Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Is there no end to this? [resolved]


  • This topic is locked This topic is locked

#1
Psyk0

Psyk0

    New Member

  • Member
  • Pip
  • 4 posts
Hello, first time posting, but i've been hanging around for a while.

I've installed 5 different software to clean the mess caused by spyware, trojan, adware etc.

My system is running better now, but whenever i scan with Ad-Aware (SE), 3 files always pop-up and one of them cannot be deleted (file in-use). So AA tells me it will be deleted on next boot, but it keeps coming back, sometimes the name will change.

example:

(vx2/process/malware)
c:\winnt\system32\ennql1551.dll
c:\winnt\system32\szbrsrc.dll
c:\winnt\system32\szbrsrc.dll

REGKEY:
Location:software\microsoft\internet explorer\toolbar\webbrowser "{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
Last Activity:2/2/2005

The 2nd "problem" is everytime i connect to the internet (im on DSL), zonealarm warns me that \??\C:\WINNT\system32\winlogon.exe is trying to access a HTTP adress, and then a few seconds later rundll32.exe tries to connect to the same address!.

Any help is appreciated.

Logfile of HijackThis v1.99.0
Scan saved at 3:37:43 PM, on 2/2/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\runservice.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\3dsmax5\sfmgr\sfmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINNT\system32\ZoneLabs\minilog.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\EnterNet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O23 - Service: Gestion d'applications - Unknown - C:\WINNT\system32\services.exe
O23 - Service: AVSync Manager - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Client DHCP - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINNT\System32\dmadmin.exe
O23 - Service: Gestionnaire de disque logique - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Client DNS - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Journal des événements - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Service de télécopie - Unknown - C:\WINNT\system32\faxsvc.exe
O23 - Service: LicCtrl Service - Unknown - C:\WINNT\runservice.exe
O23 - Service: Service d'application d'assistance TCP/IP NetBIOS - Unknown - C:\WINNT\System32\services.exe
O23 - Service: McShield - Unknown - C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
O23 - Service: TrueVector Basic Logging Client - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\minilog.exe
O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINNT\System32\mnmsrvc.exe
O23 - Service: DDE réseau - Unknown - C:\WINNT\system32\netdde.exe
O23 - Service: DSDM DDE réseau - Unknown - C:\WINNT\system32\netdde.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Plug-and-Play - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Agent de stratégie IPSEC - Unknown - C:\WINNT\System32\lsass.exe
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe
O23 - Service: Emplacement protégé - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Gestionnaire de comptes de sécurité - Unknown - C:\WINNT\system32\lsass.exe
O23 - Service: Prise en charge des cartes à puces - Unknown - C:\WINNT\System32\SCardSvr.exe
O23 - Service: Carte à puce - Unknown - C:\WINNT\System32\SCardSvr.exe
O23 - Service: Service d'exécution par délégation - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Journaux et alertes de performance - Unknown - C:\WINNT\system32\smlogsvc.exe
O23 - Service: Telnet - Unknown - C:\WINNT\system32\tlntsvr.exe
O23 - Service: Client de suivi de lien distribué - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Gestionnaire d'utilitaires - Unknown - C:\WINNT\System32\UtilMan.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Horloge Windows - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Infrastructure de gestion Windows - Unknown - C:\WINNT\System32\WBEM\WinMgmt.exe
O23 - Service: Extensions du pilote WMI - Unknown - C:\WINNT\system32\Services.exe
  • 0

Advertisements


#2
LineOFire

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Hello and welcome to the GeeksToGo Forums. We hope you enjoy your stay here! :tazz:

You might have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0

#3
Psyk0

Psyk0

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for the help :tazz:.


L2MFIX find log 1.02a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\irnml5511.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\h0n0la5m1d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BFF70B1E-C2B6-46DE-9B81-C11A71BBE92B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Feuille de propri‚t‚s du fichier multim‚dia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestion de scanneur ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Page de s‚curit‚ NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Page des propri‚t‚s de OLE DocFile"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensions de l'interpr‚teur de commandes pour le partage"
"{41E300E0-78B6-11ce-849B-444553540000}"="Extension du Panneau de configuration PlusPack"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Carte du Panneau de configuration"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage cran du Panneau de configuration"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extension Affichage Panorama du Panneau de configuration"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Page de s‚curit‚ DS"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Gestionnaire de donn‚es endommag‚es de l'interpr‚teur de commandes"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Extension copie de disquette"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensions de l'interpr‚teur de commandes pour les objets Microsoft Windows Network"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Gestion d'‚cran ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Gestion d'imprimante ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensions de l'interpr‚teur de commandes pour la compression de fichiers"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Extension du shell d'imprimante Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu contextuel de cryptage"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Porte-documents"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profil ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Page de s‚curit‚ des imprimantes"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensions de l'interpr‚teur de commandes pour le partage"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extension de l'interpr‚teur de commande pour Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie PKO"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extension de cryptographie Sign"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Connexions r‚seau et accŠs … distance"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tƒches planifi‚es"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Dossier favori du shell"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="Poste de travail"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Porte-documents"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Raccourci vers le dossier"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Volume mont‚"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="Extension de la page de propri‚t‚s des fichiers"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="Page des types de fichiers"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="Gestionnaire des types de fichiers MIME"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Service Copier vers Microsoft"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Service D‚placer vers Microsoft"
"{13709620-C279-11CE-A49E-444553540000}"="Service d'automatisation de l'interface"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Menu D‚marrer"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Service SendTo Microsoft"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Service Nouvel objet Microsoft"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Ouvrir avec le gestionnaire de menu contextuel"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Afficher les extensions HTML du Panneau de configuration"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Extension de la page de propri‚t‚s des options des dossiers"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Application d'aide du systŠme pour le glisser-d‚placer"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Ajouter l'‚l‚ment de cryptage dans les menus contextuels de l'Explorateur"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barre d'outils Internet Microsoft"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="tat du t‚l‚chargement"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Dossier Bureau"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Bande de menus"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Suivi du menu Shell"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Barre du Bureau"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Dossier Bureau ‚tendu"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Dossier du shell augment‚"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Bande du navigateur Microsoft"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Bande de recherche"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Volet int‚gr‚ de recherche"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Recherche Web"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Liens"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilitaire des options de l'arborescence du Registre"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="BoŒte d'entr‚e de l'adresse"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Saisie semi-automatique Microsoft"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Image miniature"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Liste de saisie semi-automatique MRU"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Liste de saisie semi-automatique de l'historique Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Liste de saisie semi-automatique du dossier Shell Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Conteneur de la liste de saisie semi-automatique multiple Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu Site de bandes"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Barre du Bureau"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistance utilisateur"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="ParamŠtres du dossier global"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historique"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Image de d‚marrage de la Suite IE4"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Dossier ActiveX Cache"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Dossier Inscription"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Miniatures"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="Extracteur de miniatures HTML"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Extracteur de miniatures des filtres graphiques Office"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Gestionnaire d'application du shell"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="num‚rateur d'applications install‚es"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Menu Fichiers hors connexion"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Options du dossier Fichiers hors connexion"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Dossier Fichiers hors connexion"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}"="eLicense Control"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{BCBB65DC-3865-4B21-84B5-02BC81DF1541}"=""
"{D0165F44-96F5-4DD0-A10F-D4F37D2D0DB4}"=""
"{A09B41C6-5C2E-418B-AABF-7AC5B2299194}"=""
"{2E6F463B-9671-4D62-B53E-A69689F7FE5C}"=""
"{1B5C5866-88F3-45C8-B454-9430A5175E6B}"=""
"{BABF8C26-7E41-4BCC-B0A7-1E6ABB5188B1}"=""
"{F78047D7-467C-42CB-B0AA-FE75856ADAA8}"=""
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Liste de saisie semi-automatique personnalis‚e MRU"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barre de progrŠs auto-ouvrante"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analyseur de la barre d'adresses"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Fichier de chaŒne"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Raccourci de chaŒne"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Des &personnes..."
"{D5252C1E-4F7A-4D91-A08C-3AFA455F2C7E}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BCBB65DC-3865-4B21-84B5-02BC81DF1541}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BCBB65DC-3865-4B21-84B5-02BC81DF1541}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BCBB65DC-3865-4B21-84B5-02BC81DF1541}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BCBB65DC-3865-4B21-84B5-02BC81DF1541}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D0165F44-96F5-4DD0-A10F-D4F37D2D0DB4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D0165F44-96F5-4DD0-A10F-D4F37D2D0DB4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D0165F44-96F5-4DD0-A10F-D4F37D2D0DB4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D0165F44-96F5-4DD0-A10F-D4F37D2D0DB4}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A09B41C6-5C2E-418B-AABF-7AC5B2299194}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A09B41C6-5C2E-418B-AABF-7AC5B2299194}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A09B41C6-5C2E-418B-AABF-7AC5B2299194}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A09B41C6-5C2E-418B-AABF-7AC5B2299194}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2E6F463B-9671-4D62-B53E-A69689F7FE5C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2E6F463B-9671-4D62-B53E-A69689F7FE5C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2E6F463B-9671-4D62-B53E-A69689F7FE5C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2E6F463B-9671-4D62-B53E-A69689F7FE5C}\InprocServer32]
@="C:\\WINNT\\system32\\jvbexec.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1B5C5866-88F3-45C8-B454-9430A5175E6B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1B5C5866-88F3-45C8-B454-9430A5175E6B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1B5C5866-88F3-45C8-B454-9430A5175E6B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1B5C5866-88F3-45C8-B454-9430A5175E6B}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BABF8C26-7E41-4BCC-B0A7-1E6ABB5188B1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BABF8C26-7E41-4BCC-B0A7-1E6ABB5188B1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BABF8C26-7E41-4BCC-B0A7-1E6ABB5188B1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BABF8C26-7E41-4BCC-B0A7-1E6ABB5188B1}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F78047D7-467C-42CB-B0AA-FE75856ADAA8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F78047D7-467C-42CB-B0AA-FE75856ADAA8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F78047D7-467C-42CB-B0AA-FE75856ADAA8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F78047D7-467C-42CB-B0AA-FE75856ADAA8}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D5252C1E-4F7A-4D91-A08C-3AFA455F2C7E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D5252C1E-4F7A-4D91-A08C-3AFA455F2C7E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D5252C1E-4F7A-4D91-A08C-3AFA455F2C7E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D5252C1E-4F7A-4D91-A08C-3AFA455F2C7E}\InprocServer32]
@="C:\\WINNT\\system32\\mhwdat10.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
h0n0la~1.dll Thu Feb 3 2005 1:37:34p ..S.R 225,096 219.82 K
ir82l5~1.dll Fri Feb 4 2005 12:41:40p ..S.R 224,046 218.79 K
irnml5~1.dll Sat Jan 29 2005 7:51:28p ..S.R 224,566 219.30 K
lv0o09~1.dll Sat Feb 5 2005 1:14:46p ..S.R 225,096 219.82 K
mecat32.dll Fri Feb 4 2005 12:44:36p ..S.R 225,096 219.82 K
mhwdat10.dll Sat Feb 5 2005 1:16:40p ..S.R 225,096 219.82 K
phd.dll Thu Feb 3 2005 1:37:34p ..S.R 224,046 218.79 K
wtvemsp.dll Wed Feb 2 2005 9:56:50p ..S.R 224,046 218.79 K
wwvemsp.dll Wed Feb 2 2005 11:14:58p ..S.R 224,046 218.79 K

9 items found: 9 files (9 H/S), 0 directories.
Total of file sizes: 2,021,134 bytes 1.93 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Le volume dans le lecteur C s'appelle HD01
Le num‚ro de s‚rie du volume est A40E-AB1C

R‚pertoire de C:\WINNT\System32

02/05/2005 01:16p 225,096 mhwdat10.dll
02/05/2005 01:16p 801 mmf.sys
02/05/2005 01:14p 225,096 lv0o09d3e.dll
02/04/2005 12:44p 225,096 mecat32.dll
02/04/2005 12:41p 224,046 ir82l5lo1.dll
02/03/2005 01:37p 224,046 phd.dll
02/03/2005 01:37p 225,096 h0n0la5m1d.dll
02/02/2005 11:14p 224,046 wWvemsp.dll
02/02/2005 09:56p 224,046 wTvemsp.dll
02/01/2005 03:38p <DIR> dllcache
01/29/2005 07:51p 224,566 irnml5511.dll
01/29/2005 02:51p 1,056 KGyGaAvL.sys
11 fichier(s) 2,022,991 octets
1 R‚p(s) 48,432,844,800 octets libres
  • 0

#4
LineOFire

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
  • 0

#5
Psyk0

Psyk0

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Sorry my version of windows is in french, hopefully that wont be a problem for you. I dont get warnings about winlogon and rundll32 anymore.

L2Mfix 1.02a

Running From:
C:\Program Files\lm2fix\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Tout le monde
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE



Setting up for Reboot


Starting Reboot!

C:\Program Files\lm2fix\l2mfix
System Rebooted!

Running From:
C:\Program Files\lm2fix\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 956 'explorer.exe'
Killing PID 956 'explorer.exe'
Error 0x5 : Accès refusé.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1012 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\hrl8053ue.dll
1 fichier(s) copi‚(s).
Backing Up: C:\WINNT\system32\ir82l5lo1.dll
1 fichier(s) copi‚(s).
Backing Up: C:\WINNT\system32\mecat32.dll
1 fichier(s) copi‚(s).
Backing Up: C:\WINNT\system32\mhwdat10.dll
1 fichier(s) copi‚(s).
Backing Up: C:\WINNT\system32\mqi.dll
1 fichier(s) copi‚(s).
Backing Up: C:\WINNT\system32\phd.dll
1 fichier(s) copi‚(s).
Backing Up: C:\WINNT\system32\SFELL32.DLL
1 fichier(s) copi‚(s).
Backing Up: C:\WINNT\system32\wTvemsp.dll
1 fichier(s) copi‚(s).
Backing Up: C:\WINNT\system32\wWvemsp.dll
1 fichier(s) copi‚(s).
deleting: C:\WINNT\system32\hrl8053ue.dll
Successfully Deleted: C:\WINNT\system32\hrl8053ue.dll
deleting: C:\WINNT\system32\ir82l5lo1.dll
Successfully Deleted: C:\WINNT\system32\ir82l5lo1.dll
deleting: C:\WINNT\system32\mecat32.dll
Successfully Deleted: C:\WINNT\system32\mecat32.dll
deleting: C:\WINNT\system32\mhwdat10.dll
Successfully Deleted: C:\WINNT\system32\mhwdat10.dll
deleting: C:\WINNT\system32\mqi.dll
Successfully Deleted: C:\WINNT\system32\mqi.dll
deleting: C:\WINNT\system32\phd.dll
Successfully Deleted: C:\WINNT\system32\phd.dll
deleting: C:\WINNT\system32\SFELL32.DLL
Successfully Deleted: C:\WINNT\system32\SFELL32.DLL
deleting: C:\WINNT\system32\wTvemsp.dll
Successfully Deleted: C:\WINNT\system32\wTvemsp.dll
deleting: C:\WINNT\system32\wWvemsp.dll
Successfully Deleted: C:\WINNT\system32\wWvemsp.dll

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: hrl8053ue.dll (164 bytes security) (deflated 5%)
adding: ir82l5lo1.dll (164 bytes security) (deflated 4%)
adding: mecat32.dll (164 bytes security) (deflated 4%)
adding: mhwdat10.dll (164 bytes security) (deflated 4%)
adding: mqi.dll (164 bytes security) (deflated 4%)
adding: phd.dll (164 bytes security) (deflated 4%)
adding: SFELL32.DLL (164 bytes security) (deflated 4%)
adding: wTvemsp.dll (164 bytes security) (deflated 4%)
adding: wWvemsp.dll (164 bytes security) (deflated 4%)
adding: clear.reg (164 bytes security) (deflated 62%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: desktop.ini (164 bytes security) (deflated 13%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 78%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 69%)
adding: test.txt (164 bytes security) (deflated 70%)
adding: test2.txt (164 bytes security) (deflated 43%)
adding: test3.txt (164 bytes security) (deflated 43%)
adding: test5.txt (164 bytes security) (deflated 43%)
adding: xfind.txt (164 bytes security) (deflated 64%)
adding: backregs/1B5C5866-88F3-45C8-B454-9430A5175E6B.reg (164 bytes security) (deflated 70%)
adding: backregs/2E6F463B-9671-4D62-B53E-A69689F7FE5C.reg (164 bytes security) (deflated 70%)
adding: backregs/A09B41C6-5C2E-418B-AABF-7AC5B2299194.reg (164 bytes security) (deflated 70%)
adding: backregs/BABF8C26-7E41-4BCC-B0A7-1E6ABB5188B1.reg (164 bytes security) (deflated 70%)
adding: backregs/BCBB65DC-3865-4B21-84B5-02BC81DF1541.reg (164 bytes security) (deflated 70%)
adding: backregs/D0165F44-96F5-4DD0-A10F-D4F37D2D0DB4.reg (164 bytes security) (deflated 70%)
adding: backregs/D5252C1E-4F7A-4D91-A08C-3AFA455F2C7E.reg (164 bytes security) (deflated 70%)
adding: backregs/F78047D7-467C-42CB-B0AA-FE75856ADAA8.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Utilisateurs
(ID-IO) ALLOW Read BUILTIN\Utilisateurs
(ID-NI) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-IO) ALLOW Read BUILTIN\Utilisateurs avec pouvoir
(ID-NI) ALLOW Full access BUILTIN\Administrateurs
(ID-IO) ALLOW Full access BUILTIN\Administrateurs
(ID-NI) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access AUTORITE NT\SYSTEM
(ID-IO) ALLOW Full access CREATEUR PROPRIETAIRE


