Trusted Sites Problem



#1
criticman

criticman

    Member

  • Member
  • PipPip
  • 37 posts
I did my first 'HiJack This' scan a few moments ago and it came up with an unwanted site nicely included into the 'Trusted Sites' section of my 'Internet Options'. Naturally, I was pissed; especially since 'HiJack This' was unable to fix the problem. So I headed for 'Internet Options' with a good pair of scissors and found, when I arrived, that I couldn't get in! It seems to me that this is impossible, so it must be some new jerkface out there holding my system hostage again. Suggestions would be great.
  • 0


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
To remove all the sites listed in the Restricted Zone

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Regards,

Pieter
  • 0

#3
criticman

criticman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts

To remove all the sites listed in the Restricted Zone

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Regards,

Pieter


  • 0

#4
criticman

criticman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts

To remove all the sites listed in the Restricted Zone

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Regards,

Pieter


  • 0

#5
criticman

criticman

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
I just finished my first FindItNT scan. The results are below and need to be deciphered. I'd really appreciate the help.

------- System Files in System32 Directory -------
Volume in drive C has no label.

Directory of C:\WINNT\System32

113 File(s) 25,342,048 bytes
1 Dir(s) 5,839,302,656 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 040A-4B16

Directory of C:\WINNT\System32

12/20/2004 10:01p <DIR> dllcache
11/20/2004 04:40a <DIR> GroupPolicy
11/20/2004 03:32a 21,692 folder.htt
11/20/2004 03:32a 271 desktop.ini
2 File(s) 21,963 bytes
2 Dir(s) 5,839,364,096 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 040A-4B16

Directory of C:\WINNT\System32

12/26/2004 03:22p 225,020 guard.tmp
1 File(s) 225,020 bytes
0 Dir(s) 5,839,364,096 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 040A-4B16

Directory of C:\WINNT\System32

12/26/2004 03:22p 225,020 guard.tmp
1 File(s) 225,020 bytes
0 Dir(s) 5,839,360,000 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A58DA8FE-17DA-4CE7-863B-4AE7267EA4E9}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\m428lefu1h28.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------------ Locate.com Results ------------------
C:\WINNT\system32\onnuia.dll: updates.qoologic.com
C:\WINNT\system32\onnuia.txt: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINNT\system32\akkywv.dat: .aspack
C:\WINNT\system32\iccovk.exe: .aspack
C:\WINNT\system32\iccovk.txt: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"Synchronization Manager"="mobsync.exe /logon"



  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Download and unzip:
http://www.downloads...org/KillBox.zip
Run KillBox and paste each of these lines into the box, select "Delete on reboot", then press the red X button. When it says reboot now, say no and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.

C:\WINNT\system32\m428lefu1h28.dll <= save till last

After the reboot save the text in bold below as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A58DA8FE-17DA-4CE7-863B-4AE7267EA4E9}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]

Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

Try and see if you can make a HijackThis log after all that.

Regards,

Pieter
  • 0
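
The fix above deletes a single Winlogon\Notify subkey (Applets) out of the seven in the posted export. As an added example, not part of the thread or of any tool named in it, this sketch parses a REGEDIT4 export, decodes `hex(2)` DllName values, and flags the subkey that stands out; the baseline set and the "path in DllName" heuristic are assumptions drawn from the entries the reply leaves in place.

```python
# Constructed sample: three of the Notify subkeys from the export posted above.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"DllName"="C:\\WINNT\\system32\\m428lefu1h28.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
'''

# Assumption: baseline = DLLs of the Notify subkeys that the suggested fix leaves untouched.
BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
            "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}
NOTIFY = "\\winlogon\\notify\\"

def decode_value(raw):
    """Decode a REGEDIT4 value: quoted string or hex(2) (ANSI bytes, NUL-terminated)."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.split(b"\x00", 1)[0].decode("latin-1")
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw  # other types (dword etc.) are returned undecoded

def notify_dlls(export):
    """Return {subkey: DllName} for each Winlogon\\Notify subkey in the export."""
    found, key = {}, None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            idx = path.lower().find(NOTIFY)
            key = path[idx + len(NOTIFY):] if idx != -1 else None
        elif key and line.lower().startswith('"dllname"='):  # value name case varies
            found[key] = decode_value(line.split("=", 1)[1])
    return found

def suspicious(export):
    """Flag subkeys whose DLL is given with a path or is not in the baseline."""
    hits = []
    for key, dll in notify_dlls(export).items():
        name = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if "\\" in dll or name not in BASELINE:
            hits.append((key, dll))
    return hits
```

Multi-line `hex(2)` values continued with a trailing backslash are not handled here; join continuation lines before parsing if the export contains them.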





