petro - Posted February 10, 2005

New HJT log

Logfile of HijackThis v1.99.0
Scan saved at 2:23:40 PM, on 2/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\soft.exe
C:\Program Files\PC Booster\PCBooster.exe
C:\WINNT\d3bd32.exe
C:\WINNT\isrvs\desktop.exe
C:\winnt\system32\vozhymx.exe
C:\WINNT\system32\oddll.exe
C:\WINNT\appec.exe
C:\WINNT\appec.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINNT\system32\nwevol32.exe
C:\winnt\system32\packager.exe
C:\WINNT\system32\dddd.exe
C:\WINNT\system32\mshta.exe
C:\Documents and Settings\The petro\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\system32\soft.exe
O2 - BHO: (no name) - {2A928540-DC8A-1A4C-4EDC-95558CC66BBE} - C:\WINNT\apibn32.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [d3bd32.exe] C:\WINNT\d3bd32.exe
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\THEPET~1\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKLM\..\Run: [1A.tmp.exe] C:\DOCUME~1\THEPET~1\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [vozhymx] c:\winnt\system32\vozhymx.exe
O4 - HKLM\..\Run: [os3S3Fe] oddll.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitewug32.exe
O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\
O4 - HKCU\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKCU\..\Run: [ZBs2RPK3X] nwevol32.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe
O4 - Global Startup: Microsoft Office.hta
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2:filtered:ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

Thanks.
crunchie - Posted February 11, 2005 (edited)

Download LSPfix from here. On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "aklsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

Download about:Buster and unzip it to your Desktop. Double-click on AboutBuster.exe to run it and then click on Update > Check for Update. If there is an update available, click on 'Download Update' and wait while it downloads. Once downloaded, click on Exit.

When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts) and make sure that you can view hidden files and folders.

Close all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\system32\soft.exe
O2 - BHO: (no name) - {2A928540-DC8A-1A4C-4EDC-95558CC66BBE} - C:\WINNT\apibn32.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [d3bd32.exe] C:\WINNT\d3bd32.exe
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\THEPET~1\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKLM\..\Run: [1A.tmp.exe] C:\DOCUME~1\THEPET~1\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [vozhymx] c:\winnt\system32\vozhymx.exe
O4 - HKLM\..\Run: [os3S3Fe] oddll.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitewug32.exe
O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\
O4 - HKCU\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKCU\..\Run: [ZBs2RPK3X] nwevol32.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2:filtered:ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab   (searchmiracle)
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab   (ISTBar Variant)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx   (Topconverting Adware)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

Close Hijack This and run about:Buster again, click the 'Start' button and then click the 'OK' button. Let it scan (the scan can take some time to complete, so be patient). Once the first scan has completed, it will ask you if you wish for about:Buster to scan once more. Click Yes and let it scan a second time. Once the second scan has finished, copy and paste the report to Notepad and save it on your drive. To copy and paste the report to a log file, select (highlight) all of the text produced by the scan with your mouse, right-click and select 'Copy'. Next, launch Notepad (click Start > Run > type notepad.exe and press Enter). When the file is open, right-click and select Paste. Click on File > Save As and save it in C:\ as Log.txt. Copy the log and post it back in this thread when you have rebooted.

While still in Safe Mode, run a search and make sure that all of the below files in bold have been deleted (if not, delete them):

C:\WINNT\system32\rrrvu.dll <---- file
C:\WINNT\system32\soft.exe <---- file
C:\WINNT\apibn32.dll <---- file
C:\WINNT\d3bd32.exe <---- file
C:\WINNT\system32\sm.exe <---- file
c:\winnt\system32\vozhymx.exe <---- file
C:\WINNT\system32\oddll.exe <---- file
C:\winnt\system32\elitewug32.exe <---- file
C:\WINNT\system32\nwevol32.exe <---- file
C:\WINNT\system32\dddd.exe <---- file
c:\winnt\system32\aklsp.dll <---- file
C:\WINNT\isrvs <---- folder
C:\DOCUME~1\THEPET~1\LOCALS~1\Temp <---- folder contents
C:\Program Files\ISTsvc <---- folder

Reboot, reset your Home Page and run a Housecall scan. It will get rid of any remaining files.

Post a new Hijack This log (and your About Buster log).

Download, install and keep updated Spywareblaster from www.javacoolsoftware.com to help keep your system clean.

Please try Symantec's fix tool to remove the ISTbar.

Edited February 11, 2005 by crunchie
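The entries crunchie singles out above follow a few recognisable patterns: search and start pages redirected into a local DLL through a res:// URL, a Winsock LSP DLL that Windows cannot account for, wildcard domains pushed into the Trusted Zone, an orphaned MIME filter, and Run keys that launch from a Temp directory, carry a system-sounding name or give only a bare filename. The Python below is an added example, not code from this thread or from HijackThis; it applies those patterns to a constructed sample log assembled from a few of the entries above plus benign ones, and the allowlists and reason strings are my own.

```python
"""Triage a HijackThis-style log for the entry classes a forum helper
would ask to have fixed.  Added example: heuristics, allowlists and the
sample log are constructed here, not taken from HijackThis."""
import re

# Constructed sample: entries copied from the log above plus benign ones.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\THEPET~1\LOCALS~1\Temp\1A.tmp.exe 1 10001
O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKLM\..\Run: [os3S3Fe] oddll.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# Names that impersonate Windows components; constructed list.
GENERIC_RUN_NAMES = {"web service", "windows service", "system service"}
# Legitimate launchers that appear by bare name in Run keys; constructed allowlist.
KNOWN_BARE_LAUNCHERS = {"rundll32.exe", "mobsync.exe"}

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage_line(line):
    """Return a reason string if the entry deserves a human look, else None."""
    if line.startswith(("R0", "R1")) and "res://" in line and "sp.html" in line:
        return "search/start page points at a res:// page inside a local DLL (CWS-style hijack)"
    if line.startswith("O10") and "Unknown file" in line:
        return "unregistered Winsock LSP DLL; remove it with LSPfix, not by deleting the file alone"
    if line.startswith("O15") and "Trusted Zone: *." in line:
        return "wildcard domain added to the Trusted Zone"
    if line.startswith("O18") and "(no file)" in line:
        return "orphaned MIME filter"
    m = RUN_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd").lower()
        if "\\temp\\" in cmd:
            return "Run entry launches from a Temp directory"
        if name.lower() in GENERIC_RUN_NAMES:
            return "Run entry uses a generic name that impersonates a system component"
        parts = cmd.split()
        exe = parts[0] if parts else ""
        if exe and "\\" not in exe and exe not in KNOWN_BARE_LAUNCHERS:
            return "Run entry with a bare filename, resolved by PATH search; typical of dropped malware"
    return None


def triage(log_text):
    """Return [(line, reason)] for every entry that triage_line flags."""
    findings = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{entry}\n    -> {why}")
```

The heuristics deliberately stay coarse: they surface the same seven sample entries crunchie's list would, while leaving the NVIDIA, PCPitstop and about:blank lines alone, and a human still decides what to fix.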
petro - Posted February 11, 2005

OK, I have been doing what you advised, just need to reboot. Thankfully, I had another computer to log onto to see your reply. Thanks. Will post logs asap.
petro - Posted February 12, 2005

Well, I think I got too big for my britches and screwed up my system worse.

HJT log

Logfile of HijackThis v1.99.0
Scan saved at 9:20:51 PM, on 2/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\PC Booster\PCBooster.exe
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\The petro\Desktop\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
petro - Posted February 12, 2005

About buster

Scanned at: 9:40:56 AM on: 12/27/2004

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 21

Removed Data Streams:
C:\WINNT\AC3API.INI:rwact
C:\WINNT\apiui.exe:wbszd
C:\WINNT\appge.exe:jjqtr
C:\WINNT\COM+.log:igbre
C:\WINNT\control.ini:tybkc
C:\WINNT\CTDV10K2.CDF:xfqkr
C:\WINNT\delttsul.exe:rojgg
C:\WINNT\Gone Fishing.bmp:nihza
C:\WINNT\hh.exe:fjzfc
C:\WINNT\KB834707-IE6SP1-20040929.091901.log:cghun
C:\WINNT\KB839643.log:mazwa
C:\WINNT\KB840315.log:niknj
C:\WINNT\KB841533.log:ficsl
C:\WINNT\KB841872.log:xbchw
C:\WINNT\KB841873.log:wpmda
C:\WINNT\ODBCINST.INI:juqvw
C:\WINNT\setdebug.exe:spwna
C:\WINNT\setuperr.log:kqpsc
C:\WINNT\TMUPDATE.DLL:zknyr
C:\WINNT\TSC.ini:jpblf
C:\WINNT\uneng.exe:yfjen
C:\WINNT\vbaddin.ini:awmpc
C:\WINNT\VPTNFILE.319:lxxuw
C:\WINNT\winlv.exe:hdvmg

Removed! : C:\WINNT\ahdgj.dat
Removed! : C:\WINNT\gllzt.dat
Removed! : C:\WINNT\system32\kkkuh.dat
Removed! : C:\WINNT\system32\nscgg.dat
Removed! : C:\WINNT\system32\sybtz.dat
Removed! : C:\WINNT\system32\vkjey.dat
Removed! : C:\WINNT\system32\yufqc.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 21

Removed Data Streams:
C:\WINNT\AC3API.INI:rwact
C:\WINNT\apiui.exe:wbszd
C:\WINNT\appge.exe:jjqtr
C:\WINNT\COM+.log:igbre
C:\WINNT\control.ini:tybkc
C:\WINNT\CTDV10K2.CDF:xfqkr
C:\WINNT\delttsul.exe:rojgg
C:\WINNT\Gone Fishing.bmp:nihza
C:\WINNT\hh.exe:fjzfc
C:\WINNT\KB834707-IE6SP1-20040929.091901.log:cghun
C:\WINNT\KB839643.log:mazwa
C:\WINNT\KB840315.log:niknj
C:\WINNT\KB841533.log:ficsl
C:\WINNT\KB841872.log:xbchw
C:\WINNT\KB841873.log:wpmda
C:\WINNT\ODBCINST.INI:juqvw
C:\WINNT\setdebug.exe:spwna
C:\WINNT\setuperr.log:kqpsc
C:\WINNT\TMUPDATE.DLL:zknyr
C:\WINNT\TSC.ini:jpblf
C:\WINNT\uneng.exe:yfjen
C:\WINNT\vbaddin.ini:awmpc
C:\WINNT\VPTNFILE.319:lxxuw
C:\WINNT\winlv.exe:hdvmg

Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 9:45:21 AM on: 12/27/2004

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 21

Removed Data Streams:
C:\WINNT\winlv.exe:hdvmg

Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 21

Removed Data Streams:
C:\WINNT\winlv.exe:hdvmg

Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Scanned at: 10:21:39 AM on: 12/27/2004

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 21

Removed Data Streams:
C:\WINNT\winlv.exe:hdvmg

Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 21

Removed Data Streams:
C:\WINNT\winlv.exe:hdvmg

Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 5:22:54 PM on: 2/11/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system

Removed! : C:\WINNT\ifpoh.dat
Removed! : C:\WINNT\system32\fnjfl.dat
Removed! : C:\WINNT\system32\watzs.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system

Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 6:09:27 PM on: 2/11/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system

Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system

Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 9:24:08 PM on: 2/11/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system

Removed! : C:\WINNT\hnylx.dll
Removed! : C:\WINNT\sxozg.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system

Attempted Clean Of Temp folder.
Pages Reset... Done!
Y kawika - Posted February 12, 2005

Post a new HijackThis log as well, Petro. Thanks. :)Y
petro - Posted February 12, 2005

The one above the About:Buster log is no good? I am currently running Housecall. I appear to have many trojans.
Y kawika - Posted February 12, 2005

Post the most current after running the scans recommended. :)Y
crunchie - Posted February 12, 2005

It looks like you may have picked up the latest VX2 infection too.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
petro - Posted February 12, 2005

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\j66m0gj1e6o.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{11D7E785-FD3C-4CB7-B817-4B1A23A1F5C7}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{B446400D-0030-457b-8F64-422A19605186}"="Logitech Gallery"
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}\InprocServer32]
@="C:\\WINNT\\system32\\cmmsvcs.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

Locate .tmp files:

**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 1C55-8F41

 Directory of C:\WINNT\System32

02/11/2005  09:31p       228,423 ennml1511.dll
02/11/2005  09:20p       231,895 isfgnt5.dll
02/11/2005  09:19p       228,423 o4pqle751h.dll
02/11/2005  09:16p    <DIR>      dllcache
02/11/2005  09:14p       228,943 q2860clsefq60.dll
02/11/2005  09:11p       230,604 fCxocm.dll
02/11/2005  09:10p       228,423 j66m0gj1e6o.dll
02/11/2005  08:50p       228,423 kqdbe.dll
02/11/2005  07:44p       231,120 wcspdmoe.dll
02/11/2005  07:36p       230,532 mrieftp.dll
02/11/2005  07:32p       230,242 SDLWAPI.DLL
02/11/2005  07:30p       230,242 muexcl40.dll
02/11/2005  07:19p       231,089 mmd32.dll
02/11/2005  06:49p       230,242 ckl3dv2.dll
02/11/2005  06:29p       229,281 fWxext32.dll
02/11/2005  06:14p       229,281 MXPRIVS.DLL
02/11/2005  05:18p       229,281 ngtevent.dll
02/11/2005  04:40p       229,281 wxnetmgr.dll
02/10/2005  07:08p       228,778 r2p8lc7u1f.dll
02/10/2005  06:23p       228,778 dosrslvr.dll
02/10/2005  05:48p       228,778 BHSESRV.DLL
02/10/2005  04:16p       228,778 l82slif7182.dll
02/10/2005  04:11p       232,062 mvrml9911.dll
02/10/2005  03:10p       232,062 nwdsa.dll
02/10/2005  02:22p       230,159 wev8dmod.dll
02/10/2005  02:15p       229,952 gp64l3jq1.dll
02/10/2005  01:58p       229,952 RLSMAN.DLL
02/10/2005  01:35p       229,736 notplwiz.dll
02/10/2005  12:51p       229,736 opesvr.dll
02/10/2005  12:49p       229,736 ir0ml5d11.dll
02/10/2005  12:44p       230,339 fp0603dse.dll
02/08/2005  07:57p        11,504 apphj32.exe
01/25/2005  11:17a        10,824 mslf32.exe
01/25/2005 04:15a 7,305 dklec.log 01/24/2005 12:33a 3,567 lygmb.dat 12/26/2004 02:30p 512 LsxI52.eg8 12/22/2004 02:23p 389,120 ??chost.exe 12/22/2004 10:03a 7,305 xnovg.log 12/15/2004 04:59p 7,305 livnj.txt 12/13/2004 06:04p 3,347 wtxrq.log 12/13/2004 05:16p 3,347 dbzeh.log 12/13/2004 04:09a 7,305 olizh.txt 12/11/2004 05:38p 3,347 mybyv.txt 12/09/2004 03:21p 3,347 apubp.txt 12/02/2004 08:56a 7,305 skahe.txt 10/29/2004 04:50p 56,320 hbdnr.dll 45 File(s) 7,416,331 bytes 1 Dir(s) 84,500,992,000 bytes free Share this post Link to post Share on other sites
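The directory listing above is the kind of output a helper reads by eye: a burst of DLLs written to System32 within hours of each other, all within a few kilobytes of the same size, while the older files in the same directory are unremarkable. As an added example that is not part of this thread or of any tool it mentions, the Python below parses `dir`-style output and applies that reasoning mechanically: it keeps DLLs modified inside a recent window before the scan and groups files whose sizes fall within a small tolerance of each other. The sample listing is a constructed excerpt drawn from the lines above; SCAN_TIME is an assumed scan timestamp, and the window and size tolerance are assumed tuning values.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple


class FileEntry(NamedTuple):
    mtime: datetime
    size: int
    name: str


# One "dir" line: date, 12-hour time with a/p suffix, byte count with commas, name.
DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}[ap])\s+([\d,]+)\s+(\S.*)$")

# Assumed scan time for this example (the thread's listing was taken on 2/11/2005 evening).
SCAN_TIME = datetime(2005, 2, 11, 21, 40)

# Constructed excerpt of the System32 listing posted above.
SAMPLE_DIR = r"""
 Volume in drive C has no label.
 Directory of C:\WINNT\System32

02/11/2005  09:31p             228,423 ennml1511.dll
02/11/2005  09:20p             231,895 isfgnt5.dll
02/11/2005  09:16p      <DIR>          dllcache
02/11/2005  08:50p             228,423 kqdbe.dll
02/10/2005  06:23p             228,778 dosrslvr.dll
02/10/2005  12:44p             230,339 fp0603dse.dll
02/08/2005  07:57p              11,504 apphj32.exe
10/29/2004  04:50p              56,320 hbdnr.dll
               7 File(s)      1,224,082 bytes
"""


def parse_dir(text: str) -> List[FileEntry]:
    """Parse file lines of a dir listing; <DIR> rows and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        date, clock, size, name = m.groups()
        meridiem = "PM" if clock[-1] == "p" else "AM"
        stamp = datetime.strptime(f"{date} {clock[:-1]}{meridiem}", "%m/%d/%Y %I:%M%p")
        entries.append(FileEntry(stamp, int(size.replace(",", "")), name.strip()))
    return entries


def suspicious_recent_dlls(text: str, scan_time: datetime = SCAN_TIME,
                           window_days: int = 3) -> List[str]:
    """Names of DLLs modified within window_days before the scan, oldest first."""
    cutoff = scan_time - timedelta(days=window_days)
    recent = [e for e in parse_dir(text)
              if e.name.lower().endswith(".dll") and e.mtime >= cutoff]
    return [e.name for e in sorted(recent, key=lambda e: e.mtime)]


def size_cluster_names(text: str, tolerance: int = 4096,
                       min_size: int = 3) -> List[List[str]]:
    """Group files whose sizes lie within `tolerance` bytes of the cluster's smallest member.

    Only clusters with at least min_size members are returned; a run of
    near-identical sizes is the signal a reviewer looks for in a listing.
    """
    ordered = sorted(parse_dir(text), key=lambda e: e.size)
    clusters: List[List[str]] = []
    current: List[FileEntry] = []
    for e in ordered:
        if current and e.size - current[0].size > tolerance:
            if len(current) >= min_size:
                clusters.append([c.name for c in current])
            current = []
        current.append(e)
    if len(current) >= min_size:
        clusters.append([c.name for c in current])
    return clusters


if __name__ == "__main__":
    print("recent DLLs:", suspicious_recent_dlls(SAMPLE_DIR))
    print("size clusters:", size_cluster_names(SAMPLE_DIR))
```

Neither test proves a file is malicious on its own; the point is that the intersection of "written in the last few days" and "same size band as a dozen siblings" shrinks the review set from a whole System32 directory to the handful worth submitting for analysis, which is what the listing above was used for.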
petro Posted February 12, 2005

Logfile of HijackThis v1.99.0
Scan saved at 9:53:21 PM, on 2/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\PC Booster\PCBooster.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\The petro\Desktop\HijackThis.exe
C:\WINNT\system32\rundll32.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
crunchie Posted February 12, 2005

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
petro Posted February 12, 2005

(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C access for really "Everyone" - adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot
Starting Reboot!

C:\Documents and Settings\The petro\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\The petro\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 812 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!
First Pass Completed

Second Pass Scanning
Second pass Completed!

Backing Up: C:\WINNT\system32\BHSESRV.DLL
        1 file(s) copied.
Backing Up: C:\WINNT\system32\ckl3dv2.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\dosrslvr.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\ennml1511.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\fCxocm.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\fp0603dse.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\fp8o03l3e.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\fWxext32.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\gp64l3jq1.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\ir0ml5d11.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\isfgnt5.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\j4l4le3q1h.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\kqdbe.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\l82slif7182.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\mmd32.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\mrieftp.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\muexcl40.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\mv08l9du1.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\mvrml9911.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\MXPRIVS.DLL
        1 file(s) copied.
Backing Up: C:\WINNT\system32\ngtevent.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\notplwiz.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\nwdsa.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\o4pqle751h.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\opesvr.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\q2860clsefq60.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\r2p8lc7u1f.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\RLSMAN.DLL
        1 file(s) copied.
Backing Up: C:\WINNT\system32\SDLWAPI.DLL
        1 file(s) copied.
Backing Up: C:\WINNT\system32\wcspdmoe.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\wev8dmod.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\wxnetmgr.dll
        1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
        1 file(s) copied.

deleting: C:\WINNT\system32\BHSESRV.DLL
Successfully Deleted: C:\WINNT\system32\BHSESRV.DLL
deleting: C:\WINNT\system32\ckl3dv2.dll
Successfully Deleted: C:\WINNT\system32\ckl3dv2.dll
deleting: C:\WINNT\system32\dosrslvr.dll
Successfully Deleted: C:\WINNT\system32\dosrslvr.dll
deleting: C:\WINNT\system32\ennml1511.dll
Successfully Deleted: C:\WINNT\system32\ennml1511.dll
deleting: C:\WINNT\system32\fCxocm.dll
Successfully Deleted: C:\WINNT\system32\fCxocm.dll
deleting: C:\WINNT\system32\fp0603dse.dll
Successfully Deleted: C:\WINNT\system32\fp0603dse.dll
deleting: C:\WINNT\system32\fp8o03l3e.dll
Successfully Deleted: C:\WINNT\system32\fp8o03l3e.dll
deleting: C:\WINNT\system32\fWxext32.dll
Successfully Deleted: C:\WINNT\system32\fWxext32.dll
deleting: C:\WINNT\system32\gp64l3jq1.dll
Successfully Deleted: C:\WINNT\system32\gp64l3jq1.dll
deleting: C:\WINNT\system32\ir0ml5d11.dll
Successfully Deleted: C:\WINNT\system32\ir0ml5d11.dll
deleting: C:\WINNT\system32\isfgnt5.dll
Successfully Deleted: C:\WINNT\system32\isfgnt5.dll
deleting: C:\WINNT\system32\j4l4le3q1h.dll
Successfully Deleted: C:\WINNT\system32\j4l4le3q1h.dll
deleting: C:\WINNT\system32\kqdbe.dll
Successfully Deleted: C:\WINNT\system32\kqdbe.dll
deleting: C:\WINNT\system32\l82slif7182.dll
Successfully Deleted: C:\WINNT\system32\l82slif7182.dll
deleting: C:\WINNT\system32\mmd32.dll
Successfully Deleted: C:\WINNT\system32\mmd32.dll
deleting: C:\WINNT\system32\mrieftp.dll
Successfully Deleted: C:\WINNT\system32\mrieftp.dll
deleting: C:\WINNT\system32\muexcl40.dll
Successfully Deleted: C:\WINNT\system32\muexcl40.dll
deleting: C:\WINNT\system32\mv08l9du1.dll
Successfully Deleted: C:\WINNT\system32\mv08l9du1.dll
deleting: C:\WINNT\system32\mvrml9911.dll
Successfully Deleted: C:\WINNT\system32\mvrml9911.dll
deleting: C:\WINNT\system32\MXPRIVS.DLL
Successfully Deleted: C:\WINNT\system32\MXPRIVS.DLL
deleting: C:\WINNT\system32\ngtevent.dll
Successfully Deleted: C:\WINNT\system32\ngtevent.dll
deleting: C:\WINNT\system32\notplwiz.dll
Successfully Deleted: C:\WINNT\system32\notplwiz.dll
deleting: C:\WINNT\system32\nwdsa.dll
Successfully Deleted: C:\WINNT\system32\nwdsa.dll
deleting: C:\WINNT\system32\o4pqle751h.dll
Successfully Deleted: C:\WINNT\system32\o4pqle751h.dll
deleting: C:\WINNT\system32\opesvr.dll
Successfully Deleted: C:\WINNT\system32\opesvr.dll
deleting: C:\WINNT\system32\q2860clsefq60.dll
Successfully Deleted: C:\WINNT\system32\q2860clsefq60.dll
deleting: C:\WINNT\system32\r2p8lc7u1f.dll
Successfully Deleted: C:\WINNT\system32\r2p8lc7u1f.dll
deleting: C:\WINNT\system32\RLSMAN.DLL
Successfully Deleted: C:\WINNT\system32\RLSMAN.DLL
deleting: C:\WINNT\system32\SDLWAPI.DLL
Successfully Deleted: C:\WINNT\system32\SDLWAPI.DLL
deleting: C:\WINNT\system32\wcspdmoe.dll
Successfully Deleted: C:\WINNT\system32\wcspdmoe.dll
deleting: C:\WINNT\system32\wev8dmod.dll
Successfully Deleted: C:\WINNT\system32\wev8dmod.dll
deleting: C:\WINNT\system32\wxnetmgr.dll
Successfully Deleted: C:\WINNT\system32\wxnetmgr.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
  adding: BHSESRV.DLL (152 bytes security) (deflated 4%)
  adding: ckl3dv2.dll (152 bytes security) (deflated 5%)
  adding: dosrslvr.dll (152 bytes security) (deflated 4%)
  adding: ennml1511.dll (152 bytes security) (deflated 4%)
  adding: fCxocm.dll (152 bytes security) (deflated 5%)
  adding: fp0603dse.dll (152 bytes security) (deflated 5%)
  adding: fp8o03l3e.dll (152 bytes security) (deflated 5%)
  adding: fWxext32.dll (152 bytes security) (deflated 5%)
  adding: gp64l3jq1.dll (152 bytes security) (deflated 5%)
  adding: ir0ml5d11.dll (152 bytes security) (deflated 5%)
  adding: isfgnt5.dll (152 bytes security) (deflated 6%)
  adding: j4l4le3q1h.dll (152 bytes security) (deflated 4%)
  adding: kqdbe.dll (152 bytes security) (deflated 4%)
  adding: l82slif7182.dll (152 bytes security) (deflated 4%)
  adding: mmd32.dll (152 bytes security) (deflated 5%)
  adding: mrieftp.dll (152 bytes security) (deflated 5%)
  adding: muexcl40.dll (152 bytes security) (deflated 5%)
  adding: mv08l9du1.dll (152 bytes security) (deflated 4%)
  adding: mvrml9911.dll (152 bytes security) (deflated 5%)
  adding: MXPRIVS.DLL (152 bytes security) (deflated 5%)
  adding: ngtevent.dll (152 bytes security) (deflated 5%)
  adding: notplwiz.dll (152 bytes security) (deflated 5%)
  adding: nwdsa.dll (152 bytes security) (deflated 5%)
  adding: o4pqle751h.dll (152 bytes security) (deflated 4%)
  adding: opesvr.dll (152 bytes security) (deflated 5%)
  adding: q2860clsefq60.dll (152 bytes security) (deflated 5%)
  adding: r2p8lc7u1f.dll (152 bytes security) (deflated 4%)
  adding: RLSMAN.DLL (152 bytes security) (deflated 5%)
  adding: SDLWAPI.DLL (152 bytes security) (deflated 5%)
  adding: wcspdmoe.dll (152 bytes security) (deflated 5%)
  adding: wev8dmod.dll (152 bytes security) (deflated 5%)
  adding: wxnetmgr.dll (152 bytes security) (deflated 5%)
  adding: guard.tmp (152 bytes security) (deflated 4%)
  adding: clear.reg (152 bytes security) (deflated 22%)
  adding: echo.reg (152 bytes security) (deflated 9%)
  adding: desktop.ini (152 bytes security) (deflated 14%)
  adding: direct.txt (152 bytes security) (stored 0%)
  adding: lo2.txt (152 bytes security) (deflated 84%)
  adding: readme.txt (152 bytes security) (deflated 49%)
  adding: report.txt (152 bytes security) (deflated 65%)
  adding: test.txt (152 bytes security) (deflated 79%)
  adding: test2.txt (152 bytes security) (stored 0%)
  adding: test3.txt (152 bytes security) (stored 0%)
  adding: test5.txt (152 bytes security) (stored 0%)
  adding: xfind.txt (152 bytes security) (deflated 73%)
  adding: backregs/6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3.reg (152 bytes security) (deflated 70%)
  adding: backregs/shell.reg (152 bytes security) (deflated 74%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for really "Everyone"

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: BHSESRV.DLL
deleting local copy: ckl3dv2.dll
deleting local copy: dosrslvr.dll
deleting local copy: ennml1511.dll
deleting local copy: fCxocm.dll
deleting local copy: fp0603dse.dll
deleting local copy: fp8o03l3e.dll
deleting local copy: fWxext32.dll
deleting local copy: gp64l3jq1.dll
deleting local copy: ir0ml5d11.dll
deleting local copy: isfgnt5.dll
deleting local copy: j4l4le3q1h.dll
deleting local copy: kqdbe.dll
deleting local copy: l82slif7182.dll
deleting local copy: mmd32.dll
deleting local copy: mrieftp.dll
deleting local copy: muexcl40.dll
deleting local copy: mv08l9du1.dll
deleting local copy: mvrml9911.dll
deleting local copy: MXPRIVS.DLL
deleting local copy: ngtevent.dll
deleting local copy: notplwiz.dll
deleting local copy: nwdsa.dll
deleting local copy: o4pqle751h.dll
deleting local copy: opesvr.dll
deleting local copy: q2860clsefq60.dll
deleting local copy: r2p8lc7u1f.dll
deleting local copy: RLSMAN.DLL
deleting local copy: SDLWAPI.DLL
deleting local copy: wcspdmoe.dll
deleting local copy: wev8dmod.dll
deleting local copy: wxnetmgr.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
****************************************************************************
C:\WINNT\system32\BHSESRV.DLL
C:\WINNT\system32\ckl3dv2.dll
C:\WINNT\system32\dosrslvr.dll
C:\WINNT\system32\ennml1511.dll
C:\WINNT\system32\fCxocm.dll
C:\WINNT\system32\fp0603dse.dll
C:\WINNT\system32\fp8o03l3e.dll
C:\WINNT\system32\fWxext32.dll
C:\WINNT\system32\gp64l3jq1.dll
C:\WINNT\system32\ir0ml5d11.dll
C:\WINNT\system32\isfgnt5.dll
C:\WINNT\system32\j4l4le3q1h.dll
C:\WINNT\system32\kqdbe.dll
C:\WINNT\system32\l82slif7182.dll
C:\WINNT\system32\mmd32.dll
C:\WINNT\system32\mrieftp.dll
C:\WINNT\system32\muexcl40.dll
C:\WINNT\system32\mv08l9du1.dll
C:\WINNT\system32\mvrml9911.dll
C:\WINNT\system32\MXPRIVS.DLL
C:\WINNT\system32\ngtevent.dll
C:\WINNT\system32\notplwiz.dll
C:\WINNT\system32\nwdsa.dll
C:\WINNT\system32\o4pqle751h.dll
C:\WINNT\system32\opesvr.dll
C:\WINNT\system32\q2860clsefq60.dll
C:\WINNT\system32\r2p8lc7u1f.dll
C:\WINNT\system32\RLSMAN.DLL
C:\WINNT\system32\SDLWAPI.DLL
C:\WINNT\system32\wcspdmoe.dll
C:\WINNT\system32\wev8dmod.dll
C:\WINNT\system32\wxnetmgr.dll
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}"=-

[-HKEY_CLASSES_ROOT\CLSID\{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{11D7E785-FD3C-4CB7-B817-4B1A23A1F5C7}"=-

****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{11D7E785-FD3C-4CB7-B817-4B1A23A1F5C7}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
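The fix log above shows l2mfix denying Everyone the right to create subkeys under Winlogon\Notify, doing its work, then exporting the key so the reviewer can see what is still registered there. Some DllName values in that export are stored as hex(2), which is REG_EXPAND_SZ written out byte by byte in UTF-16LE, so they are not readable without decoding. As an added example that is not the thread's or l2mfix's code, the Python below parses a .reg export of that key, decodes those values, and reports any Notify subkey whose name is not in a baseline. The baseline is the set of packages present in the export above; the sample text is a constructed excerpt of two of those subkeys plus one made-up subkey, EXAMPLE_UNKNOWN with example_notify.dll, so the check has something to report.

```python
import re
from typing import Dict, List, Optional, Tuple

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Packages present in the export l2mfix printed after the fix on this machine.
BASELINE_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy", "SensLogn", "wzcnotif"}

# Constructed excerpt: two subkeys copied from the export above plus a made-up
# subkey (EXAMPLE_UNKNOWN / example_notify.dll) that the baseline check should flag.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\EXAMPLE_UNKNOWN]
"DllName"="example_notify.dll"
"Logon"="ExampleLogon"
"""

VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')
HEX_VALUE = re.compile(r"^hex(?:\((\w+)\))?:(.*)$")


def _decode_hex(kind: str, payload: str) -> str:
    """Turn 'xx,xx,...' into text; string kinds (1, 2, 7) are UTF-16LE in .reg files."""
    data = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if kind in ("1", "2", "7"):
        return data.decode("utf-16-le").rstrip("\x00")
    return data.hex()


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit 5.00 export into {key path: {value name: decoded value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    pending: Optional[Tuple[str, str, str]] = None  # hex value continued with a trailing backslash
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None and current is not None:
            name, kind, payload = pending
            payload += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, kind, payload)
            else:
                keys[current][name] = _decode_hex(kind, payload)
                pending = None
            continue
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1]
        elif value.startswith("dword:"):
            keys[current][name] = str(int(value[6:], 16))
        else:
            hm = HEX_VALUE.match(value)
            if hm:
                kind = hm.group(1) or "3"          # bare "hex:" is REG_BINARY
                if hm.group(2).endswith("\\"):
                    pending = (name, kind, hm.group(2).rstrip("\\"))
                else:
                    keys[current][name] = _decode_hex(kind, hm.group(2))
    return keys


def notify_packages(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each Notify subkey to its DLL (the export spells DllName and DLLName both ways)."""
    prefix = NOTIFY_KEY.lower() + "\\"
    out: Dict[str, str] = {}
    for key, values in keys.items():
        if key.lower().startswith(prefix):
            dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
            out[key[len(prefix):]] = dll
    return out


def audit(text: str) -> List[str]:
    """Names of Notify packages in the export that are not in the baseline."""
    return sorted(n for n in notify_packages(parse_reg(text)) if n not in BASELINE_PACKAGES)


if __name__ == "__main__":
    for name, dll in notify_packages(parse_reg(SAMPLE_REG)).items():
        print(f"{name:16} -> {dll}")
    print("not in baseline:", audit(SAMPLE_REG))
```

A baseline comparison is the right shape for this key: every subkey under Winlogon\Notify names a DLL that winlogon loads, so the question a reviewer asks is not "does this look odd" but "was this here on a clean install", which is exactly what the fix tool's before-and-after exports let you answer.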
petro Posted February 12, 2005

Logfile of HijackThis v1.99.0
Scan saved at 7:14:24 AM, on 2/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\PC Booster\PCBooster.exe
C:\WINNT\explorer.exe
c:\winnt\system32\vozhymx.exe
c:\winnt\system32\calc.exe
C:\Documents and Settings\The petro\Desktop\l2mfix\dddd.exe
C:\WINNT\system32\170078.exe
C:\WINNT\system32\175906.exe
C:\Program Files\WebSiteViewer\127062.dlr
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\The petro\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\boln.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [vozhymx] c:\winnt\system32\vozhymx.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe
O4 - HKLM\..\Run: [systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKLM\..\Run: [antiware] c:\winnt\system32\elitehxs32.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2:filtered:ed.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
crunchie Posted February 12, 2005

Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes:

vozhymx.exe
170078.exe
175906.exe

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\boln.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [vozhymx] c:\winnt\system32\vozhymx.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe
O4 - HKLM\..\Run: [systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKLM\..\Run: [antiware] c:\winnt\system32\elitehxs32.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2:filtered:ed.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

Reboot into safe mode following the instructions here and navigate to and delete the following if found:

C:\WINNT\isrvs <---- folder
c:\winnt\system32\vozhymx.exe <---- file
C:\WINNT\system32\dddd.exe <---- file
c:\winnt\system32\elitehxs32.exe <---- file
C:\WINNT\system32\boln.dll <---- file

Reboot normally after doing the above, rescan with hijackthis, then post that log here please.

Download, install and keep updated, Spywareblaster from www.javacoolsoftware.com to help keep your system clean.

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.
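The fix list above encodes a reviewer's judgement line by line: which browser settings, BHOs, autoruns, Trusted Zone additions, ActiveX downloads and MIME filters do not belong on this machine. As an added example, not code from this thread or from HijackThis, the Python below parses a HijackThis log and applies a few of those tests mechanically: hosts entries that send a name to a non-loopback address, start/search settings outside a host allowlist, BHOs with no name or no file, autoruns launched from a Temp directory or absent from a per-machine baseline, any Trusted Zone addition, ActiveX downloads from unlisted hosts, and text/html filters. The allowlist and baseline are constructed for this example from the entries the thread leaves alone; the sample log is an excerpt assembled from the logs posted above.

```python
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlparse


class Entry(NamedTuple):
    section: str   # HijackThis section tag, e.g. "O4" or "R1"
    body: str      # everything after "O4 - "


# Section tag, " - ", rest of line.
HJT_LINE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Per-machine allowlist and baseline, constructed for this example from entries
# the thread treats as legitimate. A real triage keeps its own.
ALLOWED_HOSTS = {"www.pcpitstop.com", "www.pandasoftware.com"}
BASELINE_O4 = {
    r"HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup",
    r"HKLM\..\Run: [synchronization Manager] mobsync.exe /logon",
}

# Constructed excerpt assembled from the HijackThis logs in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 7:14:24 AM, on 2/12/2005

Running processes:
C:\WINNT\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe
O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\THEPET~1\LOCALS~1\Temp\1A.tmp.exe 1 10001
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the section entries; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def host_allowed(url: str) -> bool:
    host = urlparse(url).hostname
    return host is not None and host.lower() in ALLOWED_HOSTS


def flag(e: Entry) -> Optional[str]:
    """Return a reason if the entry deserves a second look, else None."""
    s, b = e.section, e.body
    if s in ("R0", "R1", "R3"):
        value = b.split("=", 1)[1].strip() if "=" in b else ""
        if value and value.lower() != "about:blank" and not host_allowed(value):
            return "browser start/search setting points outside the allowlist"
    elif s == "O1":
        parts = b.split()                      # "Hosts:", address, name
        if len(parts) >= 3 and parts[1] not in ("127.0.0.1", "::1"):
            return "hosts file sends a name to a non-loopback address"
    elif s == "O2" and ("(no name)" in b or "(no file)" in b):
        return "BHO with no name or missing file"
    elif s == "O4":
        if re.search(r"\\temp\\", b, re.IGNORECASE):
            return "autorun launches from a Temp directory"
        if b not in BASELINE_O4:
            return "autorun not in the machine baseline"
    elif s == "O15":
        return "site added to the Trusted Zone"
    elif s == "O16":
        m = re.search(r"https?://\S+", b)
        if m and not host_allowed(m.group(0)):
            return "ActiveX download from a host outside the allowlist"
    elif s == "O18" and b.lower().startswith("filter:"):
        return "text/html filter installed; legitimate software rarely does this"
    return None


def triage(text: str) -> List[Tuple[str, str]]:
    """Pair every flagged entry with its reason, in log order."""
    return [(reason, f"{e.section} - {e.body}")
            for e in parse_hjt(text)
            if (reason := flag(e)) is not None]


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Two of these rules deserve comment. The O4 test is a baseline comparison rather than a name check because run-key display names are free text (the log above has both "Windows Service" and "Web Service" pointing at files that are not Windows components), so only the full launch string is worth matching. The O15 rule flags every Trusted Zone entry because a home machine normally has none; the fix list above ticks all twenty-four of them.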
petro Posted February 12, 2005

Logfile of HijackThis v1.99.0
Scan saved at 9:02:49 AM, on 2/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\PC Booster\PCBooster.exe
C:\Documents and Settings\The petro\Desktop\HijackThis.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitewsh32.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
petro 116th, posted February 12, 2005

Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\unzipped\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 1C55-8F41

Directory of C:\WINNT\System32

02/11/2005 09:16p <DIR> dllcache
02/08/2005 07:57p 11,504 apphj32.exe
01/25/2005 11:17a 10,824 mslf32.exe
01/25/2005 04:15a 7,305 dklec.log
01/24/2005 12:33a 3,567 lygmb.dat
12/26/2004 02:30p 512 LsxI52.eg8
12/22/2004 02:23p 389,120 ??chost.exe
12/22/2004 10:03a 7,305 xnovg.log
12/15/2004 04:59p 7,305 livnj.txt
12/13/2004 06:04p 3,347 wtxrq.log
12/13/2004 05:16p 3,347 dbzeh.log
12/13/2004 04:09a 7,305 olizh.txt
12/11/2004 05:38p 3,347 mybyv.txt
12/09/2004 03:21p 3,347 apubp.txt
12/02/2004 08:56a 7,305 skahe.txt
10/29/2004 04:50p 56,320 hbdnr.dll
15 File(s) 521,760 bytes
1 Dir(s) 84,525,072,384 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 1C55-8F41

Directory of C:\WINNT\System32

02/11/2005 09:16p <DIR> dllcache
02/08/2005 07:57p 11,504 apphj32.exe
01/25/2005 11:17a 10,824 mslf32.exe
01/25/2005 04:15a 7,305 dklec.log
01/24/2005 12:33a 3,567 lygmb.dat
12/26/2004 02:30p 512 LsxI52.eg8
12/22/2004 02:23p 389,120 ??chost.exe
12/22/2004 10:03a 7,305 xnovg.log
12/15/2004 04:59p 7,305 livnj.txt
12/13/2004 06:04p 3,347 wtxrq.log
12/13/2004 05:16p 3,347 dbzeh.log
12/13/2004 04:09a 7,305 olizh.txt
12/11/2004 05:38p 3,347 mybyv.txt
12/09/2004 03:21p 3,347 apubp.txt
12/02/2004 08:56a 7,305 skahe.txt
10/29/2004 04:50p 56,320 hbdnr.dll
07/17/2004 01:32a <DIR> GroupPolicy
07/17/2004 01:27a 21,692 folder.htt
07/17/2004 01:27a 271 desktop.ini
17 File(s) 543,723 bytes
2 Dir(s) 84,525,068,288 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 1C55-8F41
petro 116th, posted February 12, 2005

Logfile of HijackThis v1.99.0
Scan saved at 11:33:24 AM, on 2/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\PC Booster\PCBooster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\The petro\Desktop\HijackThis.exe

O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a
O4 - Global Startup: strings.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
petro 116th, posted February 12, 2005

Crap resets itself. Bypasses SpywareBlaster.
crunchie, posted February 13, 2005 (edited)

That FindIt log was incomplete. You will need to rescan and post another. I would also suggest getting a firewall and anti-virus, as you are likely getting hit every time you go online.

To fix up the O15 entries, do this:

First, disconnect from the Internet! (Please copy these instructions to Notepad for copy/paste use, since you will be off the Internet.)

Next, launch Notepad, and copy/paste all the blue REGEDIT below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

Back on the Desktop, double-click on the fixme.reg file you just saved and click Yes when asked to merge the information.

Note that since the Domains are deleted, SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again; you also have to re-install IE-SpyAd if installed.

Edited February 13, 2005 by crunchie
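The triage walked through earlier in the thread (picking the O15, O16, O18, O10 and odd O4 entries out of a HijackThis log) and the ZoneMap clean-up crunchie posts above, as an added example that is not part of the original posts or of HijackThis itself. It parses a constructed excerpt in HijackThis 1.99 line format, flags entries with per-section heuristics, and writes a targeted REGEDIT4 fix that deletes only the ZoneMap\Domains subkeys for the O15 domains actually found, rather than the whole Domains key, so SpywareBlaster and IE-SpyAd immunisation entries survive. The allow-lists KNOWN_GOOD_O4 and TRUSTED_DPF_HOSTS, the sample log lines, and the assumption that every trusted-zone domain is registered under a two-label parent (example.com, not example.co.uk) are mine, chosen for illustration.

```python
"""Triage a HijackThis 1.99-style log and build a targeted .reg fix for O15 entries.

Added example for this thread; not HijackThis code and not from the original posts.
The allow-lists and heuristics below are assumptions chosen for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.99 format (a handful of lines, not the thread's full log).
SAMPLE_LOG = """\
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\\WINNT\\isrvs\\sysupd.dll
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [1A.tmp] C:\\DOCUME~1\\THEPET~1\\LOCALS~1\\Temp\\1A.tmp.exe 1 10001
O4 - HKCU\\..\\Run: [Windows Service] C:\\WINNT\\system32\\dddd.exe
O10 - Unknown file in Winsock LSP: c:\\winnt\\system32\\aklsp.dll
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\\WINNT\\isrvs\\mfiltis.dll
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Assumed allow-lists: a real triage would check vendor signatures or hashes, not file names.
KNOWN_GOOD_O4 = {"nvcpl.dll", "mobsync.exe"}
TRUSTED_DPF_HOSTS = {"www.pcpitstop.com", "www.pandasoftware.com"}
ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"


def parse_hjt(text):
    """Split a log into (section, body) pairs, skipping header and process-list lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _o4_target(body):
    """Lower-cased last drive path on an O4 command line (the DLL for rundll32 lines),
    or the bare first token when no path is given (which means it is found via PATH)."""
    cmd = body.split("]", 1)[1].strip() if "]" in body else body
    paths = re.findall(r'[A-Za-z]:\\[^\s",]+', cmd)
    return (paths[-1] if paths else (cmd.split() or [""])[0].strip('"')).lower()


def triage(entries):
    """Apply per-section heuristics; return (section, reason, body) for each suspicious entry."""
    findings = []
    for sec, body in entries:
        reason = None
        low = body.lower()
        if sec == "O2" and ("(no file)" in low or "\\program files\\" not in low):
            reason = "BHO loaded from outside Program Files (or file missing)"
        elif sec == "O4":
            target = _o4_target(body)
            name = target.rsplit("\\", 1)[-1]
            if "\\temp\\" in target:
                reason = "autorun target lives in a Temp directory"
            elif name not in KNOWN_GOOD_O4 and (
                "\\winnt\\" in target or "\\windows\\" in target or "\\" not in target
            ):
                reason = "unvetted executable in the system directory (or bare name on PATH)"
        elif sec == "O10" and "unknown file" in low:
            reason = "Winsock LSP not on the known-good list"
        elif sec == "O15":
            reason = "domain placed in IE Trusted Zone: verify the user added it"
        elif sec == "O16":
            m = re.search(r"https?://\S+", body)
            host = urlparse(m.group(0)).hostname if m else None
            if host not in TRUSTED_DPF_HOSTS:
                reason = f"ActiveX downloaded from unvetted host {host}"
        elif sec == "O18" and low.startswith("filter:"):
            reason = "MIME filter hooked into the IE content pipeline"
        if reason:
            findings.append((sec, reason, body))
    return findings


def o15_domains(entries):
    """Trusted-zone domains with the leading '*.' wildcard removed."""
    return [body.split(":", 1)[1].strip().lstrip("*.").lower()
            for sec, body in entries
            if sec == "O15" and body.startswith("Trusted Zone:")]


def zonemap_fix(entries):
    """REGEDIT4 text deleting only the ZoneMap\\Domains subkeys for the O15 domains found.

    Sub-domain entries are stored as subkeys under the parent domain's key, so deleting
    the parent key (assumed two-label, e.g. nettraffic2cash.biz) removes them as well.
    """
    parents = []
    for d in o15_domains(entries):
        parent = ".".join(d.split(".")[-2:])
        if parent not in parents:
            parents.append(parent)
    lines = ["REGEDIT4", ""]
    for parent in parents:
        for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
            lines.append(f"[-{hive}\\{ZONEMAP}\\{parent}]")
    lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for sec, reason, body in triage(found):
        print(f"{sec}: {reason}\n    {body}")
    print(zonemap_fix(found))
```

The ZoneMap\Ranges keys crunchie's fix also clears hold IP-range entries rather than domain names; HijackThis shows those as O15 lines too, and this generator does not attempt to map them back, so a log with "Trusted IP range" entries still needs the broader fix.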
petro 116th, posted February 13, 2005

OK, installed firewall and anti-virus. New HJT:

Logfile of HijackThis v1.99.0
Scan saved at 11:44:30 AM, on 2/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\PC Booster\PCBooster.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Documents and Settings\The petro\Desktop\HijackThis.exe

O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - Global Startup: strings.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
petro 116th, posted February 13, 2005

Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\unzipped\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 1C55-8F41

Directory of C:\WINNT\System32

02/11/2005 09:16p <DIR> dllcache
02/08/2005 07:57p 11,504 apphj32.exe
01/25/2005 11:17a 10,824 mslf32.exe
01/25/2005 04:15a 7,305 dklec.log
01/24/2005 12:33a 3,567 lygmb.dat
12/26/2004 02:30p 512 LsxI52.eg8
12/22/2004 02:23p 389,120 ??chost.exe
12/22/2004 10:03a 7,305 xnovg.log
12/15/2004 04:59p 7,305 livnj.txt
12/13/2004 06:04p 3,347 wtxrq.log
12/13/2004 05:16p 3,347 dbzeh.log
12/13/2004 04:09a 7,305 olizh.txt
12/11/2004 05:38p 3,347 mybyv.txt
12/09/2004 03:21p 3,347 apubp.txt
12/02/2004 08:56a 7,305 skahe.txt
10/29/2004 04:50p 56,320 hbdnr.dll
15 File(s) 521,760 bytes
1 Dir(s) 84,518,170,624 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 1C55-8F41

Directory of C:\WINNT\System32

02/13/2005 10:34a 890 vsconfig.xml
02/13/2005 09:40a 4,212 zllictbl.dat
02/11/2005 09:16p <DIR> dllcache
02/08/2005 07:57p 11,504 apphj32.exe
01/25/2005 11:17a 10,824 mslf32.exe
01/25/2005 04:15a 7,305 dklec.log
01/24/2005 12:33a 3,567 lygmb.dat
12/26/2004 02:30p 512 LsxI52.eg8
12/22/2004 02:23p 389,120 ??chost.exe
12/22/2004 10:03a 7,305 xnovg.log
12/15/2004 04:59p 7,305 livnj.txt
12/13/2004 06:04p 3,347 wtxrq.log
12/13/2004 05:16p 3,347 dbzeh.log
12/13/2004 04:09a 7,305 olizh.txt
12/11/2004 05:38p 3,347 mybyv.txt
12/09/2004 03:21p 3,347 apubp.txt
12/02/2004 08:56a 7,305 skahe.txt
10/29/2004 04:50p 56,320 hbdnr.dll
07/17/2004 01:32a <DIR> GroupPolicy
07/17/2004 01:27a 21,692 folder.htt
07/17/2004 01:27a 271 desktop.ini
19 File(s) 548,825 bytes
2 Dir(s) 84,518,166,528 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 1C55-8F41

Directory of C:\WINNT\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 1C55-8F41

Directory of C:\WINNT\System32

10/21/2003 04:54p 217,272 SET35.tmp
07/26/2000 07:00a 2,577 CONFIG.TMP
2 File(s) 219,849 bytes
0 Dir(s) 84,518,166,528 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"iebar"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

C:\WINNT\system32\pav.sig: Qoologic
C:\WINNT\system32\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINNT\system32\installer.exe: .aspack
C:\WINNT\system32\pav.sig: AsPack
C:\WINNT\system32\vkbwag.dat: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"Synchronization Manager"="mobsync.exe /logon"
"PC Booster"="C:\\Program Files\\PC Booster\\PCBooster.exe"
"LtcyCfgApply"="\"C:\\unzipped\\LtcyCfg2-[guru3d]\\LtcyCfg.exe\" /a"
"Systems Restart"="Rundll32.exe wnim.dll, DllRegisterServer"
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\""
"Zone Labs Client"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Firewall\\ca.exe\""
petro 116th, posted February 13, 2005

That was the whole log file I received. Thanks, Marc
petro 116th, posted February 14, 2005 (edited)

Well, I have 2 virus scanners going (PC-cillin and eTrust EZ Antivirus). Cleaned my system and the crap keeps resetting. Housecall will not run, that is why I DLed PC-cillin. It can't seem to clear out all trojans. Can I just reformat and make a copy of my backup HD? I quite frankly don't have the time, or patience, for this.

Edited February 14, 2005 by petro 116th
petro 116th, posted February 14, 2005

Canned and quarantined 22 trojans. 2 were not cleanable. Will look for an update. Thanks.