Idiot (Me) Installed Norton 2005 Now have problems

XPBri · Jan 23, 2005

First off, I'm an idiot.
That clearly stated here is my problem:
I am running windows 2000 Pro, I had been using Spybot, Ad-aware, Zone Alarm Pro, and AVG for virus protection. I had a brilliant idea to switch to Norton Anti-Virus 2005 When installing Norton- it made me delete AVG, this was when my problems began, I tried to play an online game- BF1942, I kept getting kicked for inadaquete O/S Privelages. Well after some searches I found I was infected by VX2 (i think). So I figured Norton would fix the mess it created, it opened the quarentine list that AVG had created, and sent all the little devils contained within it throughout my machine. Norton cannot delete the problem files, and upon manual deletion they come back after a reboot. I paid Norton $29.00 for a product support call with no resolution If you can please take a moment to help me it would be greatly appreciated, and a donation will be headed your way
Thanks,
Brian

Note: I noticed that HJT was outdated so I ran this log with the latest version

Logfile of HijackThis v1.99.0
Scan saved at 6:43:34 PM, on 1/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\ntsmod.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wrrogi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Home\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snkypete.com/forum
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe Ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ntsmod] C:\WINNT\system32\ntsmod.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvfmt32.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpsvtr.exe
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Wonderful Norton 2005 scan results:
coozqy.dll Adware.QoolAid
dCdref.dll Adware.Look2Me
pbbyka.dat Adware.QoolAid

XPBri · Jan 23, 2005

Here are a couple more logs, I'll add the spy bot log when it completes
Also I have spyblaster installed on the machine.
Thanks Again,
Brian

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---AtiExtEvent
Keys Under Notify---ATINotify
Keys Under Notify---Control Panel
Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---wzcnotif

Guardian Key--- is called:

User Agent String---
{7591635B-8C5A-41E2-BAD5-836F54786397}

Hosts Log:
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch

XPBri · Jan 23, 2005

Spybot log
Elitum.EliteBar: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1547161642-1275210071-839522115-1000\Software\LQ

Common hijacker: Redirected host (Redirected host, nothing done)

Common hijacker: Redirected host (Redirected host, nothing done)

CoolWWWSearch.Bootconf: Redirected host (Redirected host, nothing done)

CoolWWWSearch.Loadbat: Redirected host (Redirected host, nothing done)

CoolWWWSearch.Msconfd: Redirected host (Redirected host, nothing done)

CoolWWWSearch.Oslogo: Redirected host (Redirected host, nothing done)

CoolWWWSearch.Tapicfg: Redirected host (Redirected host, nothing done)

CoolWWWSearch.Xmlmimefilter: Redirected host (Redirected host, nothing done)

IGetNet: Redirected host (Redirected host, nothing done)

--- Spybot - Search && Destroy version: 1.3 ---
2004-11-29 Includes\Cookies.sbi
2005-01-04 Includes\Dialer.sbi
2005-01-04 Includes\Hijackers.sbi
2004-12-29 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2005-01-04 Includes\Malware.sbi
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2005-01-05 Includes\Spybots.sbi
2004-11-29 Includes\Tracks.uti
2005-01-04 Includes\Trojans.sbi

XPBri · Jan 23, 2005

Finally here is my Ad-aware SE log- note that it deletes most of the errors found- but when the machine reboots there are even more found

Ad-Aware SE Build 1.05
Logfile Created on:Sunday, January 23, 2005 5:20:55 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R25 11.01.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):4 total references
Ebates MoneyMaker(TAC index:4):1 total references
Elitum.ElitebarBHO(TAC index:5):42 total references
MRU List(TAC index:0):43 total references
Redirected hostfile entry(TAC index:4):5 total references
Search Miracle(TAC index:5):3 total references
VX2(TAC index:10):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

1-23-2005 5:20:55 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives

MRU List Object Recognized!
Location: : software\musicmatch\musicmatch jukebox\4.0\mmradio
Description : information on the last station listened to using musicmatch radio

MRU List Object Recognized!
Location: : software\musicmatch\musicmatch jukebox\4.0\fileconv
Description : file conversion location settings in musicmatch jukebox

MRU List Object Recognized!
Location: : software\musicmatch
Description : download location of the musicmatch installer

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\office\9.0\excel\recent files
Description : list of recent files used by microsoft excel

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\preferences
Description : last search path used in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\player\settings
Description : last save as directory used in jasc paint shop pro

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\explorer\navigation\mrulist
Description : list for the navigation feature of microsoft frontpage

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\explorer\frontpage explorer\recently created servers
Description : list of recently created servers in microsoft frontpage

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\explorer\frontpage explorer\recent web list
Description : list of recently used webs in microsoft frontpage

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\explorer\frontpage explorer\recent page list
Description : list of recently used pages in microsoft frontpage

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\explorer\frontpage explorer\recent file list
Description : list of recently used files in microsoft frontpage

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\editor\per-web image save directories
Description : list of image save directories per web in microsoft frontpage

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\editor\insert image\recently used urls
Description : list of recently used urls in microsoft frontpage

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage
Description : default save location in microsoft frontpage

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\ahead\cover designer\recent file list
Description : list of recently used files in ahead cover designer

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

MRU List Object Recognized!
Location: : C:\Documents and Settings\Home\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : C:\Documents and Settings\Home\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 168
ThreadCreationTime : 1-23-2005 10:15:27 PM
BasePriority : Normal

#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 188
ThreadCreationTime : 1-23-2005 10:15:44 PM
BasePriority : High

VX2 Object Recognized!
Type : Process
Data : k4260efseh260.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\

Warning! VX2 Object found in memory(C:\WINNT\system32\k4260efseh260.dll)

#:3 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 240
ThreadCreationTime : 1-23-2005 10:15:45 PM
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 252
ThreadCreationTime : 1-23-2005 10:15:45 PM
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:5 [ati2evxx.exe]
FilePath : C:\WINNT\system32\
ProcessID : 372
ThreadCreationTime : 1-23-2005 10:15:48 PM
BasePriority : Normal

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 452
ThreadCreationTime : 1-23-2005 10:15:49 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [sndsrvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 464
ThreadCreationTime : 1-23-2005 10:15:49 PM
BasePriority : Normal
FileVersion : 5.4.3.11
ProductVersion : 5.4
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:8 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 500
ThreadCreationTime : 1-23-2005 10:15:49 PM
BasePriority : Normal
FileVersion : 103.0.3.8
ProductVersion : 103.0.3.8
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:9 [spbbcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\
ProcessID : 524
ThreadCreationTime : 1-23-2005 10:15:50 PM
BasePriority : Normal
FileVersion : 1,0,1,47
ProductVersion : 1,0,1,47
ProductName : SPBBC
CompanyName : Symantec Corporation
FileDescription : SPBBC Service
InternalName : SPBBCSvc
LegalCopyright : Copyright (c) 2004 Symantec Corporation. All rights reserved.
OriginalFilename : SPBBCSvc.exe

#:10 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 588
ThreadCreationTime : 1-23-2005 10:15:53 PM
BasePriority : Normal
FileVersion : 103.0.3.8
ProductVersion : 103.0.3.8
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:11 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 708
ThreadCreationTime : 1-23-2005 10:15:54 PM
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:12 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 752
ThreadCreationTime : 1-23-2005 10:15:55 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:13 [hidserv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 768
ThreadCreationTime : 1-23-2005 10:15:56 PM
BasePriority : Normal
FileVersion : 5.00.2195.6655
ProductVersion : 5.00.2195.6655
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : HID Audio Service
InternalName : hidserv
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : HIDSERV.EXE

#:14 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 808
ThreadCreationTime : 1-23-2005 10:15:57 PM
BasePriority : Normal
FileVersion : 11.0.2.4
ProductVersion : 11.0.2
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:15 [npfmntor.exe]
FilePath : C:\Program Files\Norton AntiVirus\IWP\
ProcessID : 820
ThreadCreationTime : 1-23-2005 10:15:58 PM
BasePriority : Normal
FileVersion : 11.0.2.4
ProductVersion : 11.0.2
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Firewall Install Monitor
InternalName : NPFMonitor
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NPFMonitor.EXE

#:16 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 880
ThreadCreationTime : 1-23-2005 10:15:58 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:17 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 932
ThreadCreationTime : 1-23-2005 10:15:59 PM
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright (C) Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:18 [smagent.exe]
FilePath : C:\Program Files\Analog Devices\SoundMAX\
ProcessID : 1008
ThreadCreationTime : 1-23-2005 10:16:03 PM
BasePriority : Normal
FileVersion : 3, 2, 6, 0
ProductVersion : 3, 2, 6, 0
ProductName : SoundMAX service agent
CompanyName : Analog Devices, Inc.
FileDescription : SoundMAX service agent component
InternalName : SMAgent
LegalCopyright : Copyright © 2002
OriginalFilename : SMAgent.exe

#:19 [symlcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
ProcessID : 1040
ThreadCreationTime : 1-23-2005 10:16:04 PM
BasePriority : Normal
FileVersion : 1, 8, 54, 478
ProductVersion : 1, 8, 54, 478
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright (C) 2003
OriginalFilename : symlcsvc.exe

#:20 [vsmon.exe]
FilePath : C:\WINNT\system32\ZoneLabs\
ProcessID : 1068
ThreadCreationTime : 1-23-2005 10:16:06 PM
BasePriority : Normal
FileVersion : 4.0.146.029
ProductVersion : 4.0.146.029
ProductName : TrueVector Service
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2003, Zone Labs Inc.
OriginalFilename : vsmon.exe

#:21 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 620
ThreadCreationTime : 1-23-2005 10:16:30 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright (C) Microsoft Corp. 1995-1999

#:22 [mspmspsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1228
ThreadCreationTime : 1-23-2005 10:16:31 PM
BasePriority : Normal
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
ProductName : Microsoft (R) DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:23 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1240
ThreadCreationTime : 1-23-2005 10:16:31 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:24 [ati2evxx.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1108
ThreadCreationTime : 1-23-2005 10:16:38 PM
BasePriority : Normal

CoolWebSearch Object Recognized!
Type : Process
Data : ebbuno.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\

Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\ebbuno.dll)

#:25 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1348
ThreadCreationTime : 1-23-2005 10:16:38 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

VX2 Object Recognized!
Type : Process
Data : MVVBVM60.DLL
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\

Warning! VX2 Object found in memory(C:\WINNT\system32\MVVBVM60.DLL)

CoolWebSearch Object Recognized!
Type : Process
Data : ebbuno.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\

Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\ebbuno.dll)

#:26 [smax4pnp.exe]
FilePath : C:\Program Files\Analog Devices\SoundMAX\
ProcessID : 1628
ThreadCreationTime : 1-23-2005 10:17:04 PM
BasePriority : Normal
FileVersion : 4, 0, 4, 1
ProductVersion : 4, 0, 4, 1
ProductName : SMax4PNP Application
CompanyName : Analog Devices, Inc.
FileDescription : SMax4PNP MFC Application
InternalName : SMax4PNP
LegalCopyright : Copyright (C) 2002-2003 Analog Devices
OriginalFilename : SMax4PNP.EXE

#:27 [smax4.exe]
FilePath : C:\Program Files\Analog Devices\SoundMAX\
ProcessID : 1632
ThreadCreationTime : 1-23-2005 10:17:05 PM
BasePriority : Normal
FileVersion : 4, 0, 4, 22
ProductVersion : 4, 0, 4, 22
ProductName : SoundMAX Control Panel
CompanyName : Analog Devices, Inc.
FileDescription : SoundMAX Control Center
InternalName : SMax4
LegalCopyright : Copyright © 2002-2003, Analog Devices
OriginalFilename : SMax4.EXE

#:28 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1652
ThreadCreationTime : 1-23-2005 10:17:07 PM
BasePriority : Normal
FileVersion : 6.0.2
ProductVersion : QuickTime 6.0.2
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2002
OriginalFilename : QTTask.exe

XPBri · Jan 23, 2005

#:29 [zapro.exe]
FilePath : C:\PROGRA~1\ZONELA~1\ZONEAL~1\
ProcessID : 1668
ThreadCreationTime : 1-23-2005 10:17:08 PM
BasePriority : Normal
FileVersion : 4.0.146.029
ProductVersion : 4.0.146.029
ProductName : ZoneAlarm Pro
CompanyName : Zone Labs Inc.
FileDescription : ZoneAlarm Pro
InternalName : zapro
LegalCopyright : Copyright © 1998-2003, Zone Labs Inc.
OriginalFilename : zapro.exe

#:30 [sgtray.exe]
FilePath : C:\Program Files\Common Files\Sonic\Update Manager\
ProcessID : 1704
ThreadCreationTime : 1-23-2005 10:17:11 PM
BasePriority : Normal
FileVersion : 1.01.32a
CompanyName : Sonic Solutions
FileDescription : Sonic Update Manager
LegalCopyright : Copyright © 2002 Sonic Solutions

#:31 [cli.exe]
FilePath : C:\Program Files\ATI Technologies\ATI.ACE\
ProcessID : 1736
ThreadCreationTime : 1-23-2005 10:17:12 PM
BasePriority : Normal

#:32 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_05\bin\
ProcessID : 1744
ThreadCreationTime : 1-23-2005 10:17:12 PM
BasePriority : Normal

#:33 [itouch.exe]
FilePath : C:\Program Files\Logitech\iTouch\
ProcessID : 1780
ThreadCreationTime : 1-23-2005 10:17:16 PM
BasePriority : Normal
FileVersion : 2.20.243
ProductVersion : 2.20.243
ProductName : iTouch
CompanyName : Logitech Inc.
FileDescription : iTouch Application
InternalName : iTouch
LegalCopyright : (C) 1998-2003 Logitech. All rights reserved.
LegalTrademarks : Logitech® and iTouch® are registered trademarks of Logitech Inc.
OriginalFilename : iTouch.exe
Comments : Created by the iTouch team

#:34 [ntsmod.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1804
ThreadCreationTime : 1-23-2005 10:17:17 PM
BasePriority : Normal
FileVersion : 5.01.2600
ProductVersion : 5.01.2600
ProductName : ntsmod
FileDescription : NT System Module
InternalName : ntsmod
LegalCopyright : Copyright (c) 2003
OriginalFilename : ntsmod.exe
Comments : NT System Module

#:35 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1836
ThreadCreationTime : 1-23-2005 10:17:17 PM
BasePriority : Normal
FileVersion : 103.0.3.8
ProductVersion : 103.0.3.8
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:36 [em_exec.exe]
FilePath : C:\Program Files\Logitech\MouseWare\system\
ProcessID : 1856
ThreadCreationTime : 1-23-2005 10:17:18 PM
BasePriority : Normal
FileVersion : 9.79.019
ProductVersion : 9.79.019
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
LegalCopyright : (C) 1987-2003 Logitech. All rights reserved.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : Em_Exec.exe
Comments : Created by the MouseWare team

#:37 [usrprmpt.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\Security Center\
ProcessID : 1820
ThreadCreationTime : 1-23-2005 10:17:20 PM
BasePriority : Normal
FileVersion : 2005.1.2.20
ProductVersion : 2005.1
ProductName : Norton Security Center
CompanyName : Symantec Corporation
FileDescription : Norton Security Center Helper
InternalName : UsrPrmpt.dll
LegalCopyright : Copyright (c) 1997-2004 Symantec Corporation
OriginalFilename : UsrPrmpt.dll

#:38 [quickdcf.exe]
FilePath : C:\Program Files\FinePixViewer\
ProcessID : 1988
ThreadCreationTime : 1-23-2005 10:17:27 PM
BasePriority : Normal
FileVersion : 2, 0, 0, 3
ProductVersion : 2, 0, 0, 3
ProductName : FinePixViewer
CompanyName : FUJI PHOTO FILM CO., LTD.
FileDescription : Exif Launcher
InternalName : QuickDCF
LegalCopyright : Copyright 2000-2001 FUJI PHOTO FILM CO.,LTD.
OriginalFilename : QuickDCF.exe

#:39 [httpiu.exe]
FilePath : C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ProcessID : 2000
ThreadCreationTime : 1-23-2005 10:17:28 PM
BasePriority : Normal

VX2 Object Recognized!
Type : Process
Data : httpiu.exe
Category : Malware
Comment : (CSI MATCH)
Object : C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Warning! VX2 Object found in memory(C:\Documents and Settings\All Users\Start Menu\Programs\Startup\httpiu.exe)

Warning! "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\httpiu.exe"Process could not be terminated!
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\httpiu.exe"Process terminated successfully

#:40 [rundll32.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1600
ThreadCreationTime : 1-23-2005 10:18:30 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : RUNDLL.EXE

VX2 Object Recognized!
Type : Process
Data : guard.tmp
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\

Warning! VX2 Object found in memory(C:\WINNT\system32\guard.tmp)

Warning! "C:\WINNT\system32\rundll32.exe"Process could not be terminated!

#:41 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 488
ThreadCreationTime : 1-23-2005 10:20:40 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 49

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : AccountNumber

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : uninstalled

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : _show

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : FirstTimeStarted

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : SearchIndex

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : AutoComplete

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : ac1

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : adult.tbr

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : popupblocker

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : default.tbr

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : search.mnu

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : version

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : path

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : UpdateDate

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : guid

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : searchkeys

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : errorreport

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : excluded

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : keywords

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : axparam

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : city

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : state

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : country

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum\elitetoolbar
Value : Activated

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : S-1-5-21-1547161642-1275210071-839522115-1000\software\lq
Value : AC

Search Miracle Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "kalvsys"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run
Value : kalvsys

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 27
Objects found so far: 76

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 76

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 76

Deep scanning and examining files (C
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 76

Deep scanning and examining files (G
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for G:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 76

Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Warning!
Bad Hosts file entry:69.20.16.183:search.netscape.com

Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:search.netscape.com
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch

Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch

Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch
Warning!
Bad Hosts file entry:69.20.16.183:auto.search.msn.com

Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:auto.search.msn.com
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch

Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
15 entries scanned.
New critical objects:5
Objects found so far: 81

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run
Value : Narrator

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Search Bar

Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TM

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AT

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AC

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : U

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AD

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : I

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AM

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TR

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : country

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : city

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : state

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX2.8

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX2.9

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.0

Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\elitum

Search Miracle Object Recognized!
Type : File
Data : tmp1.tmp
Category : Malware
Comment :
Object : C:\DOCUME~1\Home\LOCALS~1\Temp\

Search Miracle Object Recognized!
Type : File
Data : tmp75.tmp
Category : Malware
Comment :
Object : C:\DOCUME~1\Home\LOCALS~1\Temp\

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 23
Objects found so far: 104

5:31:00 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:10:04.313
Objects scanned:119179
Objects identified:56
Objects ignored:0
New critical objects:56

Cookiegal · Jan 23, 2005

Hi and welcome to TSG,

Click here: http://www.atribune.org/downloads/l2mfix.exe to download L2mfix.

Save the file to your desktop and double click l2mfix.exe. Read and accept the agreement. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

XPBri · Jan 23, 2005

Here is the log- and thank you for helping =)
Brian

L2MFIX find log 1.02
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ATINotify]
"Asynchronous"=dword:00000000
"DllName"="logonnfy.dll"
"Impersonate"=dword:00000000
"Lock"="WLEventConsoleLock"
"Unlock"="WLEventConsoleUnLock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\o484lelq1hqe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7591635B-8C5A-41E2-BAD5-836F54786397}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{F5D92341-0A64-11D0-9956-0000E8096023}"="CD Copy Shell Extension"
"{F5D92342-0A64-11D0-9956-0000E8096023}"="CD Wizard Shell Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{37C3FCE9-25F1-403A-886D-0B7E5D965A0E}"=""
"{E9D65FF5-32B0-4437-9585-FED5712D1207}"=""
"{5D1578B3-DE5D-458D-B4AB-462E1BC485FF}"=""
"{2F517A1D-006B-4EEB-B9C2-6E8258B5164A}"=""
"{E3ED8C11-7F81-44CE-B4BB-327CD65DF789}"=""
"{50811444-8123-4233-A31B-5D55A3751197}"=""
"{C5B8D122-63E0-4326-9448-679EA0338EC7}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{37C3FCE9-25F1-403A-886D-0B7E5D965A0E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37C3FCE9-25F1-403A-886D-0B7E5D965A0E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37C3FCE9-25F1-403A-886D-0B7E5D965A0E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{37C3FCE9-25F1-403A-886D-0B7E5D965A0E}\InprocServer32]
@="C:\\WINNT\\system32\\TgkatiRedistributor.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E9D65FF5-32B0-4437-9585-FED5712D1207}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E9D65FF5-32B0-4437-9585-FED5712D1207}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E9D65FF5-32B0-4437-9585-FED5712D1207}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E9D65FF5-32B0-4437-9585-FED5712D1207}\InprocServer32]
@="C:\\WINNT\\system32\\ecpsrv.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5D1578B3-DE5D-458D-B4AB-462E1BC485FF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5D1578B3-DE5D-458D-B4AB-462E1BC485FF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5D1578B3-DE5D-458D-B4AB-462E1BC485FF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5D1578B3-DE5D-458D-B4AB-462E1BC485FF}\InprocServer32]
@="C:\\WINNT\\system32\\MVVBVM60.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2F517A1D-006B-4EEB-B9C2-6E8258B5164A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F517A1D-006B-4EEB-B9C2-6E8258B5164A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F517A1D-006B-4EEB-B9C2-6E8258B5164A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F517A1D-006B-4EEB-B9C2-6E8258B5164A}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E3ED8C11-7F81-44CE-B4BB-327CD65DF789}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E3ED8C11-7F81-44CE-B4BB-327CD65DF789}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E3ED8C11-7F81-44CE-B4BB-327CD65DF789}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E3ED8C11-7F81-44CE-B4BB-327CD65DF789}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{50811444-8123-4233-A31B-5D55A3751197}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{50811444-8123-4233-A31B-5D55A3751197}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{50811444-8123-4233-A31B-5D55A3751197}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{50811444-8123-4233-A31B-5D55A3751197}\InprocServer32]
@="C:\\WINNT\\system32\\sjrobj.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C5B8D122-63E0-4326-9448-679EA0338EC7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C5B8D122-63E0-4326-9448-679EA0338EC7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C5B8D122-63E0-4326-9448-679EA0338EC7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C5B8D122-63E0-4326-9448-679EA0338EC7}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
akupd.dll Thu Jan 13 2005 6:09:02p A.... 155,648 152.00 K
ciodm.dll Thu Nov 4 2004 11:41:52p A.... 68,880 67.27 K
coozqy.dll Sun Jan 23 2005 2:41:06p A.... 5,632 5.50 K
dosync.dll Thu Jan 13 2005 10:47:24p A.... 114,688 112.00 K
ebbuno.dll Sat Jan 15 2005 9:41:56a A.... 24,576 24.00 K
hrj005~1.dll Sun Jan 23 2005 5:45:32p ..S.R 223,629 218.39 K
hypertrm.dll Tue Nov 16 2004 5:47:02a A.... 576,784 563.27 K
mshtml.dll Mon Oct 25 2004 10:39:16a A.... 2,693,120 2.57 M
o484le~1.dll Sun Jan 23 2005 5:01:18p A.... 223,005 217.78 K
riowmsp.dll Mon Dec 13 2004 10:00:44p A.... 1,171,456 1.12 M
shdocvw.dll Thu Nov 11 2004 11:20:56p A.... 1,332,224 1.27 M
sp3res.dll Thu Dec 2 2004 9:27:18a ..... 6,272,512 5.98 M
urlmon.dll Mon Oct 25 2004 10:39:52a A.... 450,048 439.50 K
user32.dll Wed Dec 29 2004 4:14:10a A.... 380,688 371.77 K

14 items found: 14 files (1 H/S), 0 directories.
Total of file sizes: 13,692,890 bytes 13.05 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 5CE8-CE59

Directory of C:\WINNT\System32

01/23/2005 05:45p 223,629 hrj0051me.dll
01/19/2005 05:43p <DIR> dllcache
05/10/2000 10:00p 397,312 Msrdo20.dll
03/13/2000 10:00p 151,552 Rdocurs.dll
3 File(s) 772,493 bytes
1 Dir(s) 57,305,837,568 bytes free

Cookiegal · Jan 23, 2005

The tool is not recognizing the files so we'll have to rever to the more tedious removal method.

Click here: http://forums.techguy.org/attachment.php?attachmentid=46183 to download Find It NT-2K-XP.zip.

Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

Download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.

http://www.downloads.subratam.org/VX2Finder.exe

Next click here: http://www.downloads.subratam.org/DllCompare.exe to download DLLCompare.zip.

Save it to your desktop.

Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, you will see in blue Completed the scan, Click Compare to Continue at which time you will click the Compare button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.

In a few minutes it will complete then you will see in blue Completed.
Click the Make a Log of what was Found button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.

After you have posted all that info here, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry needed to remove will change as well as some of the file names will change and we will have to start all over.

XPBri · Jan 23, 2005

Thanks! I made a donation to the site for all of your help (Hopefully you get a portion) =)
Brian

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Home\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 5CE8-CE59

Directory of C:\WINNT\System32

01/23/2005 05:45p 223,629 hrj0051me.dll
01/19/2005 05:43p <DIR> dllcache
05/10/2000 10:00p 397,312 Msrdo20.dll
03/13/2000 10:00p 151,552 Rdocurs.dll
3 File(s) 772,493 bytes
1 Dir(s) 57,298,395,136 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5CE8-CE59

Directory of C:\WINNT\System32

01/23/2005 06:14p 335 vsconfig.xml
01/19/2005 05:43p <DIR> dllcache
12/02/2003 08:21a 4,212 zllictbl.dat
10/04/2003 04:43p <DIR> GroupPolicy
10/04/2003 04:36p 271 desktop.ini
10/04/2003 04:36p 21,692 folder.htt
4 File(s) 26,510 bytes
2 Dir(s) 57,298,395,136 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 5CE8-CE59

Directory of C:\WINNT\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 5CE8-CE59

Directory of C:\WINNT\System32

12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 57,298,391,040 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7591635B-8C5A-41E2-BAD5-836F54786397}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ATINotify]
"Asynchronous"=dword:00000000
"DllName"="logonnfy.dll"
"Impersonate"=dword:00000000
"Lock"="WLEventConsoleLock"
"Unlock"="WLEventConsoleUnLock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\o484lelq1hqe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------------ Locate.com Results ------------------

C:\WINNT\SYSTEM32\
hrj005~1.dll Sun Jan 23 2005 5:45:32p ..S.R 223,629 218.39 K
vsconfig.xml Sun Jan 23 2005 6:14:14p A..H. 335 0.32 K

2 items found: 2 files, 0 directories.
Total of file sizes: 223,964 bytes 218.71 K

------------ Strings.exe Qoologic Results ------------

C:\WINNT\system32\coozqy.dll: updates.qoologic.com
C:\WINNT\system32\ebbuno.dll: updates.qoologic.com
C:\WINNT\system32\hwwmaz.exe: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINNT\system32\pbbyka.dat: .aspack
C:\WINNT\system32\wrrogi.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\httpiu.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PtiuPbmd"="Rundll32.exe Ptipbm.dll,SetWriteBack"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\smax4.exe\" /tray"
"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Zone Labs Client"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zapro.exe"
"REGSHAVE"="C:\\Progra~1\\REGSHAVE\\REGSHAVE.EXE /autorun"
"PinnacleDriverCheck"="C:\\WINNT\\system32\\PSDrvCheck.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Openwares LiveUpdate"="C:\\Program Files\\LiveUpdate\\LiveUpdate.exe"
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"Logitech Utility"="Logi_MwX.Exe"
"ntsmod"="C:\\WINNT\\system32\\ntsmod.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"kalvsys"="C:\\winnt\\system32\\kalvfmt32.exe"
"Narrator"="C:\\WINNT\\system32\\wrrogi.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
AtiExtEvent
ATINotify
crypt32chain
cryptnet
cscdll
sclgntfy
SensLogn
SharedDLLs
wzcnotif

Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{7591635B-8C5A-41E2-BAD5-836F54786397}

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\hrj005~1.dll Sun Jan 23 2005 5:45:32p ..S.R 223,629 218.39 K
C:\WINNT\SYSTEM32\msrdo20.dll Wed May 10 2000 10:00:00p A.S.. 397,312 388.00 K
C:\WINNT\SYSTEM32\rdocurs.dll Mon Mar 13 2000 10:00:00p A.S.. 151,552 148.00 K
________________________________________________

1,223 items found: 1,223 files (3 H/S), 0 directories.
Total of file sizes: 240,928,878 bytes 229.77 M

Administrator Account = True

--------------------End log---------------------

Cookiegal · Jan 23, 2005

Download the Hoster from: http://members.aol.com/toadbee/hoster.zip. UnZip the file to your desktop.

Click here: http://www.downloads.subratam.org/KillBox.exe to download Pocket KillBox.

Unzip the files to the folder of your choice.

Also I am attaching a fix.zip file to this post. Download fix.zip to your desktop and unzip it.

IMPORTANT!: Before you continue, close ALL running programs. Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access.

Double click on the fix.reg file to enter into the registry. Answer yes when asked to have its contents added to the registry.

Because XP will not always show you hidden files and folders by default, Go to Start - Search and under "More advanced search options". Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINNT\SYSTEM32\hrj0051me.dll
C:\WINNT\system32\o484lelq1hqe.dll
C:\WINNT\system32\coozqy.dll
C:\WINNT\system32\ebbuno.dll
C:\WINNT\system32\hwwmaz.exe
C:\WINNT\system32\pbbyka.dat
C:\WINNT\system32\wrrogi.exe
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\httpiu.exe

Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Next run VX2Finder and click the "Restore Policy" button.

Now restart your computer.

Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log and a log from DLLCompare.

Again I remind you, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change as well as some of the file names will change and we will have to start all over.

XPBri · Jan 23, 2005

OK, I followed the instructions to a "t". and here are the logs that you requested:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Home\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 5CE8-CE59

Directory of C:\WINNT\System32

01/19/2005 05:43p <DIR> dllcache
05/10/2000 10:00p 397,312 Msrdo20.dll
03/13/2000 10:00p 151,552 Rdocurs.dll
2 File(s) 548,864 bytes
1 Dir(s) 57,317,683,200 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5CE8-CE59

Directory of C:\WINNT\System32

01/23/2005 06:14p 335 vsconfig.xml
01/19/2005 05:43p <DIR> dllcache
12/02/2003 08:21a 4,212 zllictbl.dat
10/04/2003 04:43p <DIR> GroupPolicy
10/04/2003 04:36p 271 desktop.ini
10/04/2003 04:36p 21,692 folder.htt
4 File(s) 26,510 bytes
2 Dir(s) 57,317,683,200 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 5CE8-CE59

Directory of C:\WINNT\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 5CE8-CE59

Directory of C:\WINNT\System32

12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 57,317,679,104 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7591635B-8C5A-41E2-BAD5-836F54786397}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ATINotify]
"Asynchronous"=dword:00000000
"DllName"="logonnfy.dll"
"Impersonate"=dword:00000000
"Lock"="WLEventConsoleLock"
"Unlock"="WLEventConsoleUnLock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\hrj0051me.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------------ Locate.com Results ------------------

C:\WINNT\SYSTEM32\
vsconfig.xml Sun Jan 23 2005 6:14:14p A..H. 335 0.32 K

1 item found: 1 file, 0 directories.
Total of file sizes: 335 bytes 0.32 K

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PtiuPbmd"="Rundll32.exe Ptipbm.dll,SetWriteBack"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\smax4.exe\" /tray"
"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Zone Labs Client"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zapro.exe"
"REGSHAVE"="C:\\Progra~1\\REGSHAVE\\REGSHAVE.EXE /autorun"
"PinnacleDriverCheck"="C:\\WINNT\\system32\\PSDrvCheck.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Openwares LiveUpdate"="C:\\Program Files\\LiveUpdate\\LiveUpdate.exe"
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"Logitech Utility"="Logi_MwX.Exe"
"ntsmod"="C:\\WINNT\\system32\\ntsmod.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"kalvsys"="C:\\winnt\\system32\\kalvfmt32.exe"
"Narrator"="C:\\WINNT\\system32\\wrrogi.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Logfile of HijackThis v1.99.0
Scan saved at 9:54:20 PM, on 1/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\ntsmod.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\programfiles\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snkypete.com/forum
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe Ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ntsmod] C:\WINNT\system32\ntsmod.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvfmt32.exe
O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\wrrogi.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpsvtr.exe
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\msrdo20.dll Wed May 10 2000 10:00:00p A.S.. 397,312 388.00 K
C:\WINNT\SYSTEM32\rdocurs.dll Mon Mar 13 2000 10:00:00p A.S.. 151,552 148.00 K
________________________________________________

1,219 items found: 1,219 files (2 H/S), 0 directories.
Total of file sizes: 240,452,036 bytes 229.31 M

Administrator Account = True

--------------------End log---------------------

XPBri · Jan 23, 2005

This all may have been done in vain- after that last post, the wonderful computer locked up and rebooted itself ;; I don't know if I should start the whole procedure over, or if the same problem may occur?
Thanks Again,
Brian

Cookiegal · Jan 24, 2005

Please post a current Hijack This log and a Findit log. I think we're going to be OK.

XPBri · Jan 24, 2005

Sorry for the delay in my response. I left the computer on overnight, when I got home from work, it was still up and running =)

Logfile of HijackThis v1.99.0
Scan saved at 6:24:13 PM, on 1/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\ntsmod.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\programfiles\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snkypete.com/forum
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe Ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ntsmod] C:\WINNT\system32\ntsmod.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvfmt32.exe
O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\wrrogi.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpsvtr.exe
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: strings.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Home\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 5CE8-CE59

Directory of C:\WINNT\System32

01/19/2005 05:43p <DIR> dllcache
05/10/2000 10:00p 397,312 Msrdo20.dll
03/13/2000 10:00p 151,552 Rdocurs.dll
2 File(s) 548,864 bytes
1 Dir(s) 57,248,313,344 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5CE8-CE59

Directory of C:\WINNT\System32

01/24/2005 06:21p 335 vsconfig.xml
01/19/2005 05:43p <DIR> dllcache
12/02/2003 08:21a 4,212 zllictbl.dat
10/04/2003 04:43p <DIR> GroupPolicy
10/04/2003 04:36p 271 desktop.ini
10/04/2003 04:36p 21,692 folder.htt
4 File(s) 26,510 bytes
2 Dir(s) 57,248,313,344 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 5CE8-CE59

Directory of C:\WINNT\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 5CE8-CE59

Directory of C:\WINNT\System32

12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 57,248,309,248 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7591635B-8C5A-41E2-BAD5-836F54786397}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ATINotify]
"Asynchronous"=dword:00000000
"DllName"="logonnfy.dll"
"Impersonate"=dword:00000000
"Lock"="WLEventConsoleLock"
"Unlock"="WLEventConsoleUnLock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\hrj0051me.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------------ Locate.com Results ------------------

C:\WINNT\SYSTEM32\
vsconfig.xml Mon Jan 24 2005 6:21:10p A..H. 335 0.32 K

1 item found: 1 file, 0 directories.
Total of file sizes: 335 bytes 0.32 K

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PtiuPbmd"="Rundll32.exe Ptipbm.dll,SetWriteBack"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\smax4.exe\" /tray"
"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Zone Labs Client"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zapro.exe"
"REGSHAVE"="C:\\Progra~1\\REGSHAVE\\REGSHAVE.EXE /autorun"
"PinnacleDriverCheck"="C:\\WINNT\\system32\\PSDrvCheck.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Openwares LiveUpdate"="C:\\Program Files\\LiveUpdate\\LiveUpdate.exe"
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"Logitech Utility"="Logi_MwX.Exe"
"ntsmod"="C:\\WINNT\\system32\\ntsmod.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"kalvsys"="C:\\winnt\\system32\\kalvfmt32.exe"
"Narrator"="C:\\WINNT\\system32\\wrrogi.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Cookiegal · Jan 24, 2005

I am attaching a fix2.zip file to this post. Download fix2.zip to your desktop and unzip it.

IMPORTANT!: Before you continue, close ALL running programs. Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access.

Double click on the fix2.reg file to enter into the registry. Answer yes when asked to have its contents added to the registry.

Because XP will not always show you hidden files and folders by default, Go to Start - Search and under "More advanced search options". Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINNT\SYSTEM32\hrj0051me.dll
C:\winnt\system32\kalvfmt32.exe"
C:\WINNT\system32\wrrogi.exe

Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Next run VX2Finder and click the "Restore Policy" button.

Now restart your computer.

Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log and a log from DLLCompare.

Again I remind you, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change as well as some of the file names will change and we will have to start all over.

Log in or Sign up

Idiot (Me) Installed Norton 2005 Now have problems

XPBri Thread Starter

XPBri Thread Starter

XPBri Thread Starter

XPBri Thread Starter

XPBri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

XPBri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

XPBri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

XPBri Thread Starter

XPBri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

XPBri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Sponsor

Welcome to Tech Support Guy!

Log in or Sign up

Idiot (Me) Installed Norton 2005 Now have problems

XPBri Thread Starter

XPBri Thread Starter

XPBri Thread Starter

XPBri Thread Starter

XPBri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

XPBri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

XPBri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

XPBri Thread Starter

XPBri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

XPBri Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Sponsor

Welcome to Tech Support Guy!

Useful Searches