Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

computer hijacked


  • This topic is locked This topic is locked

#1
ralph b

ralph b

    Member

  • Member
  • PipPip
  • 19 posts
Hello All...

I could really use some help removing some adware. Any suggestions would be really appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 8:58:12 PM, on 8/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\8a34geem\8a34geem.exe
C:\WINNT\System32\njywxkb.exe
C:\WINNT\msresearch.exe
C:\WINNT\System32\Dazaya.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\T3duZXIA\command.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\wshnetbs.exe
C:\WINNT\System32\installer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\8a34geem\14119133.exe
C:\Program Files\8a34geem\8a34geem1\8a34geem1.exe
C:\Program Files\8a34geem\8a34geem.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: (no name) - {00000000-0000-438C-BD70-D4B38C3E3EDD} - C:\Program Files\8a34geem\8a34geem.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: SDWin32 Class - {3F52A3E6-9820-4CB1-8699-17B2DA296C8E} - C:\WINNT\System32\wkppb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: sextension - {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} - C:\WINNT\Downloaded Program Files\sextension.dll (file missing)
O4 - HKLM\..\Run: [8a34geem] C:\Program Files\8a34geem\8a34geem.exe
O4 - HKLM\..\Run: [msresearch] C:\WINNT\msresearch.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Dazaya.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\System32\wintask.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [iexplore] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\System32\exp.exe
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINNT\system32\cxtpls_loader.EXE" /HideUninstall /HideDir /PC= CP.AOP /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [3s5P32R] sccec6.exe
O4 - HKLM\..\Run: [ejrzbh] C:\WINNT\System32\njywxkb.exe r
O4 - HKCU\..\Run: [wshnetbs] C:\WINNT\System32\wshnetbs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IBuFRSdtS] safertrm.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: StillImage - C:\WINNT\system32\duskperf.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\T3duZXIA\command.exe
O23 - Service: Installer Service (Installer) - Unknown owner - C:\WINNT\System32\installer.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe



Adobe Acrobat 5.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20020929.1)
AOL Instant Messenger
CC_ccStart
ccCommon
Comet Toolbar
Command
Do More 7.0
DVD
Easy CD Creator 5 Basic
Gateway Rhapsody
Golden Palace Casino NEW
GTW V.92 Voicemodem
HijackThis 1.99.1
Intel® Extreme Graphics Driver
Intel® PRO Ethernet Adapter and Software
InterActual Player
Internet Explorer Q822925
iPod for Windows 2005-06-26
iTunes
J2SE Runtime Environment 5.0 Update 3
LimeWire 4.9.11
LiveUpdate 2.6 (Symantec Corporation)
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft AntiSpyware
Microsoft Learning and Research Plus Support Files
Microsoft Office XP Standard for Students and Teachers
Microsoft Picture It! Express 7.0
Microsoft Works 7.0
MSN Internet Software
MSN Messenger 5.0
MUSICMATCH® Jukebox
Netscape (7.1)
Norton AntiVirus Parent MSI
OIN
Outlook Express Update Q330994
PC-Doctor for Windows
pressplay
Quicken 2003 New User Edition
QuickTime
RealPlayer Basic
Select CashBack
sextension
Shockwave
SymNet
Synaptics TouchPad
TContext
The ABI Network- A Division of Direct Revenue
Update for Windows XP (KB898461)
Viewpoint Media Player (Remove Only)
WebSearch Tools
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
WinPhlash
Yahoo! Anti-Spy
Yahoo! Toolbar


Thanks...
Ralph
  • 0

Advertisements


#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi ralph b and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.

a. Click on My Controls at the top right hand corner of the window.
b. In the left hand column, click "View Topics"
c. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Close ALL windows except HJT

B. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')

C. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren

  • 0

#3
ralph b

ralph b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Thank you for the quick reply, I really appreciate your assistance.

