UMonitor, disappearing desktop, recycle bin, etc


#1 cube (New Member, 5 posts)
Hello, I've got some real weird stuff happening with my computer and I hope that someone can help.

Here are the problems:
1. Desktop explorer won't come up when system is starting. The computer keeps loading but the screen is blue. By doing Alt-Ctrl-Del / Task Manager / New Task / and cmd.exe, I can start explorer.exe.
2. Sometimes I get the following message when the desktop is supposed to appear

An exception has occurred while trying to run "C:\WINNT\System32\
______.dll","UMonitor"

3. The quick launch toolbar shows duplicate icons.

4. The recycle bin will not empty.

5. When shutting down, get message that Fax Monitor will not shut down, however, Fax Monitor was not an active program prior to shutting down.

I will attach my Finditnt200xp and Hijackthis logs.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Administrator\My Documents\Computer\Umonitor\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/14/2005 07:12p 222,863 dpauth.dll
01/14/2005 07:09p 225,491 fp8m03l1e.dll
01/11/2005 11:33p 222,863 g0jola131d.dll
01/11/2005 10:59p <DIR> dllcache
01/09/2005 08:01p 222,647 lvp8097ue.dll
01/09/2005 10:38a 225,491 o4480ehueh480.dll
01/09/2005 10:26a 225,491 fpr0039me.dll
01/09/2005 10:02a 225,338 ir0sl5d71.dll
01/08/2005 03:44p 222,722 g440lehm1h4a.dll
01/08/2005 12:14a 223,153 enr8l19u1.dll
01/07/2005 11:21p 225,865 q0rqla951d.dll
01/07/2005 11:16p 225,595 h02olaf31d2.dll
01/06/2005 11:40p 222,552 lv8609lse.dll
01/06/2005 11:03p 225,866 lvro0993e.dll
01/06/2005 09:13p 226,213 f00olad31d0.dll
01/06/2005 09:10p 223,065 irjsl5171.dll
01/06/2005 09:06p 225,537 k4260efseh260.dll
01/06/2005 08:45p 225,174 dn6201joe.dll
01/06/2005 08:37p 223,005 i8lo0i33e8.dll
01/06/2005 08:28p 223,005 doprop.dll
01/06/2005 08:24p 223,108 fp0m03d1e.dll
01/06/2005 08:20p 226,180 ir8ol5l31.dll
01/06/2005 06:52p 226,150 g8400ihme84a0.dll
01/06/2005 06:48p 225,689 lvns0957e.dll
01/06/2005 06:43p 225,689 dlauth.dll
01/06/2005 06:37p 222,875 k044lahq1d4e.dll
01/06/2005 06:33p 222,875 MOGSVC.DLL
01/06/2005 05:30p 224,254 en2ul1f91.dll
01/05/2005 09:34p 224,692 j8l40i3qe8.dll
01/05/2005 09:25p 225,483 mv22l9fo1.dll
01/05/2005 09:15p 223,376 fp4403hqe.dll
01/05/2005 06:42p 224,730 k4nole531h.dll
01/05/2005 06:19p 225,246 m4280efueh280.dll
01/03/2005 04:49p 223,789 fpj4031qe.dll
01/02/2005 04:38p 223,810 fn2021fmg.dll
12/30/2004 11:19p 224,256 e420lefm1h2a.dll
35 File(s) 7,854,138 bytes
1 Dir(s) 33,643,208,704 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/14/2005 07:12p 890 vsconfig.xml
01/11/2005 10:59p <DIR> dllcache
01/07/2005 11:12p <DIR> vmss
01/07/2005 11:36a <DIR> wsxsvc
01/06/2005 11:27p 21,692 folder.htt
01/06/2005 11:27p 271 desktop.ini
01/02/2005 07:31p 4,212 zllictbl.dat
10/23/2004 11:52a <DIR> GroupPolicy
4 File(s) 27,065 bytes
4 Dir(s) 33,643,208,704 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

07/24/2002 06:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 33,643,208,704 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BCF65EE1-3368-4CF8-A78A-E1D36625F190}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\g0jola131d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

C:\WINNT\SYSTEM32\
desktop.ini Thu Jan 6 2005 11:27:08p ...H. 271 0.26 K
dlauth.dll Thu Jan 6 2005 6:43:54p A.S.R 225,689 220.40 K
dn6201~1.dll Thu Jan 6 2005 8:45:16p A.S.R 225,174 219.89 K
doprop.dll Thu Jan 6 2005 8:28:22p A.S.R 223,005 217.78 K
dpauth.dll Fri Jan 14 2005 7:12:30p ..S.R 222,863 217.64 K
e420le~1.dll Thu Dec 30 2004 11:19:32p A.S.R 224,256 219.00 K
en2ul1~1.dll Thu Jan 6 2005 5:30:06p A.S.R 224,254 218.99 K
enr8l1~1.dll Sat Jan 8 2005 12:14:12a ..S.R 223,153 217.92 K
f00ola~1.dll Thu Jan 6 2005 9:13:12p A.S.R 226,213 220.91 K
fn2021~1.dll Sun Jan 2 2005 4:38:10p A.S.R 223,810 218.56 K
folder.htt Thu Jan 6 2005 11:27:08p ...H. 21,692 21.18 K
fp0m03~1.dll Thu Jan 6 2005 8:24:04p A.S.R 223,108 217.88 K
fp4403~1.dll Wed Jan 5 2005 9:15:18p A.S.R 223,376 218.14 K
fp8m03~1.dll Fri Jan 14 2005 7:09:38p ..S.R 225,491 220.20 K
fpj403~1.dll Mon Jan 3 2005 4:49:52p A.S.R 223,789 218.54 K
fpr003~1.dll Sun Jan 9 2005 10:26:44a ..S.R 225,491 220.20 K
g0jola~1.dll Tue Jan 11 2005 11:33:12p ..S.R 222,863 217.64 K
g440le~1.dll Sat Jan 8 2005 3:45:00p ..S.R 222,722 217.50 K
g8400i~1.dll Thu Jan 6 2005 6:52:40p A.S.R 226,150 220.85 K
h02ola~1.dll Fri Jan 7 2005 11:16:54p ..S.R 225,595 220.30 K
i8lo0i~1.dll Thu Jan 6 2005 8:37:22p A.S.R 223,005 217.78 K
ir0sl5~1.dll Sun Jan 9 2005 10:02:26a ..S.R 225,338 220.05 K
ir8ol5~1.dll Thu Jan 6 2005 8:20:22p A.S.R 226,180 220.88 K
irjsl5~1.dll Thu Jan 6 2005 9:10:48p A.S.R 223,065 217.84 K
j8l40i~1.dll Wed Jan 5 2005 9:34:02p A.S.R 224,692 219.43 K
k044la~1.dll Thu Jan 6 2005 6:37:26p A.S.R 222,875 217.65 K
k4260e~1.dll Thu Jan 6 2005 9:06:52p A.S.R 225,537 220.25 K
k4nole~1.dll Wed Jan 5 2005 6:42:18p A.S.R 224,730 219.46 K
lv8609~1.dll Thu Jan 6 2005 11:40:02p ..S.R 222,552 217.34 K
lvns09~1.dll Thu Jan 6 2005 6:48:54p A.S.R 225,689 220.40 K
lvp809~1.dll Sun Jan 9 2005 8:01:24p ..S.R 222,647 217.43 K
lvro09~1.dll Thu Jan 6 2005 11:03:26p A.S.R 225,866 220.57 K
m4280e~1.dll Wed Jan 5 2005 6:19:22p A.S.R 225,246 219.96 K
mogsvc.dll Thu Jan 6 2005 6:33:26p A.S.R 222,875 217.65 K
mv22l9~1.dll Wed Jan 5 2005 9:25:44p A.S.R 225,483 220.20 K
o4480e~1.dll Sun Jan 9 2005 10:38:58a ..S.R 225,491 220.20 K
q0rqla~1.dll Fri Jan 7 2005 11:21:08p ..S.R 225,865 220.57 K
vsconfig.xml Fri Jan 14 2005 7:12:24p A..H. 890 0.87 K
zllictbl.dat Sun Jan 2 2005 7:31:06p A..H. 4,212 4.11 K

39 items found: 39 files, 0 directories.
Total of file sizes: 7,881,203 bytes 7.52 M

-------- Strings.exe Qoologic Results --------

C:\WINNT\system32\hlluxm.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"zzzHPSETUP"="D:\\Setup.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"SSRunScript"="\"C:\\Program Files\\Support.com\\Charter\\bin\\SSRunScript.exe\" /script \"C:\\Program Files\\Support.com\\Charter\\vbs\\verifyconnection.vbs\" /args //b startupdelay"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"vcmxin"="C:\\WINNT\\system32\\BW_ActiveX.Stub.exe"
"Dvx"="C:\\WINNT\\System32\\wsxsvc\\wsxsvc.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"projselector"="\"C:\\Program Files\\Common Files\\Roxio Shared\\Project Selector\\projselector.exe\" -r"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


Logfile of HijackThis v1.98.2
Scan saved at 8:22:53 PM, on 1/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\userinit.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\wsxsvc\wsxsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Documents and Settings\Administrator\My Documents\Computer\Hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vcmxin] C:\WINNT\system32\BW_ActiveX.Stub.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409

#2 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Do you still need help? If so, have you restarted your computer? If you have, you need to post a new log and not reboot until it is fixed.

#3 cube (Topic Starter, New Member, 5 posts)
Hi,

Yes, I could still use some more help.

By following some of the other problems and fixes (and a lot of luck) I was able to get rid of the UMonitor, Desktop Explorer, and shutdown problems by using Hijackthis, Findit2000ntxp, Killbox, and CWShredder.

Now Ad-Aware SE, Microsoft Anti-spyware, and Spybot are finding nothing. I still cannot completely get rid of guard.tmp.

My computer seems to be running great except for the recycle bin and the Quick Launch Toolbar. I can't place any icons on the Quick Launch Toolbar.

Thanks for any help you can give me.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Administrator\My Documents\Computer\Umonitor\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/18/2005 09:36p <DIR> dllcache
01/06/2005 08:28p 223,005 doprop.dll
01/06/2005 06:43p 225,689 dlauth.dll
01/06/2005 06:33p 222,875 MOGSVC.DLL
3 File(s) 671,569 bytes
1 Dir(s) 32,806,305,792 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/18/2005 09:41p 890 vsconfig.xml
01/18/2005 09:36p <DIR> dllcache
01/07/2005 11:12p <DIR> vmss
01/06/2005 11:27p 21,692 folder.htt
01/06/2005 11:27p 271 desktop.ini
01/02/2005 07:31p 4,212 zllictbl.dat
10/23/2004 11:52a <DIR> GroupPolicy
4 File(s) 27,065 bytes
3 Dir(s) 32,806,305,792 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/17/2005 09:20a 56 guard.tmp
1 File(s) 56 bytes
0 Dir(s) 32,806,305,792 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/17/2005 09:20a 56 guard.tmp
07/24/2002 06:00a 2,577 CONFIG.TMP
2 File(s) 2,633 bytes
0 Dir(s) 32,806,305,792 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BCF65EE1-3368-4CF8-A78A-E1D36625F190}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\en4ul1h91.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

C:\WINNT\SYSTEM32\
desktop.ini Thu Jan 6 2005 11:27:08p ...H. 271 0.26 K
dlauth.dll Thu Jan 6 2005 6:43:54p A.S.R 225,689 220.40 K
doprop.dll Thu Jan 6 2005 8:28:22p A.S.R 223,005 217.78 K
folder.htt Thu Jan 6 2005 11:27:08p ...H. 21,692 21.18 K
mogsvc.dll Thu Jan 6 2005 6:33:26p A.S.R 222,875 217.65 K
vsconfig.xml Tue Jan 18 2005 9:41:08p A..H. 890 0.87 K
zllictbl.dat Sun Jan 2 2005 7:31:06p A..H. 4,212 4.11 K

7 items found: 7 files, 0 directories.
Total of file sizes: 698,634 bytes 682.26 K

-------- Strings.exe Qoologic Results --------

C:\WINNT\system32\hlluxm.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"zzzHPSETUP"="D:\\Setup.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"SSRunScript"="\"C:\\Program Files\\Support.com\\Charter\\bin\\SSRunScript.exe\" /script \"C:\\Program Files\\Support.com\\Charter\\vbs\\verifyconnection.vbs\" /args //b startupdelay"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"vcmxin"="C:\\WINNT\\system32\\BW_ActiveX.Stub.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"CleanUp"="C:\\PROGRA~1\\McAfee.com\\Shared\\mcappins.exe /v=3 /cleanup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


Logfile of HijackThis v1.98.2
Scan saved at 9:39:57 PM, on 1/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\mdm.exe
C:\WINNT\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Administrator\My Documents\Computer\Hijackthis\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vcmxin] C:\WINNT\system32\BW_ActiveX.Stub.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409

#4 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
1. Download the Pocket Killbox
2. Unzip the contents of KillBox.zip to a convenient location.
3. Double-click on KillBox.exe.
4. Click "Replace on Reboot" and check the "Use Dummy" box.
5. Paste this file into the top "Full Path of File to Delete" box.
* C:\WINDOWS\System32\doprop.dll
6. Click the "Delete File" button which looks like a stop sign.
7. Click "Yes" at the Replace on Reboot prompt.
8. Click "No" at the Pending Operations prompt.
9. Repeat steps 4-8 above for these files:
* C:\WINDOWS\System32\dlauth.dll
* C:\WINDOWS\System32\MOGSVC.dll
* C:\WINNT\system32\en4ul1h91.dll
* C:\WINDOWS\System32\wzcdlg.dll
* C:\WINNT\system32\BW_ActiveX.Stub.exe
* D:\Setup.exe
* C:\WINNT\system32\hlluxm.exe
10. Click "Replace on Reboot" and check the "Use Dummy" box.
11. Paste this file into the top "Full Path of File to Delete" box.
* C:\WINDOWS\System32\Guard.tmp
12. Click the "Delete File" button which looks like a stop sign.
13. Click "Yes" at the Replace on Reboot prompt.
14. Click "Yes" at the Pending Operations prompt to restart your computer.
15. Double-click on find.bat and post the new output.txt.

Copy and paste this text into a text editor such as Notepad.

Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BCF65EE1-3368-4CF8-A78A-E1D36625F190}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vcmxin"=-
"zzzHPSETUP"=-


Download and install VX2Finder from:
http://www.downloads...g/VX2Finder.exe


Press 'Click to Find VX2.BetterInternet'.

Delete all files found.
(note: one file will not delete at this time)

Press 'Open Regedit'. (note: This should take you to the Guardian key)

Highlight 'Guardian'
Right Click and choose Security/Permissions (a window will open)
Select 'Advanced'
Remove the Check Mark from 'Inherit from parents…'
Press 'OK' and 'Remove' on the prompts.
Restart Computer (*** important ***)

Run VX2Finder again.

Press 'Click to Find VX2.BetterInternet' again.

Delete the last file.

Press 'User Agent$'.

Press 'Open Regedit'. (note: This should take you to the Guardian key)

Highlight 'Guardian'
Right Click and choose Security/Permissions (a window will open)
Select 'Advanced'
Replace the Check Mark in 'Inherit from parents…'
Press 'OK' and 'Add' on the prompts.

Press 'Guardian.reg' (this will remove the registry key)

Press 'Click to Find VX2.BetterInternet' again. (no files should be found)

Press 'Restore Policy'.

Run VX2Finder again and use the Restore Policy button


Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")

rem Clear the read-only/system/hidden attributes so the Recycle Bin folders
rem can be removed, then delete each folder with its per-user subfolders
rem (del on a folder name only removes the files directly inside it).
rem Windows recreates the folders at the next logon.
attrib -r -s -h %systemdrive%\Recycler
rd /s /q %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
rd /s /q %systemdrive%\Recycled
shutdown /r /t 0 /f



Close all programs and double-click recyclerem.bat

Post back with a HijackThis log.

Restart computer again.

#5 cube (Topic Starter, New Member, 5 posts)
Well, the first part seemed to go well, but I ran into problems running VX2Finder.

I got rid of the files with KillBox and did the FixVX2.reg, which seemed to go okay.

When I ran VX2Finder.exe and clicked on find VX2.BetterInternet there were no files found, and then clicking 'Open Regedit' took me to a folder named Notify (see VX2Finder log below). I did a find for a key named guardian but it found nothing.
So I couldn't figure out what to highlight! Therefore, I didn't complete any of the VX2Finder fixes.

What did I do wrong?

Thanks for all your help

VX2Finder Log

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
sclgntfy
SensLogn
wzcnotif


Guardian Key--- is called:

Guardian Key--- :

User Agent String---




Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Administrator\My Documents\Computer\Umonitor\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/20/2005 07:30a <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 32,758,411,264 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/23/2005 10:56a 890 vsconfig.xml
01/20/2005 07:30a <DIR> dllcache
01/07/2005 11:12p <DIR> vmss
01/06/2005 11:27p 21,692 folder.htt
01/06/2005 11:27p 271 desktop.ini
01/02/2005 07:31p 4,212 zllictbl.dat
10/23/2004 11:52a <DIR> GroupPolicy
4 File(s) 27,065 bytes
3 Dir(s) 32,758,411,264 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/23/2005 10:53a 56 guard.tmp
1 File(s) 56 bytes
0 Dir(s) 32,758,411,264 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/23/2005 10:53a 56 guard.tmp
07/24/2002 06:00a 2,577 CONFIG.TMP
2 File(s) 2,633 bytes
0 Dir(s) 32,758,411,264 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BCF65EE1-3368-4CF8-A78A-E1D36625F190}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\en4ul1h91.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

C:\WINNT\SYSTEM32\
desktop.ini Thu Jan 6 2005 11:27:08p ...H. 271 0.26 K
folder.htt Thu Jan 6 2005 11:27:08p ...H. 21,692 21.18 K
vsconfig.xml Sun Jan 23 2005 10:56:40a A..H. 890 0.87 K
zllictbl.dat Sun Jan 2 2005 7:31:06p A..H. 4,212 4.11 K

4 items found: 4 files, 0 directories.
Total of file sizes: 27,065 bytes 26.43 K

-------- Strings.exe Qoologic Results --------

C:\WINNT\system32\hlluxm.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"zzzHPSETUP"="D:\\Setup.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"SSRunScript"="\"C:\\Program Files\\Support.com\\Charter\\bin\\SSRunScript.exe\" /script \"C:\\Program Files\\Support.com\\Charter\\vbs\\verifyconnection.vbs\" /args //b startupdelay"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"vcmxin"="C:\\WINNT\\system32\\BW_ActiveX.Stub.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


Logfile of HijackThis v1.98.2
Scan saved at 11:32:25 AM, on 1/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Administrator\My Documents\Computer\Hijackthis\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vcmxin] C:\WINNT\system32\BW_ActiveX.Stub.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409

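Added example (not from the thread, and not the Strings.exe tool itself): the "Strings.exe Qoologic Results" line in the log above is produced by pulling printable strings out of every executable in System32 and matching them against a known indicator, and the empty "Aspack Results" section is the same scan for the section name the ASPack packer leaves behind. The script below reproduces that check on a constructed byte blob. The INDICATORS tuple, the ".aspack" assumption and SAMPLE_BINARY are all constructed here; the hlluxm.exe path is used only as a label for the report line.

```python
"""Strings-style indicator scan, the check behind Find It's 'Strings.exe
Qoologic Results' and 'Aspack Results' sections: pull printable ASCII runs out
of a binary and report which ones contain a known indicator.

Added example for this thread, not the Strings.exe tool itself. INDICATORS
and SAMPLE_BINARY are constructed; '.aspack' being the ASPack section name is
an assumption about what the tool's second pass greps for."""
import re

# Indicators that Find It's two Strings.exe passes look for (assumption).
INDICATORS = ("qoologic.com", ".aspack")
MIN_RUN = 4


def extract_strings(data, min_run=MIN_RUN):
    """Printable-ASCII runs of at least min_run bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_run
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scan_for_indicators(data, indicators=INDICATORS):
    """Map each indicator that appears to the extracted strings containing it
    (case-insensitive, as host names are)."""
    found = {}
    for s in extract_strings(data):
        for ind in indicators:
            if ind.lower() in s.lower():
                found.setdefault(ind, []).append(s)
    return found


def scan_files(files, indicators=INDICATORS):
    """Report lines in Find It's own 'path: string' style for a {name: bytes}
    mapping; on a real box the bytes come from open(path, 'rb').read()."""
    report = []
    for name, data in files.items():
        for ind, strings in scan_for_indicators(data, indicators).items():
            for s in strings:
                report.append(f"{name}: {s}")
    return report


# Constructed stand-in for a packed dropper: DOS stub, binary junk, the
# update host, and an ASPack section name. Not a real file from the thread.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x01\x02\x03" + b"updates.qoologic.com\x00"
    + b"\xff\xfe" + b".aspack\x00" + b"\x00" * 8
)
# Constructed benign blob: imports only, no indicator.
CLEAN_BINARY = b"MZ\x90\x00" + b"\x00" * 8 + b"kernel32.dll\x00GetProcAddress\x00"

if __name__ == "__main__":
    for line in scan_files({r"C:\WINNT\system32\hlluxm.exe": SAMPLE_BINARY,
                            r"C:\WINNT\system32\clean.exe": CLEAN_BINARY}):
        print(line)
```

The 4-byte minimum run mirrors the default of the classic `strings` tool; the string match is case-insensitive because a packed binary may carry the host name in any case, while the section name is matched verbatim inside whatever run it sits in.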
#6 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

1. Double-click on KillBox.exe.

2. Click "Replace on Reboot" and check the "Use Dummy" box.
3. Paste this file into the top "Full Path of File to Delete" box.
* C:\WINNT\system32\en4ul1h91.dll
4. Click the "Delete File" button which looks like a stop sign.
5. Click "Yes" at the Replace on Reboot prompt.
6. Click "No" at the Pending Operations prompt.
7. Repeat steps 4-8 above for these files:

* D:\Setup.exe
* C:\WINNT\system32\hlluxm.exe


8. Click "Replace on Reboot" and check the "Use Dummy" box.
9. Paste this file into the top "Full Path of File to Delete" box.
* C:\WINDOWS\System32\Guard.tmp
10. Click the "Delete File" button which looks like a stop sign.
11. Click "Yes" at the Replace on Reboot prompt.
12. Click "Yes" at the Pending Operations prompt to restart your computer.
13. Double-click on find.bat and post the new output.txt.

Copy and paste this text into a text editor such as Notepad.

Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BCF65EE1-3368-4CF8-A78A-E1D36625F190}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zzzHPSETUP"=-


Run VX2Finder again and use the Restore Policy button

Then copy & paste the text below into Notepad and save it as recyclerem.bat
(Set filetype to "All Files")

rem Clear the read-only/system/hidden attributes, then remove the whole
rem Recycler (NTFS) and Recycled (FAT) trees so Windows rebuilds them on reboot.
rem (rmdir /s /q removes the folder and its per-user subfolders without prompting;
rem plain del only empties the top level and stops to ask "Are you sure?")
attrib -r -s -h %systemdrive%\Recycler
rmdir /s /q %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
rmdir /s /q %systemdrive%\Recycled
shutdown /r /t 0 /f



Close all programs and doubleclick recyclerem.bat

Post back with a HijackThis log.

Restart computer again.

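Added example (not from the thread, and not the Find It or VX2Finder code): the Notify\Run entry in the first log and the FixVX2.reg in the reply above are the two halves of a Winlogon Notify package hijack, detection and removal. Winlogon loads every DLL registered under Winlogon\Notify at logon, so a subkey whose DllName is a full path to a random-named DLL in System32 (here en4ul1h91.dll) runs before the shell, which is why the desktop never came up. The script below parses a REGEDIT4 dump of the kind Find.bat produces, flags Notify subkeys whose DLL is a full path or not a stock Windows package, flags GUID-named values under User Agent\Post Platform (the infection marker that also ends up in IE's User-Agent string), and writes the matching removal .reg using the same `[-Key]` (delete key) and `"name"=-` (delete value) syntax the reply uses. KNOWN_GOOD_NOTIFY_DLLS is an assumption about a stock Windows 2000 SP4 box, and SAMPLE_DUMP is constructed from entries shown in the thread.

```python
"""Triage a Find It / REGEDIT4 dump for a Winlogon Notify hijack and build the
REGEDIT4 removal file for it.

Added example for this thread, not the Find It tool's own code. The
KNOWN_GOOD_NOTIFY_DLLS set is an assumption about a stock Windows 2000 SP4
install; SAMPLE_DUMP is constructed from entries shown in the thread."""
import re

# Notify packages a stock Windows 2000/XP box registers (assumption).
KNOWN_GOOD_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll",
}
NOTIFY_BASE = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
UA_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
          r"\Internet Settings\User Agent\Post Platform")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def decode_reg_value(raw):
    """Decode one REGEDIT4 value: a quoted string (with \\ and \" escapes) or a
    hex(2) expandable string; anything else (dword:...) is returned verbatim."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"hex\(2\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("latin-1").rstrip("\x00")
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(raw)
    return keys


def find_suspicious_notify(keys):
    """Notify subkeys whose DllName is a full path (stock entries are bare
    file names) or not a known Windows package."""
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_BASE.lower() + "\\"):
            continue
        dll = values.get("DllName", values.get("DLLName"))
        if dll is None:
            continue
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if "\\" in dll or basename not in KNOWN_GOOD_NOTIFY_DLLS:
            hits.append((path, dll))
    return hits


def find_guid_post_platform(keys):
    """GUID-named values under User Agent\\Post Platform (infection marker)."""
    for path, values in keys.items():
        if path.lower() == UA_KEY.lower():
            return [name for name in values if GUID_RE.match(name)]
    return []


def build_removal_reg(notify_hits, ua_guids):
    """REGEDIT4 syntax: '[-Key]' deletes a key, '"name"=-' deletes a value."""
    lines = ["REGEDIT4", ""]
    if ua_guids:
        lines.append(f"[{UA_KEY}]")
        lines.extend(f'"{g}"=-' for g in ua_guids)
        lines.append("")
    for path, _dll in notify_hits:
        lines.extend([f"[-{path}]", ""])
    return "\n".join(lines)


def triage(dump_text):
    keys = parse_reg_export(dump_text)
    hits = find_suspicious_notify(keys)
    guids = find_guid_post_platform(keys)
    return hits, guids, build_removal_reg(hits, guids)


# Constructed sample, trimmed from the Find It output in the thread.
SAMPLE_DUMP = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BCF65EE1-3368-4CF8-A78A-E1D36625F190}"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\en4ul1h91.dll"
"Logon"="WinLogon"
'''

if __name__ == "__main__":
    hits, guids, fix = triage(SAMPLE_DUMP)
    for path, dll in hits:
        print(f"suspicious Notify package: {path} -> {dll}")
    print(fix)
```

The full-path rule matters more than the name list: a hijacker could call its DLL cscdll.dll, but a stock Notify entry never carries a directory, so any path under System32 is flagged regardless of its basename. Removing the key only stops Winlogon loading the DLL at the next logon; the file itself still has to go, which is what the KillBox "Replace on Reboot" step in the reply does.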
#7 cube (New Member, Topic Starter, 5 posts)

Thank You, Thank You, Thank You!

Everything seems to be working now.

The only thing strange is the file guard.tmp still won't delete completely. Hopefully, that doesn't matter unless I still did something wrong.

Once again -- THANK YOU !!!!!!

Below are the Findit and Hijackthis logs.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Administrator\My Documents\Computer\Umonitor\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/20/2005 07:30a <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 32,757,932,032 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/23/2005 06:25p 890 vsconfig.xml
01/20/2005 07:30a <DIR> dllcache
01/07/2005 11:12p <DIR> vmss
01/06/2005 11:27p 21,692 folder.htt
01/06/2005 11:27p 271 desktop.ini
01/02/2005 07:31p 4,212 zllictbl.dat
10/23/2004 11:52a <DIR> GroupPolicy
4 File(s) 27,065 bytes
3 Dir(s) 32,757,932,032 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/23/2005 05:44p 56 Guard.tmp
1 File(s) 56 bytes
0 Dir(s) 32,757,932,032 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/23/2005 05:44p 56 Guard.tmp
07/24/2002 06:00a 2,577 CONFIG.TMP
2 File(s) 2,633 bytes
0 Dir(s) 32,757,932,032 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

C:\WINNT\SYSTEM32\
desktop.ini Thu Jan 6 2005 11:27:08p ...H. 271 0.26 K
folder.htt Thu Jan 6 2005 11:27:08p ...H. 21,692 21.18 K
vsconfig.xml Sun Jan 23 2005 6:26:00p A..H. 890 0.87 K
zllictbl.dat Sun Jan 2 2005 7:31:06p A..H. 4,212 4.11 K

4 items found: 4 files, 0 directories.
Total of file sizes: 27,065 bytes 26.43 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"SSRunScript"="\"C:\\Program Files\\Support.com\\Charter\\bin\\SSRunScript.exe\" /script \"C:\\Program Files\\Support.com\\Charter\\vbs\\verifyconnection.vbs\" /args //b startupdelay"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"vcmxin"="C:\\WINNT\\system32\\BW_ActiveX.Stub.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


Logfile of HijackThis v1.98.2
Scan saved at 6:28:19 PM, on 1/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Administrator\My Documents\Computer\Hijackthis\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vcmxin] C:\WINNT\system32\BW_ActiveX.Stub.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409

#8 admin (Founder Geek, Administrator, 24,504 posts)
We want to get rid of that guard file. Let's try removing the ".dat" file first.

First,
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
C:\WINDOWS\System32\zllictbl.dat
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
Next,
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
C:\WINDOWS\System32\Guard.tmp <- last
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • Double-click on find.bat and post the new output.txt.


#9 cube (New Member, Topic Starter, 5 posts)

zllictbl.dat is still there, but Guard.tmp appears to be gone.

I'd like to thank both admin and coachwife6 for all of your help.

Below is posted both the Findit and Hijackthis logs.

Once again, thanks

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Administrator\My Documents\Computer\Umonitor\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/20/2005 07:30a <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 32,756,731,904 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

01/24/2005 10:08p 4,212 zllictbl.dat
01/24/2005 10:07p 890 vsconfig.xml
01/20/2005 07:30a <DIR> dllcache
01/07/2005 11:12p <DIR> vmss
01/06/2005 11:27p 21,692 folder.htt
01/06/2005 11:27p 271 desktop.ini
10/23/2004 11:52a <DIR> GroupPolicy
4 File(s) 27,065 bytes
3 Dir(s) 32,756,731,904 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 00CB-17C1

Directory of C:\WINNT\System32

07/24/2002 06:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 32,756,731,904 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

C:\WINNT\SYSTEM32\
desktop.ini Thu Jan 6 2005 11:27:08p ...H. 271 0.26 K
folder.htt Thu Jan 6 2005 11:27:08p ...H. 21,692 21.18 K
vsconfig.xml Mon Jan 24 2005 10:07:04p A..H. 890 0.87 K
zllictbl.dat Mon Jan 24 2005 10:08:04p ...H. 4,212 4.11 K

4 items found: 4 files, 0 directories.
Total of file sizes: 27,065 bytes 26.43 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"SSRunScript"="\"C:\\Program Files\\Support.com\\Charter\\bin\\SSRunScript.exe\" /script \"C:\\Program Files\\Support.com\\Charter\\vbs\\verifyconnection.vbs\" /args //b startupdelay"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"vcmxin"="C:\\WINNT\\system32\\BW_ActiveX.Stub.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


Logfile of HijackThis v1.98.2
Scan saved at 10:22:24 PM, on 1/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Administrator\My Documents\Computer\Hijackthis\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vcmxin] C:\WINNT\system32\BW_ActiveX.Stub.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409

#10 admin (Founder Geek, Administrator, 24,504 posts)

Congratulations! Your system is CLEAN

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)

#11 jlevins (New Member, 1 post)
What is Findit2000ntxp? Can someone provide a download link please? Thanks.

#12 coachwife6 (SuperStar, Retired Staff, 11,413 posts)

Hi jl. Welcome to GTG. A new fix has come out for this problem. Start a new thread in the Hijack This column and we will look at your log and help you out. Read the HJThis instructions in my signature.