
please help--can't get rid of adware!

Discussion in 'Virus & Other Malware Removal' started by kulrich, Feb 4, 2005.

  1. kulrich

    kulrich Thread Starter

    Joined:
    Feb 3, 2005
    Messages:
    12
    Hi,
    I can't get rid of this virus/trojan thing and it is driving me crazy! I tried adware and spybot and can't get anything to go away. Here is my HijackThis log. Can someone help me?
    Thank you ever so much!

    Logfile of HijackThis v1.99.0
    Scan saved at 8:56:06 PM, on 2/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\isrvs\desktop.exe
    C:\WINDOWS\system32\haekg.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\System32\msupd5.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\vwgurg.exe
    C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\My Documents\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.umich.edu
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
    O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING2.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DF600A33-85DF-4EFB-9BA0-3AB7B6BE04AB}: NameServer = 206.141.193.55 66.73.20.40
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
     
  2. Cretemonster

    Cretemonster

    Joined:
    Jan 29, 2005
    Messages:
    31
    That's a nice fresh version of VX2!!!

    First thing you need to do is download LSPFix:
    http://cexx.org/lspfix.htm

    1. Run LSPFix.
    2. Check 'I know what I'm doing'.
    3. Select c:\windows\system32\dolsp.dll
    4. Click the right-pointing arrow (moves it to the "remove" page).
    5. Click 'Finished'.

    Now create a folder on your Desktop for anything you may be asked to download!
    To create a Folder:
    Place the pointer inside the Desktop, right click and select New >>> Now select Folder >>> Name it whatever you want!

    Now Download L2MFix to the New Folder.
    Here is that link:
    http://www.atribune.org/downloads/l2mfix.exe
    Double click l2mfix.exe.
    Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until asked to!!
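The entries Cretemonster is reading off the HijackThis log above (the O1 hosts redirects, the O10 dolsp.dll LSP, the trusted-zone, DNS and unknown-service lines) can be triaged mechanically. The following is an added example, not part of this thread or of HijackThis; its heuristics are assumptions and its sample input is an excerpt of the log posted in the first message.

```python
"""Triage a HijackThis 1.99 log for the entry types this thread turns on: O1 hosts
redirects, O10 Winsock LSP, O15 trusted zone, O17 DNS servers and O23 services.
Added example, not part of the thread or of HijackThis; the heuristics are my
assumptions. SAMPLE_LOG is an excerpt of the log posted in the first message."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O15 - Trusted Zone: http://www.neededware.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF600A33-85DF-4EFB-9BA0-3AB7B6BE04AB}: NameServer = 206.141.193.55 66.73.20.40
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe
"""

HJT_LINE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")

def parse_hjt(text):
    """Yield (section, body) for every HijackThis entry line; other lines are ignored."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")

def triage(text):
    """Return findings as (level, section, detail); level is 'bad' or 'review'."""
    findings = []
    hosts_by_ip = defaultdict(set)
    for sec, body in parse_hjt(text):
        if sec == "O1" and body.startswith("Hosts:"):
            tokens = body[len("Hosts:"):].split()
            if len(tokens) < 2:
                continue
            ip, host = tokens[0], tokens[1]
            hosts_by_ip[ip].add(host)
            # A hosts entry pointing a public hostname anywhere but loopback is a redirect.
            if ip not in ("127.0.0.1", "0.0.0.0", "::1"):
                findings.append(("bad", sec, f"hosts file sends {host} to {ip}"))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append(("review", sec, f"orphaned BHO registration: {body}"))
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            # Split on the first colon only; the path itself contains "c:".
            findings.append(("bad", sec, "unknown LSP " + body.split(":", 1)[1].strip()))
        elif sec == "O15":
            findings.append(("review", sec, body))
        elif sec == "O17" and "NameServer" in body:
            servers = body.split("=", 1)[1].split()
            findings.append(("review", sec, "DNS servers set to " + ", ".join(servers)))
        elif sec == "O23" and body.startswith("Service:"):
            parts = [p.strip() for p in body[len("Service:"):].split(" - ")]
            if len(parts) >= 3 and parts[1] == "Unknown":
                findings.append(("review", sec, f"service '{parts[0]}' has no vendor: {parts[2]}"))
    # Several hostnames funnelled to one address is the signature of a search hijack.
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) > 1:
            findings.append(("bad", "O1", f"{len(hosts)} hostnames all resolve to {ip}: " + ", ".join(sorted(hosts))))
    return findings

if __name__ == "__main__":
    for level, sec, detail in triage(SAMPLE_LOG):
        print(f"[{level:6}] {sec:4} {detail}")
```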
     
  3. kulrich

    kulrich Thread Starter

    Joined:
    Feb 3, 2005
    Messages:
    12
    Oh thank you so much! Here are the contents of the log:

    L2MFIX find log 1.02a
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\j62q0gf5e62.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    @=""
    "DLLName"="igfxsrvc.dll"
    "Asynchronous"=dword:00000001
    "Impersonate"=dword:00000001
    "Unlock"="WinlogonUnlockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{C0664D93-6ED1-46C2-B0F2-6A761EAF3F5D}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
    "{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
    "{AF8DE18D-9065-4102-BC40-EB294A95BB07}"="Novell Connections"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{0EA09DC3-89B7-418A-A10E-5EE22148E75E}"=""
    "{12850CA9-1547-4F1D-8809-5EED63F43A33}"=""
    "{914A133C-EF1A-41BA-BD9F-D6145781F710}"=""
    "{1A4E7718-9A6B-4075-8A34-90A44E496D1D}"=""
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
    "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
    "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
    "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
    "{746CF332-5611-4454-A0C0-18ECCE640FEB}"=""
    "{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}"=""
    "{B8AAEB22-679F-4AB1-BBBB-56183A61E716}"=""
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
    "{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}"=""
    "{1402E267-8169-4AC8-BA2C-F6025A4974F6}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{0EA09DC3-89B7-418A-A10E-5EE22148E75E}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{0EA09DC3-89B7-418A-A10E-5EE22148E75E}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{0EA09DC3-89B7-418A-A10E-5EE22148E75E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{0EA09DC3-89B7-418A-A10E-5EE22148E75E}\InprocServer32]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{12850CA9-1547-4F1D-8809-5EED63F43A33}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{12850CA9-1547-4F1D-8809-5EED63F43A33}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{12850CA9-1547-4F1D-8809-5EED63F43A33}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{12850CA9-1547-4F1D-8809-5EED63F43A33}\InprocServer32]
    @="C:\\WINDOWS\\system32\\jtbexec.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{914A133C-EF1A-41BA-BD9F-D6145781F710}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{914A133C-EF1A-41BA-BD9F-D6145781F710}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{914A133C-EF1A-41BA-BD9F-D6145781F710}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{914A133C-EF1A-41BA-BD9F-D6145781F710}\InprocServer32]
    @="C:\\WINDOWS\\system32\\svcsccp.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{1A4E7718-9A6B-4075-8A34-90A44E496D1D}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{1A4E7718-9A6B-4075-8A34-90A44E496D1D}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{1A4E7718-9A6B-4075-8A34-90A44E496D1D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{1A4E7718-9A6B-4075-8A34-90A44E496D1D}\InprocServer32]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{746CF332-5611-4454-A0C0-18ECCE640FEB}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{746CF332-5611-4454-A0C0-18ECCE640FEB}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{746CF332-5611-4454-A0C0-18ECCE640FEB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{746CF332-5611-4454-A0C0-18ECCE640FEB}\InprocServer32]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}\InprocServer32]
    @="C:\\WINDOWS\\system32\\nwtshell.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{B8AAEB22-679F-4AB1-BBBB-56183A61E716}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B8AAEB22-679F-4AB1-BBBB-56183A61E716}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B8AAEB22-679F-4AB1-BBBB-56183A61E716}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B8AAEB22-679F-4AB1-BBBB-56183A61E716}\InprocServer32]
    @="C:\\WINDOWS\\system32\\kwdkaz.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}\InprocServer32]
    @="C:\\WINDOWS\\system32\\mcvcp60.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{1402E267-8169-4AC8-BA2C-F6025A4974F6}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{1402E267-8169-4AC8-BA2C-F6025A4974F6}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{1402E267-8169-4AC8-BA2C-F6025A4974F6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{1402E267-8169-4AC8-BA2C-F6025A4974F6}\InprocServer32]
    @="C:\\WINDOWS\\system32\\kjdcz1.dll"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is BCFB-2313

    Directory of C:\WINDOWS\System32

    02/04/2005 08:49 PM 231,465 dn4o01h3e.dll
    02/04/2005 03:28 PM 229,784 j62q0gf5e62.dll
    02/02/2005 03:18 PM 231,028 stnscfg.dll
    01/31/2005 11:52 PM 231,028 p8r4li9q18.dll
    01/31/2005 10:45 PM 230,617 lv6m09j1e.dll
    01/31/2005 08:31 AM 231,054 no4_disp.dll
    01/30/2005 11:03 PM 230,617 dsmsvinn.dLL
    01/30/2005 10:50 PM 229,215 f0l02a3mgd.dll
    01/30/2005 09:16 PM 230,617 pwlstore.dll
    01/30/2005 08:55 PM 230,964 mpw3prt.dll
    01/30/2005 07:42 PM 230,897 mohtmler.dll
    01/30/2005 06:48 PM 229,947 ptotowiz.dll
    01/30/2005 06:05 PM 231,824 dfcqry32.dll
    01/30/2005 05:25 PM 230,729 dvmv2clt.dll
    01/30/2005 01:39 PM 228,520 pirfts.dll
    01/28/2005 06:39 PM 230,866 l24qlch51f4.dll
    01/28/2005 05:18 PM <DIR> dllcache
    01/28/2005 03:52 PM 230,866 merddm.dll
    01/28/2005 03:51 PM 231,302 lt4027hmg.dll
    01/28/2005 03:00 PM 231,489 fp2603fse.dll
    01/28/2005 02:36 PM 228,931 iqrtprio.dll
    01/27/2005 01:36 PM 229,523 q2rq0c95ef.dll
    01/27/2005 12:57 PM 229,843 m2ju0c19ef.dll
    01/27/2005 10:38 AM 231,610 u8ruli9918.dll
    01/27/2005 09:34 AM 228,931 m264lcjq1foe.dll
    01/26/2005 09:53 AM 229,874 g8lm0i31e8.dll
    01/11/2005 09:10 AM 401,408 ??anregw.exe
    11/20/2003 06:56 PM <DIR> Microsoft
    26 File(s) 6,162,949 bytes
    2 Dir(s) 46,840,713,216 bytes free
     
  4. Cretemonster

    Cretemonster

    Joined:
    Jan 29, 2005
    Messages:
    31
    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

    Download FindIt:
    http://lineofire.geekstogo.com/FindIt NT-2K-XP.zip

    Unzip the contents of finditnt2000xp.zip to the new folder.

    Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
    A command prompt will open and it will search your computer for malicious files.

    Once it has finished a Notepad window will pop up with output.txt.
    Copy/paste this output.txt in the next post along with the L2Mfix log!
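    Both steps above work from a `dir` listing of System32, and the pattern in the listing posted earlier (two dozen random-named DLLs, all about 230 KB, all created within a week or two) is exactly what the fix ends up deleting. As an added example, not code from this thread or from L2Mfix/FindIt, here is a Python parser for that listing format that flags such a cluster automatically; the sample listing is constructed from a few of the posted lines plus two decoys, and the size/recency thresholds are assumptions.

```python
"""Flag look-alike DLL clusters in a Windows `dir` listing (Python 3).

Added example for this thread, not code from L2Mfix or FindIt. It parses the
'Directory of C:\\WINDOWS\\System32' block that both tools print and flags the
pattern the fix log removed: many .dll files, random names, sizes within a
narrow band, all created inside a short window. Thresholds are assumptions.
"""
import re
from datetime import datetime, timedelta

# One file line of `dir` output, e.g.  02/04/2005 08:49 PM 231,465 dn4o01h3e.dll
# <DIR> lines and the "n File(s)" summary do not match and are skipped.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)$"
)

# Constructed sample, modelled on the listing posted in this thread, with two
# decoys added: an old DLL in the same size band and a recent DLL far outside it.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is BCFB-2313

 Directory of C:\\WINDOWS\\System32

02/04/2005 08:49 PM 231,465 dn4o01h3e.dll
02/04/2005 03:28 PM 229,784 j62q0gf5e62.dll
02/02/2005 03:18 PM 231,028 stnscfg.dll
01/31/2005 11:52 PM 231,028 p8r4li9q18.dll
01/31/2005 10:45 PM 230,617 lv6m09j1e.dll
01/30/2005 01:39 PM 228,520 pirfts.dll
01/28/2005 05:18 PM <DIR> dllcache
01/11/2005 09:10 AM 401,408 ??anregw.exe
11/20/2003 06:56 PM <DIR> Microsoft
06/15/2004 09:00 AM 230,900 olddecoy.dll
02/03/2005 10:00 AM 45,056 smalldecoy.dll
 9 File(s) 2,059,806 bytes
 2 Dir(s) 46,840,713,216 bytes free
"""


def parse_dir_listing(text):
    """Return [(created, size_bytes, name)] for every file line in the listing."""
    entries = []
    for raw in text.splitlines():
        m = DIR_LINE.match(raw.strip())
        if not m:
            continue
        date_s, time_s, size_s, name = m.groups()
        created = datetime.strptime(f"{date_s} {time_s}", "%m/%d/%Y %I:%M %p")
        entries.append((created, int(size_s.replace(",", "")), name))
    return entries


def flag_dll_cluster(entries, size_tolerance=4096, window_days=14, min_members=5):
    """Return the names of the largest group of recently created DLLs whose
    sizes all lie within `size_tolerance` bytes of each other, or [] if that
    group has fewer than `min_members` files.

    Recency is measured from the newest DLL in the listing, so the result does
    not depend on the clock of the machine running the check.
    """
    dlls = [e for e in entries if e[2].lower().endswith(".dll")]
    if not dlls:
        return []
    newest = max(created for created, _, _ in dlls)
    cutoff = newest - timedelta(days=window_days)
    recent = sorted((e for e in dlls if e[0] >= cutoff), key=lambda e: e[1])

    # Sliding window over the size-sorted list: the widest run whose size span
    # stays inside the tolerance is the densest cluster.
    best, lo = [], 0
    for hi in range(len(recent)):
        while recent[hi][1] - recent[lo][1] > size_tolerance:
            lo += 1
        if hi - lo + 1 > len(best):
            best = recent[lo:hi + 1]
    if len(best) < min_members:
        return []
    return sorted(name for _, _, name in best)


def triage(listing_text):
    """Parse a listing and report the flagged cluster with its size range."""
    entries = parse_dir_listing(listing_text)
    flagged = flag_dll_cluster(entries)
    sizes = [size for _, size, name in entries if name in flagged]
    return {
        "files_parsed": len(entries),
        "flagged": flagged,
        "size_range": (min(sizes), max(sizes)) if sizes else None,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    print(f"{report['files_parsed']} file lines parsed")
    if report["flagged"]:
        lo, hi = report["size_range"]
        print(f"{len(report['flagged'])} look-alike DLLs, {lo:,}-{hi:,} bytes:")
        for name in report["flagged"]:
            print("  ", name)
    else:
        print("no DLL cluster above threshold")
```

    The two decoys show why both filters matter: the old DLL sits in the size band but falls outside the creation window, and the recent small DLL is in the window but far outside the band, so neither is flagged.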
     
  5. kulrich

    kulrich Thread Starter

    Joined:
    Feb 3, 2005
    Messages:
    12
    Thanks again... OK, here goes. Actually, the output files will be in a second post as it was too long otherwise. The l2mfix and the HijackThis logs are in this one. Thanks!!!

    l2mfix log:

    L2Mfix 1.02a

    Running From:
    C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Desktop\Downloaded help things\l2mfix



    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting registry permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Denying C access for really "Everyone"
    - adding new ACCESS DENY entry


    Registry Permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (CI) DENY --C------- Everyone
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting up for Reboot


    Starting Reboot!

    C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Desktop\Downloaded help things\l2mfix
    System Rebooted!

    Running From:
    C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Desktop\Downloaded help things\l2mfix

    killing explorer and rundll32.exe

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 208 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Error, Cannot find a process with an image name of rundll32.exe

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    Backing Up: C:\WINDOWS\system32\dfcqry32.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\dn4o01h3e.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\dsmsvinn.dLL
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\dvmv2clt.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\f0l02a3mgd.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\fp2603fse.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\g8lm0i31e8.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\iqrtprio.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\l24qlch51f4.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\lt4027hmg.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\lv6m09j1e.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\m264lcjq1foe.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\m2ju0c19ef.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\merddm.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\mohtmler.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\mpw3prt.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\no4_disp.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\p8r4li9q18.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\pirfts.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\ptotowiz.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\pwlstore.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\q2rq0c95ef.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\stnscfg.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\u8ruli9918.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\guard.tmp
    1 file(s) copied.
    deleting: C:\WINDOWS\system32\dfcqry32.dll
    Successfully Deleted: C:\WINDOWS\system32\dfcqry32.dll
    deleting: C:\WINDOWS\system32\dn4o01h3e.dll
    Successfully Deleted: C:\WINDOWS\system32\dn4o01h3e.dll
    deleting: C:\WINDOWS\system32\dsmsvinn.dLL
    Successfully Deleted: C:\WINDOWS\system32\dsmsvinn.dLL
    deleting: C:\WINDOWS\system32\dvmv2clt.dll
    Successfully Deleted: C:\WINDOWS\system32\dvmv2clt.dll
    deleting: C:\WINDOWS\system32\f0l02a3mgd.dll
    Successfully Deleted: C:\WINDOWS\system32\f0l02a3mgd.dll
    deleting: C:\WINDOWS\system32\fp2603fse.dll
    Successfully Deleted: C:\WINDOWS\system32\fp2603fse.dll
    deleting: C:\WINDOWS\system32\g8lm0i31e8.dll
    Successfully Deleted: C:\WINDOWS\system32\g8lm0i31e8.dll
    deleting: C:\WINDOWS\system32\iqrtprio.dll
    Successfully Deleted: C:\WINDOWS\system32\iqrtprio.dll
    deleting: C:\WINDOWS\system32\l24qlch51f4.dll
    Successfully Deleted: C:\WINDOWS\system32\l24qlch51f4.dll
    deleting: C:\WINDOWS\system32\lt4027hmg.dll
    Successfully Deleted: C:\WINDOWS\system32\lt4027hmg.dll
    deleting: C:\WINDOWS\system32\lv6m09j1e.dll
    Successfully Deleted: C:\WINDOWS\system32\lv6m09j1e.dll
    deleting: C:\WINDOWS\system32\m264lcjq1foe.dll
    Successfully Deleted: C:\WINDOWS\system32\m264lcjq1foe.dll
    deleting: C:\WINDOWS\system32\m2ju0c19ef.dll
    Successfully Deleted: C:\WINDOWS\system32\m2ju0c19ef.dll
    deleting: C:\WINDOWS\system32\merddm.dll
    Successfully Deleted: C:\WINDOWS\system32\merddm.dll
    deleting: C:\WINDOWS\system32\mohtmler.dll
    Successfully Deleted: C:\WINDOWS\system32\mohtmler.dll
    deleting: C:\WINDOWS\system32\mpw3prt.dll
    Successfully Deleted: C:\WINDOWS\system32\mpw3prt.dll
    deleting: C:\WINDOWS\system32\no4_disp.dll
    Successfully Deleted: C:\WINDOWS\system32\no4_disp.dll
    deleting: C:\WINDOWS\system32\p8r4li9q18.dll
    Successfully Deleted: C:\WINDOWS\system32\p8r4li9q18.dll
    deleting: C:\WINDOWS\system32\pirfts.dll
    Successfully Deleted: C:\WINDOWS\system32\pirfts.dll
    deleting: C:\WINDOWS\system32\ptotowiz.dll
    Successfully Deleted: C:\WINDOWS\system32\ptotowiz.dll
    deleting: C:\WINDOWS\system32\pwlstore.dll
    Successfully Deleted: C:\WINDOWS\system32\pwlstore.dll
    deleting: C:\WINDOWS\system32\q2rq0c95ef.dll
    Successfully Deleted: C:\WINDOWS\system32\q2rq0c95ef.dll
    deleting: C:\WINDOWS\system32\stnscfg.dll
    Successfully Deleted: C:\WINDOWS\system32\stnscfg.dll
    deleting: C:\WINDOWS\system32\u8ruli9918.dll
    Successfully Deleted: C:\WINDOWS\system32\u8ruli9918.dll
    deleting: C:\WINDOWS\system32\guard.tmp
    Successfully Deleted: C:\WINDOWS\system32\guard.tmp

    Desktop.ini sucessfully removed

    Zipping up files for submission:
    adding: dfcqry32.dll (164 bytes security) (deflated 6%)
    adding: dn4o01h3e.dll (164 bytes security) (deflated 6%)
    adding: dsmsvinn.dLL (164 bytes security) (deflated 5%)
    adding: dvmv2clt.dll (164 bytes security) (deflated 5%)
    adding: f0l02a3mgd.dll (164 bytes security) (deflated 5%)
    adding: fp2603fse.dll (164 bytes security) (deflated 5%)
    adding: g8lm0i31e8.dll (164 bytes security) (deflated 5%)
    adding: iqrtprio.dll (164 bytes security) (deflated 4%)
    adding: l24qlch51f4.dll (164 bytes security) (deflated 5%)
    adding: lt4027hmg.dll (164 bytes security) (deflated 5%)
    adding: lv6m09j1e.dll (164 bytes security) (deflated 5%)
    adding: m264lcjq1foe.dll (164 bytes security) (deflated 4%)
    adding: m2ju0c19ef.dll (164 bytes security) (deflated 5%)
    adding: merddm.dll (164 bytes security) (deflated 5%)
    adding: mohtmler.dll (164 bytes security) (deflated 5%)
    adding: mpw3prt.dll (164 bytes security) (deflated 5%)
    adding: no4_disp.dll (164 bytes security) (deflated 5%)
    adding: p8r4li9q18.dll (164 bytes security) (deflated 5%)
    adding: pirfts.dll (164 bytes security) (deflated 4%)
    adding: ptotowiz.dll (164 bytes security) (deflated 5%)
    adding: pwlstore.dll (164 bytes security) (deflated 5%)
    adding: q2rq0c95ef.dll (164 bytes security) (deflated 5%)
    adding: stnscfg.dll (164 bytes security) (deflated 5%)
    adding: u8ruli9918.dll (164 bytes security) (deflated 5%)
    adding: guard.tmp (164 bytes security) (deflated 5%)
    adding: clear.reg (164 bytes security) (deflated 63%)
    adding: echo.reg (164 bytes security) (deflated 14%)
    adding: desktop.ini (164 bytes security) (deflated 13%)
    adding: direct.txt (164 bytes security) (deflated 4%)
    adding: lo2.txt (164 bytes security) (deflated 83%)
    adding: readme.txt (164 bytes security) (deflated 49%)
    adding: report.txt (164 bytes security) (deflated 69%)
    adding: test.txt (164 bytes security) (deflated 79%)
    adding: test2.txt (164 bytes security) (deflated 45%)
    adding: test3.txt (164 bytes security) (deflated 45%)
    adding: test5.txt (164 bytes security) (deflated 45%)
    adding: xfind.txt (164 bytes security) (deflated 73%)
    adding: backregs/0EA09DC3-89B7-418A-A10E-5EE22148E75E.reg (164 bytes security) (deflated 70%)
    adding: backregs/12850CA9-1547-4F1D-8809-5EED63F43A33.reg (164 bytes security) (deflated 70%)
    adding: backregs/1402E267-8169-4AC8-BA2C-F6025A4974F6.reg (164 bytes security) (deflated 70%)
    adding: backregs/1A4E7718-9A6B-4075-8A34-90A44E496D1D.reg (164 bytes security) (deflated 70%)
    adding: backregs/4ED80B1A-804A-4A2C-A70B-6A281DA53B6E.reg (164 bytes security) (deflated 70%)
    adding: backregs/746CF332-5611-4454-A0C0-18ECCE640FEB.reg (164 bytes security) (deflated 70%)
    adding: backregs/914A133C-EF1A-41BA-BD9F-D6145781F710.reg (164 bytes security) (deflated 70%)
    adding: backregs/B8AAEB22-679F-4AB1-BBBB-56183A61E716.reg (164 bytes security) (deflated 70%)
    adding: backregs/EA26FBD2-1F32-4382-BBC1-90AEF756DC6F.reg (164 bytes security) (deflated 70%)
    adding: backregs/shell.reg (164 bytes security) (deflated 73%)

    Restoring Registry Permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Revoking access for really "Everyone"


    Registry permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER


    Restoring Sedebugprivilege:

    Granting SeDebugPrivilege to Administrators ... successful

    deleting local copy: dfcqry32.dll
    deleting local copy: dn4o01h3e.dll
    deleting local copy: dsmsvinn.dLL
    deleting local copy: dvmv2clt.dll
    deleting local copy: f0l02a3mgd.dll
    deleting local copy: fp2603fse.dll
    deleting local copy: g8lm0i31e8.dll
    deleting local copy: iqrtprio.dll
    deleting local copy: l24qlch51f4.dll
    deleting local copy: lt4027hmg.dll
    deleting local copy: lv6m09j1e.dll
    deleting local copy: m264lcjq1foe.dll
    deleting local copy: m2ju0c19ef.dll
    deleting local copy: merddm.dll
    deleting local copy: mohtmler.dll
    deleting local copy: mpw3prt.dll
    deleting local copy: no4_disp.dll
    deleting local copy: p8r4li9q18.dll
    deleting local copy: pirfts.dll
    deleting local copy: ptotowiz.dll
    deleting local copy: pwlstore.dll
    deleting local copy: q2rq0c95ef.dll
    deleting local copy: stnscfg.dll
    deleting local copy: u8ruli9918.dll
    deleting local copy: guard.tmp

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    @=""
    "DLLName"="igfxsrvc.dll"
    "Asynchronous"=dword:00000001
    "Impersonate"=dword:00000001
    "Unlock"="WinlogonUnlockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    The following are the files found:
    ****************************************************************************
    C:\WINDOWS\system32\dfcqry32.dll
    C:\WINDOWS\system32\dn4o01h3e.dll
    C:\WINDOWS\system32\dsmsvinn.dLL
    C:\WINDOWS\system32\dvmv2clt.dll
    C:\WINDOWS\system32\f0l02a3mgd.dll
    C:\WINDOWS\system32\fp2603fse.dll
    C:\WINDOWS\system32\g8lm0i31e8.dll
    C:\WINDOWS\system32\iqrtprio.dll
    C:\WINDOWS\system32\l24qlch51f4.dll
    C:\WINDOWS\system32\lt4027hmg.dll
    C:\WINDOWS\system32\lv6m09j1e.dll
    C:\WINDOWS\system32\m264lcjq1foe.dll
    C:\WINDOWS\system32\m2ju0c19ef.dll
    C:\WINDOWS\system32\merddm.dll
    C:\WINDOWS\system32\mohtmler.dll
    C:\WINDOWS\system32\mpw3prt.dll
    C:\WINDOWS\system32\no4_disp.dll
    C:\WINDOWS\system32\p8r4li9q18.dll
    C:\WINDOWS\system32\pirfts.dll
    C:\WINDOWS\system32\ptotowiz.dll
    C:\WINDOWS\system32\pwlstore.dll
    C:\WINDOWS\system32\q2rq0c95ef.dll
    C:\WINDOWS\system32\stnscfg.dll
    C:\WINDOWS\system32\u8ruli9918.dll
    C:\WINDOWS\system32\guard.tmp

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{0EA09DC3-89B7-418A-A10E-5EE22148E75E}"=-
    "{12850CA9-1547-4F1D-8809-5EED63F43A33}"=-
    "{914A133C-EF1A-41BA-BD9F-D6145781F710}"=-
    "{1A4E7718-9A6B-4075-8A34-90A44E496D1D}"=-
    "{746CF332-5611-4454-A0C0-18ECCE640FEB}"=-
    "{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}"=-
    "{B8AAEB22-679F-4AB1-BBBB-56183A61E716}"=-
    "{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}"=-
    "{1402E267-8169-4AC8-BA2C-F6025A4974F6}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{0EA09DC3-89B7-418A-A10E-5EE22148E75E}]
    [-HKEY_CLASSES_ROOT\CLSID\{12850CA9-1547-4F1D-8809-5EED63F43A33}]
    [-HKEY_CLASSES_ROOT\CLSID\{914A133C-EF1A-41BA-BD9F-D6145781F710}]
    [-HKEY_CLASSES_ROOT\CLSID\{1A4E7718-9A6B-4075-8A34-90A44E496D1D}]
    [-HKEY_CLASSES_ROOT\CLSID\{746CF332-5611-4454-A0C0-18ECCE640FEB}]
    [-HKEY_CLASSES_ROOT\CLSID\{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}]
    [-HKEY_CLASSES_ROOT\CLSID\{B8AAEB22-679F-4AB1-BBBB-56183A61E716}]
    [-HKEY_CLASSES_ROOT\CLSID\{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}]
    [-HKEY_CLASSES_ROOT\CLSID\{1402E267-8169-4AC8-BA2C-F6025A4974F6}]
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{C0664D93-6ED1-46C2-B0F2-6A761EAF3F5D}"=-
    "SV1"=""
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    <IDone>{C0664D93-6ED1-46C2-B0F2-6A761EAF3F5D}</IDone>
    <IDtwo>DS4</IDtwo>
    <VERSION>200</VERSION>
    ****************************************************************************
    
    new hijack this log:

    Logfile of HijackThis v1.99.0
    Scan saved at 10:37:21 PM, on 2/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\isrvs\desktop.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\WINDOWS\system32\haekg.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\khigti.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\System32\msupd5.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\imapi.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\My Documents\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.umich.edu
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
    O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING2.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DF600A33-85DF-4EFB-9BA0-3AB7B6BE04AB}: NameServer = 206.141.193.55 66.73.20.40
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
     
  6. kulrich

    kulrich Thread Starter

    Joined:
    Feb 3, 2005
    Messages:
    12
    OK, here is the output log:

    ---------------- FindVX2 NT-2K-XP ----------------

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    ***** Operating System *****

    Microsoft Windows XP Professional 5.1 Service Pack 2 (Build 2600)

    ********* Date/Time ********

    Friday, February 04, 2005 (2/4/2005)
    10:40 PM, Eastern Standard Time

    *********** Path ***********

    FindVX2.bat is running from: C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Desktop\Downloaded help things\FindIt NT-2K-XP\FindIt NT-2K-XP

    ------- System Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is BCFB-2313

    Directory of C:\WINDOWS\System32

    01/28/2005 05:18 PM <DIR> dllcache
    01/11/2005 09:10 AM 401,408 ??anregw.exe
    11/20/2003 06:56 PM <DIR> Microsoft
    1 File(s) 401,408 bytes
    2 Dir(s) 46,836,486,144 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is BCFB-2313

    Directory of C:\WINDOWS\System32

    02/04/2005 04:59 AM <DIR> vmss
    02/04/2005 04:59 AM <DIR> wsxsvc
    01/28/2005 05:18 PM <DIR> dllcache
    01/25/2005 01:54 PM 53,248 haekg.exe
    01/11/2005 09:10 AM 401,408 ??anregw.exe
    04/21/2004 10:23 AM 488 WindowsLogon.manifest
    04/21/2004 10:23 AM 488 logonui.exe.manifest
    04/21/2004 10:23 AM 749 sapi.cpl.manifest
    04/21/2004 10:23 AM 749 nwc.cpl.manifest
    04/21/2004 10:23 AM 749 wuaucpl.cpl.manifest
    04/21/2004 10:23 AM 749 cdplayer.exe.manifest
    04/21/2004 10:23 AM 749 ncpa.cpl.manifest
    9 File(s) 459,377 bytes
    3 Dir(s) 46,836,482,048 bytes free

    --------------- Files Named "Guard" --------------

    Volume in drive C has no label.
    Volume Serial Number is BCFB-2313

    Directory of C:\WINDOWS\System32


    -------- Temp Files in System32 Directory --------

    Volume in drive C has no label.
    Volume Serial Number is BCFB-2313

    Directory of C:\WINDOWS\System32

    03/08/2004 11:00 PM 132,880 nsw42.tmp
    08/29/2002 07:00 AM 2,577 CONFIG.TMP
    2 File(s) 135,457 bytes
    0 Dir(s) 46,836,482,048 bytes free

    ------------------- User Agent -------------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1"=""

    --------------- Keys Under Notify ----------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    @=""
    "DLLName"="igfxsrvc.dll"
    "Asynchronous"=dword:00000001
    "Impersonate"=dword:00000001
    "Unlock"="WinlogonUnlockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    ------------ Shell Extensions Approved -----------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
    "{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
    "{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
    "{AF8DE18D-9065-4102-BC40-EB294A95BB07}"="Novell Connections"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
    "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
    "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
    "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"

    --------------- Locate.com Results ---------------
    
     
  7. Cretemonster

    Cretemonster

    Joined:
    Jan 29, 2005
    Messages:
    31
    Some more Downloads:

    Pocket KillBox:
    http://www.bleepingcomputer.com/files/killbox.php
    Inside this page is a direct download plus a brief description of what the program does!

    Download VX2Finder from:
    http://www.downloads.subratam.org/VX2Finder.exe

    Just hang on to it, we will use it in a bit!

    Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R3 - Default URLSearchHook is missing

    O1 - Hosts: 69.20.16.183 auto.search.msn.com

    O1 - Hosts: 69.20.16.183 search.netscape.com

    O1 - Hosts: 69.20.16.183 ieautosearch

    O1 - Hosts: 69.20.16.183 ieautosearch

    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll

    O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)

    O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

    O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe

    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

    O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe

    O15 - Trusted Zone: http://www.neededware.com

    O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB

    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/d..._MARKETING2.cab

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

    Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

    Unregister this DLL
    Click Start>>Click Run>>Type in regsvr32 /u C:\WINDOWS\isrvs\mfiltis.dll and hit OK!
    If you get an error message, try this:
    Click Start>>Click Run>>Type in regsvr32 /u mfiltis.dll

    Open KillBox, select Standard File Delete and select End explorer shell while Killing file.

    Copy&amp;Paste these into KillBox one at a time, after each entry, click the Red StopSign with The White X in the middle!

    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\khigti.exe

    C:\WINDOWS\system32\nsw42.tmp

    C:\WINDOWS\system32\haekg.exe

    C:\WINDOWS\System32\msupd5.exe

    If any of the above will not delete, make a note of which do not, open KillBox again and select Delete on Reboot, paste those entries into KillBox, decline the option to reboot until you have entered the last file!

    When prompted to reboot, do so, select Safe Mode:

    Here is a link on how to boot into Safe Mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders, this must be done after restarting in Safe Mode!!
    Here is a link to help with that:
    http://www.bleepingcomputer.com/forums/index.php?showtutorial=62
    Please Make sure this Config is done in Safe Mode!

    Now I need you to locate and delete a few folders:

    C:\WINDOWS\isrvs<<< The Entire isrvs folder!

    C:\WINDOWS\System32\wsxsvc<<< The Entire wsxsvc folder!

    C:\WINDOWS\System32\vmss<<< The Entire vmss folder!

    When finished, reboot your system again and bring it back up in normal mode. Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.
    Select the tab labeled Startup and put a Check by every box there!! Once everything is enabled, run "Hijack This!" and post a new log to this thread!!

    Here is a link explaining:

    http://netsquirrel.com/msconfig/

    Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
    http://members.aol.com/toadbee/hoster.zip

    Once restarted, download this program:

    Download VX2Finder from:
    http://www.downloads.subratam.org/VX2Finder.exe
    Click on these buttons in the right pane unless they are "greyed" out:
    In this order please,
    Guardian.reg
    User Agent$
    Restore Policy

    You will be prompted to reboot, do so!

    Once restarted, post a fresh HijackThis log and let's have a look!
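As an added example (not code from this thread or from any of the tools it links), here is a small Python triage pass over HijackThis-style log lines that applies the same checks Cretemonster's instructions rely on: hosts-file redirects, orphaned BHOs and filters, autoruns from the folders slated for deletion, Trusted Zone additions, and unknown services with missing binaries. The sample lines are constructed from entries quoted in the thread; the folder list and the heuristics are assumptions of the example, and every hit is a pointer to review, not a verdict.

```python
"""Added example, not part of this thread: a triage pass over HijackThis-style
log lines applying the checks the helper's instructions rely on.

Every finding means "review this", not "this is malware":
  * O1      hosts-file lines that send names somewhere other than 127.0.0.1
  * O2/O18  BHOs and filters still registered but with no backing file
  * O4      Run entries launched from folders the thread says to delete, or
            with a bare file name that Windows resolves via the search path
  * O15     sites added to the Trusted Zone
  * O23     services with an unknown vendor whose binary is missing
"""
import re
from collections import defaultdict

# Folders the helper told the poster to delete outright (taken from the thread).
SUSPECT_DIRS = ("c:\\windows\\isrvs\\",
                "c:\\windows\\system32\\wsxsvc\\",
                "c:\\windows\\system32\\vmss\\")

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Only .exe/.dll here: ".com" would cut paths like support.com\bin\tgcmd.exe short.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll))"?', re.IGNORECASE)


def parse_log(text):
    """Return (section, body) pairs for every R/F/O entry line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def command_path(cmd):
    """Pull the executable out of a Run value, tolerating quotes, spaces and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage(text):
    """Return a list of (section, reason, entry) findings for the log text."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for sec, body in parse_log(text):
        if sec == "O1":
            m = HOSTS_RE.match(body)
            if m and m.group("ip") != "127.0.0.1":
                hosts_by_ip[m.group("ip")].append(m.group("host"))
        elif sec in ("O2", "O18") and ("(no file)" in body or "(file missing)" in body):
            findings.append((sec, "handler still registered but its file is gone", body))
        elif sec == "O4":
            m = RUN_RE.match(body)  # Startup-folder O4 lines do not match; skip them
            if not m:
                continue
            path = command_path(m.group("cmd"))
            if any(path.lower().startswith(d) for d in SUSPECT_DIRS):
                findings.append((sec, "autorun from a folder slated for deletion", body))
            elif ":\\" not in path:
                findings.append((sec, "autorun by bare file name, resolved via search path", body))
        elif sec == "O15":
            findings.append((sec, "site added to the Trusted Zone", body))
        elif sec == "O23" and "- Unknown -" in body and "(file missing)" in body:
            findings.append((sec, "service with unknown vendor and missing binary", body))
    # Report hosts-file redirects grouped by destination IP, as the helper read them.
    for ip, hosts in hosts_by_ip.items():
        findings.append(("O1", f"hosts file sends {len(hosts)} name(s) to {ip}", ", ".join(hosts)))
    return findings


# Constructed sample: a handful of entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [3soj39V] vgaompos.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O15 - Trusted Zone: http://www.neededware.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for sec, reason, entry in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}: {entry}")
```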
     
  8. kulrich

    kulrich Thread Starter

    Joined:
    Feb 3, 2005
    Messages:
    12
    Thank you ever so much!
    Here is the first HijackThis log (after enabling all the startup stuff); more to come...:

    Logfile of HijackThis v1.99.0
    Scan saved at 12:20:46 AM, on 2/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\vwgurg.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\My Documents\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.umich.edu
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
    O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
    O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [wdecma] c:\windows\system32\wdecma.exe
    O4 - HKLM\..\Run: [vyjuic] C:\WINDOWS\System32\vyjuic.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\adl_dh.exe
    O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
    O4 - HKLM\..\Run: [of9r6mmd] C:\Program Files\of9r6mmd\of9r6mmd.exe
    O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [igvcoc] C:\WINDOWS\System32\igvcoc.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [dlsmgr] C:\Program Files\dlsmgr\dlsmgr.exe
    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [App32dll] C:\WINDOWS\system32\msnav32.exe dvd
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
    O4 - HKLM\..\Run: [3soj39V] vgaompos.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [Sesr] C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Application Data\ioub.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [IB7tRVZ6V] uxttcprx.exe
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DF600A33-85DF-4EFB-9BA0-3AB7B6BE04AB}: NameServer = 206.141.193.55 66.73.20.40
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe (file missing)
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
     
  9. kulrich

    kulrich Thread Starter

    Joined:
    Feb 3, 2005
    Messages:
    12
    I'm glad you know what you are doing. Here is the new HijackThis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 12:27:56 AM, on 2/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\vwgurg.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\wintask.exe
    C:\program files\support.com\bin\tgcmd.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\dlsmgr\dlsmgr.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\WINDOWS\system32\msnav32.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\My Documents\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.umich.edu
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
    O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
    O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [wdecma] c:\windows\system32\wdecma.exe
    O4 - HKLM\..\Run: [vyjuic] C:\WINDOWS\System32\vyjuic.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\adl_dh.exe
    O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
    O4 - HKLM\..\Run: [of9r6mmd] C:\Program Files\of9r6mmd\of9r6mmd.exe
    O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [igvcoc] C:\WINDOWS\System32\igvcoc.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [dlsmgr] C:\Program Files\dlsmgr\dlsmgr.exe
    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [App32dll] C:\WINDOWS\system32\msnav32.exe dvd
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
    O4 - HKLM\..\Run: [3soj39V] vgaompos.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [Sesr] C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Application Data\ioub.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [IB7tRVZ6V] uxttcprx.exe
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe (file missing)
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
     
  10. Cretemonster

    Cretemonster

    Joined:
    Jan 29, 2005
    Messages:
    31
    Have faith, we are getting there!!!

    Go to Add/Remove Programs and remove:
    AdStatus Service

    Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)

    O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)

    O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

    O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe

    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe

    O4 - HKLM\..\Run: [wdecma] c:\windows\system32\wdecma.exe

    O4 - HKLM\..\Run: [vyjuic] C:\WINDOWS\System32\vyjuic.exe

    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe

    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\adl_dh.exe

    O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe

    O4 - HKLM\..\Run: [of9r6mmd] C:\Program Files\of9r6mmd\of9r6mmd.exe

    O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe

    O4 - HKLM\..\Run: [igvcoc] C:\WINDOWS\System32\igvcoc.exe

    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

    O4 - HKLM\..\Run: [dlsmgr] C:\Program Files\dlsmgr\dlsmgr.exe

    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe

    O4 - HKLM\..\Run: [App32dll] C:\WINDOWS\system32\msnav32.exe dvd

    O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe

    O4 - HKCU\..\Run: [Sesr] C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Application Data\ioub.exe

    O4 - HKCU\..\Run: [IB7tRVZ6V] uxttcprx.exe


    O4 - HKLM\..\Run: [3soj39V] vgaompos.exe

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

    O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe (file missing)

    Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

    Reboot into SAFE MODE (F5 or F8 when restarting)

    Locate and delete:

    C:\WINDOWS\system32\haekg.exe<<< Just the EXE!

    C:\WINDOWS\system32\wintask.exe<<< Just the EXE!

    C:\windows\system32\wdecma.exe<<< Just the EXE!

    C:\WINDOWS\System32\vyjuic.exe<<< Just the EXE!

    C:\WINDOWS\System32\adl_dh.exe<<< Just the EXE!

    C:\WINDOWS\system32\n20050308.exe<<< Just the EXE!

    C:\WINDOWS\System32\igvcoc.exe<<< Just the EXE!

    C:\WINDOWS\system32\msnav32.exe<<< Just the EXE!

    C:\windows\bundles\adl_mteststub.exe<<< Just the EXE!

    C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Application Data\ioub.exe<<< Just the EXE!

    C:\WINDOWS\isrvs<<< The entire isrvs folder!

    C:\WINDOWS\System32\vmss<<< The entire vmss folder!

    C:\WINDOWS\System32\wsxsvc<<< The entire wsxsvc folder!

    C:\Program Files\dlsmgr<<< The entire dlsmgr folder!

    C:\Program Files\CSBB<<< The entire CSBB folder!

    C:\Program Files\of9r6mmd<<< The entire of9r6mmd folder!

    C:\Program Files\AdStatus Service<<< The entire AdStatus Service folder!

    uxttcprx.exe<<< Unsure of exact location!

    vgaompos.exe<<< Unsure of exact location!

    Once completed, post a fresh HijackThis log and let's hear how the PC is running.
     
  11. kulrich

    kulrich Thread Starter

    Joined:
    Feb 3, 2005
    Messages:
    12
    I didn't see AdStatus Service when I went to Add/Remove Programs. Am I doing something wrong?
     
  12. kulrich

    kulrich Thread Starter

    Joined:
    Feb 3, 2005
    Messages:
    12
    Hmm. Am afraid I did something wrong. The only files I found to delete when I was in Safe Mode were wintask.exe, msnav32.exe, dlsmgr, of9r6mmd, AdStatus Service. I didn't see any of the others. Have I thanked you recently for all your help? Well, I will again... thank you!!! And the ole computer seems to be doing pretty well. The demonic flashy pop-up toolbar over my clock has disappeared, and (holding my breath) I haven't seen any pesky pop-ups recently.
    So here is my new HijackThis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 1:44:56 AM, on 2/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\vwgurg.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\program files\support.com\bin\tgcmd.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\My Documents\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.umich.edu
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
    O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
    O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
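The two logs above make a useful pair for a quick check a helper would otherwise do by eye. Two things in a HijackThis log are worth reading mechanically: entries tagged "(file missing)" or "(no file)" are registry hooks whose target is already gone, so fixing them only removes the dangling reference; and O4 Run values that carry a bare file name with no directory (such as vgaompos.exe or uxttcprx.exe in the earlier log) are resolved by Windows through its executable search path, which is why the log alone cannot say where those files live. Diffing two successive logs also shows what was removed and what newly appeared (vwgurg.exe in the process list of the second log). The script below is an added example written for this page; it is not part of the thread and not a HijackThis feature. It parses log text only, so it runs offline and touches nothing on disk; the sample input is a constructed excerpt of a few lines from the first and second logs posted in this thread, not the complete logs.

```python
"""Parse and diff HijackThis logs: dangling hooks, search-path Run values,
and what changed between two snapshots. Added example, not from the thread."""
import re

# Section prefix of an entry line, e.g. "O4 - ...", "R0 - ...".
ENTRY_RE = re.compile(r"^(?P<sec>O\d+|R\d)\s+-\s+")
# O4 Run-key entries: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Constructed sample input: a few lines excerpted from the first and second
# logs posted in this thread (not complete logs).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.0

Running processes:
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\system32\haekg.exe

O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [3soj39V] vgaompos.exe
O4 - HKCU\..\Run: [IB7tRVZ6V] uxttcprx.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe (file missing)
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.0

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vwgurg.exe

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
"""


def parse_hjt(text):
    """Return {section: [lines]}; the process list goes under 'processes'."""
    sections = {"processes": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            sections["processes"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections.setdefault(m.group("sec"), []).append(line)
    return sections


def dangling_entries(sections):
    """Hooks whose target HijackThis reported as absent from disk."""
    return [l for sec, lines in sections.items() if sec != "processes"
            for l in lines if "(no file)" in l or "(file missing" in l]


def _command_image(cmd):
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def unqualified_run_targets(sections):
    """O4 Run values with no directory: Windows resolves these through its
    executable search path, so the log cannot tell you where the file is."""
    out = []
    for l in sections.get("O4", []):
        m = O4_RE.match(l)
        if m:
            image = _command_image(m.group("cmd"))
            if "\\" not in image and "/" not in image:
                out.append((m.group("name"), image))
    return out


def diff_logs(before, after):
    """Per section that changed: (removed_lines, added_lines), both sorted."""
    result = {}
    for sec in sorted(set(before) | set(after)):
        b, a = set(before.get(sec, [])), set(after.get(sec, []))
        if b != a:
            result[sec] = (sorted(b - a), sorted(a - b))
    return result


def report(before_text, after_text):
    """Human-readable lines: diff, then dangling and search-path entries."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    lines = []
    for sec, (removed, added) in diff_logs(before, after).items():
        lines += [f"- [{sec}] {l}" for l in removed] + [f"+ [{sec}] {l}" for l in added]
    lines += [f"! dangling: {l}" for l in dangling_entries(after)]
    lines += [f"? search-path: [{n}] {img}" for n, img in unqualified_run_targets(after)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOG_BEFORE, LOG_AFTER)))
```

Run it on two complete logs saved as text files and the "+" lines are the candidates to look at first: anything that appears in the process list or Run keys between rounds of cleaning is either a re-dropped file or a survivor the earlier round missed.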
     
  13. Cretemonster

    Cretemonster

    Joined:
    Jan 29, 2005
    Messages:
    31
    I gotta get a new Internet provider, mine is upgrading the lines to fiber optic and wham, I have no Internet connection!

    OK, we still have some bugs running around in there!!

    Open KillBox, select Standard File Delete and End Explorer Shell while Killing File!

    Look to the bottom right, under processes, locate this one, vwgurg.exe, and select to end or kill it!

    Now Copy&Paste this into the Text Box:
    C:\WINDOWS\system32\vwgurg.exe
    Hit the Stop Sign With the white X in the middle!

    Now go back and make sure Windows is properly configured to show ALL hidden files and folders!
    This is a must for whatever mode you are in!
    Might be why you didn't see some of those files last round!
    The config for hidden files has to be done per user>>>per mode!

    Once that's completed, locate and delete this folder:

    C:\WINDOWS\isrvs

    If it won't delete in Normal Mode, go back to Safe Mode and kill it!

    Make sure to check the Recycle Bin to see if it's there; if not, let me know; if so, empty the Recycle Bin!

    Once completed, open HijackThis, put a check by these but Do Not Hit the Fix Checked Button yet!

    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)

    O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)

    O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

    Now Close ALL Windows and Browsers and Hit the Fix Checked Button!

    I will need you to restart the PC once more, scan with HijackThis, and save that log!

    Download, install and scan with eScan:
    http://www.mwti.net/antivirus/free_utilities.asp
    Extract all files, double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, copy and paste it in your next reply.
    All I need to see is what's in the bottom window!

    Place those 2 logs in the next post and we will go from there!
     
  14. kulrich

    kulrich Thread Starter

    Joined:
    Feb 3, 2005
    Messages:
    12
    All right. Here is what I got. When I tried to get C:\WINDOWS\system32\vwgurg.exe, it claimed the file didn't exist. I then went to try and kill C:\WINDOWS\isrvs, and I had it all configured for showing hidden files, but it still wasn't there. I checked my Recycle Bin, and it WAS there, so I emptied the Recycle Bin.
    Thanks again for putting up with me...

    Here is my HijackThis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 12:14:57 PM, on 2/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\program files\support.com\bin\tgcmd.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\khigti.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\My Documents\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.umich.edu
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
    O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
    O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DF600A33-85DF-4EFB-9BA0-3AB7B6BE04AB}: NameServer = 206.141.193.55 66.73.20.40
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    And here is my eScan log:

    File C:\WINDOWS\system32\ienpbn.dll infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\khigti.exe infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\lhauwa.exe infected by "Trojan-Downloader.Win32.Qoologic.d" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\drivers\phqghume.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\exdl.exe infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\iconu.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\adupdater.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\cp.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\CP18.exe infected by "Trojan-Downloader.Win32.Small.ahx" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\docore.dll infected by "not-a-virus:AdWare.Couponage.a" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\dolsp.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\dosync.dll infected by "not-a-virus:AdWare.Couponage.a" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\dsktrf.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.b" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\exp.exe infected by "Trojan-Downloader.Win32.Small.abd" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\hszvg.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\hynek.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\igvco.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\instsrv.exe tagged as not-a-virus:RiskWare.Tool.ServiceRunner.f. No Action Taken.
    File C:\WINDOWS\system32\ivluh.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\ivluhd.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\ivluhf.exe infected by "not-a-virus:AdWare.Adstart.d" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\javex80.vxd infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\kthocgto.exe infected by "Trojan-Proxy.Win32.Agent.l" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\lcquoq.dll infected by "Trojan-Downloader.Win32.Qoologic.d" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\lukky.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\lukkyd.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\mqexdlm.srg infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\pgnzc.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\psis80ex.ax infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\vyjui.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\wpkubk.dat infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\yfutm.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\ymxyl.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\yzrst.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\ICD1.tmp\installer_MEDIAWHIZ8.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.fr088D infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.fr5297 infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.fr60EB infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.fr7E47 infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.fr884A infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.fr8BFE infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.frAE5E infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.frEE76 infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.frF964 infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\CFF2C6RA\installer_MEDIAWHIZ8[1].cab infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\vmstmp\vmstmp.exe infected by "not-a-virus:AdWare.DelphinMediaViewer.c" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\TEMPOR~1\Content.IE5\IHP6ZQXW\AppWrap[1].exe infected by "Trojan-Dropper.Win32.Small.ru" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\TEMPOR~1\Content.IE5\KPGFSN8J\AppWrap[1].exe infected by "Trojan-Dropper.Win32.Small.of" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\TEMPOR~1\Content.IE5\QTCZMPM5\AppWrap[1].exe infected by "Trojan-Dropper.Win32.Small.ru" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\TEMPOR~1\Content.IE5\S5638X6N\AppWrap[2].exe infected by "Trojan-Dropper.Win32.Small.ru" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\TEMPOR~1\Content.IE5\T8W3LH8L\AppWrap[1].exe infected by "Trojan-Dropper.Win32.Small.ru" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\TEMPOR~1\Content.IE5\YL30PS3M\AppWrap[1].exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.
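Every line in the eScan log above ends in "No Action Taken", so the list is a work queue rather than a result, and at this length it needs an order. A practitioner would rank it before touching anything: a detection on a .sys file under system32\drivers is a kernel driver that loads with the system and can interfere with user-mode cleanup tools, so it comes first; a Trojan-Proxy turns the machine into a relay for someone else's traffic; the Trojan-Downloader and Trojan-Dropper hits are what keeps re-installing the adware; the "not-a-virus" adware components are the visible symptom; and copies under Temp or Temporary Internet Files are inert installer payloads that can be cleared in bulk. The script below is an added example written for this page, not part of the thread and not an eScan feature. It parses the two line shapes eScan uses above ("infected by ... Virus. Action Taken: ..." and "tagged as ... No Action Taken.") and ranks the hits; the category names and ranking are this example's own choices, and the sample input is a constructed excerpt of nine lines from the log posted above.

```python
"""Triage an eScan detection log: parse each line into (path, detection name,
action) and rank the hits so the ones that matter are handled first.
Added example, not from the thread; nothing is read from disk."""
import re
from collections import Counter

# Two line shapes seen in the log: 'infected by "<name>" Virus. Action Taken: <x>.'
# and 'tagged as <name>. <x>.' (the tagged form has no quotes around the name).
ESCAN_RE = re.compile(
    r'^File (?P<path>.+?) (?:'
    r'infected by "(?P<name>[^"]+)" Virus\. Action Taken: (?P<action>.+?)\.'
    r'|tagged as (?P<tag>\S+?)\. (?P<action2>.+?)\.'
    r')$'
)

# Constructed sample: nine lines excerpted from the eScan log in this thread.
ESCAN_SAMPLE = r"""
File C:\WINDOWS\system32\ienpbn.dll infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\khigti.exe infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\drivers\phqghume.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\instsrv.exe tagged as not-a-virus:RiskWare.Tool.ServiceRunner.f. No Action Taken.
File C:\WINDOWS\system32\kthocgto.exe infected by "Trojan-Proxy.Win32.Agent.l" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.fr7E47 infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\TEMPOR~1\Content.IE5\IHP6ZQXW\AppWrap[1].exe infected by "Trojan-Dropper.Win32.Small.ru" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\ICD1.tmp\installer_MEDIAWHIZ8.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.
"""

# Ranking chosen for this example (lower runs first); kernel drivers get 0.
CATEGORY_RANK = {"proxy": 1, "trojan": 2, "downloader/dropper": 3,
                 "adware/riskware": 4, "other": 5}


def parse_escan(text):
    """Return a list of {'path', 'name', 'action'} for every line that parses."""
    rows = []
    for line in text.splitlines():
        m = ESCAN_RE.match(line.strip())
        if m:
            rows.append({"path": m.group("path"),
                         "name": m.group("name") or m.group("tag"),
                         "action": m.group("action") or m.group("action2")})
    return rows


def classify(name):
    """Bucket a Kaspersky-style detection name by its family prefix."""
    n = name.lower()
    if n.startswith("not-a-virus:"):
        return "adware/riskware"
    if n.startswith(("trojan-downloader", "trojan-dropper")):
        return "downloader/dropper"
    if n.startswith("trojan-proxy"):
        return "proxy"
    if n.startswith("trojan"):
        return "trojan"
    return "other"


def is_kernel_driver(path):
    p = path.lower()
    return p.endswith(".sys") and "\\drivers\\" in p


def is_cache_copy(path):
    """Installer payloads parked in Temp or the IE cache, not live components."""
    p = path.lower()
    return any(t in p for t in ("\\temp\\", "\\tempor~1\\", "\\temporary internet files\\"))


def triage(rows):
    """Annotate each hit with category, cache flag and priority; sort by priority."""
    out = []
    for r in rows:
        cat = classify(r["name"])
        rank = 0 if is_kernel_driver(r["path"]) else CATEGORY_RANK[cat]
        cache = is_cache_copy(r["path"])
        out.append({**r, "category": cat, "cache_copy": cache,
                    "priority": rank + (10 if cache else 0)})
    out.sort(key=lambda r: (r["priority"], r["path"].lower()))
    return out


def summary(rows):
    """Counts per category, for a one-line picture of what is on the box."""
    return Counter(classify(r["name"]) for r in rows)


if __name__ == "__main__":
    rows = parse_escan(ESCAN_SAMPLE)
    for r in triage(rows):
        print(f"{r['priority']:2d} {'cache' if r['cache_copy'] else 'live ':5s} "
              f"{r['category']:<18s} {r['path']}")
    print(dict(summary(rows)))
```

On the full log this puts phqghume.sys and kthocgto.exe at the top, the system32 downloader DLLs and the Startup-folder khigti.exe next, and the AppWrap and installer copies under the IE cache at the bottom where emptying Temp and Temporary Internet Files disposes of them in one go.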
     
  15. Cretemonster

    Cretemonster

    Joined:
    Jan 29, 2005
    Messages:
    31
    Tell ya what, Kaspersky offers a 30-day trial of their AV!

    Download it and update it!
    http://www.kaspersky.com/trials

    Scan the system twice!

    Remove all it finds; it should remove everything in the eScan log for us!

    You can remove this program once all is clear!

    Post a fresh HijackThis Log once completed!
     
Short URL to this thread: https://techguy.org/326868