Logfile of HijackThis v1.99.1
Scan saved at 8:59:10 AM, on 8/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\T3duZXIA\command.exe
C:\WINNT\System32\installer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...d=11789944&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...d=11789944&id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...d=11789944&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...d=11789944&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.sho...d=16154559&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\mhidle.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\T3duZXIA\command.exe
O23 - Service: Installer Service (Installer) - Unknown owner - C:\WINNT\System32\installer.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0

#4
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
You have the latest version of VX2.
  • Download L2mfix from one of these two locations:

    http://www.atribune....oads/l2mfix.exe
    http://www.downloads....org/l2mfix.exe

  • Save the file to your desktop and double click l2mfix.exe.
  • Click the Install button to extract the files and follow the prompts, then OPEN the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #"1" for Run Find Log by typing 1 and then pressing Enter.
  • This will scan your computer and it may appear as if nothing is happening, then, after a minute or 2, Notepad will open with a log.
  • Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


Regards,

Trevuren

  • 0

#5
ralph b

ralph b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
10:43 AM 8/12/2005L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\mhidle.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DE8B549E-4412-23FD-1C32-264B0B36F9AE}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{A7103921-4682-4E40-BFA8-834223AE8582}"=""
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A7103921-4682-4E40-BFA8-834223AE8582}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7103921-4682-4E40-BFA8-834223AE8582}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7103921-4682-4E40-BFA8-834223AE8582}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A7103921-4682-4E40-BFA8-834223AE8582}\InprocServer32]
@="C:\\WINNT\\system32\\mhidle.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
atl71.dll Wed Aug 10 2005 11:52:56p A.... 89,088 87.00 K
atmtd.dll Thu Aug 11 2005 3:34:32a A.... 687,592 671.48 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
cyycs.dll Thu Aug 11 2005 11:17:12p A.... 98,816 96.50 K
duskperf.dll Wed Aug 10 2005 11:40:22p ..S.R 417,792 408.00 K
ejnda.dll Thu Aug 11 2005 9:09:00a A.... 0 0.00 K
gccoll~1.dll Tue Jul 12 2005 3:35:14p A.... 126,680 123.71 K
gcunco~1.dll Tue Jul 12 2005 3:35:10p A.... 95,448 93.21 K
gwfspi~1.dll Wed Aug 3 2005 10:33:38a A.... 23,304 22.76 K
hashlib.dll Tue Jul 12 2005 3:35:14p A.... 117,976 115.21 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
iuwrk.dll Fri Aug 12 2005 7:34:56a A.... 0 0.00 K
legitc~1.dll Wed Aug 3 2005 10:33:42a A.... 520,456 508.26 K
mhidle.dll Fri Aug 12 2005 8:46:58a ..S.R 417,792 408.00 K
mscsubs.dll Thu Aug 11 2005 6:05:08p ..S.R 417,792 408.00 K
msrev01.dll Fri Aug 5 2005 1:25:20p A.... 50 0.05 K
msrev41.dll Fri Aug 5 2005 1:21:04p A.... 92 0.09 K
owjsel.dll Fri Aug 12 2005 7:23:44a ..S.R 417,792 408.00 K
spnceng.dll Fri Aug 12 2005 8:49:06a ..S.R 417,792 408.00 K
uwiplat.dll Fri Aug 12 2005 7:44:54a ..S.R 417,792 408.00 K
wirelanb.dll Fri Aug 12 2005 7:34:28a A.... 417,792 408.00 K
wkppb.dll Thu Aug 11 2005 4:40:12a A.... 98,816 96.50 K
wnvdmoe.dll Thu Aug 11 2005 6:27:54p ..S.R 417,792 408.00 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K

30 items found: 30 files (7 H/S), 0 directories.
Total of file sizes: 7,838,126 bytes 7.47 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
guard.tmp Thu Aug 11 2005 9:03:42a ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is BC78-57B4

Directory of C:\WINNT\System32

08/12/2005 08:49 AM 417,792 spnceng.dll
08/12/2005 08:46 AM 417,792 mhidle.dll
08/12/2005 07:44 AM 417,792 uwiplat.dll
08/12/2005 07:23 AM 417,792 owjsel.dll
08/11/2005 11:10 PM <DIR> dllcache
08/11/2005 06:27 PM 417,792 wnvdmoe.dll
08/11/2005 06:05 PM 417,792 mscsubs.dll
08/11/2005 09:03 AM 417,792 guard.tmp
08/10/2005 11:40 PM 417,792 duskperf.dll
05/07/2004 12:27 PM 316,776 6so4svc.dll
05/07/2004 12:27 PM 316,776 6vo4svc.cpy.dll
05/07/2004 12:27 PM 316,776 6do4svc.dll
05/07/2004 12:27 PM 316,776 6so4svc.cpy.dll
05/07/2004 12:27 PM 316,776 6co4svc.dll
05/07/2004 12:27 PM 316,776 6no4svc.cpy.dll
05/07/2004 12:27 PM 316,776 6ro4svc.dll
05/07/2004 12:27 PM 316,776 2qdsrch.dll
05/07/2004 12:27 PM 316,776 2adsrch.dll
05/07/2004 12:27 PM 316,776 atvapi32.dll
05/07/2004 12:27 PM 316,776 2ddsrch.dll
05/07/2004 12:27 PM 316,776 2cdsrch.dll
05/07/2004 12:27 PM 316,776 anptif.dll
05/13/2003 09:28 AM <DIR> Microsoft
09/30/1999 07:21 PM 166,672 mstext35.dll
09/28/1999 09:42 PM 1,050,896 msjet35.dll
09/09/1999 10:06 PM 252,688 msexcl35.dll
09/09/1999 10:06 PM 168,720 msltus35.dll
08/25/1999 02:57 PM 415,504 msrepl35.dll
06/10/1999 09:34 AM 24,848 msjter35.dll
06/10/1999 09:34 AM 123,664 msjint35.dll
06/07/1999 06:59 PM 250,128 mspdox35.dll
04/25/1999 05:00 PM 368,912 Vbar332.dll
04/25/1999 05:00 PM 287,504 Msxbse35.dll
04/25/1999 05:00 PM 252,176 Msrd2x35.dll
32 File(s) 10,822,136 bytes
2 Dir(s) 32,030,691,328 bytes free
  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Close any programs you have open since this step requires a reboot.
  • From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing "2" and then pressing ENTER.
  • Then press any key to reboot your computer.
  • After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer.
  • When it's finished, Notepad will open with a log.
  • Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Regards,

Trevuren

  • 0

#7
ralph b

ralph b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Logfile of HijackThis v1.99.1
Scan saved at 11:04:54 AM, on 8/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\T3duZXIA\command.exe
C:\WINNT\System32\installer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...d=11789944&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...d=11789944&id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...d=11789944&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...d=11789944&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.sho...d=16154559&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\T3duZXIA\command.exe
O23 - Service: Installer Service (Installer) - Unknown owner - C:\WINNT\System32\installer.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

L2Mfix 1.03a

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Owner\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1528 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1964 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\duskperf.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\duskperf.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lqk.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lqk.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mhidle.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mhidle.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mscsubs.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mscsubs.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\owjsel.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\owjsel.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\uwiplat.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\uwiplat.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wnvdmoe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\wnvdmoe.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\duskperf.dll
Successfully Deleted: C:\WINNT\system32\duskperf.dll
deleting: C:\WINNT\system32\duskperf.dll
Successfully Deleted: C:\WINNT\system32\duskperf.dll
deleting: C:\WINNT\system32\lqk.dll
Successfully Deleted: C:\WINNT\system32\lqk.dll
deleting: C:\WINNT\system32\lqk.dll
Successfully Deleted: C:\WINNT\system32\lqk.dll
deleting: C:\WINNT\system32\mhidle.dll
Successfully Deleted: C:\WINNT\system32\mhidle.dll
deleting: C:\WINNT\system32\mhidle.dll
Successfully Deleted: C:\WINNT\system32\mhidle.dll
deleting: C:\WINNT\system32\mscsubs.dll
Successfully Deleted: C:\WINNT\system32\mscsubs.dll
deleting: C:\WINNT\system32\mscsubs.dll
Successfully Deleted: C:\WINNT\system32\mscsubs.dll
deleting: C:\WINNT\system32\owjsel.dll
Successfully Deleted: C:\WINNT\system32\owjsel.dll
deleting: C:\WINNT\system32\owjsel.dll
Successfully Deleted: C:\WINNT\system32\owjsel.dll
deleting: C:\WINNT\system32\uwiplat.dll
Successfully Deleted: C:\WINNT\system32\uwiplat.dll
deleting: C:\WINNT\system32\uwiplat.dll
Successfully Deleted: C:\WINNT\system32\uwiplat.dll
deleting: C:\WINNT\system32\wnvdmoe.dll
Successfully Deleted: C:\WINNT\system32\wnvdmoe.dll
deleting: C:\WINNT\system32\wnvdmoe.dll
Successfully Deleted: C:\WINNT\system32\wnvdmoe.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp


Zipping up files for submission:
adding: duskperf.dll (164 bytes security) (deflated 48%)
adding: lqk.dll (164 bytes security) (deflated 48%)
adding: mhidle.dll (164 bytes security) (deflated 48%)
adding: mscsubs.dll (164 bytes security) (deflated 48%)
adding: owjsel.dll (164 bytes security) (deflated 48%)
adding: uwiplat.dll (164 bytes security) (deflated 48%)
adding: wnvdmoe.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 22%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 83%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 75%)
adding: test.txt (164 bytes security) (deflated 84%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 80%)
adding: backregs/A7103921-4682-4E40-BFA8-834223AE8582.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 50%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: duskperf.dll
deleting local copy: duskperf.dll
deleting local copy: lqk.dll
deleting local copy: lqk.dll
deleting local copy: mhidle.dll
deleting local copy: mhidle.dll
deleting local copy: mscsubs.dll
deleting local copy: mscsubs.dll
deleting local copy: owjsel.dll
deleting local copy: owjsel.dll
deleting local copy: uwiplat.dll
deleting local copy: uwiplat.dll
deleting local copy: wnvdmoe.dll
deleting local copy: wnvdmoe.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINNT\system32\duskperf.dll
C:\WINNT\system32\duskperf.dll
C:\WINNT\system32\lqk.dll
C:\WINNT\system32\lqk.dll
C:\WINNT\system32\mhidle.dll
C:\WINNT\system32\mhidle.dll
C:\WINNT\system32\mscsubs.dll
C:\WINNT\system32\mscsubs.dll
C:\WINNT\system32\owjsel.dll
C:\WINNT\system32\owjsel.dll
C:\WINNT\system32\uwiplat.dll
C:\WINNT\system32\uwiplat.dll
C:\WINNT\system32\wnvdmoe.dll
C:\WINNT\system32\wnvdmoe.dll
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A7103921-4682-4E40-BFA8-834223AE8582}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A7103921-4682-4E40-BFA8-834223AE8582}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
PLEASE DO THE FOLLOWING:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1. Download ewido security suite (it is a free version of the program).
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
  • Exit ewido.
  • DO NOT RUN IT YET.
NOTE:If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


2. Download CleanUp
  • Install the program
  • DO NOT RUN IT YET
3. Download this file: Nailfix Utility
  • Save it to your desktop.
  • DO NOT RUN IT YET
4. Download dsrfix.zip
  • Save it to your desktop.
  • Unzip dsrfix.zip and extract it to your desktop.
  • This will create a new folder on your desktop named dsrfix.
  • DO NOT USE IT YET.
5. REBOOT into SafeMode.


How to use the F8 method to Start Your Computer in Safe Mode*Restart the computer.
*as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*press Enter.
6. Once in Safe Mode, please double-click on nailfix.exe.
  • Click "Next" in the setup
  • Make sure "Run Nailfix" is checked
  • Click "Finish"
  • Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
7. Open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
8. Now scan with HJT and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...d=11789944&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...d=11789944&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...d=11789944&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...d=11789944&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.sho...d=16154559&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\T3duZXIA\command.exe
O23 - Service: Installer Service (Installer) - Unknown owner - C:\WINNT\System32\installer.exe





Close all open windows except for HJT, then click the Fix Checked button and EXIT HJT.

9. Open the folder dsrfix on your desktop.
  • Double-Click on dsrfix.bat
  • A window will pop up briefly then close, this is normal.
10. Enable show hidden files and folders:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK
11. Now using Windows Explorer (Windows key + E) locate and DELETE the following files and folders (with all their content), if they are still present.


C:\WINNT\T3duZXIA<===Folder
C:\WINNT\System32\installer.exe
C:\WINNT\web\related.htm


12. Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
13. REBOOT your computer back into Normal Mode

14. Run HJT, SCAN and post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply

Regards,

Trevuren

  • 0

#9
ralph b

ralph b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I'm having a problem adding the ewido report to my reply, I'll get a program not-responding if I try to post it. Any suggestions?

Logfile of HijackThis v1.99.1
Scan saved at 1:53:07 PM, on 8/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINNT\System32\Tvxefk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\msresearch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\installer.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\wshnetbs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {00000000-0000-41B4-8342-B49A3B1D3F04} - C:\Program Files\8a34geem\8a34geem.dll (file missing)
O4 - HKLM\..\Run: [ttupt] C:\WINNT\ttupt.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Tvxefk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msresearch] C:\WINNT\msresearch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [iexplore] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [8a34geem] C:\Program Files\8a34geem\8a34geem.exe
O4 - HKCU\..\Run: [wshnetbs] C:\WINNT\System32\wshnetbs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\T3duZXIA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Installer Service (Installer) - Unknown owner - C:\WINNT\System32\installer.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0

#10
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>Installer Service
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste Installer in the space provided and click OK

4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINNT\System32\installer.exe

7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

Advertisements


#11
ralph b

ralph b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Logfile of HijackThis v1.99.1
Scan saved at 8:16:32 PM, on 8/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Outvirus\finio404.exe
C:\WINNT\System32\kerlegih.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINNT\System32\Tvxefk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\msresearch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wshnetbs.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINNT\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {00000000-0000-41B4-8342-B49A3B1D3F04} - C:\Program Files\8a34geem\8a34geem.dll (file missing)
O4 - HKLM\..\Run: [ttupt] C:\WINNT\ttupt.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Tvxefk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msresearch] C:\WINNT\msresearch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [iexplore] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [8a34geem] C:\Program Files\8a34geem\8a34geem.exe
O4 - HKCU\..\Run: [wshnetbs] C:\WINNT\System32\wshnetbs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\T3duZXIA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0

#12
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>Command Service
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste cmdService in the space provided and click OK

4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINNT\T3duZXIA<===Folder

7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

#13
ralph b

ralph b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
OK, I did the following but ran into trouble

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find the service.
===>Command Service

Click once on the service to highlight it.

Click Stop - There was no stop option, only "start the service".
  • 0

#14
ralph b

ralph b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I continued and completed from step A-6

Logfile of HijackThis v1.99.1
Scan saved at 10:30:57 PM, on 8/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Outvirus\finio404.exe
C:\WINNT\System32\kerlegih.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINNT\System32\Tvxefk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\msresearch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\wshnetbs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINNT\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {00000000-0000-41B4-8342-B49A3B1D3F04} - C:\Program Files\8a34geem\8a34geem.dll (file missing)
O4 - HKLM\..\Run: [ttupt] C:\WINNT\ttupt.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Tvxefk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msresearch] C:\WINNT\msresearch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [iexplore] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [8a34geem] C:\Program Files\8a34geem\8a34geem.exe
O4 - HKCU\..\Run: [wshnetbs] C:\WINNT\System32\wshnetbs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0

#15
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===> .NET Framework Service
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste .NET Connection Service in the space provided and click OK

4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINNT\svchost.exe

7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP