TheTechGuide Forum

General Category => Tech Clinic => Topic started by: big frank on March 29, 2005, 08:06:46 PM

Title: Computer Hijacked
Post by: big frank on March 29, 2005, 08:06:46 PM
I've run Spybot, Spy Sweeper, SpySubtract and Ad-Aware and got some things cleaned. I tried to run CWShredder and get an error. I still have I.E. pop open and go to websites on its own. My home page hasn't changed.
I am running Windows XP Pro and IE 6.0.
The HijackThis log looks like this:
Logfile of HijackThis v1.99.1
Scan saved at 7:58:38 PM, on 3/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\system32\vvnlla.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\FRANKW~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cichlid-forum.com/index.php
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vvnlla.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\fp4203hoe.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Thanks in advance,
Frank
Title: Computer Hijacked
Post by: guestolo on March 29, 2005, 08:14:55 PM
Download L2mfix from here

http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Don't restart your computer again until further instructions

Can you also please redownload HijackThis and save it to a permanent folder.
Please read this: http://www.thetechguide.com/forum/index.php?showtopic=14623
I don't need to see an updated HijackThis log yet, but I will soon.
I hope to see it running from a different location than your Temp folder :D
I just need the log from L2mfix for now.
Title: Computer Hijacked
Post by: big frank on March 29, 2005, 10:16:08 PM
Thanks for the help. Here's the L2MFix log:
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrnq0555e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6E29B836-4540-D655-20BB-98B4C44691E0}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{6EE51AA0-77A0-11D7-B4E1-000347126E46}"="Window Washer Shredding Utility"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Explode"
"{F9291142-28DB-4A4F-9866-F902CE89AC35}"=""
"{607C9BB3-AC9F-481C-B13A-C3056828E31B}"=""
"{A55509EF-AD0E-41CC-9FB3-D964E236FEC0}"=""
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"
"{6C8A412E-7A89-4582-816B-133E51C5AB24}"=""
"{E4FC8387-1949-44A5-8447-DD76F28858F0}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F9291142-28DB-4A4F-9866-F902CE89AC35}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F9291142-28DB-4A4F-9866-F902CE89AC35}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F9291142-28DB-4A4F-9866-F902CE89AC35}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F9291142-28DB-4A4F-9866-F902CE89AC35}\InprocServer32]
@="C:\\WINDOWS\\system32\\rbched20.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{607C9BB3-AC9F-481C-B13A-C3056828E31B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{607C9BB3-AC9F-481C-B13A-C3056828E31B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{607C9BB3-AC9F-481C-B13A-C3056828E31B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{607C9BB3-AC9F-481C-B13A-C3056828E31B}\InprocServer32]
@="C:\\WINDOWS\\system32\\sdrialui.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A55509EF-AD0E-41CC-9FB3-D964E236FEC0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A55509EF-AD0E-41CC-9FB3-D964E236FEC0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A55509EF-AD0E-41CC-9FB3-D964E236FEC0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A55509EF-AD0E-41CC-9FB3-D964E236FEC0}\InprocServer32]
@="C:\\WINDOWS\\system32\\czyptdll.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6C8A412E-7A89-4582-816B-133E51C5AB24}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C8A412E-7A89-4582-816B-133E51C5AB24}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C8A412E-7A89-4582-816B-133E51C5AB24}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C8A412E-7A89-4582-816B-133E51C5AB24}\InprocServer32]
@="C:\\WINDOWS\\system32\\MCIMRT32.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E4FC8387-1949-44A5-8447-DD76F28858F0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E4FC8387-1949-44A5-8447-DD76F28858F0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E4FC8387-1949-44A5-8447-DD76F28858F0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E4FC8387-1949-44A5-8447-DD76F28858F0}\InprocServer32]
@="C:\\WINDOWS\\system32\\crcui.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   1803.dll       Tue Mar 29 2005   9:50:52p  A....        150,528   147.00 K
   aaaqq.dll      Mon Mar 28 2005  12:18:52p  A....          4,096     4.00 K
   acl.dll        Tue Mar 29 2005   9:18:58p  ..S.R        234,409   228.91 K
   browseui.dll   Thu Jan 27 2005  12:13:16p  A....      1,016,832   993.00 K
   cdfview.dll    Thu Jan 27 2005  12:13:16p  A....        151,040   147.50 K
   cmdlin~1.dll   Sun Jan  2 2005   4:42:38p  A....         43,520    42.50 K
   crcdll.dll     Tue Mar 29 2005   6:58:44p  ..S.R        234,579   229.08 K
   crcui.dll      Tue Mar 29 2005   9:52:48p  ..S.R        234,597   229.10 K
   czyptdll.dll   Mon Mar 28 2005  12:25:36p  ..S.R        233,135   227.67 K
   delfin.dll     Tue Mar 29 2005   9:50:52p  A....         51,712    50.50 K
   dnpq01~1.dll   Mon Mar 28 2005   1:12:48p  ..S.R        233,573   228.10 K
   durawex.dll    Tue Mar 29 2005   6:05:04p  ..S.R        234,579   229.08 K
   duwave.dll     Mon Mar 28 2005   6:34:24p  ..S.R        235,050   229.54 K
   dxprpres.dll   Tue Mar 29 2005   5:52:02p  ..S.R        235,897   230.37 K
   goldne~1.dll   Wed Feb 16 2005   1:30:14p  A....         61,440    60.00 K
   hr0805~1.dll   Tue Mar 29 2005   5:18:50p  ..S.R        234,552   229.05 K
   hrnq05~1.dll   Tue Mar 29 2005   9:51:48p  ..S.R        234,597   229.10 K
   iepeers.dll    Thu Jan 27 2005  12:13:16p  A....        249,856   244.00 K
   ifxrip.dll     Sun Mar 27 2005   2:41:12p  ..S.R        234,408   228.91 K
   ilssam.dll     Mon Mar 28 2005  12:46:30p  ..S.R        235,107   229.59 K
   inseng.dll     Thu Jan 27 2005  12:13:16p  A....         96,256    94.00 K
   irq.dll        Tue Mar 29 2005   5:25:48p  ..S.R        233,747   228.27 K
   iwput.dll      Mon Mar 28 2005   1:46:56p  ..S.R        234,245   228.75 K
   j46m0e~1.dll   Sun Mar 27 2005  10:05:46a  ..S.R        235,663   230.14 K
   josh400.dll    Mon Mar 28 2005  11:11:14a  ..S.R        234,462   228.96 K
   kqdno1.dll     Tue Mar 29 2005   7:13:46p  .....        235,462   229.94 K
   ktp4l7~1.dll   Tue Mar 29 2005   9:52:48p  ..S.R        236,074   230.54 K
   mcimrt32.dll   Tue Mar 29 2005   7:14:42p  ..S.R        232,759   227.30 K
   mdisip.dll     Mon Mar 28 2005   2:01:48p  ..S.R        233,632   228.16 K
   midad.dll      Wed Jan 26 2005  12:24:24p  A....        356,352   348.00 K
   mpgina.dll     Mon Mar 28 2005  12:54:48p  ..S.R        235,332   229.82 K
   mqls31.dll     Mon Mar 28 2005  11:32:34a  ..S.R        236,187   230.65 K
   mshtml.dll     Thu Jan 27 2005  12:13:18p  A....      3,006,976     2.87 M
   mudmo.dll      Mon Mar 28 2005   6:59:46a  ..S.R        234,408   228.91 K
   mytext40.dll   Mon Mar 28 2005   2:36:12p  ..S.R        236,227   230.69 K
   nwtman.dll     Mon Mar 28 2005  11:13:08a  ..S.R        236,127   230.59 K
   o8nsli~1.dll   Sun Mar 27 2005   9:44:12a  ..S.R        233,248   227.78 K
   ole32.dll      Fri Jan 14 2005   3:55:50a  A....      1,285,120     1.22 M
   olecli32.dll   Fri Jan 14 2005   3:55:50a  A....         74,752    73.00 K
   olecnv32.dll   Fri Jan 14 2005   3:55:50a  A....         37,888    37.00 K
   pncrt.dll      Mon Jan  3 2005   6:46:52p  A....        273,408   267.00 K
   pndx5016.dll   Mon Jan  3 2005   6:46:54p  A....          6,656     6.50 K
   pndx5032.dll   Mon Jan  3 2005   6:46:54p  A....          5,632     5.50 K
   pop317.dll     Sat Mar 19 2005   2:29:18p  A....         53,760    52.50 K
   pzofmap.dll    Sun Mar 27 2005   1:07:54p  ..S.R        235,499   229.98 K
   rbched20.dll   Sun Mar 27 2005  11:17:26a  ..S.R        235,499   229.98 K
   rfched20.dll   Mon Mar 28 2005   6:31:20p  ..S.R        234,576   229.08 K
   rmoc3260.dll   Mon Jan  3 2005   6:46:54p  A....        119,808   117.00 K
   rpcss.dll      Fri Jan 14 2005   3:55:50a  A....        395,776   386.50 K
   rqmkg.dll      Sun Mar 27 2005  10:30:16a  ..SH.            475     0.46 K
   sdrialui.dll   Sun Mar 27 2005   1:25:48p  ..S.R        233,056   227.59 K
   sgobject.dll   Sun Mar 27 2005  10:14:00p  ..S.R        234,462   228.96 K
   shdocvw.dll    Thu Jan 27 2005  12:13:18p  A....      1,483,264     1.41 M
   shlwapi.dll    Thu Jan 27 2005  12:13:18p  A....        473,600   462.50 K
   sporder.dll    Mon Mar 28 2005  12:04:44p  A....          8,464     8.27 K
   svbcsp.dll     Mon Mar 28 2005  12:30:12p  ..S.R        234,438   228.94 K
   ttgbber.dll    Mon Mar 28 2005  12:18:52p  A....         27,136    26.50 K
   urlmon.dll     Thu Jan 27 2005  12:13:18p  A....        607,744   593.50 K
   uvimdmat.dll   Mon Mar 28 2005  11:21:32a  ..S.R        234,462   228.96 K
   vyumn.dll      Sun Mar 27 2005  10:29:48a  A..H.            106     0.10 K
   wcweb.dll      Sun Mar 27 2005   1:59:52p  ..S.R        233,056   227.59 K
   wininet.dll    Thu Jan 27 2005  12:13:18p  A....        656,896   641.50 K
   winup2~1.dll   Sun Mar 27 2005   9:53:12a  A....          5,632     5.50 K

63 items found:  63 files (35 H/S), 0 directories.
   Total of file sizes:  18,681,829 bytes     17.81 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 447A-C7F6

 Directory of C:\WINDOWS\System32

03/29/2005  10:10 PM    <DIR>          dllcache
03/29/2005  09:52 PM           234,597 crcui.dll
03/29/2005  09:52 PM           236,074 ktp4l77q1.dll
03/29/2005  09:51 PM           234,597 hrnq0555e.dll
03/29/2005  09:18 PM           234,409 acl.dll
03/29/2005  07:14 PM           232,759 MCIMRT32.DLL
03/29/2005  06:58 PM           234,579 crcdll.dll
03/29/2005  06:05 PM           234,579 durawex.dll
03/29/2005  05:52 PM           235,897 dxprpres.dll
03/29/2005  05:25 PM           233,747 irq.dll
03/29/2005  05:18 PM           234,552 hr0805due.dll
03/28/2005  06:34 PM           235,050 duwave.dll
03/28/2005  06:31 PM           234,576 rfched20.dll
03/28/2005  02:36 PM           236,227 mytext40.dll
03/28/2005  02:01 PM           233,632 mdisip.dll
03/28/2005  01:46 PM           234,245 iwput.dll
03/28/2005  01:12 PM           233,573 dnpq0175e.dll
03/28/2005  12:54 PM           235,332 mpgina.dll
03/28/2005  12:46 PM           235,107 iLssam.dll
03/28/2005  12:30 PM           234,438 svbcsp.dll
03/28/2005  12:25 PM           233,135 czyptdll.dll
03/28/2005  11:32 AM           236,187 mqls31.dll
03/28/2005  11:21 AM           234,462 uvimdmat.dll
03/28/2005  11:13 AM           236,127 nwtman.dll
03/28/2005  11:11 AM           234,462 josh400.dll
03/28/2005  06:59 AM           234,408 mudmo.dll
03/27/2005  10:13 PM           234,462 sgobject.dll
03/27/2005  02:41 PM           234,408 ifxrip.dll
03/27/2005  01:59 PM           233,056 wcweb.dll
03/27/2005  01:25 PM           233,056 sdrialui.dll
03/27/2005  01:07 PM           235,499 pzofmap.dll
03/27/2005  11:17 AM           235,499 rbched20.dll
03/27/2005  10:30 AM               475 rqmkg.dll
03/27/2005  10:05 AM           235,663 j46m0ej1eho.dll
03/27/2005  09:44 AM           233,248 o8nsli5718.dll
12/17/2004  05:44 AM    <DIR>          Microsoft
              34 File(s)      7,742,117 bytes
               2 Dir(s)  113,966,882,816 bytes free
Title: Computer Hijacked
Post by: guestolo on March 29, 2005, 10:19:58 PM
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

[color=red]IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so![/color]

NOTE: After restart, L2MFIX finishes scanning for files >> give this time to finish.
If a text file doesn't open, run the "second.bat" located inside the L2mfix folder.
Title: Computer Hijacked
Post by: big frank on March 30, 2005, 03:08:38 PM
Here's the l2mfix log. I'll post the HijackThis log in the next post because of the length.
Frank



L2Mfix 1.03
 
Running From:
C:\Documents and Settings\Frank Wishinsky\Desktop\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Read           BUILTIN\Power Users
(ID-IO) ALLOW  Read           BUILTIN\Power Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------      BUILTIN\Administrators
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Read           BUILTIN\Power Users
(ID-IO) ALLOW  Read           BUILTIN\Power Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Documents and Settings\Frank Wishinsky\Desktop\l2mfix
System Rebooted!
 
Running From:
C:\Documents and Settings\Frank Wishinsky\Desktop\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1320 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1408 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\acl.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\crcdll.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\crcui.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\czyptdll.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnpq0175e.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\durawex.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\duwave.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dxprpres.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hr0805due.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ifxrip.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iLssam.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\irq.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iwput.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j46m0ej1eho.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\josh400.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kqdno1.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktp4l77q1.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MCIMRT32.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdisip.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mpgina.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mqls31.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mudmo.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mytext40.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nulanui.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nwtman.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o8nsli5718.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pzofmap.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rbched20.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rfched20.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sdrialui.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sgobject.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\svbcsp.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uvimdmat.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wcweb.dll
        1 file(s) copied.
deleting: C:\WINDOWS\system32\acl.dll  
Successfully Deleted: C:\WINDOWS\system32\acl.dll
deleting: C:\WINDOWS\system32\crcdll.dll  
Successfully Deleted: C:\WINDOWS\system32\crcdll.dll
deleting: C:\WINDOWS\system32\crcui.dll  
Successfully Deleted: C:\WINDOWS\system32\crcui.dll
deleting: C:\WINDOWS\system32\czyptdll.dll  
Successfully Deleted: C:\WINDOWS\system32\czyptdll.dll
deleting: C:\WINDOWS\system32\dnpq0175e.dll  
Successfully Deleted: C:\WINDOWS\system32\dnpq0175e.dll
deleting: C:\WINDOWS\system32\durawex.dll  
Successfully Deleted: C:\WINDOWS\system32\durawex.dll
deleting: C:\WINDOWS\system32\duwave.dll  
Successfully Deleted: C:\WINDOWS\system32\duwave.dll
deleting: C:\WINDOWS\system32\dxprpres.dll  
Successfully Deleted: C:\WINDOWS\system32\dxprpres.dll
deleting: C:\WINDOWS\system32\hr0805due.dll  
Successfully Deleted: C:\WINDOWS\system32\hr0805due.dll
deleting: C:\WINDOWS\system32\ifxrip.dll  
Successfully Deleted: C:\WINDOWS\system32\ifxrip.dll
deleting: C:\WINDOWS\system32\iLssam.dll  
Successfully Deleted: C:\WINDOWS\system32\iLssam.dll
deleting: C:\WINDOWS\system32\irq.dll  
Successfully Deleted: C:\WINDOWS\system32\irq.dll
deleting: C:\WINDOWS\system32\iwput.dll  
Successfully Deleted: C:\WINDOWS\system32\iwput.dll
deleting: C:\WINDOWS\system32\j46m0ej1eho.dll  
Successfully Deleted: C:\WINDOWS\system32\j46m0ej1eho.dll
deleting: C:\WINDOWS\system32\josh400.dll  
Successfully Deleted: C:\WINDOWS\system32\josh400.dll
deleting: C:\WINDOWS\system32\kqdno1.dll  
Successfully Deleted: C:\WINDOWS\system32\kqdno1.dll
deleting: C:\WINDOWS\system32\ktp4l77q1.dll  
Successfully Deleted: C:\WINDOWS\system32\ktp4l77q1.dll
deleting: C:\WINDOWS\system32\MCIMRT32.DLL  
Successfully Deleted: C:\WINDOWS\system32\MCIMRT32.DLL
deleting: C:\WINDOWS\system32\mdisip.dll  
Successfully Deleted: C:\WINDOWS\system32\mdisip.dll
deleting: C:\WINDOWS\system32\mpgina.dll  
Successfully Deleted: C:\WINDOWS\system32\mpgina.dll
deleting: C:\WINDOWS\system32\mqls31.dll  
Successfully Deleted: C:\WINDOWS\system32\mqls31.dll
deleting: C:\WINDOWS\system32\mudmo.dll  
Successfully Deleted: C:\WINDOWS\system32\mudmo.dll
deleting: C:\WINDOWS\system32\mytext40.dll  
Successfully Deleted: C:\WINDOWS\system32\mytext40.dll
deleting: C:\WINDOWS\system32\nulanui.dll  
Successfully Deleted: C:\WINDOWS\system32\nulanui.dll
deleting: C:\WINDOWS\system32\nwtman.dll  
Successfully Deleted: C:\WINDOWS\system32\nwtman.dll
deleting: C:\WINDOWS\system32\o8nsli5718.dll  
Successfully Deleted: C:\WINDOWS\system32\o8nsli5718.dll
deleting: C:\WINDOWS\system32\pzofmap.dll  
Successfully Deleted: C:\WINDOWS\system32\pzofmap.dll
deleting: C:\WINDOWS\system32\rbched20.dll  
Successfully Deleted: C:\WINDOWS\system32\rbched20.dll
deleting: C:\WINDOWS\system32\rfched20.dll  
Successfully Deleted: C:\WINDOWS\system32\rfched20.dll
deleting: C:\WINDOWS\system32\sdrialui.dll  
Successfully Deleted: C:\WINDOWS\system32\sdrialui.dll
deleting: C:\WINDOWS\system32\sgobject.dll  
Successfully Deleted: C:\WINDOWS\system32\sgobject.dll
deleting: C:\WINDOWS\system32\svbcsp.dll  
Successfully Deleted: C:\WINDOWS\system32\svbcsp.dll
deleting: C:\WINDOWS\system32\uvimdmat.dll  
Successfully Deleted: C:\WINDOWS\system32\uvimdmat.dll
deleting: C:\WINDOWS\system32\wcweb.dll  
Successfully Deleted: C:\WINDOWS\system32\wcweb.dll
 
 
Zipping up files for submission:
  adding: acl.dll (164 bytes security) (deflated 5%)
  adding: crcdll.dll (164 bytes security) (deflated 5%)
  adding: crcui.dll (164 bytes security) (deflated 5%)
  adding: czyptdll.dll (164 bytes security) (deflated 4%)
  adding: dnpq0175e.dll (164 bytes security) (deflated 5%)
  adding: durawex.dll (164 bytes security) (deflated 5%)
  adding: duwave.dll (164 bytes security) (deflated 5%)
  adding: dxprpres.dll (164 bytes security) (deflated 6%)
  adding: hr0805due.dll (164 bytes security) (deflated 5%)
  adding: ifxrip.dll (164 bytes security) (deflated 5%)
  adding: iLssam.dll (164 bytes security) (deflated 5%)
  adding: irq.dll (164 bytes security) (deflated 5%)
  adding: iwput.dll (164 bytes security) (deflated 5%)
  adding: j46m0ej1eho.dll (164 bytes security) (deflated 5%)
  adding: josh400.dll (164 bytes security) (deflated 5%)
  adding: kqdno1.dll (164 bytes security) (deflated 5%)
  adding: ktp4l77q1.dll (164 bytes security) (deflated 6%)
  adding: MCIMRT32.DLL (164 bytes security) (deflated 4%)
  adding: mdisip.dll (164 bytes security) (deflated 5%)
  adding: mpgina.dll (164 bytes security) (deflated 5%)
  adding: mqls31.dll (164 bytes security) (deflated 6%)
  adding: mudmo.dll (164 bytes security) (deflated 5%)
  adding: mytext40.dll (164 bytes security) (deflated 6%)
  adding: nulanui.dll (164 bytes security) (deflated 5%)
  adding: nwtman.dll (164 bytes security) (deflated 6%)
  adding: o8nsli5718.dll (164 bytes security) (deflated 4%)
  adding: pzofmap.dll (164 bytes security) (deflated 5%)
  adding: rbched20.dll (164 bytes security) (deflated 5%)
  adding: rfched20.dll (164 bytes security) (deflated 5%)
  adding: sdrialui.dll (164 bytes security) (deflated 4%)
  adding: sgobject.dll (164 bytes security) (deflated 5%)
  adding: svbcsp.dll (164 bytes security) (deflated 5%)
  adding: uvimdmat.dll (164 bytes security) (deflated 5%)
  adding: wcweb.dll (164 bytes security) (deflated 4%)
  adding: clear.reg (164 bytes security) (deflated 56%)
  adding: echo.reg (164 bytes security) (deflated 9%)
  adding: direct.txt (164 bytes security) (stored 0%)
  adding: lo2.txt (164 bytes security) (deflated 85%)
  adding: readme.txt (164 bytes security) (deflated 49%)
  adding: report.txt (164 bytes security) (deflated 68%)
  adding: test.txt (164 bytes security) (deflated 83%)
  adding: test2.txt (164 bytes security) (deflated 38%)
  adding: test3.txt (164 bytes security) (deflated 38%)
  adding: test5.txt (164 bytes security) (deflated 38%)
  adding: xfind.txt (164 bytes security) (deflated 77%)
  adding: backregs/607C9BB3-AC9F-481C-B13A-C3056828E31B.reg (164 bytes security) (deflated 70%)
  adding: backregs/6C8A412E-7A89-4582-816B-133E51C5AB24.reg (164 bytes security) (deflated 70%)
  adding: backregs/A55509EF-AD0E-41CC-9FB3-D964E236FEC0.reg (164 bytes security) (deflated 70%)
  adding: backregs/E4FC8387-1949-44A5-8447-DD76F28858F0.reg (164 bytes security) (deflated 70%)
  adding: backregs/F9291142-28DB-4A4F-9866-F902CE89AC35.reg (164 bytes security) (deflated 70%)
  adding: backregs/shell.reg (164 bytes security) (deflated 73%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Read           BUILTIN\Power Users
(ID-IO) ALLOW  Read           BUILTIN\Power Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
deleting local copy: acl.dll  
deleting local copy: crcdll.dll  
deleting local copy: crcui.dll  
deleting local copy: czyptdll.dll  
deleting local copy: dnpq0175e.dll  
deleting local copy: durawex.dll  
deleting local copy: duwave.dll  
deleting local copy: dxprpres.dll  
deleting local copy: hr0805due.dll  
deleting local copy: ifxrip.dll  
deleting local copy: iLssam.dll  
deleting local copy: irq.dll  
deleting local copy: iwput.dll  
deleting local copy: j46m0ej1eho.dll  
deleting local copy: josh400.dll  
deleting local copy: kqdno1.dll  
deleting local copy: ktp4l77q1.dll  
deleting local copy: MCIMRT32.DLL  
deleting local copy: mdisip.dll  
deleting local copy: mpgina.dll  
deleting local copy: mqls31.dll  
deleting local copy: mudmo.dll  
deleting local copy: mytext40.dll  
deleting local copy: nulanui.dll  
deleting local copy: nwtman.dll  
deleting local copy: o8nsli5718.dll  
deleting local copy: pzofmap.dll  
deleting local copy: rbched20.dll  
deleting local copy: rfched20.dll  
deleting local copy: sdrialui.dll  
deleting local copy: sgobject.dll  
deleting local copy: svbcsp.dll  
deleting local copy: uvimdmat.dll  
deleting local copy: wcweb.dll  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\acl.dll
C:\WINDOWS\system32\crcdll.dll
C:\WINDOWS\system32\crcui.dll
C:\WINDOWS\system32\czyptdll.dll
C:\WINDOWS\system32\dnpq0175e.dll
C:\WINDOWS\system32\durawex.dll
C:\WINDOWS\system32\duwave.dll
C:\WINDOWS\system32\dxprpres.dll
C:\WINDOWS\system32\hr0805due.dll
C:\WINDOWS\system32\ifxrip.dll
C:\WINDOWS\system32\iLssam.dll
C:\WINDOWS\system32\irq.dll
C:\WINDOWS\system32\iwput.dll
C:\WINDOWS\system32\j46m0ej1eho.dll
C:\WINDOWS\system32\josh400.dll
C:\WINDOWS\system32\kqdno1.dll
C:\WINDOWS\system32\ktp4l77q1.dll
C:\WINDOWS\system32\MCIMRT32.DLL
C:\WINDOWS\system32\mdisip.dll
C:\WINDOWS\system32\mpgina.dll
C:\WINDOWS\system32\mqls31.dll
C:\WINDOWS\system32\mudmo.dll
C:\WINDOWS\system32\mytext40.dll
C:\WINDOWS\system32\nulanui.dll
C:\WINDOWS\system32\nwtman.dll
C:\WINDOWS\system32\o8nsli5718.dll
C:\WINDOWS\system32\pzofmap.dll
C:\WINDOWS\system32\rbched20.dll
C:\WINDOWS\system32\rfched20.dll
C:\WINDOWS\system32\sdrialui.dll
C:\WINDOWS\system32\sgobject.dll
C:\WINDOWS\system32\svbcsp.dll
C:\WINDOWS\system32\uvimdmat.dll
C:\WINDOWS\system32\wcweb.dll
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F9291142-28DB-4A4F-9866-F902CE89AC35}"=-
"{607C9BB3-AC9F-481C-B13A-C3056828E31B}"=-
"{A55509EF-AD0E-41CC-9FB3-D964E236FEC0}"=-
"{6C8A412E-7A89-4582-816B-133E51C5AB24}"=-
"{E4FC8387-1949-44A5-8447-DD76F28858F0}"=-
[-HKEY_CLASSES_ROOT\CLSID\{F9291142-28DB-4A4F-9866-F902CE89AC35}]
[-HKEY_CLASSES_ROOT\CLSID\{607C9BB3-AC9F-481C-B13A-C3056828E31B}]
[-HKEY_CLASSES_ROOT\CLSID\{A55509EF-AD0E-41CC-9FB3-D964E236FEC0}]
[-HKEY_CLASSES_ROOT\CLSID\{6C8A412E-7A89-4582-816B-133E51C5AB24}]
[-HKEY_CLASSES_ROOT\CLSID\{E4FC8387-1949-44A5-8447-DD76F28858F0}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Title: Computer Hijacked
Post by: big frank on March 30, 2005, 03:14:10 PM
Here's the new HijackThis log.
Thanks, Frank
Logfile of HijackThis v1.99.1
Scan saved at 3:11:24 PM, on 3/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\system32\vvnlla.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\hijack\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cichlid-forum.com/index.php
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vvnlla.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
Title: Computer Hijacked
Post by: guestolo on March 30, 2005, 03:22:24 PM
Let's try the following

Open Hijackthis>>Open Misc tools section>>Open Process manager
Highlight and Kill this process
C:\WINDOWS\system32\vvnlla.exe

Back in Hijackthis>>Misc tools section>>Click the "Delete file on Reboot" button

Copy and paste the line directly below in bold to the "File Name" box

C:\WINDOWS\system32\vvnlla.exe
Click the OPEN button
You should get a prompt that the file will be Deleted on Reboot
and you must Restart your computer
Don't restart yet

Instead
Do another scan with Hijackthis and put a check next to these entries:

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vvnlla.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer
Make sure this file is gone, if not delete it
C:\WINDOWS\system32\vvnlla.exe <-file

Post back a fresh Hijackthis log afterwards

EDIT>>added "R3 - Default URLSearchHook is missing" to the fix with Hijackthis
Minor overlook, but if you haven't started the last set of instructions, please include it
Thanks
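One way to automate the triage guestolo just did by eye, as an added example that is not part of this thread or of HijackThis itself: a small Python script that parses HijackThis 1.99-style log lines (the sample below is constructed from the entries quoted in this thread) and flags the hosts-file redirects, the missing URLSearchHook, and the auto-start launched from system32, noting whether that binary is currently running (which is why it had to be killed before the delete-on-reboot). The "system32 plus unrelated value name" rule is a heuristic assumed by this example, not a HijackThis rule.

```python
"""Triage of HijackThis-style log lines (added example, not the thread's own tooling)."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample, assembled from the log lines quoted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\vvnlla.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cichlid-forum.com/index.php
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vvnlla.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)\s*$")
RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] "?(.+?)"?\s*$')
SYS32_EXE_RE = re.compile(r'\\windows\\system32\\([^\\\s"]+\.exe)', re.IGNORECASE)


def running_images(log_text):
    """Lowercased basenames listed under 'Running processes:' (block ends at a blank line)."""
    images = set()
    in_block = False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            images.add(line.strip().rsplit("\\", 1)[-1].lower())
    return images


def triage(log_text):
    """Return (tag, detail) findings for the three patterns fixed in this thread."""
    findings = []
    procs = running_images(log_text)
    redirects = defaultdict(list)  # ip -> hostnames the hosts file points at it

    for line in log_text.splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            try:
                addr = ip_address(ip)
            except ValueError:
                addr = None
            # Legitimate blocklists map hosts to loopback/unspecified addresses;
            # search hostnames pointed at a routable address are a redirect.
            if addr is None or not (addr.is_loopback or addr.is_unspecified):
                redirects[ip].append(host)
            continue
        if line == "R3 - Default URLSearchHook is missing":
            findings.append(("R3", "default URLSearchHook removed; restore it via Fix Checked"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            exe = SYS32_EXE_RE.search(cmd)
            if not exe:
                continue
            base = exe.group(1).lower()
            stem = base.rsplit(".", 1)[0]
            # Heuristic (assumption of this example): an auto-start living in
            # system32 whose value name is unrelated to its file name deserves a look.
            if name.lower() not in base and stem not in name.lower():
                findings.append(("O4", f"{hive} Run [{name}] -> {base} "
                                       f"(running now: {base in procs})"))

    for ip, hosts in redirects.items():
        findings.append(("O1", f"{len(hosts)} hosts entries redirect to {ip}: "
                               + ", ".join(hosts)))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG):
        print(tag, detail)
```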
Title: Computer Hijacked
Post by: Guest on March 30, 2005, 06:01:06 PM
OK, I ran HijackThis and followed your instructions, though I missed the edit part at the bottom. Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 5:48:07 PM, on 3/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nntc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cichlid-forum.com/index.php
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vvnlla.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

I found these files when I was looking through the folders.
I don't ever recall seeing them before; what are they?


C:\WINDOWS\$hf_mig$
C:\WINDOWS\$NtUninstallKB834707$
C:\WINDOWS\$NtUninstallKB867282$
C:\WINDOWS\$NtUninstallKB873333$
C:\WINDOWS\$NtUninstallKB873339$
C:\WINDOWS\$NtUninstallKB885250$
C:\WINDOWS\$NtUninstallKB885835$
C:\WINDOWS\$NtUninstallKB885836$
C:\WINDOWS\$NtUninstallKB886185$
C:\WINDOWS\$NtUninstallKB887472$
C:\WINDOWS\$NtUninstallKB888113$
C:\WINDOWS\$NtUninstallKB888302$
C:\WINDOWS\$NtUninstallKB890047$
C:\WINDOWS\$NtUninstallKB890175$
C:\WINDOWS\$NtUninstallKB891781$
Title: Computer Hijacked
Post by: big frank on March 30, 2005, 06:06:10 PM
I forgot to log in the last post. I am new to xp pro and those files I posted at the end of the log are new. Is that spyware/adware?
Thanks, Frank
Title: Computer Hijacked
Post by: guestolo on March 30, 2005, 06:15:49 PM
Don't worry about those other files you see that you don't normally see; they're usually hidden.
Let's worry about the infection.

Can you download and save to desktop
[attachment=101:attachment]
UNZIP the contents within to Desktop so you now have a Find-Qoologic folder on your desktop
Open the folder
Double click on Find-Qoologic2.bat
Let this run
A log will be produced, post it back here
Title: Computer Hijacked
Post by: big frank on March 30, 2005, 06:54:01 PM
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»
 
* urllogic C:\WINDOWS\JJKVV.DLL

* ad-beh C:\WINDOWS\System32\AAAQQ.DLL
* ad-beh C:\WINDOWS\System32\TTGBBER.DLL
* ad-beh C:\WINDOWS\System32\WINUP2~1.DLL
* ad-beh C:\WINDOWS\System32\BBOQQXM.EXE
* ad-beh C:\WINDOWS\System32\VVNLLA.EXE
* ad-behNior.com  C:\WINDOWS\System32\PPVYY.DAT
* ad-behNior.com  C:\WINDOWS\System32\WMCONFIG.CPL

* ad-beh C:\WINDOWS\UNADBEH.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»  

* exe  C:\docume~1\alluse~1\startm~1\programs\startup\NNTC.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»

 Using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
 .
 ..
 desktop.ini
 nntc.exe
 SpySubtract.lnk

User Startup:
C:\Documents and Settings\Frank Wishinsky\Start Menu\Programs\Startup
 .
 ..
 desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»  

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    <NO NAME>   REG_SZ   

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ffqkksxg
    <NO NAME>   REG_SZ   {e2c359ce-5fa1-4a7f-a0ab-024252a20cd9}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
    <NO NAME>   REG_SZ   {BDA77241-42F6-11d0-85E2-00AA001FE28C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    <NO NAME>   REG_SZ   {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    <NO NAME>   REG_SZ   {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    <NO NAME>   REG_SZ   {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
    <NO NAME>   REG_SZ   {6EE51AA0-77A0-11D7-B4E1-000347126E46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    <NO NAME>   REG_SZ   Start Menu Pin
 
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
"Find activesetup", version1, launched at: 18:48
Operating System: Windows XP SP2


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
                                        \StubPath   = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
"c038842b-b244-4df5-9c00-7f247d127d12\(Default)" = ""
                                     \StubPath   = "C:\WINDOWS\system32\bboqqxm.exe" [null data]

»»»»»»»»»»»»»»»»»»»»»»»» File read Error »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
**File C:\DOCUME~1\FRANKW~1\Desktop\FIND_Q~1\FIND-Q~1\LIST.TXT
 
Heres the next list,
Frank
Title: Computer Hijacked
Post by: guestolo on March 30, 2005, 07:34:32 PM
Can you do me a favor
Print out these instructions or save them to a Notepad file

Create a new folder on your desktop
Right click an empty spot and select NEW>>FOLDER
Name it Backup

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop, we'll need this later, don't run it yet

Code: [Select]
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{c038842b-b244-4df5-9c00-7f247d127d12}]

[-HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{c038842b-b244-4df5-9c00-7f247d127d12}]

[-HKEY_CLASSES_ROOT\CLSID\{c038842b-b244-4df5-9c00-7f247d127d12}]

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ffqkksxg]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e2c359ce-5fa1-4a7f-a0ab-024252a20cd9}]

Important
RESTART into SAFE MODE

Find and MOVE these files to the backup folder on the desktop
Left click and Drag them over, Don't copy and paste them because we just want to have them in the backup folder for backup purposes, but not left in the folders they're now found in

These are the files to drag over
C:\WINDOWS\System32\AAAQQ.DLL
C:\WINDOWS\System32\TTGBBER.DLL
C:\WINDOWS\System32\WINUP2~1.DLL
C:\WINDOWS\System32\BBOQQXM.EXE
C:\WINDOWS\System32\VVNLLA.EXE
 C:\WINDOWS\System32\PPVYY.DAT
C:\WINDOWS\System32\WMCONFIG.CPL
C:\WINDOWS\UNADBEH.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nntc.exe

When that's done
Do another scan with Hijackthis and put a check next to these entries:

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vvnlla.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on fix.reg and allow to merge to the registry

Restart back to Normal mode

Post back a fresh Hijackthis log
Also run FindQoogic.bat again and post a fresh log
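A .reg file merges silently once double-clicked, so it is worth seeing exactly what it will do first. The parser below is an added example (not code from the thread or from any of the tools it mentions): it reads a REGEDIT4 / Version 5.00 file, lists every key and value it would delete or create, and flags deletions broad enough to remove a whole hive or top-level subtree. The fix.reg posted above is embedded as the constructed sample, and the depth threshold in broad_deletions is my own assumption.

```python
"""List what a .reg file will delete or create before it is merged.
Added example, not code from the thread or its tools."""
import re

# Constructed sample: the fix.reg posted in the thread above (REGEDIT4 format).
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{c038842b-b244-4df5-9c00-7f247d127d12}]

[-HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{c038842b-b244-4df5-9c00-7f247d127d12}]

[-HKEY_CLASSES_ROOT\CLSID\{c038842b-b244-4df5-9c00-7f247d127d12}]

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ffqkksxg]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e2c359ce-5fa1-4a7f-a0ab-024252a20cd9}]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")
# "name"=data sets a named value; @=data sets the key's (Default) value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Return (action, key, value_name, data) tuples: action is one of
    delete_key, create_key, delete_value, set_value."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # hex data continues on the next line
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    if not joined or joined[0] not in HEADERS:
        raise ValueError("not a REGEDIT4 / Version 5.00 registry file")
    actions, key = [], None
    for line in joined[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            delete = body.startswith("-")   # [-KEY] deletes the whole subtree
            key = body[1:] if delete else body
            if key.split("\\", 1)[0] not in HIVES:
                raise ValueError("unknown hive in key: " + key)
            actions.append(("delete_key" if delete else "create_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError("unparseable line: " + line)
        name = "(Default)" if m.group(2) else m.group(1)
        if m.group(3) == "-":               # "name"=- removes that value
            actions.append(("delete_value", key, name, None))
        else:
            actions.append(("set_value", key, name, m.group(3)))
    return actions


def broad_deletions(actions, min_depth=3):
    """Key deletions with fewer than min_depth path components (assumed
    threshold): a malware fix never needs to remove a hive or top-level subtree."""
    return [key for act, key, _, _ in actions
            if act == "delete_key" and len(key.split("\\")) < min_depth]
```

Run parse_reg on a downloaded fix before merging it; an empty broad_deletions result and a list of keys that match the ones named in the instructions is what you expect to see.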
Title: Computer Hijacked
Post by: big frank on March 30, 2005, 09:41:16 PM
Here's the hijack log. I couldn't find the file: system32\winup2~1.dll
I did find system32\winup2date.dll and moved it into the backup file.
Logfile of HijackThis v1.99.1
Scan saved at 9:37:14 PM, on 3/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijack\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\MSOffice\Winword\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cichlid-forum.com/index.php
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
Title: Computer Hijacked
Post by: big frank on March 30, 2005, 09:45:29 PM
Here's the Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»
 
* urllogic C:\WINDOWS\JJKVV.DLL


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»  


»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»

 Using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
 .
 ..
 desktop.ini
 SpySubtract.lnk

User Startup:
C:\Documents and Settings\Frank Wishinsky\Start Menu\Programs\Startup
 .
 ..
 desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»  

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    <NO NAME>   REG_SZ   

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
    <NO NAME>   REG_SZ   {BDA77241-42F6-11d0-85E2-00AA001FE28C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    <NO NAME>   REG_SZ   {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    <NO NAME>   REG_SZ   {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    <NO NAME>   REG_SZ   {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
    <NO NAME>   REG_SZ   {6EE51AA0-77A0-11D7-B4E1-000347126E46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    <NO NAME>   REG_SZ   Start Menu Pin
 
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
"Find activesetup", version1, launched at: 21:42
Operating System: Windows XP SP2


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
                                        \StubPath   = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

»»»»»»»»»»»»»»»»»»»»»»»» File read Error »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
**File C:\DOCUME~1\FRANKW~1\Desktop\FIND_Q~1\FIND-Q~1\LIST.TXT
Title: Computer Hijacked
Post by: guestolo on March 30, 2005, 09:49:42 PM
Good work Frank

Sorry, I didn't extend the name to read
winup2date.dll
But you figured it out

Can you find and delete this file
C:\WINDOWS\JJKVV.DLL <-file

I missed it last time

Restart your computer one more time

Run FindQoogic.bat one last time and post back the log
Could you also supply me with one last hijackthis log, thanks
Title: Computer Hijacked
Post by: big frank on March 30, 2005, 10:08:38 PM
Here's the Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»
 


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»  


»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»

 Using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
 .
 ..
 desktop.ini
 SpySubtract.lnk

User Startup:
C:\Documents and Settings\Frank Wishinsky\Start Menu\Programs\Startup
 .
 ..
 desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»  

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    <NO NAME>   REG_SZ   

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
    <NO NAME>   REG_SZ   {BDA77241-42F6-11d0-85E2-00AA001FE28C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    <NO NAME>   REG_SZ   {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    <NO NAME>   REG_SZ   {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    <NO NAME>   REG_SZ   {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
    <NO NAME>   REG_SZ   {6EE51AA0-77A0-11D7-B4E1-000347126E46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    <NO NAME>   REG_SZ   Start Menu Pin
 
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
"Find activesetup", version1, launched at: 22:03
Operating System: Windows XP SP2


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
                                        \StubPath   = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

»»»»»»»»»»»»»»»»»»»»»»»» File read Error »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
**File C:\DOCUME~1\FRANKW~1\Desktop\FIND_Q~1\FIND-Q~1\LIST.TXT
Title: Computer Hijacked
Post by: big frank on March 30, 2005, 10:10:46 PM
and the hijack
Logfile of HijackThis v1.99.1
Scan saved at 10:08:27 PM, on 3/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cichlid-forum.com/index.php
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
Title: Computer Hijacked
Post by: guestolo on March 30, 2005, 10:28:19 PM
Frank, that's all looking good now
We have some minor cleanup, but some, not all of the files found bad by L2Mfix were removed

As a double check you may want to try the following
Download this virus checker from eScan
Mwav.exe (ftp://ftp.microworldsystems.com/download/tools/mwav.exe)
There's nothing to install, save it and then double click to run
It will self extract

Temporarily disable Norton's AV

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL and the C" keys on your Keyboard to copy all found in the lower pane and save it to a notepad file

****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

I'll leave the above at your option, but it's a free scan and very thorough
Title: Computer Hijacked
Post by: big frank on March 30, 2005, 10:30:54 PM
Appears to be running well.
Thanks I couldn't have done it without your help
Title: Computer Hijacked
Post by: guestolo on March 30, 2005, 10:34:34 PM
Frank, I hope you decide to run that virus checker

If not, please do the following
You should clear your System Restore points
disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Title: Computer Hijacked
Post by: Guest on March 30, 2005, 10:48:22 PM
Thanks for the extra tips in the last post.
Frank
Title: Computer Hijacked
Post by: guestolo on April 03, 2005, 12:06:03 AM
Locking this topic as your problems appear resolved
If you need it reopened, please PM a Mod or the site Admin
Supply a link to this thread

Take Care :)