WinFix Won't Die [RESOLVED]


This topic is locked

#1 purplefern (New Member, 4 posts)
I have been working on this for days and I cannot get rid of it. Please help. The latest log below is after running Ewido and cleanup for the 10th time. Spybot and Ad-Aware were also run very recently. Neither of them found anything.
Help please, I am out of things to try.
Logfile of HijackThis v1.99.1
Scan saved at 9:19:53 PM, on 8/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\TapeWare\TWWINSDR.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\unzipped\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O20 - Winlogon Notify: RunOnceEx - C:\WINNT\system32\guard.tmp
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TapeWare - Unknown owner - C:\Program Files\TapeWare\TWWINSDR.EXE

#2 therock247uk (Expert, MVP, 14,671 posts)
You have the latest version of VX2. Download L2mfix from

http://www.atribune....oads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
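The diagnosis above rests on one line of the first log: the O20 entry. A Winlogon Notify package is a DLL that winlogon.exe loads at logon, so it runs with SYSTEM privileges before any user-level scanner starts, which is why repeated Ewido and Spybot runs never cleared it. The tells in that line are a package name that mimics a legitimate Windows key (RunOnceEx) and a DllName that is not a .dll at all (guard.tmp). The script below is an added example written for this thread, not code from HijackThis or L2Mfix: it pulls the O20 lines out of a HijackThis log, scores each against those tells plus a random-looking-name heuristic, and diffs a before/after pair of logs to confirm an entry is really gone. The list of stock Notify packages and the sample log lines other than the guard.tmp one are assumptions constructed for the example.

```python
"""
Triage the O20 (Winlogon Notify) lines of a HijackThis log.

Added example for this thread; it is not code from HijackThis, L2Mfix or
the forum. The allow-list of stock Notify packages is an assumption from
Windows 2000/XP installs, not something the thread states.
"""
import re
from dataclasses import dataclass, field

# Constructed log excerpt: the guard.tmp O20 line is the one from the thread;
# the NavLogon and p8n80i5ue8 O20 lines are made up to exercise the checks.
SAMPLE_BEFORE = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O20 - Winlogon Notify: RunOnceEx - C:\WINNT\system32\guard.tmp
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: p8n80i5ue8 - C:\WINNT\system32\p8n80i5ue8.dll
O23 - Service: TapeWare - Unknown owner - C:\Program Files\TapeWare\TWWINSDR.EXE
"""

# Constructed "after cleanup" excerpt with no O20 lines, like the thread's final log.
SAMPLE_AFTER = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O23 - Service: TapeWare - Unknown owner - C:\Program Files\TapeWare\TWWINSDR.EXE
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

# Assumption: Notify packages found on a stock Windows 2000/XP install.
STOCK_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop",
    "schedule", "senslogn", "termsrv", "wlballoon",
}


@dataclass
class Finding:
    name: str            # Notify subkey name as HijackThis prints it
    path: str            # DllName value, i.e. what winlogon.exe will load
    reasons: list = field(default_factory=list)


def parse_o20(log_text: str) -> list:
    """Return (package name, DLL path) for every O20 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append((m.group("name").strip(), m.group("path").strip()))
    return entries


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated names such as the DLLs L2Mfix removed."""
    return (len(stem) >= 8
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def assess(name: str, path: str) -> Finding:
    """Apply the three checks a reviewer makes on an O20 line."""
    finding = Finding(name, path)
    base = path.rsplit("\\", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot:                      # no extension at all
        stem, ext = base, ""
    if ext.lower() != "dll":
        finding.reasons.append(f"loads '{base}', which is not a .dll")
    if looks_random(stem):
        finding.reasons.append(f"file name '{base}' looks machine-generated")
    if name.lower() not in STOCK_NOTIFY:
        finding.reasons.append(f"'{name}' is not a stock Notify package")
    return finding


def audit(log_text: str) -> list:
    """O20 entries that trip at least one check, most suspicious first."""
    findings = [assess(n, p) for n, p in parse_o20(log_text)]
    return sorted((f for f in findings if f.reasons),
                  key=lambda f: -len(f.reasons))


def removed_o20(before: str, after: str) -> list:
    """O20 entries present in the first log but gone from the second."""
    remaining = set(parse_o20(after))
    return [e for e in parse_o20(before) if e not in remaining]


if __name__ == "__main__":
    for f in audit(SAMPLE_BEFORE):
        print(f"{f.name} -> {f.path}")
        for r in f.reasons:
            print("    ", r)
    print("removed after cleanup:", removed_o20(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Any non-stock package is reported so it can be reviewed by hand (a real third-party logon DLL such as an antivirus one will show up with a single reason); an entry that also fails the extension or naming check is the one to treat as the infection.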

#3 purplefern (Topic Starter, New Member, 4 posts)
Thanks for your help. I did what you instructed and here is the log:

L2Mfix 1.03a

Running From:
C:\DOCUME~1\Dave\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Dave\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Dave\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 648 'explorer.exe'
Killing PID 648 'explorer.exe'
Error 0x5 : Access is denied.

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1172 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\cxodm.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\dwmsadsn.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\hrp6057se.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\hxpasnm0.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\l6n4lg5q16.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mawebdvd.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\p8n80i5ue8.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rKstls.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\rum.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\UQERENV.DLL
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\cxodm.dll
Successfully Deleted: C:\WINNT\system32\cxodm.dll
deleting: C:\WINNT\system32\dwmsadsn.dll
Successfully Deleted: C:\WINNT\system32\dwmsadsn.dll
deleting: C:\WINNT\system32\hrp6057se.dll
Successfully Deleted: C:\WINNT\system32\hrp6057se.dll
deleting: C:\WINNT\system32\hxpasnm0.dll
Successfully Deleted: C:\WINNT\system32\hxpasnm0.dll
deleting: C:\WINNT\system32\l6n4lg5q16.dll
Successfully Deleted: C:\WINNT\system32\l6n4lg5q16.dll
deleting: C:\WINNT\system32\mawebdvd.dll
Successfully Deleted: C:\WINNT\system32\mawebdvd.dll
deleting: C:\WINNT\system32\p8n80i5ue8.dll
Successfully Deleted: C:\WINNT\system32\p8n80i5ue8.dll
deleting: C:\WINNT\system32\rKstls.dll
Successfully Deleted: C:\WINNT\system32\rKstls.dll
deleting: C:\WINNT\system32\rum.dll
Successfully Deleted: C:\WINNT\system32\rum.dll
deleting: C:\WINNT\system32\UQERENV.DLL
Successfully Deleted: C:\WINNT\system32\UQERENV.DLL
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp


Zipping up files for submission:
adding: cxodm.dll (152 bytes security) (deflated 5%)
adding: dwmsadsn.dll (152 bytes security) (deflated 5%)
adding: hrp6057se.dll (152 bytes security) (deflated 5%)
adding: hxpasnm0.dll (152 bytes security) (deflated 5%)
adding: l6n4lg5q16.dll (152 bytes security) (deflated 5%)
adding: mawebdvd.dll (152 bytes security) (deflated 5%)
adding: p8n80i5ue8.dll (152 bytes security) (deflated 5%)
adding: rKstls.dll (152 bytes security) (deflated 4%)
adding: rum.dll (152 bytes security) (deflated 4%)
adding: UQERENV.DLL (152 bytes security) (deflated 5%)
adding: guard.tmp (152 bytes security) (deflated 4%)
adding: clear.reg (152 bytes security) (deflated 36%)
adding: echo.reg (152 bytes security) (deflated 8%)
adding: direct.txt (152 bytes security) (stored 0%)
adding: lo2.txt (152 bytes security) (deflated 79%)
adding: readme.txt (152 bytes security) (deflated 49%)
adding: report.txt (152 bytes security) (deflated 64%)
adding: test.txt (152 bytes security) (deflated 70%)
adding: test2.txt (152 bytes security) (deflated 17%)
adding: test3.txt (152 bytes security) (deflated 17%)
adding: test5.txt (152 bytes security) (deflated 17%)
adding: xfind.txt (152 bytes security) (deflated 62%)
adding: backregs/74068F89-3A03-42BB-9420-7B49DF5B2CB2.reg (152 bytes security) (deflated 70%)
adding: backregs/E99D0545-C698-4EB3-B580-15AB8E93DB20.reg (152 bytes security) (deflated 70%)
adding: backregs/shell.reg (152 bytes security) (deflated 75%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: cxodm.dll
deleting local copy: dwmsadsn.dll
deleting local copy: hrp6057se.dll
deleting local copy: hxpasnm0.dll
deleting local copy: l6n4lg5q16.dll
deleting local copy: mawebdvd.dll
deleting local copy: p8n80i5ue8.dll
deleting local copy: rKstls.dll
deleting local copy: rum.dll
deleting local copy: UQERENV.DLL
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINNT\system32\cxodm.dll
C:\WINNT\system32\dwmsadsn.dll
C:\WINNT\system32\hrp6057se.dll
C:\WINNT\system32\hxpasnm0.dll
C:\WINNT\system32\l6n4lg5q16.dll
C:\WINNT\system32\mawebdvd.dll
C:\WINNT\system32\p8n80i5ue8.dll
C:\WINNT\system32\rKstls.dll
C:\WINNT\system32\rum.dll
C:\WINNT\system32\UQERENV.DLL
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg
folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{E99D0545-C698-4EB3-B580-15AB8E93DB20}"=-
"{74068F89-3A03-42BB-9420-7B49DF5B2CB2}"=-
[-HKEY_CLASSES_ROOT\CLSID\{E99D0545-C698-4EB3-B580-15AB8E93DB20}]
[-HKEY_CLASSES_ROOT\CLSID\{74068F89-3A03-42BB-9420-7B49DF5B2CB2}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Thank you again for your help.

#4 therock247uk (Expert, MVP, 14,671 posts)
Looks like you ran option 2 when I asked you to run option 1. Post a new Hijackthis log here in a reply.

#5 purplefern (Topic Starter, New Member, 4 posts)
I could have sworn that I ran option 1, but here is a new log. I hope I didn't do anything to cause more problems.

Logfile of HijackThis v1.99.1
Scan saved at 3:01:53 PM, on 8/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\TapeWare\TWWINSDR.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINNT\explorer.exe
C:\unzipped\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TapeWare - Unknown owner - C:\Program Files\TapeWare\TWWINSDR.EXE

#6 therock247uk (Expert, MVP, 14,671 posts)
Your log is clean.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Credit to PGPhantom for canned speech.
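The HOSTS file tip above works because the resolver consults that file before DNS, so mapping an ad or tracker domain to 127.0.0.1 (or 0.0.0.0) sink-holes it. The same mechanism cuts the other way: a hosts file is a favourite target for malware, which uses it to sink-hole antivirus and Windows Update hosts or to redirect a legitimate site to an address it controls. The script below is an added example written for this thread, not code from the MVPS project or the forum; it parses a hosts file, collects the sink-holed names, and flags duplicates, entries that point at a remote address, unparseable lines, and entries that block hosts a blocklist should never touch. The sample file and the protected-host list are constructed for the example.

```python
"""
Sanity-check a blocklist-style HOSTS file before installing it.

Added example for this thread; it is not code from the MVPS project or the
forum. The sample file and the set of 'protected' hostnames are constructed
for illustration.
"""
import ipaddress
from collections import Counter

# Constructed sample, not a real MVPS file. Line 5 duplicates line 3, line 6
# sink-holes an update host, line 7 redirects a site to a remote address and
# line 8 is not a valid mapping at all.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       ads.example.net
0.0.0.0         tracker.example.org
127.0.0.1       ads.example.net          # accidental duplicate
127.0.0.1       windowsupdate.microsoft.com
203.0.113.9     www.example-bank.com
not-an-ip       junk.example
"""

# Assumption: hostnames a blocklist must never sink-hole (OS and AV update channels).
PROTECTED = {"windowsupdate.microsoft.com", "update.example-antivirus.test"}

# Addresses a blocklist entry may legitimately point at.
SINKHOLES = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
)


def parse_hosts(text: str):
    """Yield (line number, address text, hostname) per mapping, comments stripped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        for host in fields[1:]:          # one address may carry several names
            yield lineno, fields[0], host


def is_sinkhole(ip) -> bool:
    return any(ip in net for net in SINKHOLES)


def check_hosts(text: str):
    """Return (set of blocked hostnames, list of (line, kind, detail) issues)."""
    blocked, issues, seen = set(), [], Counter()
    for lineno, addr, host in parse_hosts(text):
        host = host.lower()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            issues.append((lineno, "invalid-ip", f"'{addr}' is not an IP address"))
            continue
        if host == "localhost":
            continue
        seen[host] += 1
        if seen[host] > 1:
            issues.append((lineno, "duplicate", host))
        if not is_sinkhole(ip):
            # An entry pointing at a real address silently redirects the site;
            # this is what a hijacked hosts file looks like.
            issues.append((lineno, "redirect-to-remote-host", f"{host} -> {ip}"))
            continue
        if host in PROTECTED:
            issues.append((lineno, "blocks-protected-host", host))
        blocked.add(host)
    return blocked, issues


if __name__ == "__main__":
    blocked, issues = check_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} hosts sink-holed")
    for lineno, kind, detail in issues:
        print(f"line {lineno}: {kind}: {detail}")
```

Run it against a downloaded hosts file before copying it into place, and again against the live file whenever a machine suddenly cannot reach update or antivirus sites: a redirect-to-remote-host or blocks-protected-host finding on a file you did not change is a sign of tampering, not a blocklist feature.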

#7 purplefern (Topic Starter, New Member, 4 posts)
Thank you so much, everything seems to be running much better. I really appreciate your help. Thanks again, and I will follow your recommendations for protecting my computer. Thank you.

#8 therock247uk (Expert, MVP, 14,671 posts)
Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