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

deleting local copy: hrl8053ue.dll
deleting local copy: ir82l5lo1.dll
deleting local copy: mecat32.dll
deleting local copy: mhwdat10.dll
deleting local copy: mqi.dll
deleting local copy: phd.dll
deleting local copy: SFELL32.DLL
deleting local copy: wTvemsp.dll
deleting local copy: wWvemsp.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\irnml5511.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINNT\system32\hrl8053ue.dll
C:\WINNT\system32\ir82l5lo1.dll
C:\WINNT\system32\mecat32.dll
C:\WINNT\system32\mhwdat10.dll
C:\WINNT\system32\mqi.dll
C:\WINNT\system32\phd.dll
C:\WINNT\system32\SFELL32.DLL
C:\WINNT\system32\wTvemsp.dll
C:\WINNT\system32\wWvemsp.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BCBB65DC-3865-4B21-84B5-02BC81DF1541}"=-
"{D0165F44-96F5-4DD0-A10F-D4F37D2D0DB4}"=-
"{A09B41C6-5C2E-418B-AABF-7AC5B2299194}"=-
"{2E6F463B-9671-4D62-B53E-A69689F7FE5C}"=-
"{1B5C5866-88F3-45C8-B454-9430A5175E6B}"=-
"{BABF8C26-7E41-4BCC-B0A7-1E6ABB5188B1}"=-
"{F78047D7-467C-42CB-B0AA-FE75856ADAA8}"=-
"{D5252C1E-4F7A-4D91-A08C-3AFA455F2C7E}"=-
[-HKEY_CLASSES_ROOT\CLSID\{BCBB65DC-3865-4B21-84B5-02BC81DF1541}]
[-HKEY_CLASSES_ROOT\CLSID\{D0165F44-96F5-4DD0-A10F-D4F37D2D0DB4}]
[-HKEY_CLASSES_ROOT\CLSID\{A09B41C6-5C2E-418B-AABF-7AC5B2299194}]
[-HKEY_CLASSES_ROOT\CLSID\{2E6F463B-9671-4D62-B53E-A69689F7FE5C}]
[-HKEY_CLASSES_ROOT\CLSID\{1B5C5866-88F3-45C8-B454-9430A5175E6B}]
[-HKEY_CLASSES_ROOT\CLSID\{BABF8C26-7E41-4BCC-B0A7-1E6ABB5188B1}]
[-HKEY_CLASSES_ROOT\CLSID\{F78047D7-467C-42CB-B0AA-FE75856ADAA8}]
[-HKEY_CLASSES_ROOT\CLSID\{D5252C1E-4F7A-4D91-A08C-3AFA455F2C7E}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BFF70B1E-C2B6-46DE-9B81-C11A71BBE92B}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{BFF70B1E-C2B6-46DE-9B81-C11A71BBE92B}</IDone>
<IDtwo>AD</IDtwo>
<VERSION>200</VERSION>
****************************************************************************





Logfile of HijackThis v1.99.0
Scan saved at 1:27:23 PM, on 2/6/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\runservice.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\3dsmax5\sfmgr\sfmgr.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINNT\system32\ZoneLabs\minilog.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\EnterNet.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O23 - Service: Gestion d'applications - Unknown - C:\WINNT\system32\services.exe
O23 - Service: AVSync Manager - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Client DHCP - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINNT\System32\dmadmin.exe
O23 - Service: Gestionnaire de disque logique - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Client DNS - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Journal des événements - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Service de télécopie - Unknown - C:\WINNT\system32\faxsvc.exe
O23 - Service: LicCtrl Service - Unknown - C:\WINNT\runservice.exe
O23 - Service: Service d'application d'assistance TCP/IP NetBIOS - Unknown - C:\WINNT\System32\services.exe
O23 - Service: McShield - Unknown - C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
O23 - Service: TrueVector Basic Logging Client - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\minilog.exe
O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINNT\System32\mnmsrvc.exe
O23 - Service: DDE réseau - Unknown - C:\WINNT\system32\netdde.exe
O23 - Service: DSDM DDE réseau - Unknown - C:\WINNT\system32\netdde.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Plug-and-Play - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Agent de stratégie IPSEC - Unknown - C:\WINNT\System32\lsass.exe
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe
O23 - Service: Emplacement protégé - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Gestionnaire de comptes de sécurité - Unknown - C:\WINNT\system32\lsass.exe
O23 - Service: Prise en charge des cartes à puces - Unknown - C:\WINNT\System32\SCardSvr.exe
O23 - Service: Carte à puce - Unknown - C:\WINNT\System32\SCardSvr.exe
O23 - Service: Service d'exécution par délégation - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Journaux et alertes de performance - Unknown - C:\WINNT\system32\smlogsvc.exe
O23 - Service: Telnet - Unknown - C:\WINNT\system32\tlntsvr.exe
O23 - Service: Client de suivi de lien distribué - Unknown - C:\WINNT\system32\services.exe
O23 - Service: Gestionnaire d'utilitaires - Unknown - C:\WINNT\System32\UtilMan.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Horloge Windows - Unknown - C:\WINNT\System32\services.exe
O23 - Service: Infrastructure de gestion Windows - Unknown - C:\WINNT\System32\WBEM\WinMgmt.exe
O23 - Service: Extensions du pilote WMI - Unknown - C:\WINNT\system32\Services.exe
  • 0

