
Solved: Help me fix an O20 - Winlogon Notify?

Discussion in 'Virus & Other Malware Removal' started by spiritofcat, Jan 24, 2006.

  1. spiritofcat

    spiritofcat Thread Starter

    Joined:
    Jan 24, 2006
    Messages:
    6
    My Firefox has been hijacked and is spewing out popups.
    I've already done what I can with my antivirus, adaware and what I know of HJT.
    The only thing that seems to remain is a pesky dll file whose name changes every time I reboot and which I suspect is responsible for the popups.

    Here is my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:24:11 AM, on 1/25/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Fuzzy\Desktop\Things you need ... when you start again\Adaware\HijackThis.exe

    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Microsoft Office] C:\WINNT\system32\msoff.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138012032421
    O20 - Winlogon Notify: IPConfTSP - C:\WINNT\system32\jtls0737e.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
     
  2. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the
    Install button to extract the files and follow the prompts, then open
    the newly added l2mfix folder on your desktop. Double click l2mfix.bat
    and select option #1 for Run Find Log by typing 1 and then pressing
    enter. This will scan your computer and it may appear nothing is
    happening, then, after a minute or 2, notepad will open with a log.
    Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix
    folder until you are asked to do so!


    * Note: If you receive an error while running option #1 like:

    "C:\windows\system32\cmd.exe
    C:\windows\system32\autoexec.nt the system file is not suitable for
    running ms-dos and microsoft windows applications, choose close to
    terminate the application."

    ...then do one of the following:

    1: Click on the l2mfix.bat again and choose option # 5 for Fix
    Autoexec.nt/cmd.exe error.

    2: Alternatively, you can click the fixautont.html link in the l2mfix
    folder and follow the directions there to fix it manually.

    Do not run the fix portion without fixing the error first.

    After you have performed the procedures to fix the error, repeat the
    steps above to run option #1 for Run Find Log.
     
  3. spiritofcat

    spiritofcat Thread Starter

    Joined:
    Jan 24, 2006
    Messages:
    6
    Here is my l2mfix log:

    L2MFIX find log 010406
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT\\system32\\jtls0737e.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{BDF03CBC-FD52-181D-6410-4CEB28DDE506}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
    "{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
    "{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
    "{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
    "{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
    "{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
    "{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
    "{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
    "{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
    "{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
    "{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
    "{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
    "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
    "{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
    "{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
    "{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
    "{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
    "{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
    "{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
    "{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
    "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
    "{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
    "{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
    "{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
    "{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Merge Shell Folder"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Microsoft SearchBand"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
    "{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
    "{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
    "{23170F69-40C1-278A-1000-000100020000}"="7-Zip Shell Extension"
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
    "{3370A0DC-A539-4483-ADC6-921ACE9F6487}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{3370A0DC-A539-4483-ADC6-921ACE9F6487}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3370A0DC-A539-4483-ADC6-921ACE9F6487}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3370A0DC-A539-4483-ADC6-921ACE9F6487}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3370A0DC-A539-4483-ADC6-921ACE9F6487}\InprocServer32]
    @="C:\\WINNT\\system32\\ktdpo.dll"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINNT\SYSTEM32\
    hr6u05~1.dll Wed Jan 25 2006 12:20:46a ..S.R 237,157 231.60 K
    jtls07~1.dll Tue Jan 24 2006 11:59:00p ..S.R 236,192 230.66 K
    ktdpo.dll Wed Jan 25 2006 12:20:46a ..S.R 236,192 230.66 K
    lfk.dll Tue Jan 24 2006 11:24:00p ..S.R 236,192 230.66 K
    msvcp71.dll Tue Jan 24 2006 2:39:54p A.... 499,712 488.00 K
    msvcr71.dll Tue Jan 24 2006 2:39:54p A.... 348,160 340.00 K
    nv4_disp.dll Sat Dec 10 2005 3:06:00a A.... 3,955,456 3.77 M
    nvapi.dll Sat Dec 10 2005 3:06:00a A.... 110,592 108.00 K
    nvcod.dll Sat Dec 10 2005 3:06:00a A.... 35,840 35.00 K
    nvcodins.dll Sat Dec 10 2005 3:06:00a A.... 35,840 35.00 K
    nvcpl.dll Sat Dec 10 2005 3:06:00a A.... 7,311,360 6.97 M
    nvhwvid.dll Sat Dec 10 2005 3:06:00a A.... 573,440 560.00 K
    nview.dll Sat Dec 10 2005 3:06:00a A.... 1,466,368 1.40 M
    nvmccs.dll Sat Dec 10 2005 3:06:00a A.... 229,376 224.00 K
    nvmccsrs.dll Sat Dec 10 2005 3:06:00a A.... 45,056 44.00 K
    nvmctray.dll Sat Dec 10 2005 3:06:00a A.... 86,016 84.00 K
    nvnt4cpl.dll Sat Dec 10 2005 3:06:00a A.... 286,720 280.00 K
    nvoglnt.dll Sat Dec 10 2005 3:06:00a A.... 5,402,624 5.15 M
    nvshell.dll Sat Dec 10 2005 3:06:00a A.... 466,944 456.00 K
    nvwddi.dll Sat Dec 10 2005 3:06:00a A.... 81,920 80.00 K
    nvwdmcpl.dll Sat Dec 10 2005 3:06:00a A.... 1,662,976 1.59 M
    nvwimg.dll Sat Dec 10 2005 3:06:00a A.... 1,019,904 996.00 K
    px.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
    pxdrv.dll Mon Dec 5 2005 4:12:26p ..... 405,504 396.00 K
    pxmas.dll Mon Dec 5 2005 4:12:26p ..... 172,032 168.00 K
    pxwave.dll Mon Dec 5 2005 4:12:26p ..... 339,968 332.00 K
    vxblock.dll Mon Dec 5 2005 4:12:26p ..... 28,672 28.00 K

    27 items found: 27 files (4 H/S), 0 directories.
    Total of file sizes: 25,850,181 bytes 24.65 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C is The New Space
    Volume Serial Number is 4419-2412

    Directory of C:\WINNT\System32

    01/25/2006 12:20a 236,192 ktdpo.dll
    01/25/2006 12:20a 237,157 hr6u05j9e.dll
    01/24/2006 11:58p 236,192 jtls0737e.dll
    01/24/2006 11:23p 236,192 lfk.dll
    01/24/2006 02:14p <DIR> dllcache
    4 File(s) 945,733 bytes
    1 Dir(s) 112,538,169,344 bytes free
     
  4. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Close any programs you have open since this step requires a reboot.

    Open the l2mfix folder and double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter.

    Your desktop and icons will disappear (this is normal).

    L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.

    Press any key to reboot.

    After the reboot notepad will open with a log.

    Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
    If after the reboot the log does not open, double click on it in the l2mfix folder.
     
  5. spiritofcat

    spiritofcat Thread Starter

    Joined:
    Jan 24, 2006
    Messages:
    6
    L2mfix 010406
    Creating Account.
    The command completed successfully.


    Adding Administrative privleges.
    The command completed successfully.

    Checking for L2MFix account(0=no 1=yes):
    1
    Granting SeDebugPrivilege to L2MFIX ... successful

    Running From:
    C:\WINNT\system32

    Killing Processes!

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 220 'smss.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 264 'winlogon.exe'
    Killing PID 264 'winlogon.exe'
    Error 0x5 : Access is denied.


    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 1056 'explorer.exe'
    Killing PID 1056 'explorer.exe'
    Error 0x5 : Access is denied.


    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 972 'rundll32.exe'
    Killing PID 972 'rundll32.exe'
    Error 0x5 : Access is denied.

    Restoring Sedebugprivilege:
    Granting SeDebugPrivilege to Administrators ... successful

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    1 file(s) copied.
    1 file(s) copied.
    Deleting: C:\WINNT\system32\ktdpo.dll
    Successfully Deleted: C:\WINNT\system32\ktdpo.dll
    Deleting: C:\WINNT\system32\lfk.dll
    Successfully Deleted: C:\WINNT\system32\lfk.dll

    msg11?.dll
    0 file(s) copied.



    Restoring Windows Update Certificates.:

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT\\system32\\jtls0737e.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000


    The following are the files found:
    ****************************************************************************
    C:\WINNT\system32\ktdpo.dll
    C:\WINNT\system32\lfk.dll

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{3370A0DC-A539-4483-ADC6-921ACE9F6487}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3370A0DC-A539-4483-ADC6-921ACE9F6487}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3370A0DC-A539-4483-ADC6-921ACE9F6487}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3370A0DC-A539-4483-ADC6-921ACE9F6487}\InprocServer32]
    @="C:\\WINNT\\system32\\ktdpo.dll"
    "ThreadingModel"="Apartment"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{3370A0DC-A539-4483-ADC6-921ACE9F6487}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{3370A0DC-A539-4483-ADC6-921ACE9F6487}]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    ****************************************************************************
    Checking for L2MFix account(0=no 1=yes):
    0
    Zipping up files for submission:
    adding: dlls/ktdpo.dll (152 bytes security) (deflated 5%)
    adding: dlls/lfk.dll (152 bytes security) (deflated 5%)
    adding: backregs/3370A0DC-A539-4483-ADC6-921ACE9F6487.reg (164 bytes security) (deflated 70%)
    adding: backregs/notibac.reg (152 bytes security) (deflated 63%)
    adding: backregs/shell.reg (152 bytes security) (deflated 75%)




    Logfile of HijackThis v1.99.1
    Scan saved at 10:53:59 AM, on 1/25/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\notepad.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Documents and Settings\Fuzzy\Desktop\Things you need ... when you start again\Adaware\HijackThis.exe

    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Microsoft Office] C:\WINNT\system32\msoff.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138012032421
    O20 - Winlogon Notify: Setup - C:\WINNT\system32\jtls0737e.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
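The Winlogon\Notify export in the L2MFix log above shows how the O20 entry persists: every subkey names a DLL that winlogon.exe (running as SYSTEM) loads and calls on the events it exports (here Logon, Logoff and Shutdown), and the stock Windows 2000 entries in the same export (crypt32chain, cryptnet, cscdll, sclgntfy, SensLogn, wzcnotif) give a baseline to compare against. As an added example that is not part of the thread or of L2MFix, the Python audit below parses such a .reg export, decodes the hex(2) DllName values, and flags any package that is not a stock name loading its expected DLL; the KNOWN_GOOD table and the random-looking-name heuristic are this example's assumptions.

```python
"""Audit a Winlogon\\Notify .reg export for non-stock notification packages.
Added example for this thread; not L2MFix or HijackThis code."""
import re

# Stock Windows 2000 SP4 packages and the DLL each should load, taken from the
# clean entries in the posted export; using it as a complete baseline is an assumption.
KNOWN_GOOD = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "wzcnotif": "wzcdlg.dll",
}

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# Constructed sample: two stock packages plus the Look2Me entry from the thread's log.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\jtls0737e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
"""


def _decode_hex2(payload: str) -> str:
    """hex(2) is REG_EXPAND_SZ: comma-separated UTF-16LE bytes, NUL-terminated."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg_export(text: str) -> dict:
    """Parse the .reg subset used by the export: [key] headers plus string,
    dword and hex(2) values; backslash-continued hex lines are joined first."""
    joined = re.sub(r",\\\s*\n\s*", ",", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if m is None or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1].replace("\\\\", "\\")
        elif value.startswith("hex(2):"):
            keys[current][name] = _decode_hex2(value[len("hex(2):"):])
        elif value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
    return keys


def audit_notify(keys: dict) -> list:
    """Return (subkey, dll, reasons) for every Notify package that is not a
    stock name loading its expected DLL; the extra reasons are heuristics."""
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            continue
        subkey = path.rsplit("\\", 1)[1]
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        base = dll.rsplit("\\", 1)[-1].lower()
        if KNOWN_GOOD.get(subkey.lower()) == base:
            continue  # stock package pointing at its own DLL
        reasons = ["subkey/DLL pair is not a stock notification package"]
        if "\\" in dll:
            reasons.append("DllName is an absolute path; stock entries use a bare file name")
        if re.search(r"\d", base) and re.search(r"[a-z]", base):
            reasons.append("file name mixes letters and digits (random-looking)")
        findings.append((subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    for subkey, dll, reasons in audit_notify(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{subkey} -> {dll}: {'; '.join(reasons)}")
```

Run it against a full export of the key rather than trusting the subkey name alone: the post-fix HijackThis log above shows the same jtls0737e.dll re-registered under the stock-sounding name Setup, which this audit would still flag because Setup is not in the baseline.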
     
  6. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    The entry responds to the L2me variant. Let's run this program before we try the Look2me Fix again:

    Please download WebRoot SpySweeper (It's a 2 week trial):

    http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

    Click the Free Trial link under "Downloads/SpySweeper" to download the program.

    Install it. Once the program is installed, it will open.

    It will prompt you to update to the latest definitions, click Yes.
    Once the definitions are installed, click Options on the left side.
    Click the Sweep Options tab.

    Under What to Sweep please put a check next to the following:

    * Sweep Memory
    * Sweep Registry
    * Sweep Cookies
    * Sweep All User Accounts
    * Enable Direct Disk Sweeping
    * Sweep Contents of Compressed Files
    * Sweep for Rootkits

    Please UNCHECK Do not Sweep System Restore Folder.

    Click Sweep Now on the left side.

    Click the Start button.

    When it's done scanning, click the Next button.

    Make sure everything has a check next to it, then click the Next button.

    It will remove all of the items found.

    Click Session Log in the upper right corner, copy everything in that window.

    Click the Summary tab and click Finish.

    Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  7. spiritofcat

    spiritofcat Thread Starter

    Joined:
    Jan 24, 2006
    Messages:
    6
    ********
    11:40 AM: | Start of Session, Wednesday, January 25, 2006 |
    11:40 AM: Spy Sweeper started
    11:40 AM: Sweep initiated using definitions version 605
    11:40 AM: Starting Memory Sweep
    11:41 AM: Memory Sweep Complete, Elapsed Time: 00:00:51
    11:41 AM: Starting Registry Sweep
    11:41 AM: Found Adware: look2me
    11:41 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\setup\ (6 subtraces) (ID = 129941)
    11:41 AM: Found Trojan Horse: trojan-dropper-sasearch
    11:41 AM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft office (ID = 812403)
    11:41 AM: Registry Sweep Complete, Elapsed Time:00:00:03
    11:41 AM: Starting Cookie Sweep
    11:41 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    11:41 AM: Starting File Sweep
    11:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:41 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:41 AM: hr6u05j9e.dll (ID = 159)
    11:42 AM: lfk.dll (ID = 159)
    11:42 AM: ktdpo.dll (ID = 159)
    11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:44 AM: kt2ql7f51.dll (ID = 159)
    11:44 AM: dhskcopy.dll (ID = 159)
    11:44 AM: jtls0737e.dll (ID = 159)
    11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:45 AM: Found System Monitor: potentially rootkit-masked files
    11:45 AM: sysbus32.sys (ID = 0)
    11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:46 AM: File Sweep Complete, Elapsed Time: 00:04:53
    11:46 AM: Full Sweep has completed. Elapsed time 00:05:54
    11:46 AM: Traces Found: 15
    11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
    11:47 AM: Removal process initiated
    11:47 AM: Quarantining All Traces: look2me
    11:47 AM: look2me is in use. It will be removed on reboot.
    11:47 AM: kt2ql7f51.dll is in use. It will be removed on reboot.
    11:47 AM: dhskcopy.dll is in use. It will be removed on reboot.
    11:47 AM: jtls0737e.dll is in use. It will be removed on reboot.
    11:47 AM: Quarantining All Traces: potentially rootkit-masked files
    11:47 AM: Quarantining All Traces: trojan-dropper-sasearch
    11:48 AM: Preparing to restart your computer. Please wait...
    11:48 AM: Removal process completed. Elapsed time 00:00:43
    ********
    11:38 AM: | Start of Session, Wednesday, January 25, 2006 |
    11:38 AM: Spy Sweeper started
    11:38 AM: Messenger service has been disabled.
    11:38 AM: Your spyware definitions have been updated.
    11:40 AM: | End of Session, Wednesday, January 25, 2006 |


    Logfile of HijackThis v1.99.1
    Scan saved at 11:53:20 AM, on 1/25/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Fuzzy\Desktop\Things you need ... when you start again\Adaware\HijackThis.exe

    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138012032421
    O20 - Winlogon Notify: ShellScrap - C:\WINNT\system32\kt2ql7f51.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
     
  8. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    It mutated to ShellScrap?

Close all browsers. Place a checkmark on the following line in HijackThis and click on Fix Checked:

    O20 - Winlogon Notify: ShellScrap - C:\WINNT\system32\kt2ql7f51.dll (file missing)

    Restart and post a new log.
     
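    One way to triage O20 (Winlogon Notify) lines like the two in this thread, as an added example that is not code from the thread, from HijackThis or from Spy Sweeper. The baseline of standard Notify subkeys and the benign sample line are assumptions, labelled as such in the code:

```python
"""Triage O20 (Winlogon Notify) lines from a HijackThis log (added example).

Winlogon Notify packages are DLLs that winlogon.exe loads at logon, so an
entry outside the trusted baseline is a persistence point worth review.
The Look2Me variant in this thread renames its DLL on every reboot, which
leaves a random-looking name and, once quarantined, a "(file missing)" hook.
"""
import re
from typing import Dict, List

# ASSUMPTION: Notify subkeys that ship with Windows 2000 / XP. Tune this to
# the baseline you actually trust before relying on the "not in baseline" flag.
KNOWN_NOTIFY_SUBKEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed sample: the two O20 lines posted in this thread plus one
# constructed benign entry so the script has a negative case.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O20 - Winlogon Notify: Setup - C:\WINNT\system32\jtls0737e.dll
O20 - Winlogon Notify: ShellScrap - C:\WINNT\system32\kt2ql7f51.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<subkey>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


def mixed_runs(stem: str) -> int:
    """Count maximal runs of letters vs digits, e.g. 'kt2ql7f51' -> 6, 'crypt32' -> 2."""
    runs, prev = 0, None
    for ch in stem:
        kind = "d" if ch.isdigit() else "a" if ch.isalpha() else "o"
        if kind != prev:
            runs += 1
            prev = kind
    return runs


def triage_o20(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per O20 line, with the reasons it deserves review."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue
        subkey, path = m.group("subkey"), m.group("path")
        filename = path.replace("\\", "/").rsplit("/", 1)[-1]
        stem = filename.rsplit(".", 1)[0]
        reasons: List[str] = []
        trusted = subkey.lower() in KNOWN_NOTIFY_SUBKEYS
        if not trusted:
            reasons.append("subkey not in assumed Notify baseline")
        if m.group("missing"):
            reasons.append("DLL missing on disk (stale hook or renamed on reboot)")
        if not trusted and mixed_runs(stem) >= 3:
            reasons.append("random-looking DLL name")
        findings.append({"subkey": subkey, "dll": filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_o20(SAMPLE_HJT_LOG):
        print(f["subkey"], f["dll"], "; ".join(f["reasons"]) or "ok")
```

    The name heuristic only supplements the baseline check: a DLL name with few letter/digit runs (such as dhskcopy.dll from the Spy Sweeper log above) is still flagged because its subkey is not in the baseline.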
  9. spiritofcat

    spiritofcat Thread Starter

    Joined:
    Jan 24, 2006
    Messages:
    6
    Logfile of HijackThis v1.99.1
    Scan saved at 12:09:03 PM, on 1/25/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Documents and Settings\Fuzzy\Desktop\Things you need ... when you start again\Malware Removal\HijackThis.exe

    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138012032421
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
     
  10. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
  11. spiritofcat

    spiritofcat Thread Starter

    Joined:
    Jan 24, 2006
    Messages:
    6
    Thanks for the help!
     
Short URL to this thread: https://techguy.org/436803