Winfixer and other pop-ups


#1
motoras (New Member, 9 posts)
Hi

I read some topics with different info, and I downloaded Adaware, SpyBot and MS AntiSpy (I already had HiJack) and ran them all. My log from HiJack is:

Logfile of HijackThis v1.97.7
Scan saved at 1:09:20 AM, on 08/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\liviu\Desktop\HijackThis.exe

O2 - BHO: (no name) - {150FA182-8314-EB34-E962-1BF74DC30EC5} - (no file)
O2 - BHO: (no name) - {83B7B02E-3E64-536B-1A75-0D6191479F87} - (no file)



I fixed a lot of problems, but I still have problems with Winfixer and www.123popup.com (or something like this) and www.searc-h.com (or similar), and it makes me anxious...

Please, help me....
Motoras

Edited by motoras, 15 August 2005 - 11:06 PM.

  • 0


#2
motoras (Topic Starter, New Member, 9 posts)
I had an old version of HJ, so I downloaded the new one and here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:11:12 AM, on 08/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\HJ\HijackThis.exe

O2 - BHO: (no name) - {150FA182-8314-EB34-E962-1BF74DC30EC5} - (no file)
O2 - BHO: (no name) - {83B7B02E-3E64-536B-1A75-0D6191479F87} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.tl81.com (HKLM)
O15 - Trusted IP range: 81.222.131.50 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/plain - {04EECE80-FEA9-45E2-A503-D2CE7D072E0C} - C:\WINDOWS\System32\lopnfj.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\dcdskmgr.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Maybe I can get some help... I feel like I'm going crazy.
  • 0
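The log above is a HijackThis report: each numbered section (O2, O4, O15, O18, O20, O23) is one class of hook into Internet Explorer or Windows logon. The script below, an added example that is not part of this thread or of HijackThis itself, parses that format and pulls out the entry types that in this log point at hijacking: orphaned BHO registrations, Trusted Zone and Trusted IP additions, a MIME filter DLL, and a Winlogon Notify package whose DLL is not one of the Windows notification DLLs. The sample log is constructed from lines in the second post; the allowlist of Winlogon notification DLLs is an assumption taken from the registry export later in this thread, not a complete list of legitimate packages.

```python
"""Triage a HijackThis log: list the entries that point at browser or logon hijacking."""
import ntpath
import re
from dataclasses import dataclass

# Every HijackThis finding has the shape "O<n> - <body>".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Winlogon notification DLLs that ship with Windows XP. Assumption: this set is taken
# from the Winlogon\Notify export posted in this thread; anything else under O20 is
# worth a look because winlogon.exe loads it at every logon.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
                     "sclgntfy.dll", "wzcdlg.dll"}


@dataclass
class Finding:
    section: str
    entry: str
    reason: str


def parse_log(text):
    """Return (running_processes, [(section, body), ...]) from a HijackThis log."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # first O-entry ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(entries):
    """Flag the entry types that, in this log, indicate hijacking; O4/O23 are left alone."""
    findings = []
    for section, body in entries:
        if section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, body,
                "BHO still registered but its DLL is gone: leftover registration to remove"))
        elif section == "O15":
            findings.append(Finding(section, body,
                "Trusted Zone / Trusted IP / ProtocolDefaults change: IE treats those sites with relaxed security"))
        elif section == "O18" and body.startswith("Filter:"):
            findings.append(Finding(section, body,
                "MIME filter: the named DLL sees every page of that content type before IE renders it"))
        elif section == "O20":
            dll = ntpath.basename(body.rsplit(" - ", 1)[-1]).lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding(section, body,
                    f"Winlogon Notify package {dll} is not a Windows notification DLL"))
    return findings


# Constructed sample: a shortened copy of the second log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:11:12 AM, on 08/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\HJ\HijackThis.exe

O2 - BHO: (no name) - {150FA182-8314-EB34-E962-1BF74DC30EC5} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: *.tl81.com (HKLM)
O15 - Trusted IP range: 81.222.131.50 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/plain - {04EECE80-FEA9-45E2-A503-D2CE7D072E0C} - C:\WINDOWS\System32\lopnfj.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\dcdskmgr.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print(f"{len(procs)} processes, {len(ents)} entries")
    for f in triage(ents):
        print(f"[{f.section}] {f.entry}\n    -> {f.reason}")
```

The O18 `ms-help` protocol handler with `hxds.dll` is left out of the findings on purpose: only `Filter:` entries are flagged, because a MIME filter on `text/plain` or `text/html` is the hook a page-rewriting hijacker needs, whereas a protocol handler for a documented scheme is normal.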

#3
Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
Download L2mfix from one of these two locations:
http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!


Regards,
  • 0

#4
motoras (Topic Starter, New Member, 9 posts)
Here is the log:

L2Mfix 1.03b

Running From:
C:\Documents and Settings\liviu\Desktop\l3mfix\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\liviu\Desktop\l3mfix\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\liviu\Desktop\l3mfix\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1924 'explorer.exe'
Killing PID 1924 'explorer.exe'
Killing PID 1924 'explorer.exe'
Killing PID 1924 'explorer.exe'
Killing PID 1924 'explorer.exe'
Killing PID 1924 'explorer.exe'
Killing PID 1924 'explorer.exe'
Killing PID 1924 'explorer.exe'
Killing PID 1924 'explorer.exe'
Killing PID 1924 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2012 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\azl71.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\azl71.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\clmpstui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\clmpstui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cstdll.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cstdll.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dcdskmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dcdskmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dgeml.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dgeml.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\doccp106.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\doccp106.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gnmf32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gnmf32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iOsnap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iOsnap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kfdhu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kfdhu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdhu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktdhu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kxdhu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kxdhu.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lDngwrbk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lDngwrbk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nhwrsja.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nhwrsja.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\npwrseng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\npwrseng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rhipxmib.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rhipxmib.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smclogon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smclogon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sOfrslv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sOfrslv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swcrt70.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swcrt70.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\waaueng1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\waaueng1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlnbrand.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlnbrand.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wqhisn.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wqhisn.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtfeman.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtfeman.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wthbth.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wthbth.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\azl71.dll
Successfully Deleted: C:\WINDOWS\system32\azl71.dll
deleting: C:\WINDOWS\system32\azl71.dll
Successfully Deleted: C:\WINDOWS\system32\azl71.dll
deleting: C:\WINDOWS\system32\clmpstui.dll
Successfully Deleted: C:\WINDOWS\system32\clmpstui.dll
deleting: C:\WINDOWS\system32\clmpstui.dll
Successfully Deleted: C:\WINDOWS\system32\clmpstui.dll
deleting: C:\WINDOWS\system32\cstdll.dll
Successfully Deleted: C:\WINDOWS\system32\cstdll.dll
deleting: C:\WINDOWS\system32\cstdll.dll
Successfully Deleted: C:\WINDOWS\system32\cstdll.dll
deleting: C:\WINDOWS\system32\dcdskmgr.dll
Successfully Deleted: C:\WINDOWS\system32\dcdskmgr.dll
deleting: C:\WINDOWS\system32\dcdskmgr.dll
Successfully Deleted: C:\WINDOWS\system32\dcdskmgr.dll
deleting: C:\WINDOWS\system32\dgeml.dll
Successfully Deleted: C:\WINDOWS\system32\dgeml.dll
deleting: C:\WINDOWS\system32\dgeml.dll
Successfully Deleted: C:\WINDOWS\system32\dgeml.dll
deleting: C:\WINDOWS\system32\doccp106.dll
Successfully Deleted: C:\WINDOWS\system32\doccp106.dll
deleting: C:\WINDOWS\system32\doccp106.dll
Successfully Deleted: C:\WINDOWS\system32\doccp106.dll
deleting: C:\WINDOWS\system32\gnmf32.dll
Successfully Deleted: C:\WINDOWS\system32\gnmf32.dll
deleting: C:\WINDOWS\system32\gnmf32.dll
Successfully Deleted: C:\WINDOWS\system32\gnmf32.dll
deleting: C:\WINDOWS\system32\iOsnap.dll
Successfully Deleted: C:\WINDOWS\system32\iOsnap.dll
deleting: C:\WINDOWS\system32\iOsnap.dll
Successfully Deleted: C:\WINDOWS\system32\iOsnap.dll
deleting: C:\WINDOWS\system32\kfdhu.dll
Successfully Deleted: C:\WINDOWS\system32\kfdhu.dll
deleting: C:\WINDOWS\system32\kfdhu.dll
Successfully Deleted: C:\WINDOWS\system32\kfdhu.dll
deleting: C:\WINDOWS\system32\ktdhu.dll
Successfully Deleted: C:\WINDOWS\system32\ktdhu.dll
deleting: C:\WINDOWS\system32\ktdhu.dll
Successfully Deleted: C:\WINDOWS\system32\ktdhu.dll
deleting: C:\WINDOWS\system32\kxdhu.dll
Successfully Deleted: C:\WINDOWS\system32\kxdhu.dll
deleting: C:\WINDOWS\system32\kxdhu.dll
Successfully Deleted: C:\WINDOWS\system32\kxdhu.dll
deleting: C:\WINDOWS\system32\lDngwrbk.dll
Successfully Deleted: C:\WINDOWS\system32\lDngwrbk.dll
deleting: C:\WINDOWS\system32\lDngwrbk.dll
Successfully Deleted: C:\WINDOWS\system32\lDngwrbk.dll
deleting: C:\WINDOWS\system32\nhwrsja.dll
Successfully Deleted: C:\WINDOWS\system32\nhwrsja.dll
deleting: C:\WINDOWS\system32\nhwrsja.dll
Successfully Deleted: C:\WINDOWS\system32\nhwrsja.dll
deleting: C:\WINDOWS\system32\npwrseng.dll
Successfully Deleted: C:\WINDOWS\system32\npwrseng.dll
deleting: C:\WINDOWS\system32\npwrseng.dll
Successfully Deleted: C:\WINDOWS\system32\npwrseng.dll
deleting: C:\WINDOWS\system32\rhipxmib.dll
Successfully Deleted: C:\WINDOWS\system32\rhipxmib.dll
deleting: C:\WINDOWS\system32\rhipxmib.dll
Successfully Deleted: C:\WINDOWS\system32\rhipxmib.dll
deleting: C:\WINDOWS\system32\smclogon.dll
Successfully Deleted: C:\WINDOWS\system32\smclogon.dll
deleting: C:\WINDOWS\system32\smclogon.dll
Successfully Deleted: C:\WINDOWS\system32\smclogon.dll
deleting: C:\WINDOWS\system32\sOfrslv.dll
Successfully Deleted: C:\WINDOWS\system32\sOfrslv.dll
deleting: C:\WINDOWS\system32\sOfrslv.dll
Successfully Deleted: C:\WINDOWS\system32\sOfrslv.dll
deleting: C:\WINDOWS\system32\swcrt70.DLL
Successfully Deleted: C:\WINDOWS\system32\swcrt70.DLL
deleting: C:\WINDOWS\system32\swcrt70.DLL
Successfully Deleted: C:\WINDOWS\system32\swcrt70.DLL
deleting: C:\WINDOWS\system32\waaueng1.dll
Successfully Deleted: C:\WINDOWS\system32\waaueng1.dll
deleting: C:\WINDOWS\system32\waaueng1.dll
Successfully Deleted: C:\WINDOWS\system32\waaueng1.dll
deleting: C:\WINDOWS\system32\wlnbrand.dll
Successfully Deleted: C:\WINDOWS\system32\wlnbrand.dll
deleting: C:\WINDOWS\system32\wlnbrand.dll
Successfully Deleted: C:\WINDOWS\system32\wlnbrand.dll
deleting: C:\WINDOWS\system32\wqhisn.dll
Successfully Deleted: C:\WINDOWS\system32\wqhisn.dll
deleting: C:\WINDOWS\system32\wqhisn.dll
Successfully Deleted: C:\WINDOWS\system32\wqhisn.dll
deleting: C:\WINDOWS\system32\wtfeman.dll
Successfully Deleted: C:\WINDOWS\system32\wtfeman.dll
deleting: C:\WINDOWS\system32\wtfeman.dll
Successfully Deleted: C:\WINDOWS\system32\wtfeman.dll
deleting: C:\WINDOWS\system32\wthbth.dll
Successfully Deleted: C:\WINDOWS\system32\wthbth.dll
deleting: C:\WINDOWS\system32\wthbth.dll
Successfully Deleted: C:\WINDOWS\system32\wthbth.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: azl71.dll (164 bytes security) (deflated 48%)
adding: clmpstui.dll (164 bytes security) (deflated 48%)
adding: cstdll.dll (164 bytes security) (deflated 48%)
adding: dcdskmgr.dll (164 bytes security) (deflated 48%)
adding: dgeml.dll (164 bytes security) (deflated 48%)
adding: doccp106.dll (164 bytes security) (deflated 48%)
adding: gnmf32.dll (164 bytes security) (deflated 48%)
adding: iOsnap.dll (164 bytes security) (deflated 48%)
adding: kfdhu.dll (164 bytes security) (deflated 48%)
adding: ktdhu.dll (164 bytes security) (deflated 48%)
adding: kxdhu.dll (164 bytes security) (deflated 48%)
adding: lDngwrbk.dll (164 bytes security) (deflated 48%)
adding: nhwrsja.dll (164 bytes security) (deflated 48%)
adding: npwrseng.dll (164 bytes security) (deflated 48%)
adding: rhipxmib.dll (164 bytes security) (deflated 48%)
adding: smclogon.dll (164 bytes security) (deflated 48%)
adding: sOfrslv.dll (164 bytes security) (deflated 48%)
adding: swcrt70.DLL (164 bytes security) (deflated 48%)
adding: waaueng1.dll (164 bytes security) (deflated 48%)
adding: wlnbrand.dll (164 bytes security) (deflated 48%)
adding: wqhisn.dll (164 bytes security) (deflated 48%)
adding: wtfeman.dll (164 bytes security) (deflated 48%)
adding: wthbth.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 46%)
adding: echo.reg (164 bytes security) (deflated 11%)
adding: direct.txt (164 bytes security) (deflated 2%)
adding: lo2.txt (164 bytes security) (deflated 89%)
adding: readme.txt (164 bytes security) (deflated 50%)
adding: test.txt (164 bytes security) (deflated 90%)
adding: test2.txt (164 bytes security) (deflated 27%)
adding: test3.txt (164 bytes security) (deflated 27%)
adding: test5.txt (164 bytes security) (deflated 27%)
adding: xfind.txt (164 bytes security) (deflated 87%)
adding: backregs/20F32C0C-98B7-497E-9F77-86E300C256DE.reg (164 bytes security) (deflated 70%)
adding: backregs/A1BAF422-45EA-458F-9FAB-EF068B926FD8.reg (164 bytes security) (deflated 70%)
adding: backregs/F635FE72-ABF9-43E0-B9F4-249F0CC5932D.reg (164 bytes security) (deflated 69%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: azl71.dll
deleting local copy: azl71.dll
deleting local copy: clmpstui.dll
deleting local copy: clmpstui.dll
deleting local copy: cstdll.dll
deleting local copy: cstdll.dll
deleting local copy: dcdskmgr.dll
deleting local copy: dcdskmgr.dll
deleting local copy: dgeml.dll
deleting local copy: dgeml.dll
deleting local copy: doccp106.dll
deleting local copy: doccp106.dll
deleting local copy: gnmf32.dll
deleting local copy: gnmf32.dll
deleting local copy: iOsnap.dll
deleting local copy: iOsnap.dll
deleting local copy: kfdhu.dll
deleting local copy: kfdhu.dll
deleting local copy: ktdhu.dll
deleting local copy: ktdhu.dll
deleting local copy: kxdhu.dll
deleting local copy: kxdhu.dll
deleting local copy: lDngwrbk.dll
deleting local copy: lDngwrbk.dll
deleting local copy: nhwrsja.dll
deleting local copy: nhwrsja.dll
deleting local copy: npwrseng.dll
deleting local copy: npwrseng.dll
deleting local copy: rhipxmib.dll
deleting local copy: rhipxmib.dll
deleting local copy: smclogon.dll
deleting local copy: smclogon.dll
deleting local copy: sOfrslv.dll
deleting local copy: sOfrslv.dll
deleting local copy: swcrt70.DLL
deleting local copy: swcrt70.DLL
deleting local copy: waaueng1.dll
deleting local copy: waaueng1.dll
deleting local copy: wlnbrand.dll
deleting local copy: wlnbrand.dll
deleting local copy: wqhisn.dll
deleting local copy: wqhisn.dll
deleting local copy: wtfeman.dll
deleting local copy: wtfeman.dll
deleting local copy: wthbth.dll
deleting local copy: wthbth.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\azl71.dll
C:\WINDOWS\system32\azl71.dll
C:\WINDOWS\system32\clmpstui.dll
C:\WINDOWS\system32\clmpstui.dll
C:\WINDOWS\system32\cstdll.dll
C:\WINDOWS\system32\cstdll.dll
C:\WINDOWS\system32\dcdskmgr.dll
C:\WINDOWS\system32\dcdskmgr.dll
C:\WINDOWS\system32\dgeml.dll
C:\WINDOWS\system32\dgeml.dll
C:\WINDOWS\system32\doccp106.dll
C:\WINDOWS\system32\doccp106.dll
C:\WINDOWS\system32\gnmf32.dll
C:\WINDOWS\system32\gnmf32.dll
C:\WINDOWS\system32\iOsnap.dll
C:\WINDOWS\system32\iOsnap.dll
C:\WINDOWS\system32\kfdhu.dll
C:\WINDOWS\system32\kfdhu.dll
C:\WINDOWS\system32\ktdhu.dll
C:\WINDOWS\system32\ktdhu.dll
C:\WINDOWS\system32\kxdhu.dll
C:\WINDOWS\system32\kxdhu.dll
C:\WINDOWS\system32\lDngwrbk.dll
C:\WINDOWS\system32\lDngwrbk.dll
C:\WINDOWS\system32\nhwrsja.dll
C:\WINDOWS\system32\nhwrsja.dll
C:\WINDOWS\system32\npwrseng.dll
C:\WINDOWS\system32\npwrseng.dll
C:\WINDOWS\system32\rhipxmib.dll
C:\WINDOWS\system32\rhipxmib.dll
C:\WINDOWS\system32\smclogon.dll
C:\WINDOWS\system32\smclogon.dll
C:\WINDOWS\system32\sOfrslv.dll
C:\WINDOWS\system32\sOfrslv.dll
C:\WINDOWS\system32\swcrt70.DLL
C:\WINDOWS\system32\swcrt70.DLL
C:\WINDOWS\system32\waaueng1.dll
C:\WINDOWS\system32\waaueng1.dll
C:\WINDOWS\system32\wlnbrand.dll
C:\WINDOWS\system32\wlnbrand.dll
C:\WINDOWS\system32\wqhisn.dll
C:\WINDOWS\system32\wqhisn.dll
C:\WINDOWS\system32\wtfeman.dll
C:\WINDOWS\system32\wtfeman.dll
C:\WINDOWS\system32\wthbth.dll
C:\WINDOWS\system32\wthbth.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F635FE72-ABF9-43E0-B9F4-249F0CC5932D}"=-
"{20F32C0C-98B7-497E-9F77-86E300C256DE}"=-
"{A1BAF422-45EA-458F-9FAB-EF068B926FD8}"=-
[-HKEY_CLASSES_ROOT\CLSID\{F635FE72-ABF9-43E0-B9F4-249F0CC5932D}]
[-HKEY_CLASSES_ROOT\CLSID\{20F32C0C-98B7-497E-9F77-86E300C256DE}]
[-HKEY_CLASSES_ROOT\CLSID\{A1BAF422-45EA-458F-9FAB-EF068B926FD8}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


Thanks
  • 0
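The L2mfix log above ends with a `.reg` export of the Winlogon Notify key, in which several `DllName` values are stored as `hex(2)` (REG_EXPAND_SZ, UTF-16LE bytes) rather than plain strings, so the DLL names are not readable at a glance. The script below, an added example that is not part of this thread or of L2mfix, parses that export format (including the backslash line continuations), decodes the `hex(2)` and `dword` values, and lists each notification package with its DLL. The sample export is constructed from a few subkeys in the post plus one placeholder subkey (`example_unknown`) so the review step has something to flag; the allowlist of DLLs is an assumption taken from this export, not a complete list of legitimate packages.

```python
"""Decode a Winlogon\\Notify .reg export and list each notification package's DLL."""
import re

SUBKEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\([^\]]+)\]$",
    re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Assumption: the notification DLLs seen in the export posted in this thread.
KNOWN_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
              "sclgntfy.dll", "wzcdlg.dll"}


def decode_reg_value(raw):
    """Turn a .reg value literal into a Python value: "str", dword:<hex>, or hex(2):<utf-16le bytes>."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):") or raw.startswith("hex:"):
        hexpart = raw.split(":", 1)[1]
        data = bytes(int(h, 16) for h in hexpart.split(",") if h.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_notify_export(text):
    """Return {subkey_name: {value_name_lowercased: decoded_value}} for the Notify subkeys."""
    packages = {}
    current = None
    pending = ""  # accumulates a value split across lines ending in a backslash
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending:
            line = pending + line
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = SUBKEY_RE.match(line)
        if m:
            current = m.group(1)
            packages[current] = {}
            continue
        if line.startswith("["):
            current = None  # the Notify root or some unrelated key
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            packages[current][v.group(1).lower()] = decode_reg_value(v.group(2))
    return packages


def review(packages, known=KNOWN_DLLS):
    """Return (subkey, dll, is_known) for each package; unknown DLLs are the ones to investigate."""
    return [(name, str(vals.get("dllname", "?")), str(vals.get("dllname", "")).lower() in known)
            for name, vals in packages.items()]


# Constructed sample: a few subkeys from the export in this thread plus one placeholder entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"StartShell"="SchedStartShell"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_unknown]
"DLLName"="example_unknown.dll"
"Logon"="ExampleLogonEvent"
"""

if __name__ == "__main__":
    for name, dll, ok in review(parse_notify_export(SAMPLE_EXPORT)):
        print(f"{name:16} {dll:24} {'ok' if ok else 'REVIEW'}")
```

Decoding the `hex(2)` values shows that `crypt32chain` and `Schedule` in the export point at `crypt32.dll` and `wlnotify.dll`, which is what a clean XP machine registers; the DLL removed by L2mfix (`dcdskmgr.dll`, from the `App Paths` entry in the earlier O20 line) no longer appears in the export.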

#5
motoras (Topic Starter, New Member, 9 posts)
And here is the log from HiJack:

Logfile of HijackThis v1.99.1
Scan saved at 7:45:55 PM, on 08/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJ\HijackThis.exe

O2 - BHO: (no name) - {150FA182-8314-EB34-E962-1BF74DC30EC5} - (no file)
O2 - BHO: (no name) - {83B7B02E-3E64-536B-1A75-0D6191479F87} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.tl81.com (HKLM)
O15 - Trusted IP range: 81.222.131.50 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/plain - {04EECE80-FEA9-45E2-A503-D2CE7D072E0C} - C:\WINDOWS\System32\lopnfj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks

#6 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also


Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {150FA182-8314-EB34-E962-1BF74DC30EC5} - (no file)
O2 - BHO: (no name) - {83B7B02E-3E64-536B-1A75-0D6191479F87} - (no file)

O18 - Filter: text/plain - {04EECE80-FEA9-45E2-A503-D2CE7D072E0C} - C:\WINDOWS\System32\lopnfj.dll

Then reboot and post a new HijackThis log.

Regards,
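A small triage script for the HijackThis entry classes the helper singles out in this thread (O2 BHOs with no file, O15 Trusted Zone additions and ProtocolDefaults, O18 MIME filters). It is an added example, not code from the thread or from HijackThis, and runs over the relevant lines of the log posted above.

```python
"""Triage a HijackThis log for the entry classes discussed in this thread.
Added example, not part of the thread or of HijackThis itself; only the
'Oxx - ...' lines are parsed, the header and process list are ignored."""
import re

# Constructed sample: the security-relevant lines from the log posted above,
# plus a benign O4 and O18 line to show what is left alone.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {150FA182-8314-EB34-E962-1BF74DC30EC5} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.tl81.com (HKLM)
O15 - Trusted IP range: 81.222.131.50 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/plain - {04EECE80-FEA9-45E2-A503-D2CE7D072E0C} - C:\WINDOWS\System32\lopnfj.dll
"""
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

def parse_entries(log_text):
    """Return [(section, body), ...] for every 'Oxx - body' line of the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(log_text):
    """Return findings as dicts; unmatched sections (O4, O18 protocols, O23) are left for manual review."""
    findings = []
    for section, body in parse_entries(log_text):
        severity = reason = None
        if section == "O2" and body.endswith("(no file)"):
            # CLSID still registered although the DLL is gone: leftover of a
            # removed infection, or a key whose permissions block the cleanup.
            severity, reason = "medium", "BHO registered but its DLL is missing"
        elif section == "O15" and body.startswith("ProtocolDefaults:"):
            # Every site reached over that protocol inherits Trusted Zone settings.
            severity, reason = "high", "protocol default moved out of the Internet Zone"
        elif section == "O15":
            severity, reason = "high", "host or IP range added to the Trusted Zone"
        elif section == "O18" and body.startswith("Filter:"):
            # A MIME filter sees every response of that type; third-party
            # text/plain filters are rare enough to always review.
            severity, reason = "high", "MIME filter installed for " + body.split(" - ")[0][8:]
        if reason:
            findings.append({"section": section, "severity": severity, "reason": reason, "entry": body})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']}: {f['reason']}\n    {f['entry']}")
```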

#7 motoras (Topic Starter, New Member, 9 posts)
Hi Pieter
Thanks for the help
I will do what you told me tonight, because my room and my computer are not available till then... :(

And after this I will post a log.... Thanks again

#8 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
I can imagine not having access to my room, but my computers (or at least one of them). I shudder at the thought.

Just kidding. I'll check again tomorrow, no problem.

Regards,

#9 motoras (Topic Starter, New Member, 9 posts)
Hello Pieter (or Peter?)


So, I have done what you told me; the only problem is that when I run HJ with these checked:

O2 - BHO: (no name) - {150FA182-8314-EB34-E962-1BF74DC30EC5} - (no file)
O2 - BHO: (no name) - {83B7B02E-3E64-536B-1A75-0D6191479F87} - (no file)

O18 - Filter: text/plain - {04EECE80-FEA9-45E2-A503-D2CE7D072E0C} - C:\WINDOWS\System32\lopnfj.dll

I received the message to close all Internet Explorer windows and all Windows Explorer windows and to try again under those conditions. But I didn't have anything open except HJ, so it is curious.

As you can see in the HJ log, I still have the first two lines:

Logfile of HijackThis v1.99.1
Scan saved at 9:56:34 PM, on 08/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\HJ\HijackThis.exe

O2 - BHO: (no name) - {150FA182-8314-EB34-E962-1BF74DC30EC5} - (no file)
O2 - BHO: (no name) - {83B7B02E-3E64-536B-1A75-0D6191479F87} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Thanks again

#10 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
Copy the part in bold below into notepad and save it as protdefs.reg
Set Filetype to All Files

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{150FA182-8314-EB34-E962-1BF74DC30EC5}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83B7B02E-3E64-536B-1A75-0D6191479F87}]

Confirm you want to merge it with the registry.

Then reboot and post a new HijackThis log.

Regards,
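As an added example (not part of the thread), a parser for the .reg subset used in protdefs.reg above that checks each ZoneMap\ProtocolDefaults value against the Windows default and lists the keys the file deletes; the "hijacked" export it is compared with is constructed, the fix text is the one posted above.

```python
r"""Audit a .reg export of IE's ZoneMap\ProtocolDefaults (added example, not from the
thread). Handles the .reg subset protdefs.reg uses: [Key], [-Key] and dword values."""
import re

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
EXPECTED = {"http": 3, "https": 3, "ftp": 3, "file": 3, "@ivt": 1}  # Windows defaults protdefs.reg restores
PD_KEY = r"\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults"
SECTION_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

# The fix posted in this thread: HKCU ProtocolDefaults plus the two BHO key deletions.
FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{150FA182-8314-EB34-E962-1BF74DC30EC5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83B7B02E-3E64-536B-1A75-0D6191479F87}]
"""
# Constructed export from a hijacked machine: http mapped to zone 2 (Trusted sites).
HIJACKED_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000002
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"""

def parse_reg(reg_text):
    """Return (sets, deletes): sets maps key -> {name: int}; deletes lists [-Key] keys."""
    sets, deletes, current = {}, [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if m.group(1) == "-":
                deletes.append(m.group(2))
                current = None                  # no values belong to a deleted key
            else:
                current = m.group(2)
                sets.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:           # header/blank lines simply fall through
            sets[current][m.group(1)] = int(m.group(2), 16)
    return sets, deletes

def audit_protocol_defaults(reg_text):
    """Return [(hive, protocol, zone)] for each ProtocolDefaults value off the Windows default."""
    findings = []
    for key, values in parse_reg(reg_text)[0].items():
        if key.endswith(PD_KEY):
            for proto, expected in EXPECTED.items():
                actual = values.get(proto)
                if actual != expected:
                    findings.append((key.split("\\", 1)[0], proto, ZONE_NAMES.get(actual, "missing")))
    return findings
```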

#11 motoras (Topic Starter, New Member, 9 posts)
Good morning!

So, I've done it and here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 8:19:02 AM, on 08/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJ\HijackThis.exe

O2 - BHO: (no name) - {150FA182-8314-EB34-E962-1BF74DC30EC5} - (no file)
O2 - BHO: (no name) - {83B7B02E-3E64-536B-1A75-0D6191479F87} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#12 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
One step closer, but it looks as if your admin permissions for the BHO keys were taken away.

* Download a free copy of Registrar Lite from HERE and install the program.

* Open Registrar Lite and copy and paste the following text into the Address Bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

* Click on the green GO button to the right of the Bar.

* Scroll down the list of available CLSIDs in the right hand pane until you find the one you are looking for. Left click on it to highlight it.

* From the top toolbar, choose Security Tab<<Edit<<Permission<<highlight Administrator and click on the ADVANCED button.

* Make sure there is a check mark placed next to: "Inherit from parent the permission entries that apply to the child objects...." Click OK.

* Now click on the RED X on the taskbar to Delete the key.

* Exit the program

Then use protdefs.reg again and post a new log.

Regards,

#13 motoras (Topic Starter, New Member, 9 posts)
Good morning

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 7:53:17 AM, on 08/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\HJ\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Thanks

Cera

#14 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
I'm doing my happy dance over here, Cera. :) :)

That is one clean log to go!

Please have a look at my site for some tips on how to remove and prevent spyware.

Regards,

Edited by Metallica, 19 August 2005 - 06:05 AM.


#15 motoras (Topic Starter, New Member, 9 posts)
Ohhh, yupii... thanks a lot, Pieter

:) :)

You have been great and I will check your website for sure....:)


I feel like drinking a beer, even if it is just 8 in the morning :)