[Solved]Got About Blank Again,

[petro 116th]

New HJT log

 

 

Logfile of HijackThis v1.99.0

Scan saved at 2:23:40 PM, on 2/10/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\soft.exe

C:\Program Files\PC Booster\PCBooster.exe

C:\WINNT\d3bd32.exe

C:\WINNT\isrvs\desktop.exe

C:\winnt\system32\vozhymx.exe

C:\WINNT\system32\oddll.exe

C:\WINNT\appec.exe

C:\WINNT\appec.exe

C:\Program Files\ISTsvc\istsvc.exe

C:\WINNT\system32\nwevol32.exe

C:\winnt\system32\packager.exe

C:\WINNT\system32\dddd.exe

C:\WINNT\system32\mshta.exe

C:\Documents and Settings\The petro\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R3 - Default URLSearchHook is missing

F3 - REG:win.ini: run=C:\WINNT\system32\soft.exe

O2 - BHO: (no name) - {2A928540-DC8A-1A4C-4EDC-95558CC66BBE} - C:\WINNT\apibn32.dll

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe

O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a

O4 - HKLM\..\Run: [d3bd32.exe] C:\WINNT\d3bd32.exe

O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\THEPET~1\LOCALS~1\Temp\1A.tmp.exe 1 10001

O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe

O4 - HKLM\..\Run: [1A.tmp.exe] C:\DOCUME~1\THEPET~1\LOCALS~1\Temp\1A.tmp.exe 1 10001

O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [vozhymx] c:\winnt\system32\vozhymx.exe

O4 - HKLM\..\Run: [os3S3Fe] oddll.exe

O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitewug32.exe

O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\

O4 - HKCU\..\Run: [Web Service] C:\WINNT\system32\sm.exe

O4 - HKCU\..\Run: [ZBs2RPK3X] nwevol32.exe

O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe

O4 - Global Startup: Microsoft Office.hta

O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll

O15 - Trusted Zone: *.addictivetechnologies.com

O15 - Trusted Zone: *.addictivetechnologies.net

O15 - Trusted Zone: *.admin2cash.biz

O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.bettersearch.biz

O15 - Trusted Zone: *.c4tdownload.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.crazywinnings.com

O15 - Trusted Zone: *.f1organizer.com

O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

O15 - Trusted Zone: *.iframe.biz

O15 - Trusted Zone: *.megapornix.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.newiframe.biz

O15 - Trusted Zone: *.overpro.com

O15 - Trusted Zone: *.pizdato.biz

O15 - Trusted Zone: *.private-dialer.biz

O15 - Trusted Zone: *.private-iframe.biz

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.sp2admin.biz

O15 - Trusted Zone: *.sp2:filtered:ed.biz

O15 - Trusted Zone: *.topconverting.com

O15 - Trusted Zone: *.vse-moe.biz

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.xxxtoolbar.com

O15 - Trusted Zone: *.ysbweb.com

O15 - Trusted IP range: 206.161.125.149 (HKLM)

O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

 

Thanks.

[crunchie]

Download LSPfix from here

On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "aklsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

 

Download about:Buster and unzip it to your Desktop. Doubleclick on AboutBuster.exe to run it and then click on Update > Check for Update. If there is an update available, click on 'Download Update and wait while it downloads. Once downloaded, click on Exit.

 

When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts) and make sure that you can view hidden files and folders.

 

Close all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rrrvu.dll/sp.html#12345

R3 - Default URLSearchHook is missing

 

F3 - REG:win.ini: run=C:\WINNT\system32\soft.exe

 

O2 - BHO: (no name) - {2A928540-DC8A-1A4C-4EDC-95558CC66BBE} - C:\WINNT\apibn32.dll

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

 

O4 - HKLM\..\Run: [d3bd32.exe] C:\WINNT\d3bd32.exe

O4 - HKLM\..\Run: [1A.tmp] C:\DOCUME~1\THEPET~1\LOCALS~1\Temp\1A.tmp.exe 1 10001

O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe

O4 - HKLM\..\Run: [1A.tmp.exe] C:\DOCUME~1\THEPET~1\LOCALS~1\Temp\1A.tmp.exe 1 10001

O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [vozhymx] c:\winnt\system32\vozhymx.exe

O4 - HKLM\..\Run: [os3S3Fe] oddll.exe

O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitewug32.exe

O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\

O4 - HKCU\..\Run: [Web Service] C:\WINNT\system32\sm.exe

O4 - HKCU\..\Run: [ZBs2RPK3X] nwevol32.exe

O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe

 

O15 - Trusted Zone: *.addictivetechnologies.com

O15 - Trusted Zone: *.addictivetechnologies.net

O15 - Trusted Zone: *.admin2cash.biz

O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.bettersearch.biz

O15 - Trusted Zone: *.c4tdownload.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.crazywinnings.com

O15 - Trusted Zone: *.f1organizer.com

O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

O15 - Trusted Zone: *.iframe.biz

O15 - Trusted Zone: *.megapornix.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.newiframe.biz

O15 - Trusted Zone: *.overpro.com

O15 - Trusted Zone: *.pizdato.biz

O15 - Trusted Zone: *.private-dialer.biz

O15 - Trusted Zone: *.private-iframe.biz

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.sp2admin.biz

O15 - Trusted Zone: *.sp2:filtered:ed.biz

O15 - Trusted Zone: *.topconverting.com

O15 - Trusted Zone: *.vse-moe.biz

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.xxxtoolbar.com

O15 - Trusted Zone: *.ysbweb.com

O15 - Trusted IP range: 206.161.125.149 (HKLM)

 

O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab

searchmiracle

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

ISTBar Variant

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

Topconverting Adware

 

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

 

Close Hijack This and run about:Buster again, click the 'Start' button and then click the 'OK' button. Let it scan (the scan can take some time to complete, so be patient.). Once the first scan has completed, it will ask you if you wish for about:Buster to scan once more. Click Yes and let it scan a second time. Once the second scan has finished, copy and paste the report to Notepad and save it on your drive.

 

To copy and paste the report to a log file, select (highlight) all of the text produced by the scan with your mouse, right-click and select 'Copy'.

 

Next, launch Notepad (click Start > Run > type notepad.exe and press enter). When the file is open, rightclick and select Paste. Click on File > Save As and save it in C:\ as Log.txt. Copy the log and post it back in this thread when you have rebooted.

 

While still in Safe Mode, run a search and make sure that all of the below files in bold have been deleted (if not delete them):

 

C:\WINNT\system32\rrrvu.dll<----file

C:\WINNT\system32\soft.exe<----file

C:\WINNT\apibn32.dll<----file

C:\WINNT\d3bd32.exe<----file

C:\WINNT\system32\sm.exe<----file

c:\winnt\system32\vozhymx.exe<----file

C:\WINNT\system32\oddll.exe<----file

C:\winnt\system32\elitewug32.exe<----file

C:\WINNT\system32\nwevol32.exe<----file

C:\WINNT\system32\dddd.exe<----file

c:\winnt\system32\aklsp.dll<----file

 

C:\WINNT\isrvs<----folder

C:\DOCUME~1\THEPET~1\LOCALS~1\Temp<----folder contents

C:\Program Files\ISTsvc<----folder

 

Reboot, reset your Home Page and run a Housecall scan. It will get rid of any remaining files. Post a new Hijack This log (and your About Buster log).

 

Download, install and keep updated, Spywareblaster from www.javacoolsoftware.com to help keep your system clean.

 

Please try the Symantec's fix tool to remove the Ist bar.

Edited February 11, 2005 by crunchie

[petro 116th]

OK, I have been doing what you advised, just need to reboot.

Thankfully, i had another computer to log onto to see your reply.

Thanks.

Will post logs asap.

[petro 116th]

Well i think i got to big for my britched and screwed up my system worse.

 

HJT log

 

Logfile of HijackThis v1.99.0

Scan saved at 9:20:51 PM, on 2/11/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\PC Booster\PCBooster.exe

C:\WINNT\system32\rundll32.exe

C:\Documents and Settings\The petro\Desktop\HijackThis.exe

 

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe

O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a

O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

[petro 116th]

About buster

Scanned at: 9:40:56 AM on: 12/27/2004

 

 

-- Scan 1 ---------------------------

About:Buster Version 4.0

Reference List : 21

 

 

Removed Data Streams:

C:\WINNT\AC3API.INI:rwact

C:\WINNT\apiui.exe:wbszd

C:\WINNT\appge.exe:jjqtr

C:\WINNT\COM+.log:igbre

C:\WINNT\control.ini:tybkc

C:\WINNT\CTDV10K2.CDF:xfqkr

C:\WINNT\delttsul.exe:rojgg

C:\WINNT\Gone Fishing.bmp:nihza

C:\WINNT\hh.exe:fjzfc

C:\WINNT\KB834707-IE6SP1-20040929.091901.log:cghun

C:\WINNT\KB839643.log:mazwa

C:\WINNT\KB840315.log:niknj

C:\WINNT\KB841533.log:ficsl

C:\WINNT\KB841872.log:xbchw

C:\WINNT\KB841873.log:wpmda

C:\WINNT\ODBCINST.INI:juqvw

C:\WINNT\setdebug.exe:spwna

C:\WINNT\setuperr.log:kqpsc

C:\WINNT\TMUPDATE.DLL:zknyr

C:\WINNT\TSC.ini:jpblf

C:\WINNT\uneng.exe:yfjen

C:\WINNT\vbaddin.ini:awmpc

C:\WINNT\VPTNFILE.319:lxxuw

C:\WINNT\winlv.exe:hdvmg

 

 

Removed! : C:\WINNT\ahdgj.dat

Removed! : C:\WINNT\gllzt.dat

Removed! : C:\WINNT\system32\kkkuh.dat

Removed! : C:\WINNT\system32\nscgg.dat

Removed! : C:\WINNT\system32\sybtz.dat

Removed! : C:\WINNT\system32\vkjey.dat

Removed! : C:\WINNT\system32\yufqc.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 ---------------------------

About:Buster Version 4.0

Reference List : 21

 

 

Removed Data Streams:

C:\WINNT\AC3API.INI:rwact

C:\WINNT\apiui.exe:wbszd

C:\WINNT\appge.exe:jjqtr

C:\WINNT\COM+.log:igbre

C:\WINNT\control.ini:tybkc

C:\WINNT\CTDV10K2.CDF:xfqkr

C:\WINNT\delttsul.exe:rojgg

C:\WINNT\Gone Fishing.bmp:nihza

C:\WINNT\hh.exe:fjzfc

C:\WINNT\KB834707-IE6SP1-20040929.091901.log:cghun

C:\WINNT\KB839643.log:mazwa

C:\WINNT\KB840315.log:niknj

C:\WINNT\KB841533.log:ficsl

C:\WINNT\KB841872.log:xbchw

C:\WINNT\KB841873.log:wpmda

C:\WINNT\ODBCINST.INI:juqvw

C:\WINNT\setdebug.exe:spwna

C:\WINNT\setuperr.log:kqpsc

C:\WINNT\TMUPDATE.DLL:zknyr

C:\WINNT\TSC.ini:jpblf

C:\WINNT\uneng.exe:yfjen

C:\WINNT\vbaddin.ini:awmpc

C:\WINNT\VPTNFILE.319:lxxuw

C:\WINNT\winlv.exe:hdvmg

 

 

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

 

 

 

 

 

Scanned at: 9:45:21 AM on: 12/27/2004

 

 

-- Scan 1 ---------------------------

About:Buster Version 4.0

Reference List : 21

 

 

Removed Data Streams:

C:\WINNT\winlv.exe:hdvmg

 

 

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 ---------------------------

About:Buster Version 4.0

Reference List : 21

 

 

Removed Data Streams:

C:\WINNT\winlv.exe:hdvmg

 

 

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

 

 

 

 

 

Scanned at: 10:21:39 AM on: 12/27/2004

 

 

-- Scan 1 ---------------------------

About:Buster Version 4.0

Reference List : 21

 

 

Removed Data Streams:

C:\WINNT\winlv.exe:hdvmg

 

 

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 ---------------------------

About:Buster Version 4.0

Reference List : 21

 

 

Removed Data Streams:

C:\WINNT\winlv.exe:hdvmg

 

 

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

 

 

 

 

 

Scanned at: 5:22:54 PM on: 2/11/2005

 

 

-- Scan 1 ---------------------------

About:Buster Version 4.0

Reference List : 19

 

No ADS found on system

Removed! : C:\WINNT\ifpoh.dat

Removed! : C:\WINNT\system32\fnjfl.dat

Removed! : C:\WINNT\system32\watzs.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 ---------------------------

About:Buster Version 4.0

Reference List : 19

 

No ADS found on system

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

 

 

 

 

 

Scanned at: 6:09:27 PM on: 2/11/2005

 

 

-- Scan 1 ---------------------------

About:Buster Version 4.0

Reference List : 19

 

No ADS found on system

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

-- Scan 2 ---------------------------

About:Buster Version 4.0

Reference List : 19

 

No ADS found on system

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

 

 

 

 

 

Scanned at: 9:24:08 PM on: 2/11/2005

 

 

-- Scan 1 ---------------------------

About:Buster Version 4.0

Reference List : 23

 

No ADS found on system

Removed! : C:\WINNT\hnylx.dll

Removed! : C:\WINNT\sxozg.dat

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

-- Scan 2 ---------------------------

About:Buster Version 4.0

Reference List : 23

 

No ADS found on system

Attempted Clean Of Temp folder.

Pages Reset... Done!

[Y kawika]

Post a new HijackThis log as well Petro. Thanks. :)Y

[petro 116th]

The one above the about buster log is no good?

I am currently running Housecall. I appear to have many trojans.

[Y kawika]

Post the most current after running the scans recommended. :)Y

[crunchie]

It looks like you may have picked up the latest VX2 infection too .

Download L2mfix from one of these two locations:

 

http://www.atribune.org/downloads/l2mfix.exe

http://www.downloads.subratam.org/l2mfix.exe

 

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

 

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

[petro 116th]

L2MFIX find log 1.02b

These are the registry keys present

**********************************************************************************

Winlogon/notify:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINNT\\system32\\j66m0gj1e6o.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

 

**********************************************************************************

useragent:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{11D7E785-FD3C-4CB7-B817-4B1A23A1F5C7}"=""

 

**********************************************************************************

Shell Extension key:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"

"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"

"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"

"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"

"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"

"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"

"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"

"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"

"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"

"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"

"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"

"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"

"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"

"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"

"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"

"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"

"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"

"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"

"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"

"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"

"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"

"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"

"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"

"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"

"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"

"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"

"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"

"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"

"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"

"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"

"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"

"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"

"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"

"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"

"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"

"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"

"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"

"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"

"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"

"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"

"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"

"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"

"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"

"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"

"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"

"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"

"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"

"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"

"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"

"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"

"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"

"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"

"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"

"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"

"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"

"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"

"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"

"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"

"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"

"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"

"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"

"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"

"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"

"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"

"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"

"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"

"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"

"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"

"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"

"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"

"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"

"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"

"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"

"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"

"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"

"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"

"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"

"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"

"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"

"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"

"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"

"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"

"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"

"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"

"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"

"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"

"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"

"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"

"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"

"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"

"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"

"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"

"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"

"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"

"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"

"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"

"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"

"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"

"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"

"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"

"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"

"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"

"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"

"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"

"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"

"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"

"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"

"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"

"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"

"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"

"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"

"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"

"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"

"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"

"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"

"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"

"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"

"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"

"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"

"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"

"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"

"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"

"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"

"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"

"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"

"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"

"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"

"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"

"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"

"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"

"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"

"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"

"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"

"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"

"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"

"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"

"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"

"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"

"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"

"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"

"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"

"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"

"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."

"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"

"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"

"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"

"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"

"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"

"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"

"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"

"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"

"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"

"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"

"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"

"{B446400D-0030-457b-8F64-422A19605186}"="Logitech Gallery"

"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"

"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

"{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}"=""

 

**********************************************************************************

HKEY ROOT CLASSIDS:

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}\InprocServer32]

@="C:\\WINNT\\system32\\cmmsvcs.dll"

"ThreadingModel"="Apartment"

 

**********************************************************************************

Files Found are not all bad files:

Locate .tmp files:

**********************************************************************************

Directory Listing of system files:

Volume in drive C has no label.

Volume Serial Number is 1C55-8F41

 

Directory of C:\WINNT\System32

 

02/11/2005 09:31p 228,423 ennml1511.dll

02/11/2005 09:20p 231,895 isfgnt5.dll

02/11/2005 09:19p 228,423 o4pqle751h.dll

02/11/2005 09:16p <DIR> dllcache

02/11/2005 09:14p 228,943 q2860clsefq60.dll

02/11/2005 09:11p 230,604 fCxocm.dll

02/11/2005 09:10p 228,423 j66m0gj1e6o.dll

02/11/2005 08:50p 228,423 kqdbe.dll

02/11/2005 07:44p 231,120 wcspdmoe.dll

02/11/2005 07:36p 230,532 mrieftp.dll

02/11/2005 07:32p 230,242 SDLWAPI.DLL

02/11/2005 07:30p 230,242 muexcl40.dll

02/11/2005 07:19p 231,089 mmd32.dll

02/11/2005 06:49p 230,242 ckl3dv2.dll

02/11/2005 06:29p 229,281 fWxext32.dll

02/11/2005 06:14p 229,281 MXPRIVS.DLL

02/11/2005 05:18p 229,281 ngtevent.dll

02/11/2005 04:40p 229,281 wxnetmgr.dll

02/10/2005 07:08p 228,778 r2p8lc7u1f.dll

02/10/2005 06:23p 228,778 dosrslvr.dll

02/10/2005 05:48p 228,778 BHSESRV.DLL

02/10/2005 04:16p 228,778 l82slif7182.dll

02/10/2005 04:11p 232,062 mvrml9911.dll

02/10/2005 03:10p 232,062 nwdsa.dll

02/10/2005 02:22p 230,159 wev8dmod.dll

02/10/2005 02:15p 229,952 gp64l3jq1.dll

02/10/2005 01:58p 229,952 RLSMAN.DLL

02/10/2005 01:35p 229,736 notplwiz.dll

02/10/2005 12:51p 229,736 opesvr.dll

02/10/2005 12:49p 229,736 ir0ml5d11.dll

02/10/2005 12:44p 230,339 fp0603dse.dll

02/08/2005 07:57p 11,504 apphj32.exe

01/25/2005 11:17a 10,824 mslf32.exe

01/25/2005 04:15a 7,305 dklec.log

01/24/2005 12:33a 3,567 lygmb.dat

12/26/2004 02:30p 512 LsxI52.eg8

12/22/2004 02:23p 389,120 ??chost.exe

12/22/2004 10:03a 7,305 xnovg.log

12/15/2004 04:59p 7,305 livnj.txt

12/13/2004 06:04p 3,347 wtxrq.log

12/13/2004 05:16p 3,347 dbzeh.log

12/13/2004 04:09a 7,305 olizh.txt

12/11/2004 05:38p 3,347 mybyv.txt

12/09/2004 03:21p 3,347 apubp.txt

12/02/2004 08:56a 7,305 skahe.txt

10/29/2004 04:50p 56,320 hbdnr.dll

45 File(s) 7,416,331 bytes

1 Dir(s) 84,500,992,000 bytes free

[petro 116th]

Logfile of HijackThis v1.99.0

Scan saved at 9:53:21 PM, on 2/11/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\PC Booster\PCBooster.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\The petro\Desktop\HijackThis.exe

C:\WINNT\system32\rundll32.exe

 

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe

O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a

O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

[crunchie]

Close any programs you have open since this step requires a reboot.

 

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

 

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

[petro 116th]

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

 

 

Setting registry permissions:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

 

Denying C access for really "Everyone"

- adding new ACCESS DENY entry

 

 

Registry Permissions set too:

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(CI) DENY --C------- Everyone

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Read BUILTIN\Power Users

(ID-IO) ALLOW Read BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

 

 

Setting up for Reboot

 

 

Starting Reboot!

 

C:\Documents and Settings\The petro\Desktop\l2mfix

System Rebooted!

 

Running From:

C:\Documents and Settings\The petro\Desktop\l2mfix

 

killing explorer and rundll32.exe

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 812 'explorer.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Error, Cannot find a process with an image name of rundll32.exe

 

Scanning First Pass. Please Wait!

 

First Pass Completed

 

Second Pass Scanning

 

Second pass Completed!

Backing Up: C:\WINNT\system32\BHSESRV.DLL

1 file(s) copied.

Backing Up: C:\WINNT\system32\ckl3dv2.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\dosrslvr.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\ennml1511.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\fCxocm.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\fp0603dse.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\fp8o03l3e.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\fWxext32.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\gp64l3jq1.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\ir0ml5d11.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\isfgnt5.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\j4l4le3q1h.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\kqdbe.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\l82slif7182.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\mmd32.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\mrieftp.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\muexcl40.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\mv08l9du1.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\mvrml9911.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\MXPRIVS.DLL

1 file(s) copied.

Backing Up: C:\WINNT\system32\ngtevent.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\notplwiz.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\nwdsa.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\o4pqle751h.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\opesvr.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\q2860clsefq60.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\r2p8lc7u1f.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\RLSMAN.DLL

1 file(s) copied.

Backing Up: C:\WINNT\system32\SDLWAPI.DLL

1 file(s) copied.

Backing Up: C:\WINNT\system32\wcspdmoe.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\wev8dmod.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\wxnetmgr.dll

1 file(s) copied.

Backing Up: C:\WINNT\system32\guard.tmp

1 file(s) copied.

deleting: C:\WINNT\system32\BHSESRV.DLL

Successfully Deleted: C:\WINNT\system32\BHSESRV.DLL

deleting: C:\WINNT\system32\ckl3dv2.dll

Successfully Deleted: C:\WINNT\system32\ckl3dv2.dll

deleting: C:\WINNT\system32\dosrslvr.dll

Successfully Deleted: C:\WINNT\system32\dosrslvr.dll

deleting: C:\WINNT\system32\ennml1511.dll

Successfully Deleted: C:\WINNT\system32\ennml1511.dll

deleting: C:\WINNT\system32\fCxocm.dll

Successfully Deleted: C:\WINNT\system32\fCxocm.dll

deleting: C:\WINNT\system32\fp0603dse.dll

Successfully Deleted: C:\WINNT\system32\fp0603dse.dll

deleting: C:\WINNT\system32\fp8o03l3e.dll

Successfully Deleted: C:\WINNT\system32\fp8o03l3e.dll

deleting: C:\WINNT\system32\fWxext32.dll

Successfully Deleted: C:\WINNT\system32\fWxext32.dll

deleting: C:\WINNT\system32\gp64l3jq1.dll

Successfully Deleted: C:\WINNT\system32\gp64l3jq1.dll

deleting: C:\WINNT\system32\ir0ml5d11.dll

Successfully Deleted: C:\WINNT\system32\ir0ml5d11.dll

deleting: C:\WINNT\system32\isfgnt5.dll

Successfully Deleted: C:\WINNT\system32\isfgnt5.dll

deleting: C:\WINNT\system32\j4l4le3q1h.dll

Successfully Deleted: C:\WINNT\system32\j4l4le3q1h.dll

deleting: C:\WINNT\system32\kqdbe.dll

Successfully Deleted: C:\WINNT\system32\kqdbe.dll

deleting: C:\WINNT\system32\l82slif7182.dll

Successfully Deleted: C:\WINNT\system32\l82slif7182.dll

deleting: C:\WINNT\system32\mmd32.dll

Successfully Deleted: C:\WINNT\system32\mmd32.dll

deleting: C:\WINNT\system32\mrieftp.dll

Successfully Deleted: C:\WINNT\system32\mrieftp.dll

deleting: C:\WINNT\system32\muexcl40.dll

Successfully Deleted: C:\WINNT\system32\muexcl40.dll

deleting: C:\WINNT\system32\mv08l9du1.dll

Successfully Deleted: C:\WINNT\system32\mv08l9du1.dll

deleting: C:\WINNT\system32\mvrml9911.dll

Successfully Deleted: C:\WINNT\system32\mvrml9911.dll

deleting: C:\WINNT\system32\MXPRIVS.DLL

Successfully Deleted: C:\WINNT\system32\MXPRIVS.DLL

deleting: C:\WINNT\system32\ngtevent.dll

Successfully Deleted: C:\WINNT\system32\ngtevent.dll

deleting: C:\WINNT\system32\notplwiz.dll

Successfully Deleted: C:\WINNT\system32\notplwiz.dll

deleting: C:\WINNT\system32\nwdsa.dll

Successfully Deleted: C:\WINNT\system32\nwdsa.dll

deleting: C:\WINNT\system32\o4pqle751h.dll

Successfully Deleted: C:\WINNT\system32\o4pqle751h.dll

deleting: C:\WINNT\system32\opesvr.dll

Successfully Deleted: C:\WINNT\system32\opesvr.dll

deleting: C:\WINNT\system32\q2860clsefq60.dll

Successfully Deleted: C:\WINNT\system32\q2860clsefq60.dll

deleting: C:\WINNT\system32\r2p8lc7u1f.dll

Successfully Deleted: C:\WINNT\system32\r2p8lc7u1f.dll

deleting: C:\WINNT\system32\RLSMAN.DLL

Successfully Deleted: C:\WINNT\system32\RLSMAN.DLL

deleting: C:\WINNT\system32\SDLWAPI.DLL

Successfully Deleted: C:\WINNT\system32\SDLWAPI.DLL

deleting: C:\WINNT\system32\wcspdmoe.dll

Successfully Deleted: C:\WINNT\system32\wcspdmoe.dll

deleting: C:\WINNT\system32\wev8dmod.dll

Successfully Deleted: C:\WINNT\system32\wev8dmod.dll

deleting: C:\WINNT\system32\wxnetmgr.dll

Successfully Deleted: C:\WINNT\system32\wxnetmgr.dll

deleting: C:\WINNT\system32\guard.tmp

Successfully Deleted: C:\WINNT\system32\guard.tmp

 

Desktop.ini sucessfully removed

 

Zipping up files for submission:

adding: BHSESRV.DLL (152 bytes security) (deflated 4%)

adding: ckl3dv2.dll (152 bytes security) (deflated 5%)

adding: dosrslvr.dll (152 bytes security) (deflated 4%)

adding: ennml1511.dll (152 bytes security) (deflated 4%)

adding: fCxocm.dll (152 bytes security) (deflated 5%)

adding: fp0603dse.dll (152 bytes security) (deflated 5%)

adding: fp8o03l3e.dll (152 bytes security) (deflated 5%)

adding: fWxext32.dll (152 bytes security) (deflated 5%)

adding: gp64l3jq1.dll (152 bytes security) (deflated 5%)

adding: ir0ml5d11.dll (152 bytes security) (deflated 5%)

adding: isfgnt5.dll (152 bytes security) (deflated 6%)

adding: j4l4le3q1h.dll (152 bytes security) (deflated 4%)

adding: kqdbe.dll (152 bytes security) (deflated 4%)

adding: l82slif7182.dll (152 bytes security) (deflated 4%)

adding: mmd32.dll (152 bytes security) (deflated 5%)

adding: mrieftp.dll (152 bytes security) (deflated 5%)

adding: muexcl40.dll (152 bytes security) (deflated 5%)

adding: mv08l9du1.dll (152 bytes security) (deflated 4%)

adding: mvrml9911.dll (152 bytes security) (deflated 5%)

adding: MXPRIVS.DLL (152 bytes security) (deflated 5%)

adding: ngtevent.dll (152 bytes security) (deflated 5%)

adding: notplwiz.dll (152 bytes security) (deflated 5%)

adding: nwdsa.dll (152 bytes security) (deflated 5%)

adding: o4pqle751h.dll (152 bytes security) (deflated 4%)

adding: opesvr.dll (152 bytes security) (deflated 5%)

adding: q2860clsefq60.dll (152 bytes security) (deflated 5%)

adding: r2p8lc7u1f.dll (152 bytes security) (deflated 4%)

adding: RLSMAN.DLL (152 bytes security) (deflated 5%)

adding: SDLWAPI.DLL (152 bytes security) (deflated 5%)

adding: wcspdmoe.dll (152 bytes security) (deflated 5%)

adding: wev8dmod.dll (152 bytes security) (deflated 5%)

adding: wxnetmgr.dll (152 bytes security) (deflated 5%)

adding: guard.tmp (152 bytes security) (deflated 4%)

adding: clear.reg (152 bytes security) (deflated 22%)

adding: echo.reg (152 bytes security) (deflated 9%)

adding: desktop.ini (152 bytes security) (deflated 14%)

adding: direct.txt (152 bytes security) (stored 0%)

adding: lo2.txt (152 bytes security) (deflated 84%)

adding: readme.txt (152 bytes security) (deflated 49%)

adding: report.txt (152 bytes security) (deflated 65%)

adding: test.txt (152 bytes security) (deflated 79%)

adding: test2.txt (152 bytes security) (stored 0%)

adding: test3.txt (152 bytes security) (stored 0%)

adding: test5.txt (152 bytes security) (stored 0%)

adding: xfind.txt (152 bytes security) (deflated 73%)

adding: backregs/6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3.reg (152 bytes security) (deflated 70%)

adding: backregs/shell.reg (152 bytes security) (deflated 74%)

 

Restoring Registry Permissions:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

 

Revoking access for really "Everyone"

 

 

Registry permissions set too:

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Read BUILTIN\Power Users

(ID-IO) ALLOW Read BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

 

Restoring Sedebugprivilege:

 

Granting SeDebugPrivilege to Administrators ... successful

 

deleting local copy: BHSESRV.DLL

deleting local copy: ckl3dv2.dll

deleting local copy: dosrslvr.dll

deleting local copy: ennml1511.dll

deleting local copy: fCxocm.dll

deleting local copy: fp0603dse.dll

deleting local copy: fp8o03l3e.dll

deleting local copy: fWxext32.dll

deleting local copy: gp64l3jq1.dll

deleting local copy: ir0ml5d11.dll

deleting local copy: isfgnt5.dll

deleting local copy: j4l4le3q1h.dll

deleting local copy: kqdbe.dll

deleting local copy: l82slif7182.dll

deleting local copy: mmd32.dll

deleting local copy: mrieftp.dll

deleting local copy: muexcl40.dll

deleting local copy: mv08l9du1.dll

deleting local copy: mvrml9911.dll

deleting local copy: MXPRIVS.DLL

deleting local copy: ngtevent.dll

deleting local copy: notplwiz.dll

deleting local copy: nwdsa.dll

deleting local copy: o4pqle751h.dll

deleting local copy: opesvr.dll

deleting local copy: q2860clsefq60.dll

deleting local copy: r2p8lc7u1f.dll

deleting local copy: RLSMAN.DLL

deleting local copy: SDLWAPI.DLL

deleting local copy: wcspdmoe.dll

deleting local copy: wev8dmod.dll

deleting local copy: wxnetmgr.dll

deleting local copy: guard.tmp

 

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

 

 

The following are the files found:

****************************************************************************

C:\WINNT\system32\BHSESRV.DLL

C:\WINNT\system32\ckl3dv2.dll

C:\WINNT\system32\dosrslvr.dll

C:\WINNT\system32\ennml1511.dll

C:\WINNT\system32\fCxocm.dll

C:\WINNT\system32\fp0603dse.dll

C:\WINNT\system32\fp8o03l3e.dll

C:\WINNT\system32\fWxext32.dll

C:\WINNT\system32\gp64l3jq1.dll

C:\WINNT\system32\ir0ml5d11.dll

C:\WINNT\system32\isfgnt5.dll

C:\WINNT\system32\j4l4le3q1h.dll

C:\WINNT\system32\kqdbe.dll

C:\WINNT\system32\l82slif7182.dll

C:\WINNT\system32\mmd32.dll

C:\WINNT\system32\mrieftp.dll

C:\WINNT\system32\muexcl40.dll

C:\WINNT\system32\mv08l9du1.dll

C:\WINNT\system32\mvrml9911.dll

C:\WINNT\system32\MXPRIVS.DLL

C:\WINNT\system32\ngtevent.dll

C:\WINNT\system32\notplwiz.dll

C:\WINNT\system32\nwdsa.dll

C:\WINNT\system32\o4pqle751h.dll

C:\WINNT\system32\opesvr.dll

C:\WINNT\system32\q2860clsefq60.dll

C:\WINNT\system32\r2p8lc7u1f.dll

C:\WINNT\system32\RLSMAN.DLL

C:\WINNT\system32\SDLWAPI.DLL

C:\WINNT\system32\wcspdmoe.dll

C:\WINNT\system32\wev8dmod.dll

C:\WINNT\system32\wxnetmgr.dll

C:\WINNT\system32\guard.tmp

 

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}"=-

[-HKEY_CLASSES_ROOT\CLSID\{6C45B15D-7D70-4AB5-BEB9-FBD84EF9B8C3}]

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{11D7E785-FD3C-4CB7-B817-4B1A23A1F5C7}"=-

****************************************************************************

Desktop.ini Contents:

****************************************************************************

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

<IDone>{11D7E785-FD3C-4CB7-B817-4B1A23A1F5C7}</IDone>

<IDtwo>VT00</IDtwo>

<VERSION>200</VERSION>

****************************************************************************

[petro 116th]

Logfile of HijackThis v1.99.0

Scan saved at 7:14:24 AM, on 2/12/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\PC Booster\PCBooster.exe

C:\WINNT\explorer.exe

c:\winnt\system32\vozhymx.exe

c:\winnt\system32\calc.exe

C:\Documents and Settings\The petro\Desktop\l2mfix\dddd.exe

C:\WINNT\system32\170078.exe

C:\WINNT\system32\175906.exe

C:\Program Files\WebSiteViewer\127062.dlr

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\The petro\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll

O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)

O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\boln.dll

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe

O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a

O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [vozhymx] c:\winnt\system32\vozhymx.exe

O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe

O4 - HKLM\..\Run: [systems Restart] Rundll32.exe boln.dll, DllRegisterServer

O4 - HKLM\..\Run: [antiware] c:\winnt\system32\elitehxs32.exe

O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe

O15 - Trusted Zone: *.addictivetechnologies.com

O15 - Trusted Zone: *.addictivetechnologies.net

O15 - Trusted Zone: *.admin2cash.biz

O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.bettersearch.biz

O15 - Trusted Zone: *.c4tdownload.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.f1organizer.com

O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

O15 - Trusted Zone: *.iframe.biz

O15 - Trusted Zone: *.megapornix.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.newiframe.biz

O15 - Trusted Zone: *.overpro.com

O15 - Trusted Zone: *.pizdato.biz

O15 - Trusted Zone: *.private-dialer.biz

O15 - Trusted Zone: *.private-iframe.biz

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.sp2admin.biz

O15 - Trusted Zone: *.sp2:filtered:ed.biz

O15 - Trusted Zone: *.vse-moe.biz

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.xxxtoolbar.com

O15 - Trusted Zone: *.ysbweb.com

O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

[crunchie]

Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes;

vozhymx.exe

170078.exe

175906.exe

 

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

 

O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll

O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)

O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\boln.dll

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

 

O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [vozhymx] c:\winnt\system32\vozhymx.exe

O4 - HKLM\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe

O4 - HKLM\..\Run: [systems Restart] Rundll32.exe boln.dll, DllRegisterServer

O4 - HKLM\..\Run: [antiware] c:\winnt\system32\elitehxs32.exe

O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\dddd.exe

 

O15 - Trusted Zone: *.addictivetechnologies.com

O15 - Trusted Zone: *.addictivetechnologies.net

O15 - Trusted Zone: *.admin2cash.biz

O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.bettersearch.biz

O15 - Trusted Zone: *.c4tdownload.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.f1organizer.com

O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

O15 - Trusted Zone: *.iframe.biz

O15 - Trusted Zone: *.megapornix.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.newiframe.biz

O15 - Trusted Zone: *.overpro.com

O15 - Trusted Zone: *.pizdato.biz

O15 - Trusted Zone: *.private-dialer.biz

O15 - Trusted Zone: *.private-iframe.biz

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.sp2admin.biz

O15 - Trusted Zone: *.sp2:filtered:ed.biz

O15 - Trusted Zone: *.vse-moe.biz

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.xxxtoolbar.com

O15 - Trusted Zone: *.ysbweb.com

 

O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

 

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

 

Reboot into safe mode following the instructions here and navigate to and delete the following if found:

 

C:\WINNT\isrvs<----folder

 

c:\winnt\system32\vozhymx.exe<----file

C:\WINNT\system32\dddd.exe<----file

c:\winnt\system32\elitehxs32.exe<----file

C:\WINNT\system32\boln.dll<----file

 

Reboot normally after doing the above, rescan with hijackthis, then post that log here please.

 

Download, install and keep updated, Spywareblaster from www.javacoolsoftware.com to help keep your system clean.

 

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

[petro 116th]

Logfile of HijackThis v1.99.0

Scan saved at 9:02:49 AM, on 2/12/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\PC Booster\PCBooster.exe

C:\Documents and Settings\The petro\Desktop\HijackThis.exe

 

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)

O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe

O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a

O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitewsh32.exe

O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

O15 - Trusted Zone: *.xxxtoolbar.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

[petro 116th]

Warning! This utility will find legitimate files in addition to malware.

Do not remove anything unless you are sure you know what you're doing.

 

Find.bat is running from: C:\unzipped\finditnt2000xp\Find It NT-2K-XP

 

------- System Files in System32 Directory -------

Volume in drive C has no label.

Volume Serial Number is 1C55-8F41

 

Directory of C:\WINNT\System32

 

02/11/2005 09:16p <DIR> dllcache

02/08/2005 07:57p 11,504 apphj32.exe

01/25/2005 11:17a 10,824 mslf32.exe

01/25/2005 04:15a 7,305 dklec.log

01/24/2005 12:33a 3,567 lygmb.dat

12/26/2004 02:30p 512 LsxI52.eg8

12/22/2004 02:23p 389,120 ??chost.exe

12/22/2004 10:03a 7,305 xnovg.log

12/15/2004 04:59p 7,305 livnj.txt

12/13/2004 06:04p 3,347 wtxrq.log

12/13/2004 05:16p 3,347 dbzeh.log

12/13/2004 04:09a 7,305 olizh.txt

12/11/2004 05:38p 3,347 mybyv.txt

12/09/2004 03:21p 3,347 apubp.txt

12/02/2004 08:56a 7,305 skahe.txt

10/29/2004 04:50p 56,320 hbdnr.dll

15 File(s) 521,760 bytes

1 Dir(s) 84,525,072,384 bytes free

 

------- Hidden Files in System32 Directory -------

 

Volume in drive C has no label.

Volume Serial Number is 1C55-8F41

 

Directory of C:\WINNT\System32

 

02/11/2005 09:16p <DIR> dllcache

02/08/2005 07:57p 11,504 apphj32.exe

01/25/2005 11:17a 10,824 mslf32.exe

01/25/2005 04:15a 7,305 dklec.log

01/24/2005 12:33a 3,567 lygmb.dat

12/26/2004 02:30p 512 LsxI52.eg8

12/22/2004 02:23p 389,120 ??chost.exe

12/22/2004 10:03a 7,305 xnovg.log

12/15/2004 04:59p 7,305 livnj.txt

12/13/2004 06:04p 3,347 wtxrq.log

12/13/2004 05:16p 3,347 dbzeh.log

12/13/2004 04:09a 7,305 olizh.txt

12/11/2004 05:38p 3,347 mybyv.txt

12/09/2004 03:21p 3,347 apubp.txt

12/02/2004 08:56a 7,305 skahe.txt

10/29/2004 04:50p 56,320 hbdnr.dll

07/17/2004 01:32a <DIR> GroupPolicy

07/17/2004 01:27a 21,692 folder.htt

07/17/2004 01:27a 271 desktop.ini

17 File(s) 543,723 bytes

2 Dir(s) 84,525,068,288 bytes free

 

---------- Files Named "Guard" -------------

 

Volume in drive C has no label.

Volume Serial Number is 1C55-8F41

[petro 116th]

Logfile of HijackThis v1.99.0

Scan saved at 11:33:24 AM, on 2/12/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\PC Booster\PCBooster.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\The petro\Desktop\HijackThis.exe

 

O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe

O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a

O4 - Global Startup: strings.exe

O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

[petro 116th]

Crap resets itself.

Bypasses spyware blaster.

[crunchie]

That findit log was incomplete. You will need to rescan and post another .

I would also suggest getting a firewall and anti-virus as you are likely getting hit every time you go online.

 

To fix up the 015 entries do this;

 

First, Disconnect from the Internet!!

 

(Please copy these instructions to NotePad for copy/paste use, since you will be off the Internet.)

____

Next, launch Notepad, and copy/paste all the blue REGEDIT below to it

Save in: Desktop

File Name: fixme.reg

Save as Type: All files

Click: Save

 

REGEDIT4

 

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

 

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

 

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

 

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

 

Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

 

Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also have to re-install IE-SpyAd if installed.

Edited February 13, 2005 by crunchie

[petro 116th]

Ok, Installed firewall and anti virus.

New HJT

Logfile of HijackThis v1.99.0

Scan saved at 11:44:30 AM, on 2/13/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\PC Booster\PCBooster.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe

C:\Documents and Settings\The petro\Desktop\HijackThis.exe

 

O2 - BHO: (no name) - {5E3CCC2F-DEE0-9814-E5DB-4738CCA6A835} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\PCBooster.exe

O4 - HKLM\..\Run: [LtcyCfgApply] "C:\unzipped\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a

O4 - HKLM\..\Run: [systems Restart] Rundll32.exe wnim.dll, DllRegisterServer

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"

O4 - Global Startup: strings.exe

O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe

O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

[petro 116th]

Warning! This utility will find legitimate files in addition to malware.

Do not remove anything unless you are sure you know what you're doing.

 

Find.bat is running from: C:\unzipped\finditnt2000xp\Find It NT-2K-XP

 

------- System Files in System32 Directory -------

Volume in drive C has no label.

Volume Serial Number is 1C55-8F41

 

Directory of C:\WINNT\System32

 

02/11/2005 09:16p <DIR> dllcache

02/08/2005 07:57p 11,504 apphj32.exe

01/25/2005 11:17a 10,824 mslf32.exe

01/25/2005 04:15a 7,305 dklec.log

01/24/2005 12:33a 3,567 lygmb.dat

12/26/2004 02:30p 512 LsxI52.eg8

12/22/2004 02:23p 389,120 ??chost.exe

12/22/2004 10:03a 7,305 xnovg.log

12/15/2004 04:59p 7,305 livnj.txt

12/13/2004 06:04p 3,347 wtxrq.log

12/13/2004 05:16p 3,347 dbzeh.log

12/13/2004 04:09a 7,305 olizh.txt

12/11/2004 05:38p 3,347 mybyv.txt

12/09/2004 03:21p 3,347 apubp.txt

12/02/2004 08:56a 7,305 skahe.txt

10/29/2004 04:50p 56,320 hbdnr.dll

15 File(s) 521,760 bytes

1 Dir(s) 84,518,170,624 bytes free

 

------- Hidden Files in System32 Directory -------

 

Volume in drive C has no label.

Volume Serial Number is 1C55-8F41

 

Directory of C:\WINNT\System32

 

02/13/2005 10:34a 890 vsconfig.xml

02/13/2005 09:40a 4,212 zllictbl.dat

02/11/2005 09:16p <DIR> dllcache

02/08/2005 07:57p 11,504 apphj32.exe

01/25/2005 11:17a 10,824 mslf32.exe

01/25/2005 04:15a 7,305 dklec.log

01/24/2005 12:33a 3,567 lygmb.dat

12/26/2004 02:30p 512 LsxI52.eg8

12/22/2004 02:23p 389,120 ??chost.exe

12/22/2004 10:03a 7,305 xnovg.log

12/15/2004 04:59p 7,305 livnj.txt

12/13/2004 06:04p 3,347 wtxrq.log

12/13/2004 05:16p 3,347 dbzeh.log

12/13/2004 04:09a 7,305 olizh.txt

12/11/2004 05:38p 3,347 mybyv.txt

12/09/2004 03:21p 3,347 apubp.txt

12/02/2004 08:56a 7,305 skahe.txt

10/29/2004 04:50p 56,320 hbdnr.dll

07/17/2004 01:32a <DIR> GroupPolicy

07/17/2004 01:27a 21,692 folder.htt

07/17/2004 01:27a 271 desktop.ini

19 File(s) 548,825 bytes

2 Dir(s) 84,518,166,528 bytes free

 

---------- Files Named "Guard" -------------

 

Volume in drive C has no label.

Volume Serial Number is 1C55-8F41

 

Directory of C:\WINNT\System32

 

 

--------- Temp Files in System32 Directory --------

 

Volume in drive C has no label.

Volume Serial Number is 1C55-8F41

 

Directory of C:\WINNT\System32

 

10/21/2003 04:54p 217,272 SET35.tmp

07/26/2000 07:00a 2,577 CONFIG.TMP

2 File(s) 219,849 bytes

0 Dir(s) 84,518,166,528 bytes free

 

---------------- User Agent ------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"iebar"=""

 

 

------------ Keys Under Notify ------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

 

 

------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

 

C:\WINNT\system32\pav.sig: Qoologic

C:\WINNT\system32\pav.sig: Qoologic

 

-------------- Strings.exe Aspack Results -------------

 

C:\WINNT\system32\installer.exe: .aspack

C:\WINNT\system32\pav.sig: AsPack

C:\WINNT\system32\vkbwag.dat: .aspack

 

----------------- HKLM Run Key ------------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"

"Synchronization Manager"="mobsync.exe /logon"

"PC Booster"="C:\\Program Files\\PC Booster\\PCBooster.exe"

"LtcyCfgApply"="\"C:\\unzipped\\LtcyCfg2-[guru3d]\\LtcyCfg.exe\" /a"

"Systems Restart"="Rundll32.exe wnim.dll, DllRegisterServer"

"CaAvTray"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVTray.exe\""

"CAVRID"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\""

"Zone Labs Client"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Firewall\\ca.exe\""

[petro 116th]

That was the whole logfile i received.

Thanks ,

Marc

[petro 116th]

Well, i have 2 virus scanners going, (PC cillin and Etrust EZ virus. )

 

Cleaned my system and the crap keeps resetting.

Housecall will not tun, that is why i DLed PC cillin. it can't seem to clear out all trojans.

 

Can i just reformat and make a copy of my back up HD?

I quite frankly don't have the time, or patience for this.

Edited February 14, 2005 by petro 116th

[petro 116th]

Canned and quaratined 22 trojans. 2 Were not cleanable.

Will look for an update.

thatnks.