b0e5-2f9877a673c5
7/17/2005 11:41:00 PM 24 C:\WINNT\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
7/18/2005 1:16:56 AM 336 C:\WINNT\SYSTEM32\Microsoft\Protect\S-1-5-18\User\c2d36bff-8b4c-4255-85e3-bb5890faf535
7/18/2005 1:16:56 AM 24 C:\WINNT\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
7/21/2005 1:34:14 PM 188 C:\WINNT\Tasks\RUTASK.job
7/21/2005 1:36:08 PM 6 C:\WINNT\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/5/2005 5:08:56 PM 1568 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
7/21/2005 11:50:12 AM 61952 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ntkd.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\{6C21FCBA-7677-B388-9A14-986B72530026}
=

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\FProtMenu
{4a479be0-3333-11d0-b519-00400519153f} = C:\Program Files\Command Software\Command AntiVirus\avshext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqngnstt
{26144e64-9b38-4f5c-8ae5-3e62defedc5a} = C:\WINNT\system32\jbndn.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\FProtMenu
{4A479BE0-3333-11D0-B519-00400519153F} = C:\Program Files\Command Software\Command AntiVirus\avshext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager mobsync.exe /logon
IgfxTray C:\WINNT\system32\igfxtray.exe
HotKeysCmds C:\WINNT\system32\hkcmd.exe
WinampAgent "C:\Program Files\Winamp3\winampa.exe"
untray C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
dvprpt C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
CSAV_CheckViruses C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
avtray C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
vidctrl C:\WINNT\system32\vidctrl\vidctrl.exe
winsync C:\WINNT\system32\jorarq.exe reg_run
cfgmgr52 RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 1
legalnoticecaption UNAUTHORIZED ACCESS PROHIBITED
legalnoticetext This is a private computer system and is restricted to authorized users only. Individuals attempting unauthorized access will be prosecuted. If unauthorized,terminate access now!!
shutdownwithoutlogon 1
disablecad 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINNT\system32\userinit.exe,
Shell explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck
= C:\WINNT\system32\CVPBK32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Network.ConnectionTray
{7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.2 - Log file written to "WinPFind.Txt" in the WinPFind folder.


Track qoo:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"untray"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\untray.exe"
"dvprpt"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\dvprpt.exe"
"CSAV_CheckViruses"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\vchk.exe"
"avtray"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\avtray.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"vidctrl"="C:\\WINNT\\system32\\vidctrl\\vidctrl.exe"
"winsync"="C:\\WINNT\\system32\\jorarq.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- FProtMenu
{4a479be0-3333-11d0-b519-00400519153f}
C:\Program Files\Command Software\Command AntiVirus\avshext.dll

Subkey --- fqngnstt
{26144e64-9b38-4f5c-8ae5-3e62defedc5a}
C:\WINNT\system32\jbndn.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINNT\system32\shell32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINNT\system32\shell32.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINNT\System32\docprop2.dll

Subkey --- {7f9609be-af9a-11d1-83e0-00c04fb6e984}
C:\WINNT\system32\faxshell.dll

Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINNT\System32\docprop2.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Microsoft Office.lnk
ntkd.exe
==============================
C:\Documents and Settings\kirk.gorokhovsky\Start Menu\Programs\Startup

Microsoft Office.lnk
ntkd.exe
==============================
C:\WINNT\SYSTEM32 cpl files


ACCESS.CPL Microsoft Corporation
appwiz.cpl Microsoft Corporation
conres.cpl
DESK.CPL Microsoft Corporation
HDWWIZ.CPL Microsoft Corporation
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
INTL.CPL Microsoft Corporation
IRPROPS.CPL Microsoft Corporation
joy.cpl Microsoft Corporation
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NCPA.CPL Microsoft Corporation
NWC.CPL Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
PROSetp.cpl Intel Corporation
sticpl.cpl Microsoft Corporation
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
wuaucpl.cpl Microsoft Corporation


Cheers!

Edited by kirrill, 21 July 2005 - 12:55 PM.


#4 tampabelle (Retired Staff, 6,363 posts)

Hi Kirrill,


You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe


Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
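The VX2 (Look2Me) call above rests on two things visible in the logs kirrill posted: WinPFind lists a run of randomly named system32 DLLs that share one exact size (417792 bytes) and the same embedded strings (Umonitor, WinShutDown), and the HJT O4 autostart value name "winsync" turns up as a string inside the dropped datadx.dll and dlgfgaj.dll. The script below is an added triage example, not part of this thread and not code from WinPFind, HijackThis or L2mfix; it parses a constructed subset of those log lines and makes both correlations mechanical, so the same check can be run over any WinPFind plus HJT pair.

```python
"""Triage helper for WinPFind and HijackThis output (added example).

Not part of the thread and not code from WinPFind, HijackThis or L2mfix.
It flags the Look2Me/VX2 pattern: many system32 files of identical size
sharing the same embedded strings, plus an autostart whose value name is
embedded in one of the dropped files.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the logs posted above.
WINPFIND_SAMPLE = """\
Umonitor 7/20/2005 9:02:30 PM 417792 C:\\WINNT\\SYSTEM32\\AHLEDIT.DLL
WinShutDown 7/20/2005 9:02:30 PM 417792 C:\\WINNT\\SYSTEM32\\AHLEDIT.DLL
Umonitor 7/7/2005 9:15:52 PM 417792 C:\\WINNT\\SYSTEM32\\cznquery.dll
WinShutDown 7/7/2005 9:15:52 PM 417792 C:\\WINNT\\SYSTEM32\\cznquery.dll
web-nex 7/21/2005 10:51:06 AM 29184 C:\\WINNT\\SYSTEM32\\datadx.dll
winsync 7/21/2005 10:51:06 AM 29184 C:\\WINNT\\SYSTEM32\\datadx.dll
Umonitor 1/12/2005 12:39:46 PM 531216 C:\\WINNT\\SYSTEM32\\RASDLG.DLL
Umonitor 6/21/2005 9:59:12 PM 417792 C:\\WINNT\\SYSTEM32\\guard.tmp
WinShutDown 6/21/2005 9:59:12 PM 417792 C:\\WINNT\\SYSTEM32\\guard.tmp
"""
HJT_SAMPLE = """\
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINNT\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [winsync] C:\\WINNT\\system32\\jorarq.exe reg_run
O20 - Winlogon Notify: Controls Folder - C:\\WINNT\\system32\\CVPBK32.DLL
"""

# WinPFind file line: <matched string> <date> <time AM/PM> <size> <path>
WINPFIND_RE = re.compile(
    r"^(?P<sig>\S+) (?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<size>\d+) (?P<path>.+)$"
)
# HJT O4 line: O4 - HKLM\..\Run: [<value name>] <command>
HJT_O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)


def parse_winpfind(text):
    """Return {path: {"size": int, "sigs": set of matched strings}}."""
    files = {}
    for line in text.splitlines():
        m = WINPFIND_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, registry dump
        entry = files.setdefault(m["path"], {"size": int(m["size"]), "sigs": set()})
        entry["sigs"].add(m["sig"])
    return files


def size_clusters(files, min_files=3):
    """Group flagged files by exact byte size. A cluster of min_files or more
    distinct paths that also share matched strings is the Look2Me pattern."""
    by_size = defaultdict(list)
    for path, info in files.items():
        by_size[info["size"]].append(path)
    clusters = {}
    for size, paths in by_size.items():
        if len(paths) >= min_files:
            common = set.intersection(*(files[p]["sigs"] for p in paths))
            clusters[size] = {"paths": sorted(paths), "common_strings": sorted(common)}
    return clusters


def parse_hjt_o4(text):
    """Return [(value_name, command)] for every HJT O4 Run entry."""
    out = []
    for line in text.splitlines():
        m = HJT_O4_RE.match(line.strip())
        if m:
            out.append((m["name"], m["cmd"]))
    return out


def link_autostarts(files, o4_entries):
    """Map an O4 value name to flagged files that embed that name as a string,
    tying the autostart entry to the dropped component."""
    links = {}
    for name, _cmd in o4_entries:
        hits = sorted(p for p, info in files.items() if name in info["sigs"])
        if hits:
            links[name] = hits
    return links


def triage(winpfind_text, hjt_text):
    files = parse_winpfind(winpfind_text)
    return {
        "clusters": size_clusters(files),
        "autostart_links": link_autostarts(files, parse_hjt_o4(hjt_text)),
    }


if __name__ == "__main__":
    report = triage(WINPFIND_SAMPLE, HJT_SAMPLE)
    for size, c in report["clusters"].items():
        print(f"{len(c['paths'])} files of {size} bytes share {c['common_strings']}:")
        for p in c["paths"]:
            print("   ", p)
    for name, paths in report["autostart_links"].items():
        print(f"O4 [{name}] appears as a string in: {paths}")
```

On the sample the only cluster is the 417792-byte set (AHLEDIT.DLL, cznquery.dll, guard.tmp), and the winsync autostart is linked to datadx.dll; RASDLG.DLL, a lone 531216-byte file, is not flagged.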

#5 kirrill (Topic Starter, 4 posts)

Thanks TampaBelle.

Followed your instructions. Here are the logs:

Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 4:34:21 PM, on 7/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\vidctrl\vidctrl.exe
C:\WINNT\system32\jorarq.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\trdb.exe
C:\Program Files\Command Software\Command AntiVirus\avgui.exe
U:\HijackThis\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by XXXXXX
O1 - Hosts: 168.162.75.105 STNPSQL1
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\jorarq.exe reg_run
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.XXXXX.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.XXXXX.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.XXXXX.corp
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avinitnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: schscnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\schscnt.exe

L2MFIX:

C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 848 'explorer.exe'
Killing PID 848 'explorer.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 980 'rundll32.exe'
Killing PID 1216 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\AHLEDIT.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\AHLEDIT.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\CVPBK32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\CVPBK32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\cznquery.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\cznquery.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\DECPROP.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\DECPROP.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\dFdref8.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dFdref8.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\DMSKMON.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\DMSKMON.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\dsgfgaj.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dsgfgaj.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ibetpp.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ibetpp.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\iClmdev5.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\iClmdev5.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\imfxeud.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\imfxeud.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\KNDSF.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\KNDSF.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\KSDUS.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\KSDUS.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MESLGN32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MESLGN32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MFSLGN32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MFSLGN32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MKIDLE.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MKIDLE.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MWASTMIB.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\MWASTMIB.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\ORPRT400.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\ORPRT400.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\sdvsvc.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sdvsvc.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\TGPI32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\TGPI32.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\wdw32.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wdw32.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wjpshell.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wjpshell.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wwerrenu.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wwerrenu.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\AHLEDIT.DLL
Successfully Deleted: C:\WINNT\system32\AHLEDIT.DLL
deleting: C:\WINNT\system32\AHLEDIT.DLL
Successfully Deleted: C:\WINNT\system32\AHLEDIT.DLL
deleting: C:\WINNT\system32\CVPBK32.DLL
Successfully Deleted: C:\WINNT\system32\CVPBK32.DLL
deleting: C:\WINNT\system32\CVPBK32.DLL
Successfully Deleted: C:\WINNT\system32\CVPBK32.DLL
deleting: C:\WINNT\system32\cznquery.dll
Successfully Deleted: C:\WINNT\system32\cznquery.dll
deleting: C:\WINNT\system32\cznquery.dll
Successfully Deleted: C:\WINNT\system32\cznquery.dll
deleting: C:\WINNT\system32\DECPROP.DLL
Successfully Deleted: C:\WINNT\system32\DECPROP.DLL
deleting: C:\WINNT\system32\DECPROP.DLL
Successfully Deleted: C:\WINNT\system32\DECPROP.DLL
deleting: C:\WINNT\system32\dFdref8.dll
Successfully Deleted: C:\WINNT\system32\dFdref8.dll
deleting: C:\WINNT\system32\dFdref8.dll
Successfully Deleted: C:\WINNT\system32\dFdref8.dll
deleting: C:\WINNT\system32\DMSKMON.DLL
Successfully Deleted: C:\WINNT\system32\DMSKMON.DLL
deleting: C:\WINNT\system32\DMSKMON.DLL
Successfully Deleted: C:\WINNT\system32\DMSKMON.DLL
deleting: C:\WINNT\system32\dsgfgaj.dll
Successfully Deleted: C:\WINNT\system32\dsgfgaj.dll
deleting: C:\WINNT\system32\dsgfgaj.dll
Successfully Deleted: C:\WINNT\system32\dsgfgaj.dll
deleting: C:\WINNT\system32\ibetpp.dll
Successfully Deleted: C:\WINNT\system32\ibetpp.dll
deleting: C:\WINNT\system32\ibetpp.dll
Successfully Deleted: C:\WINNT\system32\ibetpp.dll
deleting: C:\WINNT\system32\iClmdev5.dll
Successfully Deleted: C:\WINNT\system32\iClmdev5.dll
deleting: C:\WINNT\system32\iClmdev5.dll
Successfully Deleted: C:\WINNT\system32\iClmdev5.dll
deleting: C:\WINNT\system32\imfxeud.dll
Successfully Deleted: C:\WINNT\system32\imfxeud.dll
deleting: C:\WINNT\system32\imfxeud.dll
Successfully Deleted: C:\WINNT\system32\imfxeud.dll
deleting: C:\WINNT\system32\KNDSF.DLL
Successfully Deleted: C:\WINNT\system32\KNDSF.DLL
deleting: C:\WINNT\system32\KNDSF.DLL
Successfully Deleted: C:\WINNT\system32\KNDSF.DLL
deleting: C:\WINNT\system32\KSDUS.DLL
Successfully Deleted: C:\WINNT\system32\KSDUS.DLL
deleting: C:\WINNT\system32\KSDUS.DLL
Successfully Deleted: C:\WINNT\system32\KSDUS.DLL
deleting: C:\WINNT\system32\MESLGN32.DLL
Successfully Deleted: C:\WINNT\system32\MESLGN32.DLL
deleting: C:\WINNT\system32\MESLGN32.DLL
Successfully Deleted: C:\WINNT\system32\MESLGN32.DLL
deleting: C:\WINNT\system32\MFSLGN32.DLL
Successfully Deleted: C:\WINNT\system32\MFSLGN32.DLL
deleting: C:\WINNT\system32\MFSLGN32.DLL
Successfully Deleted: C:\WINNT\system32\MFSLGN32.DLL
deleting: C:\WINNT\system32\MKIDLE.DLL
Successfully Deleted: C:\WINNT\system32\MKIDLE.DLL
deleting: C:\WINNT\system32\MKIDLE.DLL
Successfully Deleted: C:\WINNT\system32\MKIDLE.DLL
deleting: C:\WINNT\system32\MWASTMIB.DLL
Successfully Deleted: C:\WINNT\system32\MWASTMIB.DLL
deleting: C:\WINNT\system32\MWASTMIB.DLL
Successfully Deleted: C:\WINNT\system32\MWASTMIB.DLL
deleting: C:\WINNT\system32\ORPRT400.DLL
Successfully Deleted: C:\WINNT\system32\ORPRT400.DLL
deleting: C:\WINNT\system32\ORPRT400.DLL
Successfully Deleted: C:\WINNT\system32\ORPRT400.DLL
deleting: C:\WINNT\system32\sdvsvc.dll
Successfully Deleted: C:\WINNT\system32\sdvsvc.dll
deleting: C:\WINNT\system32\sdvsvc.dll
Successfully Deleted: C:\WINNT\system32\sdvsvc.dll
deleting: C:\WINNT\system32\TGPI32.DLL
Successfully Deleted: C:\WINNT\system32\TGPI32.DLL
deleting: C:\WINNT\system32\TGPI32.DLL
Successfully Deleted: C:\WINNT\system32\TGPI32.DLL
deleting: C:\WINNT\system32\wdw32.dll
Successfully Deleted: C:\WINNT\system32\wdw32.dll
deleting: C:\WINNT\system32\wdw32.dll
Successfully Deleted: C:\WINNT\system32\wdw32.dll
deleting: C:\WINNT\system32\wjpshell.dll
Successfully Deleted: C:\WINNT\system32\wjpshell.dll
deleting: C:\WINNT\system32\wjpshell.dll
Successfully Deleted: C:\WINNT\system32\wjpshell.dll
deleting: C:\WINNT\system32\wwerrenu.dll
Successfully Deleted: C:\WINNT\system32\wwerrenu.dll
deleting: C:\WINNT\system32\wwerrenu.dll
Successfully Deleted: C:\WINNT\system32\wwerrenu.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: AHLEDIT.DLL (92 bytes security) (deflated 48%)
adding: CVPBK32.DLL (92 bytes security) (deflated 48%)
adding: cznquery.dll (92 bytes security) (deflated 48%)
adding: DECPROP.DLL (92 bytes security) (deflated 48%)
adding: dFdref8.dll (92 bytes security) (deflated 48%)
adding: DMSKMON.DLL (92 bytes security) (deflated 48%)
adding: dsgfgaj.dll (92 bytes security) (deflated 48%)
adding: ibetpp.dll (92 bytes security) (deflated 48%)
adding: iClmdev5.dll (92 bytes security) (deflated 48%)
adding: imfxeud.dll (92 bytes security) (deflated 48%)
adding: KNDSF.DLL (92 bytes security) (deflated 48%)
adding: KSDUS.DLL (92 bytes security) (deflated 48%)
adding: MESLGN32.DLL (92 bytes security) (deflated 48%)
adding: MFSLGN32.DLL (92 bytes security) (deflated 48%)
adding: MKIDLE.DLL (92 bytes security) (deflated 48%)
adding: MWASTMIB.DLL (92 bytes security) (deflated 48%)
adding: ORPRT400.DLL (92 bytes security) (deflated 48%)
adding: sdvsvc.dll (92 bytes security) (deflated 48%)
adding: TGPI32.DLL (92 bytes security) (deflated 48%)
adding: wdw32.dll (92 bytes security) (deflated 48%)
adding: wjpshell.dll (92 bytes security) (deflated 48%)
adding: wwerrenu.dll (92 bytes security) (deflated 48%)
adding: guard.tmp (92 bytes security) (deflated 48%)
adding: VDM16.tmp (92 bytes security) (stored 0%)
adding: VDM17.tmp (92 bytes security) (stored 0%)
adding: VDM7.tmp (92 bytes security) (stored 0%)
adding: VDM71.tmp (92 bytes security) (stored 0%)
adding: VDM72.tmp (92 bytes security) (stored 0%)
adding: VDM8.tmp (92 bytes security) (stored 0%)
adding: VDMB.tmp (92 bytes security) (stored 0%)
adding: VDMC.tmp (92 bytes security) (stored 0%)
adding: clear.reg (92 bytes security) (deflated 52%)
adding: DESKTOP.INI (92 bytes security) (stored 0%)
adding: lo2.txt (92 bytes security) (deflated 90%)
adding: test.txt (92 bytes security) (deflated 88%)
adding: test2.txt (92 bytes security) (deflated 33%)
adding: test3.txt (92 bytes security) (deflated 33%)
adding: test5.txt (92 bytes security) (deflated 33%)
adding: xfind.txt (92 bytes security) (deflated 84%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: AHLEDIT.DLL
deleting local copy: AHLEDIT.DLL
deleting local copy: CVPBK32.DLL
deleting local copy: CVPBK32.DLL
deleting local copy: cznquery.dll
deleting local copy: cznquery.dll
deleting local copy: DECPROP.DLL
deleting local copy: DECPROP.DLL
deleting local copy: dFdref8.dll
deleting local copy: dFdref8.dll
deleting local copy: DMSKMON.DLL
deleting local copy: DMSKMON.DLL
deleting local copy: dsgfgaj.dll
deleting local copy: dsgfgaj.dll
deleting local copy: ibetpp.dll
deleting local copy: ibetpp.dll
deleting local copy: iClmdev5.dll
deleting local copy: iClmdev5.dll
deleting local copy: imfxeud.dll
deleting local copy: imfxeud.dll
deleting local copy: KNDSF.DLL
deleting local copy: KNDSF.DLL
deleting local copy: KSDUS.DLL
deleting local copy: KSDUS.DLL
deleting local copy: MESLGN32.DLL
deleting local copy: MESLGN32.DLL
deleting local copy: MFSLGN32.DLL
deleting local copy: MFSLGN32.DLL
deleting local copy: MKIDLE.DLL
deleting local copy: MKIDLE.DLL
deleting local copy: MWASTMIB.DLL
deleting local copy: MWASTMIB.DLL
deleting local copy: ORPRT400.DLL
deleting local copy: ORPRT400.DLL
deleting local copy: sdvsvc.dll
deleting local copy: sdvsvc.dll
deleting local copy: TGPI32.DLL
deleting local copy: TGPI32.DLL
deleting local copy: wdw32.dll
deleting local copy: wdw32.dll
deleting local copy: wjpshell.dll
deleting local copy: wjpshell.dll
deleting local copy: wwerrenu.dll
deleting local copy: wwerrenu.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINNT\system32\AHLEDIT.DLL
C:\WINNT\system32\AHLEDIT.DLL
C:\WINNT\system32\CVPBK32.DLL
C:\WINNT\system32\CVPBK32.DLL
C:\WINNT\system32\cznquery.dll
C:\WINNT\system32\cznquery.dll
C:\WINNT\system32\DECPROP.DLL
C:\WINNT\system32\DECPROP.DLL
C:\WINNT\system32\dFdref8.dll
C:\WINNT\system32\dFdref8.dll
C:\WINNT\system32\DMSKMON.DLL
C:\WINNT\system32\DMSKMON.DLL
C:\WINNT\system32\dsgfgaj.dll
C:\WINNT\system32\dsgfgaj.dll
C:\WINNT\system32\ibetpp.dll
C:\WINNT\system32\ibetpp.dll
C:\WINNT\system32\iClmdev5.dll
C:\WINNT\system32\iClmdev5.dll
C:\WINNT\system32\imfxeud.dll
C:\WINNT\system32\imfxeud.dll
C:\WINNT\system32\KNDSF.DLL
C:\WINNT\system32\KNDSF.DLL
C:\WINNT\system32\KSDUS.DLL
C:\WINNT\system32\KSDUS.DLL
C:\WINNT\system32\MESLGN32.DLL
C:\WINNT\system32\MESLGN32.DLL
C:\WINNT\system32\MFSLGN32.DLL
C:\WINNT\system32\MFSLGN32.DLL
C:\WINNT\system32\MKIDLE.DLL
C:\WINNT\system32\MKIDLE.DLL
C:\WINNT\system32\MWASTMIB.DLL
C:\WINNT\system32\MWASTMIB.DLL
C:\WINNT\system32\ORPRT400.DLL
C:\WINNT\system32\ORPRT400.DLL
C:\WINNT\system32\sdvsvc.dll
C:\WINNT\system32\sdvsvc.dll
C:\WINNT\system32\TGPI32.DLL
C:\WINNT\system32\TGPI32.DLL
C:\WINNT\system32\wdw32.dll
C:\WINNT\system32\wdw32.dll
C:\WINNT\system32\wjpshell.dll
C:\WINNT\system32\wjpshell.dll
C:\WINNT\system32\wwerrenu.dll
C:\WINNT\system32\wwerrenu.dll
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{047E7253-3845-4D80-9933-B5CA9DEFA29A}"=-
"{4EBFED8A-24A6-4F4A-BF9A-B4AC1B03E6C6}"=-
"{E258D564-6539-41C6-AA0C-85694F5E1EA8}"=-
"{7686FCC2-EAF9-483A-9D4A-BB84A035DE01}"=-
[-HKEY_CLASSES_ROOT\CLSID\{047E7253-3845-4D80-9933-B5CA9DEFA29A}]
[-HKEY_CLASSES_ROOT\CLSID\{4EBFED8A-24A6-4F4A-BF9A-B4AC1B03E6C6}]
[-HKEY_CLASSES_ROOT\CLSID\{E258D564-6539-41C6-AA0C-85694F5E1EA8}]
[-HKEY_CLASSES_ROOT\CLSID\{7686FCC2-EAF9-483A-9D4A-BB84A035DE01}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************


Edited by kirrill, 21 July 2005 - 03:42 PM.


#6
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Double-click l2mfix.bat and select option #1, Run Find Log, by typing 1 and then pressing Enter. This will scan your computer; it may appear that nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#7
kirrill

kirrill

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Dear Tampabelle,

Wanted to thank you for your help thus far. We have decided to rebuild this machine for reasons other than possible infections / malware. Your help in troubleshooting this computer is still very VERY much appreciated.

Best,

Kirk.

#8
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Thanks for letting me know, Kirk.

#9
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.