#6
LineOFire

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
Log looks clean now. Congratulations! :tazz:

Are you having anymore problems?
  • 0

#7
Psyk0

Psyk0

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Everything looks clean now, i also had a problem with the recycle bin (files didnt show up when deleted from my c: drive), that's also fixed now.

Thank you very much for the help, you guys rock! :tazz:
  • 0

#8
LineOFire

LineOFire

    Malware Expert

  • Retired Staff
  • 235 posts
The Recycle Bin problem was part of the VX2 infection. :tazz:

Glad that we could help. Thanks for cooperating with me!

Here are some tips, in order to reduce the potential for future malware infections. ;)
  • Secure Internet Explorer - The most common reason that malware installs itself is that your Internet Explorer security settings are set too low.
    • Open Internet Explorer.
    • Click on the "Tools" menu and select "Internet Options...".
    • If not already selected, select the "Security" tab.
    • Click on "Internet" so that it becomes highlighted and then click "Custom Level...".
    • In the "Reset to:" drop-down menu select "Medium".
    • Click "Reset" and choose "Yes" at the prompt to reset the security settings.
    • Click "OK" to return to the Security menu.
    • Repeat the same steps for "Local intranet", "Trusted sites", "Restricted sites" with these security settings:
      • "Local intranet" - "Medium-low"
      • "Trusted sites" - "Low"
      • "Restricted sites" - "High"
    • Finally, click "Apply" and then "OK" to apply the settings that you set.
  • Windows Update - It is absolutely imperative that you stay on top of all updates to your operating system and browser. Malware authors and hackers make use of the many loopholes found in Microsoft's code. Keeping your system up to date is one of the most important steps in preventing infection.
  • Spybot - Search & Destroy - Spybot - Search & Destroy is an excellent general anti-malware tool. It has the ability to scan your system for all kinds of malware and even offers TeaTimer and SDHelper in order to provide real-time protection from malware.
  • Ad-Aware SE - Ad-Aware SE, like Spybot - Search & Destroy, is another general anti-malware solution which offers scanning. Both programs will often catch something the other cannot. It is best to use both of these wonderful programs in tandem so that you maximize the detection capabilities.
  • SpywareBlaster - SpywareBlaster offers real-time protection against malicious ActiveX controls. This will stop most of the drive-by malware installations that have been very common recently. The best part is, this program does not need to run in the background, so it uses no resources!
  • IE-SpyAd - IE-SpyAd attempts to stop malware infections by placing a huge list of known malicious sites into Internet Explorer's Restricted Sites list. If you accidentally come upon a harmful site, the Restricted Sites zone will hinder its maliciousness.
  • HOSTS - The HOSTS file is the Windows solution to malware prevention. By placing harmful sites in the HOSTS file, you are effectively denying your computer access to the site, and denying the site access to your computer.
  • Update Programs Regularly - Just as with your operating system and browser, the five aforementioned utlitlies are in need of constant updating. Malware changes everyday and is critical to be prepared at all times.
  • Get A New Browser - The recent outburst of malware that has taken the Internet and the world by storm. More and more people are realizing that Internet Explorer is a terribly insecure browser. Since then, several great browsers have been developed to dull the blow of malware. Besides offering improved security, alternate browers supply many new features. These are the browsers I currently recommend: Mozilla Firefox and Opera.
I encourage you to at least consider following some of these steps. It is important that everyone learn how to combat these evil creations.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP