-
April 10th, 2005, 08:11 PM
#31
That's what I needed! Good job. Now I can see what to fix - and it appears a lot of it may be gone already.
Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.
Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
Once in Safe Mode, please run Killbox.
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste the following into the top "Full Path of File to Delete" box.
- C:\WINDOWS\System32\ipiprz.exe
Click the red-and-white "Delete File".
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.
Repeat the steps above for this file:
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rkrk.exe
Click "Yes" at the Replace on Reboot prompt.
Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
When your computer reboots, please run Find-Qoologic2.bat again and post the new log here. There will be more to clean up. We'll worry about the L2M when we get this straightened out.
-
April 11th, 2005, 03:43 AM
#32
Junior Member
Here it is, and thanks again :-)
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»
NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
DESKTOP.INI
Microsoft Works Calendar Reminders.lnk
rkrk.exe
User Startup:
C:\Documents and Settings\Molly\Start Menu\Programs\Startup
.
..
DESKTOP.INI
»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
<NO NAME> REG_SZ
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
<NO NAME> REG_SZ {1E2CDF40-419B-11D2-A5A1-002018648BA7}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mnmngyxq
<NO NAME> REG_SZ {693b5c7d-be21-4d71-86a4-440e0e19397c}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
<NO NAME> REG_SZ {6EE51AA0-77A0-11D7-B4E1-000347126E46}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
<NO NAME> REG_SZ {5464D816-CF16-4784-B9F3-75C0DB52B499}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"Find activesetup", version1, launched at: 22:41
Operating System: Windows XP SP2
HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
"cd43e2be-1b71-435c-a64d-b7d83dd5978f\(Default)" = ""
\StubPath = "C:\WINDOWS\system32\dndncam.exe" [null data]
-
April 11th, 2005, 01:53 PM
#33
If you don't feel comfortable reinstalling your Operating System, then I would say leave it to the pros. There can be much more to a reinstall than just slapping a disk in and running the setup.exe file. You may have drivers that need to be installed also. If you have any third party hardware installed then you will most likely need to get the drivers. But after reviewing these posts I see you have a Dell. Running the recovery CD will help you in reformatting your hard drive and starting fresh. Be forewarned that you will lose all data with a format, so back up your data.
Why should you do a fresh install? Well, for one, it can clean up a lot of crap that malware, spyware, and adware ****ed up. Just look at the firewall issue. Reformatting the hard drive will also help free up space that once held old dll files and other files that aren't removed after an uninstall. I suggest to all my customers to get a clean start once a year. P.S. I normally charge $120.00 for a reinstall and $45.00 for a backup. "Easy money" Geek Squad charges more.
-
April 11th, 2005, 06:22 PM
#34
Sorry it's taken me so long to get back to you. I have an illness in the family. If I disappear for a day or so then things here need my attention. If no one else jumps in here, bring your logs to bleepingcomputer.com & link back to this post. They'll help you out there. Hopefully that won't be necessary though.
Please run Notepad and paste the following text into a new file:
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\cd43e2be-1b71-435c-a64d-b7d83dd5978f]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mnmngyxq]
[-HKEY_CLASSES_ROOT\CLSID\{693b5c7d-be21-4d71-86a4-440e0e19397c}]
Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.
Then give me a new HJT log & a new findqoologic2 log.
-
April 12th, 2005, 04:23 AM
#35
Junior Member
Please, there is no need to apologize for taking a while to get back. I feel indebted to you and everybody that is helping me. Believe it or not, this is groundbreaking stuff for me. So, not only am I getting my computer fixed, I am learning a great deal as I go along. I'm also very sorry to hear about illness touching your life. We have had quite a bit of that here in the past several months too. I hope everything is working out okay for you.
I did the operations you prescribed. I didn't shut down or anything before running these scans. Here is the first .....
Logfile of HijackThis v1.99.1
Scan saved at 11:17:15 PM, on 4/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLHOS~1.EXE
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rkrk.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105105845\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ipiprz.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Molly"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...d/install.html
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\kt68l7ju1.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
and the second .......
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
DESKTOP.INI
Microsoft Works Calendar Reminders.lnk
rkrk.exe
User Startup:
C:\Documents and Settings\Molly\Start Menu\Programs\Startup
.
..
DESKTOP.INI
»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
<NO NAME> REG_SZ
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
<NO NAME> REG_SZ {1E2CDF40-419B-11D2-A5A1-002018648BA7}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mnmngyxq
<NO NAME> REG_SZ {693b5c7d-be21-4d71-86a4-440e0e19397c}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
<NO NAME> REG_SZ {6EE51AA0-77A0-11D7-B4E1-000347126E46}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
<NO NAME> REG_SZ {5464D816-CF16-4784-B9F3-75C0DB52B499}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"Find activesetup", version1, launched at: 23:22
Operating System: Windows XP SP2
HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
-
April 16th, 2005, 01:20 PM
#36
Junior Member
Here is a copy of my l2m scan.
Setting Directory
C:\Documents and Settings\Molly\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\Molly\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1660 'explorer.exe'
Killing PID 1660 'explorer.exe'
Killing PID 1660 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1324 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\dn2u01f9e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dwwsockx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fhlemgmt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrr2059oe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i8loli3318.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt40l7hm1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\KZDNE.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l4n4le5q1h.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\notrap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q4nu0e59eh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\dn2u01f9e.dll
Successfully Deleted: C:\WINDOWS\system32\dn2u01f9e.dll
deleting: C:\WINDOWS\system32\dwwsockx.dll
Successfully Deleted: C:\WINDOWS\system32\dwwsockx.dll
deleting: C:\WINDOWS\system32\fhlemgmt.dll
Successfully Deleted: C:\WINDOWS\system32\fhlemgmt.dll
deleting: C:\WINDOWS\system32\hrr2059oe.dll
Successfully Deleted: C:\WINDOWS\system32\hrr2059oe.dll
deleting: C:\WINDOWS\system32\i8loli3318.dll
Successfully Deleted: C:\WINDOWS\system32\i8loli3318.dll
deleting: C:\WINDOWS\system32\kt40l7hm1.dll
Successfully Deleted: C:\WINDOWS\system32\kt40l7hm1.dll
deleting: C:\WINDOWS\system32\KZDNE.DLL
Successfully Deleted: C:\WINDOWS\system32\KZDNE.DLL
deleting: C:\WINDOWS\system32\l4n4le5q1h.dll
Successfully Deleted: C:\WINDOWS\system32\l4n4le5q1h.dll
deleting: C:\WINDOWS\system32\notrap.dll
Successfully Deleted: C:\WINDOWS\system32\notrap.dll
deleting: C:\WINDOWS\system32\q4nu0e59eh.dll
Successfully Deleted: C:\WINDOWS\system32\q4nu0e59eh.dll
deleting: C:\WINDOWS\system32\guard.tmp
Zipping up files for submission:
updating: q4nu0e59eh.dll (164 bytes security) (deflated 5%)
adding: dn2u01f9e.dll (164 bytes security) (deflated 4%)
adding: dwwsockx.dll (164 bytes security) (deflated 4%)
adding: fhlemgmt.dll (164 bytes security) (deflated 5%)
adding: hrr2059oe.dll (164 bytes security) (deflated 4%)
adding: i8loli3318.dll (164 bytes security) (deflated 5%)
adding: kt40l7hm1.dll (164 bytes security) (deflated 5%)
adding: KZDNE.DLL (164 bytes security) (deflated 5%)
adding: l4n4le5q1h.dll (164 bytes security) (deflated 5%)
adding: notrap.dll (164 bytes security) (deflated 4%)
updating: guard.tmp (164 bytes security) (deflated 4%)
updating: clear.reg (164 bytes security) (deflated 37%)
adding: cecho.reg (164 bytes security) (stored 0%)
updating: direct.txt (164 bytes security) (stored 0%)
updating: lo2.txt (164 bytes security) (deflated 79%)
updating: readme.txt (164 bytes security) (deflated 49%)
updating: test.txt (164 bytes security) (deflated 70%)
updating: test2.txt (164 bytes security) (deflated 17%)
updating: test3.txt (164 bytes security) (deflated 17%)
updating: test5.txt (164 bytes security) (deflated 17%)
updating: xfind.txt (164 bytes security) (deflated 62%)
adding: log.txt (164 bytes security) (deflated 85%)
updating: backregs/10D1A8F8-6A26-4046-A5A8-E18F306C1EFF.reg (164 bytes security) (deflated 70%)
updating: backregs/shell.reg (164 bytes security) (deflated 74%)
adding: backregs/ADAE2B38-9C80-4220-A549-28C654834B32.reg (164 bytes security) (deflated 70%)
adding: backregs/CE30184A-E6A2-43A8-8F79-3AA3FA079489.reg (164 bytes security) (deflated 70%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rgaci)) - There is no ACE to remove!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: dn2u01f9e.dll
deleting local copy: dwwsockx.dll
deleting local copy: fhlemgmt.dll
deleting local copy: hrr2059oe.dll
deleting local copy: i8loli3318.dll
deleting local copy: kt40l7hm1.dll
deleting local copy: KZDNE.DLL
deleting local copy: l4n4le5q1h.dll
deleting local copy: notrap.dll
deleting local copy: q4nu0e59eh.dll
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j24o0ch3ef4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dn2u01f9e.dll
C:\WINDOWS\system32\dwwsockx.dll
C:\WINDOWS\system32\fhlemgmt.dll
C:\WINDOWS\system32\hrr2059oe.dll
C:\WINDOWS\system32\i8loli3318.dll
C:\WINDOWS\system32\kt40l7hm1.dll
C:\WINDOWS\system32\KZDNE.DLL
C:\WINDOWS\system32\l4n4le5q1h.dll
C:\WINDOWS\system32\notrap.dll
C:\WINDOWS\system32\q4nu0e59eh.dll
C:\WINDOWS\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{ADAE2B38-9C80-4220-A549-28C654834B32}"=-
"{CE30184A-E6A2-43A8-8F79-3AA3FA079489}"=-
[-HKEY_CLASSES_ROOT\CLSID\{ADAE2B38-9C80-4220-A549-28C654834B32}]
[-HKEY_CLASSES_ROOT\CLSID\{CE30184A-E6A2-43A8-8F79-3AA3FA079489}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
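The Winlogon Notify export above is where the Look2Me infection hides: every stock package loads a bare DLL name from system32, while the added "Extensions" key points at a random-named DLL by full path. As an added example (not part of this thread or of l2mfix), the Python below parses a .reg export in that format, including the hex(2) continuation lines, and reports packages that deviate from a baseline; the BASELINE set and the abbreviated SAMPLE_EXPORT are constructed here from the posted log and are assumptions.

```python
import re

# Stock Windows XP Winlogon notification packages (subkey -> DLL basename).
# Assumption: taken from the stock entries in the export above; extend it
# from a known-clean machine of the same build before relying on it.
BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "wzcnotif": "wzcdlg.dll",
}

NOTIFY_PREFIX = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
                 r"\CurrentVersion\Winlogon\Notify" + "\\")

# Constructed sample: an abbreviated copy of the export in the l2mfix log
# (two stock packages plus the "Extensions" key the infection added).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j24o0ch3ef4.dll"
"Logon"="WinLogon"
'''

def _join_continuations(text):
    """Merge physical lines that end with '\\', the .reg continuation marker."""
    merged, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip() if pending else raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        merged.append(pending + line)
        pending = ""
    return merged

def _decode_value(raw):
    """Decode a .reg value body: quoted string, dword, or hex(N) byte list."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \" and \\ escapes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2", "7"):   # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw

def parse_reg_export(text):
    """Return {key_path: {value_name_lower: value}} for a .reg export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line.partition('"=')
            keys[current][name[1:].lower()] = _decode_value(value)
    return keys

def audit_notify(text):
    """Return (subkey, dll, reason) for each Notify package deviating from BASELINE."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        subkey = key[len(NOTIFY_PREFIX):]
        dll = values.get("dllname")          # value name is case-insensitive
        if not isinstance(dll, str):
            findings.append((subkey, None, "no DllName value"))
            continue
        expected = BASELINE.get(subkey.lower())
        basename = dll.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if expected is None:
            findings.append((subkey, dll, "package not in XP baseline"))
        elif basename != expected:
            findings.append((subkey, dll, "unexpected DLL for known package"))
        elif "\\" in dll:
            findings.append((subkey, dll, "stock package given an explicit path"))
    return findings
```

Run `audit_notify` over a fresh `reg export` of the Notify key after each cleaning pass; an empty list means only baseline packages remain.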
-
April 16th, 2005, 01:34 PM
#37
Junior Member
Logfile of HijackThis v1.99.1
Scan saved at 8:28:49 AM, on 4/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLHOS~1.EXE
C:\Program Files\America Online 9.0a\waol.exe
C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rkrk.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105105845\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ipiprz.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...d/install.html
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\j24o0ch3ef4.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe