
VX2 help

Discussion in 'Virus & Other Malware Removal' started by repartist, Jan 22, 2005.

  1. repartist (Thread Starter)

    I've been trying to get rid of a download.trojan and a VX2 infection for 4 days now. I seemed to rid myself of the trojan but the VX2 files still exist. I hope someone here can help.

    My log file is:

    Logfile of HijackThis v1.99.0
    Scan saved at 12:34:57 PM, on 1/22/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\DIGStream\digstream.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rkybc.exe
    C:\WINDOWS\system32\hrgfr\awsfrl.exe
    C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Call Soft Pro\toscservice.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Documents and Settings\Barry\Application Data\eetu.exe
    C:\WINDOWS\system32\sysmonnt.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\msupd5.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Iomega\Tools\IMGICON.EXE
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {0FC9268A-4809-7A6A-5E44-DCD031B00160} - C:\WINDOWS\system32\cddryjyz.dll
    O2 - BHO: (no name) - {E9773798-3AC7-C889-7EB0-70BFB3DAA45D} - C:\WINDOWS\system32\qxjbupri.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [rkybc] C:\WINDOWS\system32\rkybc.exe
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Common Files\Roxio Shared\System\DirectCD.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Barry\Application Data\eetu.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
    O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
    O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
    O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
    O16 - DPF: RaptisoftGameLoader - http://miniclips.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
    O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: awsfrlhrgfr - Unknown - C:\WINDOWS\system32\hrgfr\awsfrl.exe
    O23 - Service: Call Soft - Unknown - C:\Program Files\Call Soft Pro\toscservice.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: jmxoezzfrvdc - Unknown - C:\WINDOWS\system32\msupd5.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
     
  2. Cookiegal (Administrator, Malware Specialist Coordinator)

    Let's do some clean up first and then we'll go after VX2.

    I'll post back with instructions shortly.
     
  3. repartist (Thread Starter)

  4. Cookiegal (Administrator, Malware Specialist Coordinator)

    Download the LSP Fix:

    http://cexx.org/lspfix.htm

    Launch the application, and click the "I know what I'm doing" checkbox.

    Check all instances of winlspak.dll and dolsp.dll (and nothing else), and move them to the "Remove" pane.
    Then click Finish.

    Now start your computer in Safe Mode and delete these files:

    C:\windows\system32\winlspak.dll
    C:\windows\system32\dolsp.dll

    Please download and run the following program(s):

    CWSHREDDER

    http://www.intermute.com/spysubtract/cwshredder_download.html

    Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

    Then restart your computer.

    AD-AWARE

    Go here: http://www.lavasoftusa.com/support/download/
    and download Ad-Aware SE Personal

    Install the program and launch it.

    First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

    Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

    Then, deselect Search for negligible risk entries.

    To start the scan, click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

    Restart your computer.


    SPYBOT SEARCH & DESTROY

    http://majorgeeks.com/download2471.html

    Open Spybot Search & Destroy (click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows and click "Check for Problems". Anything that needs to be fixed will show in red and have a green check in the box to the left. Click "Fix Selected Problems", then restart your computer.

    Then, after rebooting, please post another log and we’ll see what’s left to get rid of.
     
  5. repartist (Thread Starter)

    I did as you suggested but CWShredder kept shutting down during its scan (I tried three times). I ran Ad-Aware and Spybot. The new log is:

    Logfile of HijackThis v1.99.0
    Scan saved at 2:00:32 PM, on 1/22/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\DIGStream\digstream.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rkybc.exe
    C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Documents and Settings\Barry\Application Data\eetu.exe
    C:\WINDOWS\system32\hrgfr\awsfrl.exe
    C:\WINDOWS\system32\sysmonnt.exe
    C:\Program Files\Call Soft Pro\toscservice.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\Program Files\Iomega\Tools\IMGICON.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\WINDOWS\system32\msupd5.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {0FC9268A-4809-7A6A-5E44-DCD031B00160} - C:\WINDOWS\system32\cddryjyz.dll
    O2 - BHO: (no name) - {E9773798-3AC7-C889-7EB0-70BFB3DAA45D} - C:\WINDOWS\system32\qxjbupri.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [rkybc] C:\WINDOWS\system32\rkybc.exe
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Common Files\Roxio Shared\System\DirectCD.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Barry\Application Data\eetu.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
    O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
    O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
    O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
    O16 - DPF: RaptisoftGameLoader - http://miniclips.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
    O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: awsfrlhrgfr - Unknown - C:\WINDOWS\system32\hrgfr\awsfrl.exe
    O23 - Service: Call Soft - Unknown - C:\Program Files\Call Soft Pro\toscservice.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: jmxoezzfrvdc - Unknown - C:\WINDOWS\system32\msupd5.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
     
  6. Cookiegal (Administrator, Malware Specialist Coordinator)

    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {0FC9268A-4809-7A6A-5E44-DCD031B00160} - C:\WINDOWS\system32\cddryjyz.dll

    O2 - BHO: (no name) - {E9773798-3AC7-C889-7EB0-70BFB3DAA45D} - C:\WINDOWS\system32\qxjbupri.dll

    O4 - HKLM\..\Run: [rkybc] C:\WINDOWS\system32\rkybc.exe

    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C

    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1

    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Barry\Application Data\eetu.exe

    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt

    O4 - Startup: PowerReg SchedulerV2.exe

    O15 - Trusted Zone: http://www.neededware.com

    O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB

    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    O23 - Service: awsfrlhrgfr - Unknown - C:\WINDOWS\system32\hrgfr\awsfrl.exe

    O23 - Service: jmxoezzfrvdc - Unknown - C:\WINDOWS\system32\msupd5.exe



    Then boot to safe mode (see how below), locate and delete these files and/or folders:

    C:\WINDOWS\system32\rkybc.exe - file
    C:\Documents and Settings\Barry\Application Data\eetu.exe - file
    C:\WINDOWS\system32\sysmonnt.exe - file
    C:\WINDOWS\system32\hrgfr\awsfrl.exe - file
    C:\WINDOWS\system32\msupd5.exe - file

    How to restart to safe mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Because XP will not always show you hidden files and folders by default, go to Start - Search and under "More advanced search options" make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"

    Now for VX2:

    Click here: http://www.atribune.org/downloads/l2mfix.exe to download L2mfix.

    Save the file to your desktop and double click l2mfix.exe. Read and accept the agreement. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
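    The entries picked out in the post above follow patterns that can be checked mechanically. The script below is an added example, not part of this thread and not part of HijackThis: it parses HijackThis log lines and flags hosts-file redirects to a non-local address (O1), BHOs registered with no name (O2), Run values whose name is a bare GUID/hex string, that launch rundll32 on a path-less hex-named DLL, that run from Application Data, or whose target has no extension (O4), every Winsock LSP file HijackThis does not recognise (O10), every Trusted Zone entry (O15), ActiveX downloads from a host in that zone or with no registered class name (O16), and unknown-vendor services installed into system32 (O23). The sample log is a constructed excerpt of the first log in this thread plus a few legitimate entries as controls; the thresholds (eight hex characters, the system32 rule, the 3-part service split) are assumptions. Entries such as [rkybc] and PowerReg SchedulerV2.exe, which were flagged from experience, are deliberately not caught by these rules, so the output is a review list rather than a verdict.

```python
"""Triage a HijackThis log with the kinds of rules a removal helper applies
by hand. Added example: heuristics only, output is a list for human review."""
import re
from urllib.parse import urlparse

# Constructed excerpt: lines copied from the first log in this thread, plus
# legitimate entries (NvCplDaemon, ctfmon, Adobe LM, NVIDIA) as controls.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {0FC9268A-4809-7A6A-5E44-DCD031B00160} - C:\WINDOWS\system32\cddryjyz.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Barry\Application Data\eetu.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: jmxoezzfrvdc - Unknown - C:\WINDOWS\system32\msupd5.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")          # "O4 - <rest>"
RUN_RE = re.compile(r"^.*?: \[([^\]]+)\]\s*(.*)$")   # "HKLM\..\Run: [Name] command"
HEX_RE = re.compile(r"^[0-9A-F]{8,}$", re.I)          # assumed threshold: 8+ hex chars
GUID_RE = re.compile(r"^[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

def _host(url):
    return (urlparse(url).hostname or url).lower()

def _exe_of(cmd):
    """First token of a Run command, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd.split() else ""

def check_o1(rest, trusted):
    ip, _, host = rest.split(": ", 1)[1].partition(" ")
    return None if ip in LOCAL_IPS else f"hosts file sends {host} to {ip} instead of localhost"

def check_o2(rest, trusted):
    return "BHO registered without a name" if "(no name)" in rest else None

def check_o4(rest, trusted):
    m = RUN_RE.match(rest)
    if not m:
        return None
    name, cmd = m.groups()
    reasons = []
    if GUID_RE.match(name) or HEX_RE.match(name):
        reasons.append("Run value name is a bare GUID/hex string")
    tokens = cmd.split()
    if tokens and tokens[0].lower().startswith("rundll32"):
        dll = tokens[1].split(",")[0] if len(tokens) > 1 else ""
        stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\" not in dll and HEX_RE.match(stem):
            reasons.append("rundll32 loads a path-less hex-named DLL")
    else:
        exe = _exe_of(cmd)
        if "application data" in exe.lower():
            reasons.append("program runs from the user's Application Data folder")
        if exe and "." not in exe.rsplit("\\", 1)[-1]:
            reasons.append("target has no file extension")
    return "; ".join(reasons) or None

def check_o16(rest, trusted):
    head, _, url = rest[len("DPF: "):].rpartition(" - ")
    if _host(url) in trusted:
        return "ActiveX download from a site in the Trusted Zone"
    if head.startswith("{") and "(" not in head:
        return "ActiveX CLSID with no registered class name"
    return None

def check_o23(rest, trusted):
    parts = rest[len("Service: "):].split(" - ")   # name - vendor - path
    if len(parts) >= 3 and parts[-2].lower() == "unknown" and "\\system32\\" in parts[-1].lower():
        return "unknown-vendor service installed into system32"
    return None

CHECKS = {
    "O1": check_o1, "O2": check_o2, "O4": check_o4, "O16": check_o16, "O23": check_o23,
    "O10": lambda rest, trusted: "Winsock LSP file HijackThis does not recognise",
    "O15": lambda rest, trusted: "site placed in IE Trusted Zone (relaxed ActiveX/script rules)",
}

def triage(log_text):
    """Return [(log line, reason)] for entries worth a human look; duplicated
    lines (HijackThis repeats O1/O10 entries) are reported once."""
    lines = list(dict.fromkeys(l.strip() for l in log_text.splitlines() if l.strip()))
    trusted = set()   # O15 hosts, collected first so O16 can cross-reference them
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(1) == "O15":
            trusted.add(_host(m.group(2).split(": ", 1)[1]))
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(1) not in CHECKS:
            continue
        reason = CHECKS[m.group(1)](m.group(2), trusted)
        if reason:
            findings.append((line, reason))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

    Paste a full log into SAMPLE_LOG (or read it from a file) and run the script; each finding prints the reason first and the offending log line beneath it. The O16 check depends on O15 having been seen, which is why trusted hosts are collected in a first pass.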
     
  7. repartist (Thread Starter)

    Hi Cookie,

    I received the following message while running L2mfix

    16 bit ms-dos subsystem
    c:\windows\system32\cnd.exe
    c:\windows\system32\autoexec.nt. The system file is not suitable for running ms-dos and microsoft windows applications. choose 'close' to terminate the application.

    Should it close or ignore?
     
  8. Cookiegal (Administrator, Malware Specialist Coordinator)

    We'll use a different method then.

    Click here: http://forums.techguy.org/attachment.php?attachmentid=46183 to download Find It NT-2K-XP.zip.

    Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

    Download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.

    http://www.downloads.subratam.org/VX2Finder.exe


    Next click here: http://www.downloads.subratam.org/DllCompare.exe to download DLLCompare.zip.

    Save it to your desktop.

    Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, you will see in blue Completed the scan, Click Compare to Continue at which time you will click the Compare button.

    It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.

    In a few minutes it will complete then you will see in blue Completed.
    Click the Make a Log of what was Found button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.

    After you have posted all that info here, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry needed for removal will change, as will some of the file names, and we will have to start all over.
     
  9. repartist

    repartist Thread Starter

    Joined:
    Jan 22, 2005
    Messages:
    26
    I received the same error message as before but it still worked after clicking on close. Here is the log from NT-2k-xp. I will post the log from vx2 finder in a minute.

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\Barry\Desktop\tech guy\Find It NT-2K-XP\Find It NT-2K-XP

    ------- System Files in System32 Directory -------
    Volume in drive C has no label.
    Volume Serial Number is F024-D752

    Directory of C:\WINDOWS\System32

    01/22/2005 03:07 PM 222,925 gp4sl3h71.dll
    01/22/2005 03:06 PM 222,925 VT5DB.DLL
    01/22/2005 03:06 PM 223,183 j8n20i5oe8.dll
    01/22/2005 02:56 PM <DIR> dllcache
    01/21/2005 09:44 AM 226,075 jtps0777e.dll
    01/21/2005 07:41 AM 223,214 u4rule991h.dll
    01/20/2005 09:10 AM 225,311 dn0m01d1e.dll
    01/18/2005 08:00 PM 225,739 nrwdev.dll
    03/02/2004 08:38 AM 32 {64F58932-3E0B-439C-A855-4BFF4492E729}.dat
    03/02/2004 08:37 AM 32 {73447189-DBCE-4C95-9F08-2ECEBF22BF7E}.dat
    03/02/2004 08:37 AM 32 {E15C37EE-99B8-49E0-A6E2-76CB1A477459}.dat
    03/02/2004 08:35 AM 32 {DAEDECDC-3CA9-4618-A869-B5F4F6E4B002}.dat
    03/02/2004 08:35 AM 32 {45CBCE88-C19D-45FD-9287-18E17D4F5A67}.dat
    03/02/2004 08:35 AM 32 {31665DC6-E324-43CF-9CD3-61FE72B732BB}.dat
    03/02/2004 08:33 AM 32 {CEE2F641-623C-4BDB-9E9B-51D06F3B7494}.dat
    02/29/2004 01:55 PM <DIR> Microsoft
    14 File(s) 1,569,596 bytes
    2 Dir(s) 12,803,530,752 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is F024-D752

    Directory of C:\WINDOWS\System32

    01/22/2005 02:56 PM <DIR> dllcache
    05/16/2004 11:35 AM 19 ezirioMeD4
    03/02/2004 08:38 AM 32 {64F58932-3E0B-439C-A855-4BFF4492E729}.dat
    03/02/2004 08:37 AM 32 {73447189-DBCE-4C95-9F08-2ECEBF22BF7E}.dat
    03/02/2004 08:37 AM 32 {E15C37EE-99B8-49E0-A6E2-76CB1A477459}.dat
    03/02/2004 08:35 AM 32 {DAEDECDC-3CA9-4618-A869-B5F4F6E4B002}.dat
    03/02/2004 08:35 AM 32 {45CBCE88-C19D-45FD-9287-18E17D4F5A67}.dat
    03/02/2004 08:35 AM 32 {31665DC6-E324-43CF-9CD3-61FE72B732BB}.dat
    03/02/2004 08:33 AM 32 {CEE2F641-623C-4BDB-9E9B-51D06F3B7494}.dat
    02/29/2004 01:33 PM 488 logonui.exe.manifest
    02/29/2004 01:33 PM 488 WindowsLogon.manifest
    02/29/2004 01:33 PM 749 nwc.cpl.manifest
    02/29/2004 01:33 PM 749 sapi.cpl.manifest
    02/29/2004 01:33 PM 749 wuaucpl.cpl.manifest
    02/29/2004 01:33 PM 749 cdplayer.exe.manifest
    02/29/2004 01:33 PM 749 ncpa.cpl.manifest
    15 File(s) 4,964 bytes
    1 Dir(s) 12,803,526,656 bytes free

    ---------- Files Named "Guard" -------------

    Volume in drive C has no label.
    Volume Serial Number is F024-D752

    Directory of C:\WINDOWS\System32

    01/22/2005 03:11 PM 223,183 guard.tmp
    1 File(s) 223,183 bytes
    0 Dir(s) 12,803,526,656 bytes free

    --------- Temp Files in System32 Directory --------

    Volume in drive C has no label.
    Volume Serial Number is F024-D752

    Directory of C:\WINDOWS\System32

    01/22/2005 03:11 PM 223,183 guard.tmp
    09/22/2004 06:46 PM 5,550,080 setb6.tmp
    09/03/2002 11:29 AM 2,577 CONFIG.TMP
    3 File(s) 5,775,840 bytes
    0 Dir(s) 12,803,522,560 bytes free

    ---------------- User Agent ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{FC62A7D4-0DEE-4BA2-B683-907EA6C8D652}"=""


    ------------ Keys Under Notify ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\j8n20i5oe8.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    ------------------ Locate.com Results ------------------
    ------------ Strings.exe Qoologic Results ------------


    -------------- Strings.exe Aspack Results -------------

    C:\WINDOWS\system32\ngypfn.ex$: .aspack
    C:\WINDOWS\system32\ntdll.dll: .aspack
    C:\WINDOWS\system32\trjscan.trb: .aspack
    C:\WINDOWS\system32\trupd.trb: .aspack
    C:\WINDOWS\system32\vuqygv.dat: .aspack

    ----------------- HKLM Run Key ------------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
    "SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
    "PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
    "IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
    "ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "MaxtorOneTouch"="C:\\PROGRA~1\\Maxtor\\OneTouch\\Utils\\OneTouch.exe"
    "MXO Auto Loader"="C:\\WINDOWS\\MXOALDR.EXE"
    "DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
    "BCMSMMSG"="BCMSMMSG.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "EPSON Stylus Photo R800"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2J1.EXE /P23 \"EPSON Stylus Photo R800\" /O6 \"USB001\" /M \"Stylus Photo R800\""
    "zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"
    "iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "RegisterDropHandler"="C:\\PROGRA~1\\TEXTBR~1.0\\Bin\\REGIST~1.EXE"
    "nwiz"="nwiz.exe /install"
    "Logitech Utility"="Logi_MwX.Exe"
    "InstantAccess"="C:\\PROGRA~1\\TEXTBR~1.0\\Bin\\INSTAN~1.EXE /h"
    "GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
    "DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
    "AdaptecDirectCD"="C:\\Program Files\\Common Files\\Roxio Shared\\System\\DirectCD.exe"
    "TrojanScanner"="C:\\Program Files\\Trojan Remover\\Trjscan.exe"
    "rkybc"="C:\\WINDOWS\\system32\\rkybc.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"
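    The Setup entry under Winlogon\Notify in the log above is the one that stands out: every stock entry names a bare DLL that Windows resolves from system32, while Setup points at an absolute path to a randomly named DLL. As an added example (not part of this thread, Find.bat or VX2Finder), here is a small Python audit that parses a Find.bat-style REGEDIT4 export of the Notify keys, decodes hex(2) DllName values, and flags entries by absolute path, unknown DLL name, or random-looking name. The sample export and the known-good name list are constructed from the stock entries in the log above; the random-name heuristic is an assumption, not a rule either tool uses.

```python
import re
# Constructed REGEDIT4 excerpt in the format Find.bat exports: the Setup entry
# mirrors the suspicious one in the log above, the other two are stock XP entries.
SAMPLE_NOTIFY_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"DllName"="C:\\WINDOWS\\system32\\j8n20i5oe8.dll"
'''
# Bare DLL names used by the stock Notify entries in the log above.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

def decode_reg_value(raw):
    """REGEDIT4 value -> text; hex(2) is a NUL-terminated REG_EXPAND_SZ as hex bytes."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.rstrip(b"\x00").decode("latin-1")
    return raw.strip('"').replace("\\\\", "\\")  # .reg files double every backslash

def looks_random(stem):
    """Assumed heuristic: four or more letter/digit runs, as in j8n20i5oe8 (stock names have one or two)."""
    return len(re.findall(r"[a-z]+|\d+", stem.lower())) >= 4

def classify(dll):
    """Reasons a Notify DllName deserves a closer look; an empty list means it looks stock."""
    base = dll.rsplit("\\", 1)[-1].lower()
    checks = [("absolute path", "\\" in dll),  # stock entries are bare names resolved from system32
              ("unknown dll", base not in KNOWN_NOTIFY_DLLS),
              ("random-looking name", looks_random(base.rsplit(".", 1)[0]))]
    return [label for label, hit in checks if hit]

def audit_notify(export_text):
    """(subkey, dll, reasons) for each flagged Notify entry; assumes single-line values."""
    findings, subkey, dll = [], None, None
    for line in export_text.splitlines() + ["[end]"]:  # sentinel flushes the last key
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if dll and (reasons := classify(dll)):
                findings.append((subkey, dll, reasons))
            subkey, dll = line[1:-1].rsplit("\\", 1)[-1], None
        else:
            m = re.match(r'^"(\w+)"=(.*)$', line)
            if m and m.group(1).lower() == "dllname":
                dll = decode_reg_value(m.group(2))
    return findings
```

Run against the full "Keys Under Notify" section of a Find.bat output, the same audit leaves the ten stock entries alone and reports only Setup.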


    
     
  10. repartist

    repartist Thread Starter

    Joined:
    Jan 22, 2005
    Messages:
    26
    Here's the log from VX2 Finder:

    Log for VX2.BetterInternet File Finder (ALL)

    Files Found---

    Additional Files---

    Keys Under Notify---
    crypt32chain
    cryptnet
    cscdll
    ScCertProp
    Schedule
    sclgntfy
    SensLogn
    Setup
    termsrv
    wlballoon


    Guardian Key--- is called:

    Guardian Key--- :

    User Agent String---
    {FC62A7D4-0DEE-4BA2-B683-907EA6C8D652}
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,315
    First Name:
    Karen
    Do you have your XP CD?

    If you do we can fix that error message and use the first method, which is much easier.
     
  12. repartist

    repartist Thread Starter

    Joined:
    Jan 22, 2005
    Messages:
    26
    I have the XP CD ready!
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,315
    First Name:
    Karen
    When you've completed step 4, as it says, try to install the L2mfix program again and see if it works. If not, continue on with the rest of the steps.

    To resolve this issue:
    1. Insert the CD into the CD drive or DVD drive.
    2. Click Start, and then click Run.
    3. In the Open box, type cmd, and then click OK.
    4. At the command prompt, type the following commands, pressing ENTER after each command:


    expand CD-ROM Drive Letter:\i386\config.nt_ c:\windows\system32\config.nt

    expand CD-ROM Drive Letter:\i386\autoexec.nt_ c:\windows\system32\autoexec.nt

    expand CD-ROM Drive Letter:\i386\command.co_ c:\windows\system32\command.com

    exit

    5. Start or install the program. If the issue is resolved, do not complete the remaining steps. If the issue is not resolved, go to the next step.
    6. Start Notepad. Note: The Command.com file is not edited or created in the following process. Because of this, you may have to expand it from your Windows XP CD-ROM.
    7. In Notepad, type the following entries:

    dos=high, umb
    device=%SYSTEMROOT%\system32\himem.sys
    files=40

    8. On the File menu, click Save As.
    9. In the File Name box, type Config.nt, and then click Save. Close the Config.nt file.
    10. On the File menu, click New.
    11. In the new blank document, type the following entries:

    @echo off
    lh %SYSTEMROOT%\system32\mscdexnt.exe
    lh %SYSTEMROOT%\system32\redir
    lh %SYSTEMROOT%\system32\dosx
    SET BLASTER=A220 I5 D1 P330 T3

    12. On the File menu, click Save As.
    13. In the File Name box, type Autoexec.nt, and then click Save. Close the Autoexec.nt file.
    14. Start Windows Explorer. Locate the Config.nt file, right-click the Config.nt file, and then click Copy.
    15. Right-click the %SYSTEMROOT%\System32 folder, and then click Paste.
    16. Locate the Autoexec.nt file, right-click the Autoexec.nt file, and then click Copy.
    17. Right-click the %SYSTEMROOT%\System32 folder, and then click Paste.
    18. Locate the Command.com file, right-click the expanded Command.com file, and then click Copy.
    19. Right-click the %SYSTEMROOT%\System32 folder, and then click Paste. Restart your computer.
     
  14. repartist

    repartist Thread Starter

    Joined:
    Jan 22, 2005
    Messages:
    26
    I must be doing something wrong. I typed in:

    expand e:\i386\config.nt_c:\windows\system32\config.nt

    The return message was:

    No destination specified for: e:\i386\config.nt_c:\windows\system32\config.nt
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,315
    First Name:
    Karen
    Try this one please and see if it works:

    expand CD-ROM Drive Letter:\i386\autoexec.nt_ c:\windows\system32\autoexec.nt
     
Short URL to this thread: https://techguy.org/322215