Author Topic: Persistent VX2 problem  (Read 3298 times)

Offline Watchman_987

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
Persistent VX2 problem
« on: March 14, 2005, 10:26:28 AM »
I've been reading these forums quite a bit the past couple of days and have pretty much downloaded most of the tools to remove what I think was the VX2 (newer version). I've got it down to the point where the only issue remaining is that a new registry directory/key keeps being added in the Winlogon/Notify section, running a new DLL in the system32 folder.

I've run the following:

Ad-Aware SE
Spy Bot
Spy Sweeper
l2mfix
kill2me
TDS-3
Norton's
VX2Find
CWShredder


All come up clean except for VX2Find and HijackThis. The following two logs are from VX2Find and HijackThis:


Code:
Files Found---


Guardian Key--- is called:
Asynchronous 000
DllName
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Shutdown WinShutdown

User Agent String---
{782117A7-F846-94C0-C408-3F250AC614A8}


Logfile of HijackThis v1.99.1
Scan saved at 8:17:57 AM, on 3/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\cc\Desktop\REmoval\vx2finder.exe
C:\Program Files\NoteTab Pro\NotePro.exe
C:\Documents and Settings\cc\My Documents\Documents\Programs\Hijack_this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\dnnq0155e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

As a further note, I cannot locate any guard.tmp file. I have made certain all hidden files are viewable and have done countless searches on variations of the name and by date (last accessed), all to no avail. Yet the symptoms of the added registry keys and the elusive changing DLL in system32 keep occurring.



I appreciate any help anyone can give me with this.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Persistent VX2 problem
« Reply #1 on: March 14, 2005, 11:20:06 PM »
I'm not sure what you tried, but if you haven't tried this yet, please do.

Download L2mfix from here:

http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Can you post this log anyway? Thanks.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Watchman_987

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
Persistent VX2 problem
« Reply #2 on: March 15, 2005, 08:20:25 AM »
I really appreciate you taking the time to help me here.

The following is the result of the log from l2mfix

Code:
L2MFIX find log 1.02b
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l46o0ej3eho.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{42B3D3FA-40C6-BC2E-D70E-7B0EE216FAD4}"=""

********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{336B02CE-F88A-4aea-8731-79EF94D3723A}"="Free AOL & Unlimited Internet.url"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{57C9D926-056E-45D7-9D44-CE8D98A69476}"=""
"{52303D83-FD27-4FCF-9FFF-97AAC024F29D}"=""

********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{57C9D926-056E-45D7-9D44-CE8D98A69476}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{57C9D926-056E-45D7-9D44-CE8D98A69476}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{57C9D926-056E-45D7-9D44-CE8D98A69476}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{57C9D926-056E-45D7-9D44-CE8D98A69476}\InprocServer32]
@="C:\\WINDOWS\\system32\\ioircl.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{52303D83-FD27-4FCF-9FFF-97AAC024F29D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52303D83-FD27-4FCF-9FFF-97AAC024F29D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52303D83-FD27-4FCF-9FFF-97AAC024F29D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52303D83-FD27-4FCF-9FFF-97AAC024F29D}\InprocServer32]
@="C:\\WINDOWS\\system32\\jrsd400.dll"
"ThreadingModel"="Apartment"

********************************************************************************
**
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   bqdispl.dll    Thu Mar 10 2005  12:34:40p  ..S.R        232,808   227.35 K
   ceyptui.dll    Thu Mar 10 2005   4:54:24p  ..S.R        232,556   227.11 K
   cxmsvcs.dll    Mon Mar 14 2005  10:00:34a  ..S.R        234,558   229.06 K
   debugg.dll     Mon Mar  7 2005   9:55:32a  A....              0     0.00 K
   dz3j.dll       Thu Mar 10 2005   4:47:38p  ..S.R        235,408   229.89 K
   en88l1~1.dll   Thu Mar 10 2005   4:06:52p  ..S.R        233,164   227.70 K
   gccoll~1.dll   Fri Dec 31 2004   3:00:00p  A....        134,880   131.72 K
   gcmd5q~1.dll   Mon Jan 10 2005   9:21:20p  A....         10,752    10.50 K
   gcunco~1.dll   Fri Dec 31 2004   1:14:32p  A....        130,272   127.22 K
   hashlib.dll    Fri Dec 31 2004   3:00:00p  A....         81,120    79.22 K
   ikcvid.dll     Fri Mar 11 2005   7:52:00a  ..S.R        234,748   229.25 K
   il50_qcx.dll   Fri Mar 11 2005   7:37:54a  ..S.R        233,944   228.46 K
   ioircl.dll     Fri Mar 11 2005   7:09:14a  ..S.R        232,556   227.11 K
   ipsutil.dll    Mon Mar 14 2005   9:25:32a  ..S.R        232,824   227.37 K
   iwsecsnp.dll   Thu Mar 10 2005   5:27:14p  ..S.R        236,260   230.72 K
   jrsd400.dll    Mon Mar 14 2005   4:57:10p  ..S.R        233,188   227.72 K
   k280lc~1.dll   Fri Mar 11 2005   6:10:50p  ..S.R        233,150   227.68 K
   kadnec.dll     Thu Mar 10 2005   7:59:42a  ..S.R        233,732   228.25 K
   kcuser.dll     Mon Mar 14 2005   7:08:02a  ..S.R        234,718   229.21 K
   ksdmac.dll     Fri Mar 11 2005   8:00:02a  ..S.R        234,764   229.26 K
   l46o0e~1.dll   Mon Mar 14 2005  10:13:48a  ..S.R        233,188   227.72 K
   lebfcur.dll    Mon Mar 14 2005   8:07:16a  ..S.R        235,659   230.13 K
   lzxlmpm.dll    Thu Mar 10 2005   7:52:42a  ..S.R        232,736   227.28 K
   mlvcr71.dll    Fri Mar 11 2005   7:32:40a  ..S.R        234,792   229.29 K
   mqihnd.dll     Fri Mar 11 2005   7:46:40a  ..S.R        234,213   228.72 K
   muaatext.dll   Fri Mar 11 2005   9:41:50a  ..S.R        233,150   227.68 K
   mv8ql9~1.dll   Thu Mar 10 2005  12:16:36p  ..S.R        234,397   228.90 K
   mvn2l9~1.dll   Thu Mar 10 2005   9:38:42a  ..S.R        232,853   227.39 K
   mvpol9~1.dll   Thu Mar 10 2005   5:45:48p  ..S.R        233,935   228.45 K
   nawrssl.dll    Thu Mar 10 2005   3:46:40p  ..S.R        233,180   227.71 K
   nbrszhc.dll    Fri Mar 11 2005   8:23:46a  ..S.R        236,003   230.47 K
   ntwrsru.dll    Fri Mar 11 2005   6:12:12p  ..S.R        234,718   229.21 K
   o684lg~1.dll   Mon Mar 14 2005   4:57:10p  ..S.R        234,674   229.17 K
   paofmap.dll    Thu Mar 10 2005   9:45:12a  ..S.R        235,596   230.07 K
   pdlstore.dll   Thu Mar 10 2005   4:51:36p  ..S.R        235,804   230.28 K
   pirfdisk.dll   Tue Mar  8 2005   5:29:26p  ..S.R        232,736   227.28 K
   pyrfproc.dll   Tue Mar  8 2005   5:29:20p  ..S.R        232,736   227.28 K
   rccres.dll     Thu Mar 10 2005   4:44:38p  ..S.R        235,122   229.61 K
   rzched20.dll   Fri Mar 11 2005   7:55:48a  ..S.R        234,213   228.72 K
   s32evnt1.dll   Mon Dec 20 2004   6:58:18p  A....         83,664    81.70 K
   skrio600.dll   Thu Mar 10 2005   9:38:42a  ..S.R        235,596   230.07 K
   smlights.dll   Thu Mar 10 2005   1:43:22p  ..S.R        233,787   228.30 K
   snc.dll        Thu Mar 10 2005   1:02:00p  ..S.R        233,446   227.97 K
   swndmail.dll   Fri Mar 11 2005   7:27:14a  ..S.R        233,944   228.46 K
   symneti.dll    Fri Jan 21 2005  10:31:54p  A....        513,752   501.71 K
   symredir.dll   Fri Jan 21 2005  10:31:52p  A....        141,016   137.71 K
   syrialui.dll   Thu Mar 10 2005   1:57:24p  ..S.R        234,917   229.41 K
   tjd32.dll      Thu Mar 10 2005   1:17:00p  ..S.R        233,787   228.30 K
   tvkwks.dll     Thu Mar 10 2005   5:45:50p  ..S.R        232,556   227.11 K
   ukrv42a.dll    Mon Mar 14 2005  10:13:48a  ..S.R        232,824   227.37 K
   wssdmoe2.dll   Thu Mar 10 2005   3:48:52p  ..S.R        235,122   229.61 K

51 items found:  51 files (43 H/S), 0 directories.
   Total of file sizes:  11,159,518 bytes     10.64 M
Locate .tmp files:

No matches found.
********************************************************************************
**
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is C8DC-65E8

 Directory of C:\WINDOWS\System32

03/14/2005  04:57 PM           233,188 jrsd400.dll
03/14/2005  04:57 PM           234,674 o684lglq16qe.dll
03/14/2005  10:13 AM           232,824 ukrv42a.dll
03/14/2005  10:13 AM           233,188 l46o0ej3eho.dll
03/14/2005  10:00 AM           234,558 cxmsvcs.dll
03/14/2005  09:25 AM           232,824 ipsutil.dll
03/14/2005  08:07 AM           235,659 LEBFCUR.DLL
03/14/2005  07:08 AM           234,718 kcuser.dll
03/11/2005  06:12 PM           234,718 ntwrsru.dll
03/11/2005  06:10 PM           233,150 k280lclm1fqa.dll
03/11/2005  09:41 AM           233,150 muaatext.dll
03/11/2005  08:23 AM           236,003 nbrszhc.dll
03/11/2005  08:00 AM           234,764 ksdmac.dll
03/11/2005  07:55 AM           234,213 rzched20.dll
03/11/2005  07:51 AM           234,748 ikcvid.dll
03/11/2005  07:46 AM           234,213 mqihnd.dll
03/11/2005  07:37 AM           233,944 il50_qcx.dll
03/11/2005  07:32 AM           234,792 mlvcr71.dll
03/11/2005  07:27 AM           233,944 swndmail.dll
03/11/2005  07:09 AM           232,556 ioircl.dll
03/10/2005  05:45 PM           232,556 tvkwks.dll
03/10/2005  05:45 PM           233,935 mvpol9731.dll
03/10/2005  05:27 PM           236,260 iwsecsnp.dll
03/10/2005  04:54 PM           232,556 ceyptui.dll
03/10/2005  04:51 PM           235,804 pdlstore.dll
03/10/2005  04:47 PM           235,408 dz3j.dll
03/10/2005  04:44 PM           235,122 RCCRES.dll
03/10/2005  04:06 PM           233,164 en88l1lu1.dll
03/10/2005  03:48 PM           235,122 wssdmoe2.dll
03/10/2005  03:46 PM           233,180 nawrssl.dll
03/10/2005  01:57 PM           234,917 syrialui.dll
03/10/2005  01:43 PM           233,787 SMLights.dll
03/10/2005  01:16 PM           233,787 tjd32.dll
03/10/2005  01:01 PM           233,446 snc.dll
03/10/2005  12:58 PM    <DIR>          dllcache
03/10/2005  12:34 PM           232,808 bqdispl.dll
03/10/2005  12:16 PM           234,397 mv8ql9l51.dll
03/10/2005  09:45 AM           235,596 paofmap.dll
03/10/2005  09:38 AM           235,596 skrio600.dll
03/10/2005  09:38 AM           232,853 mvn2l95o1.dll
03/10/2005  07:59 AM           233,732 kadnec.dll
03/10/2005  07:52 AM           232,736 lzxlmpm.dll
03/08/2005  05:29 PM           232,736 pirfdisk.dll
03/08/2005  05:29 PM           232,736 pyrfproc.dll
08/13/2003  08:32 AM    <DIR>          Microsoft
              43 File(s)     10,064,062 bytes
               2 Dir(s)  82,689,544,192 bytes free

Here is what I've discovered; note this key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]

That last directory called \Setup just got created, in fact there is a whole list of names that keep getting recreated there all linking to that DLL file which also keeps changing. Each time I go in and delete that directory and all the sub keys, then delete that DLL file, they all return and I cannot seem to pinpoint what is re-creating them.

Just some additional information, not sure if it's useful or not.
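
As an added example (not part of this thread and not l2mfix's own code), here is a Python script that parses a Winlogon\Notify export in the .reg format the l2mfix log above uses, including dword: values and the hex(2): strings that l2mfix prints for stock packages, and flags subkeys showing the pattern visible in these logs: a DllName given as a full path into system32, where the stock entries use a bare file name, together with handler exports named WinLogon/WinLogoff/WinShutdown. The sample registry text, the heuristics and the function names are constructed for this example; the Setup entry in the sample copies the one posted above.

```python
"""Triage a Winlogon\\Notify registry export for the pattern shown in this thread.

Added example: not part of the thread and not l2mfix's own code. It parses the
.reg text that the logs above use (quoted strings, dword: and hex(2): values,
including hex lines continued with a trailing backslash) and flags Notify
subkeys that look like the thread's Setup entry: a DllName that is a full
path into system32, and handler exports named WinLogon/WinLogoff/WinShutdown.
"""
import re

# Constructed sample in the same format as the l2mfix "Winlogon/notify" section.
# crypt32chain and cscdll are stock XP packages; "Setup" copies the thread's entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l46o0ej3eho.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
'''

NOTIFY_ROOT = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
GENERIC_EXPORTS = {'winlogon', 'winlogoff', 'winshutdown'}   # seen in the thread's bad entries
EVENT_VALUES = {'logon', 'logoff', 'shutdown', 'startshell', 'lock', 'unlock', 'startup'}
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')


def decode_value(raw):
    """Decode one .reg right-hand side: "string", dword:hex, or hex:/hex(2): byte lists."""
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    if raw.startswith('hex'):
        kind, _, body = raw.partition(':')
        data = bytes(int(b, 16) for b in body.split(',') if b.strip())
        if kind == 'hex(2)':                        # REG_EXPAND_SZ stored as UTF-16LE
            return data.decode('utf-16-le').rstrip('\x00')
        return data
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        raw = m.group('raw')
        while raw.endswith('\\') and i < len(lines):   # hex value continued on next line
            raw = raw[:-1] + lines[i].strip()
            i += 1
        keys[current][m.group('name')] = decode_value(raw)
    return keys


def triage_notify(keys):
    """Flag Notify subkeys matching the thread's pattern; returns a list of findings."""
    findings, prefix = [], NOTIFY_ROOT.lower() + '\\'
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        lowered = {k.lower(): v for k, v in values.items()}   # value names are case-insensitive
        dll = lowered.get('dllname', '')
        reasons = []
        if isinstance(dll, str) and '\\' in dll:
            reasons.append('DllName is an absolute path; stock packages use a bare file name')
        exports = {str(v).lower() for k, v in lowered.items() if k in EVENT_VALUES}
        if exports and exports <= GENERIC_EXPORTS:
            reasons.append('handler exports are the generic WinLogon/WinLogoff/WinShutdown set')
        if reasons:
            findings.append({'subkey': path[len(prefix):], 'dll': dll, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for hit in triage_notify(parse_reg(SAMPLE_REG)):
        print(f"{hit['subkey']}: {hit['dll']}")
        for reason in hit['reasons']:
            print('   -', reason)
```

To run it against a live system instead of the constructed sample, export the key with `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and open the file with `encoding='utf-16'`, since reg.exe writes its export as UTF-16 with a byte-order mark. The two checks are heuristics drawn from this thread's logs, not a signature: a hit means the entry deserves a look, and the stock packages (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn) should come through with no findings.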

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Persistent VX2 problem
« Reply #3 on: March 15, 2005, 08:12:10 PM »
I want to ensure you do this:

Close any programs you have open since this step requires a reboot.
Open L2Mfix and run l2mfix.bat
Select option #4 and then press Enter

Select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

Note: once the PC has restarted, if a text file does not open, run "second.bat", located inside the L2mfix folder.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
« Last Edit: March 15, 2005, 08:13:44 PM by guestolo »



Offline Watchman_987

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
Persistent VX2 problem
« Reply #4 on: March 16, 2005, 07:54:04 AM »
Thanks for the continued follow-up!

I've followed your instructions with one variation. After running the second.bat file (the first one did not open the text file), the guard.tmp file appeared in the system32 folder. I deleted that file.

The following are the two logs:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kt0sl7d71.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

Followed by the HijackThis log:
Code:
Logfile of HijackThis v1.99.1
Scan saved at 7:48:07 AM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\cc\My Documents\Documents\Programs\Hijack_this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\fp6803jue.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
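
The registry export above is the raw material for a check a responder would want to automate. The rogue entry is the one Notify subkey whose DllName is a full path to a randomly named DLL in system32 and whose handler exports are the generic names WinLogon/WinLogoff/WinShutdown; every stock package in the same export uses a bare DLL name and descriptive export names, and the rogue subkey's own name changes too (Explorer in this export, Controls Folder in the O20 line of the HijackThis log). The following Python script is an added example, not code from L2Mfix, VX2Find, HijackThis or anyone in this thread. It parses a regedit 5.00 export, decodes hex(2) (REG_EXPAND_SZ, UTF-16LE) values, and flags any Notify subkey that does not match an allowlist of stock Windows XP SP2 packages. That allowlist, and the embedded sample export (constructed from three of the entries posted above), are assumptions made for the example, not an authoritative Microsoft list.

```python
"""Offline triage of a regedit 5.00 export of HKLM\\...\\Winlogon\\Notify.

Added example for this thread; not code from L2Mfix, VX2Find or HijackThis.
The allowlist below is an assumption built from the clean XP SP2 entries in
the export above; extend it for other Windows builds before relying on it.
"""
import re
import sys

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")

# Assumed allowlist: stock XP SP2 subkey (lower-case) -> DllName it carries.
KNOWN_XP_NOTIFY = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll", "wzcnotif": "wzcdlg.dll",
}
EVENT_NAMES = {"Logon", "Logoff", "Shutdown", "Startup", "StartShell",
               "PostShell", "Lock", "Unlock", "ScreenSaver", "StartScreenSaver",
               "StopScreenSaver", "Disconnect", "Reconnect"}
# Export names used by the rogue entry; stock packages use names such as
# WinlogonLogonEvent or TSEventLogon.
GENERIC_HANDLERS = {"WinLogon", "WinLogoff", "WinShutdown"}


def _unescape(s):
    """Undo the backslash escaping regedit applies inside quoted strings."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def _decode_value(raw):
    """Turn the right-hand side of a "name"=... line into a Python value."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2", "7"):      # SZ / EXPAND_SZ / MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data                             # REG_BINARY and friends
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a regedit 5.00 export."""
    joined = []
    for line in text.splitlines():              # fold "...,\" continuations
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.rstrip())
    keys, current = {}, None
    for line in joined:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, raw = line.partition("=")
            name = "@" if name == "@" else _unescape(name.strip('"'))
            keys[current][name] = _decode_value(raw)
    return keys


def triage_notify(keys):
    """Return [(subkey, dllname, [reasons])] for suspicious Notify packages."""
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        sub = path[len(NOTIFY_PREFIX):]
        if "\\" in sub:                          # nested key, not a package
            continue
        dll = str(next((v for k, v in values.items()
                        if k.lower() == "dllname"), ""))
        reasons = []
        expected = KNOWN_XP_NOTIFY.get(sub.lower())
        if expected is None:
            reasons.append("subkey is not in the assumed stock XP SP2 list")
        elif dll.lower() != expected:
            reasons.append(f"DllName {dll!r} differs from expected {expected!r}")
        if "\\" in dll or "/" in dll:
            reasons.append("DllName is a full path; stock packages use a bare "
                           "name resolved from system32")
        handlers = {str(v) for k, v in values.items() if k in EVENT_NAMES}
        if handlers & GENERIC_HANDLERS:
            reasons.append("handler exports use the generic "
                           "WinLogon/WinLogoff/WinShutdown names")
        if reasons:
            findings.append((sub, dll, reasons))
    return findings


def report(findings):
    lines = []
    for sub, dll, reasons in findings:
        lines.append(f"[!] Notify\\{sub} -> {dll}")
        lines.extend(f"      - {r}" for r in reasons)
    return "\n".join(lines) or "no suspicious Notify packages"


def load_export(path):
    """regedit writes UTF-16 with a BOM; pasted logs are plain 8-bit text."""
    raw = open(path, "rb").read()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
    return raw.decode(enc)


# Constructed sample: three entries in the shape of the export above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kt0sl7d71.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
'''


def run_sample():
    return triage_notify(parse_reg_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    print(report(triage_notify(parse_reg_export(text))))
```

Run it with the path to a .reg export as the only argument, or with no arguments to triage the embedded sample. Because the check describes what a stock package looks like rather than matching the random file name, it still fires after the DLL and subkey are renamed on the next reboot, which is exactly what happens between this export and the L2Mfix find log posted later in the thread.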

Offline guestolo

Persistent VX2 problem
« Reply #5 on: March 16, 2005, 10:08:52 AM »
Watchman, L2Mfix has been updated.
I'm on my way to work.

But could I get you to delete your version of L2Mfix?

Redownload it, please, and reinstall.
Download L2mfix from here

http://www.atribune.org/downloads/l2mfix.exe


Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.



Offline Watchman_987

Persistent VX2 problem
« Reply #6 on: March 16, 2005, 10:33:48 AM »
Hi, I've removed my existing L2MFix and replaced it with the version in your previous post. I've also run another HijackThis log.

L2MFIX find log 1.03
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr6m05j1e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E73EDE8B-5A10-D4CB-B4C5-7D11228C70D7}"=""

********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{336B02CE-F88A-4aea-8731-79EF94D3723A}"="Free AOL & Unlimited Internet.url"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}"=""
"{C9FB244E-D8B1-4B77-9C3B-78684680793F}"=""

********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}\InprocServer32]
@="C:\\WINDOWS\\system32\\uwlmon.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C9FB244E-D8B1-4B77-9C3B-78684680793F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C9FB244E-D8B1-4B77-9C3B-78684680793F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C9FB244E-D8B1-4B77-9C3B-78684680793F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C9FB244E-D8B1-4B77-9C3B-78684680793F}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

********************************************************************************
**
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   bqdispl.dll    Thu Mar 10 2005  12:34:40p  ..S.R        232,808   227.35 K
   ceyptui.dll    Thu Mar 10 2005   4:54:24p  ..S.R        232,556   227.11 K
   cxmsvcs.dll    Mon Mar 14 2005  10:00:34a  ..S.R        234,558   229.06 K
   debugg.dll     Mon Mar  7 2005   9:55:32a  A....              0     0.00 K
   dkmclien.dll   Tue Mar 15 2005   2:30:44p  ..S.R        233,036   227.57 K
   dz3j.dll       Thu Mar 10 2005   4:47:38p  ..S.R        235,408   229.89 K
   en88l1~1.dll   Thu Mar 10 2005   4:06:52p  ..S.R        233,164   227.70 K
   gccoll~1.dll   Fri Dec 31 2004   3:00:00p  A....        134,880   131.72 K
   gcmd5q~1.dll   Mon Jan 10 2005   9:21:20p  A....         10,752    10.50 K
   gcunco~1.dll   Fri Dec 31 2004   1:14:32p  A....        130,272   127.22 K
   hashlib.dll    Fri Dec 31 2004   3:00:00p  A....         81,120    79.22 K
   hr6m05~1.dll   Wed Mar 16 2005   7:40:08a  ..S.R        233,741   228.26 K
   ikcvid.dll     Fri Mar 11 2005   7:52:00a  ..S.R        234,748   229.25 K
   il50_qcx.dll   Fri Mar 11 2005   7:37:54a  ..S.R        233,944   228.46 K
   ioircl.dll     Fri Mar 11 2005   7:09:14a  ..S.R        232,556   227.11 K
   ipsutil.dll    Mon Mar 14 2005   9:25:32a  ..S.R        232,824   227.37 K
   iwsecsnp.dll   Thu Mar 10 2005   5:27:14p  ..S.R        236,260   230.72 K
   jrsd400.dll    Mon Mar 14 2005   4:57:10p  ..S.R        233,188   227.72 K
   k280lc~1.dll   Fri Mar 11 2005   6:10:50p  ..S.R        233,150   227.68 K
   kadnec.dll     Thu Mar 10 2005   7:59:42a  ..S.R        233,732   228.25 K
   kcuser.dll     Mon Mar 14 2005   7:08:02a  ..S.R        234,718   229.21 K
   ksdmac.dll     Fri Mar 11 2005   8:00:02a  ..S.R        234,764   229.26 K
   lebfcur.dll    Mon Mar 14 2005   8:07:16a  ..S.R        235,659   230.13 K
   lzxlmpm.dll    Thu Mar 10 2005   7:52:42a  ..S.R        232,736   227.28 K
   mlvcr71.dll    Fri Mar 11 2005   7:32:40a  ..S.R        234,792   229.29 K
   mnmxsdk.dll    Wed Mar 16 2005   7:16:08a  ..S.R        233,741   228.26 K
   mqihnd.dll     Fri Mar 11 2005   7:46:40a  ..S.R        234,213   228.72 K
   muaatext.dll   Fri Mar 11 2005   9:41:50a  ..S.R        233,150   227.68 K
   mv8ql9~1.dll   Thu Mar 10 2005  12:16:36p  ..S.R        234,397   228.90 K
   mvn2l9~1.dll   Thu Mar 10 2005   9:38:42a  ..S.R        232,853   227.39 K
   mvpol9~1.dll   Thu Mar 10 2005   5:45:48p  ..S.R        233,935   228.45 K
   mzrd3x40.dll   Wed Mar 16 2005   8:14:56a  ..S.R        233,741   228.26 K
   nawrssl.dll    Thu Mar 10 2005   3:46:40p  ..S.R        233,180   227.71 K
   nbrszhc.dll    Fri Mar 11 2005   8:23:46a  ..S.R        236,003   230.47 K
   ntwrsru.dll    Fri Mar 11 2005   6:12:12p  ..S.R        234,718   229.21 K
   paofmap.dll    Thu Mar 10 2005   9:45:12a  ..S.R        235,596   230.07 K
   pdlstore.dll   Thu Mar 10 2005   4:51:36p  ..S.R        235,804   230.28 K
   pirfdisk.dll   Tue Mar  8 2005   5:29:26p  ..S.R        232,736   227.28 K
   pyrfproc.dll   Tue Mar  8 2005   5:29:20p  ..S.R        232,736   227.28 K
   r2p80c~1.dll   Wed Mar 16 2005   8:14:56a  ..S.R        234,613   229.11 K
   rccres.dll     Thu Mar 10 2005   4:44:38p  ..S.R        235,122   229.61 K
   rzched20.dll   Fri Mar 11 2005   7:55:48a  ..S.R        234,213   228.72 K
   s32evnt1.dll   Mon Dec 20 2004   6:58:18p  A....         83,664    81.70 K
   skrio600.dll   Thu Mar 10 2005   9:38:42a  ..S.R        235,596   230.07 K
   smlights.dll   Thu Mar 10 2005   1:43:22p  ..S.R        233,787   228.30 K
   snc.dll        Thu Mar 10 2005   1:02:00p  ..S.R        233,446   227.97 K
   swndmail.dll   Fri Mar 11 2005   7:27:14a  ..S.R        233,944   228.46 K
   symneti.dll    Fri Jan 21 2005  10:31:54p  A....        513,752   501.71 K
   symredir.dll   Fri Jan 21 2005  10:31:52p  A....        141,016   137.71 K
   syrialui.dll   Thu Mar 10 2005   1:57:24p  ..S.R        234,917   229.41 K
   tjd32.dll      Thu Mar 10 2005   1:17:00p  ..S.R        233,787   228.30 K
   tvkwks.dll     Thu Mar 10 2005   5:45:50p  ..S.R        232,556   227.11 K
   ukrv42a.dll    Mon Mar 14 2005  10:13:48a  ..S.R        232,824   227.37 K
   uwlmon.dll     Wed Mar 16 2005   7:41:12a  ..S.R        233,036   227.57 K
   wssdmoe2.dll   Thu Mar 10 2005   3:48:52p  ..S.R        235,122   229.61 K

55 items found:  55 files (47 H/S), 0 directories.
   Total of file sizes:  12,093,564 bytes     11.53 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
   guard.tmp      Wed Mar 16 2005   8:17:30a  ..S.R        233,741   228.26 K

1 item found:  1 file (1 H/S), 0 directories.
   Total of file sizes:  233,741 bytes    228.26 K
**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is C8DC-65E8

 Directory of C:\WINDOWS\System32

03/16/2005  08:17 AM           233,741 guard.tmp
03/16/2005  08:14 AM           233,741 mzrd3x40.dll
03/16/2005  08:14 AM           234,613 r2p80c7uef.dll
03/16/2005  07:41 AM           233,036 uwlmon.dll
03/16/2005  07:40 AM           233,741 hr6m05j1e.dll
03/16/2005  07:16 AM           233,741 mnmxsdk.dll
03/15/2005  02:30 PM           233,036 dkmclien.dll
03/14/2005  04:57 PM           233,188 jrsd400.dll
03/14/2005  10:13 AM           232,824 ukrv42a.dll
03/14/2005  10:00 AM           234,558 cxmsvcs.dll
03/14/2005  09:25 AM           232,824 ipsutil.dll
03/14/2005  08:07 AM           235,659 LEBFCUR.DLL
03/14/2005  07:08 AM           234,718 kcuser.dll
03/11/2005  06:12 PM           234,718 ntwrsru.dll
03/11/2005  06:10 PM           233,150 k280lclm1fqa.dll
03/11/2005  09:41 AM           233,150 muaatext.dll
03/11/2005  08:23 AM           236,003 nbrszhc.dll
03/11/2005  08:00 AM           234,764 ksdmac.dll
03/11/2005  07:55 AM           234,213 rzched20.dll
03/11/2005  07:51 AM           234,748 ikcvid.dll
03/11/2005  07:46 AM           234,213 mqihnd.dll
03/11/2005  07:37 AM           233,944 il50_qcx.dll
03/11/2005  07:32 AM           234,792 mlvcr71.dll
03/11/2005  07:27 AM           233,944 swndmail.dll
03/11/2005  07:09 AM           232,556 ioircl.dll
03/10/2005  05:45 PM           232,556 tvkwks.dll
03/10/2005  05:45 PM           233,935 mvpol9731.dll
03/10/2005  05:27 PM           236,260 iwsecsnp.dll
03/10/2005  04:54 PM           232,556 ceyptui.dll
03/10/2005  04:51 PM           235,804 pdlstore.dll
03/10/2005  04:47 PM           235,408 dz3j.dll
03/10/2005  04:44 PM           235,122 RCCRES.dll
03/10/2005  04:06 PM           233,164 en88l1lu1.dll
03/10/2005  03:48 PM           235,122 wssdmoe2.dll
03/10/2005  03:46 PM           233,180 nawrssl.dll
03/10/2005  01:57 PM           234,917 syrialui.dll
03/10/2005  01:43 PM           233,787 SMLights.dll
03/10/2005  01:16 PM           233,787 tjd32.dll
03/10/2005  01:01 PM           233,446 snc.dll
03/10/2005  12:58 PM    <DIR>          dllcache
03/10/2005  12:34 PM           232,808 bqdispl.dll
03/10/2005  12:16 PM           234,397 mv8ql9l51.dll
03/10/2005  09:45 AM           235,596 paofmap.dll
03/10/2005  09:38 AM           235,596 skrio600.dll
03/10/2005  09:38 AM           232,853 mvn2l95o1.dll
03/10/2005  07:59 AM           233,732 kadnec.dll
03/10/2005  07:52 AM           232,736 lzxlmpm.dll
03/08/2005  05:29 PM           232,736 pirfdisk.dll
03/08/2005  05:29 PM           232,736 pyrfproc.dll
08/13/2003  08:32 AM    <DIR>          Microsoft
              48 File(s)     11,231,849 bytes
               2 Dir(s)  82,691,264,512 bytes free



Here is the HijackThis log as well.

Logfile of HijackThis v1.99.1
Scan saved at 10:25:34 AM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\NoteTab Pro\NotePro.exe
C:\Documents and Settings\cc\My Documents\Documents\Programs\Hijack_this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\hr6m05j1e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks again for the continued assistance!
« Last Edit: March 16, 2005, 07:20:32 PM by guestolo »
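
As an added example that is not part of the original thread and not one of the tools used in it, here is a small Python script that applies the indicators visible in the logs above: DLL or .tmp files under system32 carrying both the System and Read-only attributes and written within days of the scan, plus a Winlogon Notify handler (HijackThis O20 line) whose DLL is not a stock Windows XP package. The sample listing and HijackThis lines are constructed to resemble the posted output, and the stock-DLL allowlist and the 14-day window are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample input, modelled on the vx2finder listing and the
# HijackThis O20 line posted above (not copied from the thread verbatim).
SAMPLE_LISTING = """\
   mlvcr71.dll    Fri Mar 11 2005   7:32:40a  ..S.R        234,792   229.29 K
   s32evnt1.dll   Mon Dec 20 2004   6:58:18p  A....         83,664    81.70 K
   symneti.dll    Fri Jan 21 2005  10:31:54p  A....        513,752   501.71 K
   pirfdisk.dll   Tue Mar  8 2005   5:29:26p  ..S.R        232,736   227.28 K
   hr6m05j1e.dll  Wed Mar 16 2005   7:40:02a  ..S.R        233,741   228.26 K
   guard.tmp      Wed Mar 16 2005   8:17:30a  ..S.R        233,741   228.26 K
"""
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O20 - Winlogon Notify: ShellScrap - C:\\WINDOWS\\system32\\hr6m05j1e.dll
O20 - Winlogon Notify: crypt32chain - C:\\WINDOWS\\system32\\crypt32.dll
"""

# DLLs behind the stock Winlogon\Notify packages on Windows XP. This is an
# assumed allowlist for the example; check it against a known-clean build.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# name  Dow Mon dd yyyy  h:mm:ssa  attrs  size  size-in-K
LISTING_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<year>\d{4})\s+\d{1,2}:\d{2}:\d{2}[ap]\s+(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>[\d,]+)\s+[\d.]+\s+[KM]\s*$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<label>\S+) - (?P<path>.+)$")

@dataclass(frozen=True)
class FileEntry:
    name: str
    modified: date
    attrs: str  # five-character attribute field, e.g. "..S.R"
    size: int

@dataclass(frozen=True)
class NotifyEntry:
    label: str
    path: str

    @property
    def dll(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

def parse_listing(text: str) -> list[FileEntry]:
    """Parse listing lines; anything that does not match the layout is skipped."""
    entries = []
    for m in filter(None, map(LISTING_RE.match, text.splitlines())):
        entries.append(FileEntry(
            name=m["name"].lower(),
            modified=date(int(m["year"]), MONTHS[m["mon"]], int(m["day"])),
            attrs=m["attrs"],
            size=int(m["size"].replace(",", ""))))
    return entries

def parse_notify(text: str) -> list[NotifyEntry]:
    """Pull the O20 (Winlogon Notify) entries out of a HijackThis log."""
    return [NotifyEntry(m["label"], m["path"].strip())
            for m in filter(None, map(NOTIFY_RE.match, text.splitlines()))]

def suspicious_files(entries, scan_date: date | str, max_age_days: int = 14):
    """DLL/.tmp files carrying both the System and Read-only attributes that
    were written within max_age_days before the scan: the profile of the
    dropped files in the listing above."""
    if isinstance(scan_date, str):
        scan_date = date.fromisoformat(scan_date)
    return [e for e in entries
            if "S" in e.attrs and "R" in e.attrs
            and e.name.endswith((".dll", ".tmp"))
            and 0 <= (scan_date - e.modified).days <= max_age_days]

def suspicious_notify(entries, allowlist=STOCK_NOTIFY_DLLS):
    """Notify handlers whose DLL is not one of the stock packages."""
    return [e for e in entries if e.dll not in allowlist]

def correlate(files, notify) -> list[str]:
    """DLLs that are both a flagged file and a non-stock Notify handler, i.e.
    the persistence this thread is about, rather than a leftover copy."""
    flagged = {e.name for e in files}
    return sorted(n.dll for n in notify if n.dll in flagged)

if __name__ == "__main__":
    files = suspicious_files(parse_listing(SAMPLE_LISTING), "2005-03-16")
    notify = suspicious_notify(parse_notify(SAMPLE_HJT))
    for f in files:
        print(f"file    {f.name:<16} {f.size:>8,} {f.attrs} {f.modified}")
    for n in notify:
        print(f"notify  {n.label:<16} -> {n.path}")
    print("active Winlogon Notify persistence:", correlate(files, notify))
```

Paste a real vx2finder listing and HijackThis log into the two sample strings and set the scan date to the day the logs were taken; the correlated name is the DLL that would come back after a reboot if only the file were deleted.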

Offline guestolo

Persistent VX2 problem
« Reply #7 on: March 16, 2005, 07:26:10 PM »
Let's see if the new version works for you.
Try running this from Normal mode.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

NOTE: After restart and L2MFIX finishes scanning for files, give this time to finish.
If a text file doesn't open, run the "second.bat" located inside the L2mfix folder.
« Last Edit: March 16, 2005, 07:27:07 PM by guestolo »



Offline Watchman_987

Persistent VX2 problem
« Reply #8 on: March 17, 2005, 12:31:14 PM »
Well, it looks like we got it! Here are the logs of HijackThis and the l2mfix:

Code:
Logfile of HijackThis v1.99.1
Scan saved at 11:52:01 AM, on 3/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\cc\My Documents\Documents\Programs\Hijack_this\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thevirtualillusion.com/main/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Code:
L2Mfix 1.03
 
Running From:
C:\Documents and Settings\cc\Desktop\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read        BUILTIN\Users
(ID-IO) ALLOW  Read        BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------    BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read        BUILTIN\Users
(ID-IO) ALLOW  Read        BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Documents and Settings\cc\Desktop\l2mfix
System Rebooted!
 
Running From:
C:\Documents and Settings\cc\Desktop\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 416 'explorer.exe'
Killing PID 416 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1136 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\bqdispl.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ceyptui.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cxmsvcs.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dkmclien.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dz3j.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en88l1lu1.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ikcvid.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\il50_qcx.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ioircl.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ipsutil.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iwsecsnp.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jrsd400.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k280lclm1fqa.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kadnec.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kcuser.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kkdinbe1.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ksdmac.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\LEBFCUR.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lzxlmpm.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mlvcr71.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mnmxsdk.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mqihnd.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\muaatext.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv8ql9l51.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvn2l95o1.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvpol9731.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mzrd3x40.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nawrssl.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nbrszhc.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ntwrsru.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p8n8li5u18.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\paofmap.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pdlstore.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pirfdisk.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pyrfproc.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RCCRES.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rzched20.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\skrio600.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SMLights.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\snc.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\solwid.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swndmail.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\syrialui.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tjd32.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tvkwks.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ukrv42a.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uwlmon.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wssdmoe2.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtvdmoe.dll
        1 file(s) copied.
deleting: C:\WINDOWS\system32\bqdispl.dll  
Successfully Deleted: C:\WINDOWS\system32\bqdispl.dll
deleting: C:\WINDOWS\system32\ceyptui.dll  
Successfully Deleted: C:\WINDOWS\system32\ceyptui.dll
deleting: C:\WINDOWS\system32\cxmsvcs.dll  
Successfully Deleted: C:\WINDOWS\system32\cxmsvcs.dll
deleting: C:\WINDOWS\system32\dkmclien.dll  
Successfully Deleted: C:\WINDOWS\system32\dkmclien.dll
deleting: C:\WINDOWS\system32\dz3j.dll  
Successfully Deleted: C:\WINDOWS\system32\dz3j.dll
deleting: C:\WINDOWS\system32\en88l1lu1.dll  
Successfully Deleted: C:\WINDOWS\system32\en88l1lu1.dll
deleting: C:\WINDOWS\system32\ikcvid.dll  
Successfully Deleted: C:\WINDOWS\system32\ikcvid.dll
deleting: C:\WINDOWS\system32\il50_qcx.dll  
Successfully Deleted: C:\WINDOWS\system32\il50_qcx.dll
deleting: C:\WINDOWS\system32\ioircl.dll  
Successfully Deleted: C:\WINDOWS\system32\ioircl.dll
deleting: C:\WINDOWS\system32\ipsutil.dll  
Successfully Deleted: C:\WINDOWS\system32\ipsutil.dll
deleting: C:\WINDOWS\system32\iwsecsnp.dll  
Successfully Deleted: C:\WINDOWS\system32\iwsecsnp.dll
deleting: C:\WINDOWS\system32\jrsd400.dll  
Successfully Deleted: C:\WINDOWS\system32\jrsd400.dll
deleting: C:\WINDOWS\system32\k280lclm1fqa.dll  
Successfully Deleted: C:\WINDOWS\system32\k280lclm1fqa.dll
deleting: C:\WINDOWS\system32\kadnec.dll  
Successfully Deleted: C:\WINDOWS\system32\kadnec.dll
deleting: C:\WINDOWS\system32\kcuser.dll  
Successfully Deleted: C:\WINDOWS\system32\kcuser.dll
deleting: C:\WINDOWS\system32\kkdinbe1.dll  
Successfully Deleted: C:\WINDOWS\system32\kkdinbe1.dll
deleting: C:\WINDOWS\system32\ksdmac.dll  
Successfully Deleted: C:\WINDOWS\system32\ksdmac.dll
deleting: C:\WINDOWS\system32\LEBFCUR.DLL  
Successfully Deleted: C:\WINDOWS\system32\LEBFCUR.DLL
deleting: C:\WINDOWS\system32\lzxlmpm.dll  
Successfully Deleted: C:\WINDOWS\system32\lzxlmpm.dll
deleting: C:\WINDOWS\system32\mlvcr71.dll  
Successfully Deleted: C:\WINDOWS\system32\mlvcr71.dll
deleting: C:\WINDOWS\system32\mnmxsdk.dll  
Successfully Deleted: C:\WINDOWS\system32\mnmxsdk.dll
deleting: C:\WINDOWS\system32\mqihnd.dll  
Successfully Deleted: C:\WINDOWS\system32\mqihnd.dll
deleting: C:\WINDOWS\system32\muaatext.dll  
Successfully Deleted: C:\WINDOWS\system32\muaatext.dll
deleting: C:\WINDOWS\system32\mv8ql9l51.dll  
Successfully Deleted: C:\WINDOWS\system32\mv8ql9l51.dll
deleting: C:\WINDOWS\system32\mvn2l95o1.dll  
Successfully Deleted: C:\WINDOWS\system32\mvn2l95o1.dll
deleting: C:\WINDOWS\system32\mvpol9731.dll  
Successfully Deleted: C:\WINDOWS\system32\mvpol9731.dll
deleting: C:\WINDOWS\system32\mzrd3x40.dll  
Successfully Deleted: C:\WINDOWS\system32\mzrd3x40.dll
deleting: C:\WINDOWS\system32\nawrssl.dll  
Successfully Deleted: C:\WINDOWS\system32\nawrssl.dll
deleting: C:\WINDOWS\system32\nbrszhc.dll  
Successfully Deleted: C:\WINDOWS\system32\nbrszhc.dll
deleting: C:\WINDOWS\system32\ntwrsru.dll  
Successfully Deleted: C:\WINDOWS\system32\ntwrsru.dll
deleting: C:\WINDOWS\system32\p8n8li5u18.dll  
Successfully Deleted: C:\WINDOWS\system32\p8n8li5u18.dll
deleting: C:\WINDOWS\system32\paofmap.dll  
Successfully Deleted: C:\WINDOWS\system32\paofmap.dll
deleting: C:\WINDOWS\system32\pdlstore.dll  
Successfully Deleted: C:\WINDOWS\system32\pdlstore.dll
deleting: C:\WINDOWS\system32\pirfdisk.dll  
Successfully Deleted: C:\WINDOWS\system32\pirfdisk.dll
deleting: C:\WINDOWS\system32\pyrfproc.dll  
Successfully Deleted: C:\WINDOWS\system32\pyrfproc.dll
deleting: C:\WINDOWS\system32\RCCRES.dll  
Successfully Deleted: C:\WINDOWS\system32\RCCRES.dll
deleting: C:\WINDOWS\system32\rzched20.dll  
Successfully Deleted: C:\WINDOWS\system32\rzched20.dll
deleting: C:\WINDOWS\system32\skrio600.dll  
Successfully Deleted: C:\WINDOWS\system32\skrio600.dll
deleting: C:\WINDOWS\system32\SMLights.dll  
Successfully Deleted: C:\WINDOWS\system32\SMLights.dll
deleting: C:\WINDOWS\system32\snc.dll  
Successfully Deleted: C:\WINDOWS\system32\snc.dll
deleting: C:\WINDOWS\system32\solwid.dll  
Successfully Deleted: C:\WINDOWS\system32\solwid.dll
deleting: C:\WINDOWS\system32\swndmail.dll  
Successfully Deleted: C:\WINDOWS\system32\swndmail.dll
deleting: C:\WINDOWS\system32\syrialui.dll  
Successfully Deleted: C:\WINDOWS\system32\syrialui.dll
deleting: C:\WINDOWS\system32\tjd32.dll  
Successfully Deleted: C:\WINDOWS\system32\tjd32.dll
deleting: C:\WINDOWS\system32\tvkwks.dll  
Successfully Deleted: C:\WINDOWS\system32\tvkwks.dll
deleting: C:\WINDOWS\system32\ukrv42a.dll  
Successfully Deleted: C:\WINDOWS\system32\ukrv42a.dll
deleting: C:\WINDOWS\system32\uwlmon.dll  
Successfully Deleted: C:\WINDOWS\system32\uwlmon.dll
deleting: C:\WINDOWS\system32\wssdmoe2.dll  
Successfully Deleted: C:\WINDOWS\system32\wssdmoe2.dll
deleting: C:\WINDOWS\system32\wtvdmoe.dll  
Successfully Deleted: C:\WINDOWS\system32\wtvdmoe.dll
 
 
Zipping up files for submission:
  adding: bqdispl.dll (164 bytes security) (deflated 4%)
  adding: ceyptui.dll (164 bytes security) (deflated 4%)
  adding: cxmsvcs.dll (164 bytes security) (deflated 5%)
  adding: dkmclien.dll (164 bytes security) (deflated 4%)
  adding: dz3j.dll (164 bytes security) (deflated 5%)
  adding: en88l1lu1.dll (164 bytes security) (deflated 4%)
  adding: ikcvid.dll (164 bytes security) (deflated 5%)
  adding: il50_qcx.dll (164 bytes security) (deflated 5%)
  adding: ioircl.dll (164 bytes security) (deflated 4%)
  adding: ipsutil.dll (164 bytes security) (deflated 4%)
  adding: iwsecsnp.dll (164 bytes security) (deflated 6%)
  adding: jrsd400.dll (164 bytes security) (deflated 4%)
  adding: k280lclm1fqa.dll (164 bytes security) (deflated 4%)
  adding: kadnec.dll (164 bytes security) (deflated 5%)
  adding: kcuser.dll (164 bytes security) (deflated 5%)
  adding: kkdinbe1.dll (164 bytes security) (deflated 5%)
  adding: ksdmac.dll (164 bytes security) (deflated 5%)
  adding: LEBFCUR.DLL (164 bytes security) (deflated 5%)
  adding: lzxlmpm.dll (164 bytes security) (deflated 4%)
  adding: mlvcr71.dll (164 bytes security) (deflated 5%)
  adding: mnmxsdk.dll (164 bytes security) (deflated 5%)
  adding: mqihnd.dll (164 bytes security) (deflated 5%)
  adding: muaatext.dll (164 bytes security) (deflated 4%)
  adding: mv8ql9l51.dll (164 bytes security) (deflated 5%)
  adding: mvn2l95o1.dll (164 bytes security) (deflated 4%)
  adding: mvpol9731.dll (164 bytes security) (deflated 5%)
  adding: mzrd3x40.dll (164 bytes security) (deflated 5%)
  adding: nawrssl.dll (164 bytes security) (deflated 4%)
  adding: nbrszhc.dll (164 bytes security) (deflated 6%)
  adding: ntwrsru.dll (164 bytes security) (deflated 5%)
  adding: p8n8li5u18.dll (164 bytes security) (deflated 5%)
  adding: paofmap.dll (164 bytes security) (deflated 5%)
  adding: pdlstore.dll (164 bytes security) (deflated 5%)
  adding: pirfdisk.dll (164 bytes security) (deflated 4%)
  adding: pyrfproc.dll (164 bytes security) (deflated 4%)
  adding: RCCRES.dll (164 bytes security) (deflated 5%)
  adding: rzched20.dll (164 bytes security) (deflated 5%)
  adding: skrio600.dll (164 bytes security) (deflated 5%)
  adding: SMLights.dll (164 bytes security) (deflated 5%)
  adding: snc.dll (164 bytes security) (deflated 5%)
  adding: solwid.dll (164 bytes security) (deflated 5%)
  adding: swndmail.dll (164 bytes security) (deflated 5%)
  adding: syrialui.dll (164 bytes security) (deflated 5%)
  adding: tjd32.dll (164 bytes security) (deflated 5%)
  adding: tvkwks.dll (164 bytes security) (deflated 4%)
  adding: ukrv42a.dll (164 bytes security) (deflated 4%)
  adding: uwlmon.dll (164 bytes security) (deflated 4%)
  adding: wssdmoe2.dll (164 bytes security) (deflated 5%)
  adding: wtvdmoe.dll (164 bytes security) (deflated 5%)
  adding: clear.reg (164 bytes security) (deflated 37%)
  adding: echo.reg (164 bytes security) (deflated 8%)
  adding: direct.txt (164 bytes security) (stored 0%)
  adding: lo2.txt (164 bytes security) (deflated 86%)
  adding: readme.txt (164 bytes security) (deflated 49%)
  adding: report.txt (164 bytes security) (deflated 67%)
  adding: test.txt (164 bytes security) (deflated 83%)
  adding: test2.txt (164 bytes security) (deflated 17%)
  adding: test3.txt (164 bytes security) (deflated 17%)
  adding: test5.txt (164 bytes security) (deflated 17%)
  adding: xfind.txt (164 bytes security) (deflated 78%)
  adding: backregs/A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF.reg (164 bytes security) (deflated 70%)
  adding: backregs/C9FB244E-D8B1-4B77-9C3B-78684680793F.reg (164 bytes security) (deflated 70%)
  adding: backregs/shell.reg (164 bytes security) (deflated 74%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read        BUILTIN\Users
(ID-IO) ALLOW  Read        BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
deleting local copy: bqdispl.dll  
deleting local copy: ceyptui.dll  
deleting local copy: cxmsvcs.dll  
deleting local copy: dkmclien.dll  
deleting local copy: dz3j.dll  
deleting local copy: en88l1lu1.dll  
deleting local copy: ikcvid.dll  
deleting local copy: il50_qcx.dll  
deleting local copy: ioircl.dll  
deleting local copy: ipsutil.dll  
deleting local copy: iwsecsnp.dll  
deleting local copy: jrsd400.dll  
deleting local copy: k280lclm1fqa.dll  
deleting local copy: kadnec.dll  
deleting local copy: kcuser.dll  
deleting local copy: kkdinbe1.dll  
deleting local copy: ksdmac.dll  
deleting local copy: LEBFCUR.DLL  
deleting local copy: lzxlmpm.dll  
deleting local copy: mlvcr71.dll  
deleting local copy: mnmxsdk.dll  
deleting local copy: mqihnd.dll  
deleting local copy: muaatext.dll  
deleting local copy: mv8ql9l51.dll  
deleting local copy: mvn2l95o1.dll  
deleting local copy: mvpol9731.dll  
deleting local copy: mzrd3x40.dll  
deleting local copy: nawrssl.dll  
deleting local copy: nbrszhc.dll  
deleting local copy: ntwrsru.dll  
deleting local copy: p8n8li5u18.dll  
deleting local copy: paofmap.dll  
deleting local copy: pdlstore.dll  
deleting local copy: pirfdisk.dll  
deleting local copy: pyrfproc.dll  
deleting local copy: RCCRES.dll  
deleting local copy: rzched20.dll  
deleting local copy: skrio600.dll  
deleting local copy: SMLights.dll  
deleting local copy: snc.dll  
deleting local copy: solwid.dll  
deleting local copy: swndmail.dll  
deleting local copy: syrialui.dll  
deleting local copy: tjd32.dll  
deleting local copy: tvkwks.dll  
deleting local copy: ukrv42a.dll  
deleting local copy: uwlmon.dll  
deleting local copy: wssdmoe2.dll  
deleting local copy: wtvdmoe.dll  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\bqdispl.dll
C:\WINDOWS\system32\ceyptui.dll
C:\WINDOWS\system32\cxmsvcs.dll
C:\WINDOWS\system32\dkmclien.dll
C:\WINDOWS\system32\dz3j.dll
C:\WINDOWS\system32\en88l1lu1.dll
C:\WINDOWS\system32\ikcvid.dll
C:\WINDOWS\system32\il50_qcx.dll
C:\WINDOWS\system32\ioircl.dll
C:\WINDOWS\system32\ipsutil.dll
C:\WINDOWS\system32\iwsecsnp.dll
C:\WINDOWS\system32\jrsd400.dll
C:\WINDOWS\system32\k280lclm1fqa.dll
C:\WINDOWS\system32\kadnec.dll
C:\WINDOWS\system32\kcuser.dll
C:\WINDOWS\system32\kkdinbe1.dll
C:\WINDOWS\system32\ksdmac.dll
C:\WINDOWS\system32\LEBFCUR.DLL
C:\WINDOWS\system32\lzxlmpm.dll
C:\WINDOWS\system32\mlvcr71.dll
C:\WINDOWS\system32\mnmxsdk.dll
C:\WINDOWS\system32\mqihnd.dll
C:\WINDOWS\system32\muaatext.dll
C:\WINDOWS\system32\mv8ql9l51.dll
C:\WINDOWS\system32\mvn2l95o1.dll
C:\WINDOWS\system32\mvpol9731.dll
C:\WINDOWS\system32\mzrd3x40.dll
C:\WINDOWS\system32\nawrssl.dll
C:\WINDOWS\system32\nbrszhc.dll
C:\WINDOWS\system32\ntwrsru.dll
C:\WINDOWS\system32\p8n8li5u18.dll
C:\WINDOWS\system32\paofmap.dll
C:\WINDOWS\system32\pdlstore.dll
C:\WINDOWS\system32\pirfdisk.dll
C:\WINDOWS\system32\pyrfproc.dll
C:\WINDOWS\system32\RCCRES.dll
C:\WINDOWS\system32\rzched20.dll
C:\WINDOWS\system32\skrio600.dll
C:\WINDOWS\system32\SMLights.dll
C:\WINDOWS\system32\snc.dll
C:\WINDOWS\system32\solwid.dll
C:\WINDOWS\system32\swndmail.dll
C:\WINDOWS\system32\syrialui.dll
C:\WINDOWS\system32\tjd32.dll
C:\WINDOWS\system32\tvkwks.dll
C:\WINDOWS\system32\ukrv42a.dll
C:\WINDOWS\system32\uwlmon.dll
C:\WINDOWS\system32\wssdmoe2.dll
C:\WINDOWS\system32\wtvdmoe.dll
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}"=-
"{C9FB244E-D8B1-4B77-9C3B-78684680793F}"=-
[-HKEY_CLASSES_ROOT\CLSID\{A4193AA0-2DAD-4E4C-A9F9-CEA4FF4A09AF}]
[-HKEY_CLASSES_ROOT\CLSID\{C9FB244E-D8B1-4B77-9C3B-78684680793F}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Let me know what you think, and thanks again for all your help!
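The Winlogon\Notify export in the log above is the artifact a defender cares about here: every subkey under it names a DLL that winlogon.exe loads, and a VX2-style entry is simply one more subkey pointing at a randomly named DLL in system32. The export stores some DllName values as plain strings and some as `hex(2)` (REG_EXPAND_SZ, UTF-16LE bytes wrapped across lines with a trailing backslash), so eyeballing it is error-prone. The following Python is an added example, not code from this thread or from any of the tools named in it. It parses a .reg export, decodes the three value encodings that appear above, and lists each Notify package with its DLL, flagging any DLL that is not in an allowlist. The allowlist is an assumption: it is just the set of DLLs referenced by the clean export posted above, and the `example_unknown` subkey in the embedded sample is a constructed entry, not something from the page.

```python
import re

# Constructed sample: a few entries copied from the export above plus one
# hypothetical subkey (example_unknown / xyzzy123.dll) that is NOT on the page,
# included only to exercise the flagging path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_unknown]
"DllName"="xyzzy123.dll"
"Logon"="WinLogon"
"Asynchronous"=dword:00000000
'''

NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Assumption: the DLLs the clean export above references. Anything else under
# Notify is "review this", not "proven malicious".
EXPECTED_DLLS = {'crypt32.dll', 'cryptnet.dll', 'cscdll.dll',
                 'wlnotify.dll', 'sclgntfy.dll', 'wzcdlg.dll'}

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _join_continuations(text):
    """Regedit wraps long hex values with a trailing backslash; join them back."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith('\\'):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def decode_value(data):
    """Decode "string", dword:XXXXXXXX and hex(2):.. (UTF-16LE REG_EXPAND_SZ)."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1]
    if data.startswith('dword:'):
        return int(data[6:], 16)
    m = re.match(r'hex(?:\((?P<t>[0-9a-f]+)\))?:(?P<b>.*)', data)
    if m:
        raw = bytes(int(h, 16) for h in m.group('b').split(',') if h)
        if m.group('t') == '2':
            return raw.decode('utf-16-le').rstrip('\x00')
        return raw  # other binary types: leave as bytes
    return data


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        km = KEY_RE.match(line)
        if km:
            current = km.group('key')
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group('name')] = decode_value(vm.group('data'))
    return keys


def notify_entries(keys):
    """Map each Winlogon\\Notify subkey to the DLL it loads (None if missing)."""
    out, prefix = {}, NOTIFY_KEY.lower() + '\\'
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        # Registry value names are case-insensitive; the export mixes DllName/DLLName.
        dll = next((v for n, v in values.items() if n.lower() == 'dllname'), None)
        out[key[len(prefix):]] = dll
    return out


def suspicious_entries(keys, expected=EXPECTED_DLLS):
    """Notify packages whose DLL is absent or not in the allowlist."""
    return {sub: dll for sub, dll in notify_entries(keys).items()
            if dll is None or dll.lower() not in expected}


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    for sub, dll in notify_entries(parsed).items():
        print(f'{sub:20} -> {dll}')
    print('review:', suspicious_entries(parsed))
```

To use it on a live box, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and feed the file contents to `parse_reg`. A hit from `suspicious_entries` is a starting point for a look at the named DLL (location, signer, timestamp), which is exactly the check the thread's tools were automating.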

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Persistent VX2 problem
« Reply #9 on: March 17, 2005, 09:17:11 PM »
I think that's got it :)

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
FYI>>IE-Spyad works also with Windows XP SP2

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Watchman_987

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
Persistent VX2 problem
« Reply #10 on: March 18, 2005, 07:58:49 AM »
I want to thank you again for your patience and assistance through this.

I've downloaded the tools you've suggested and will certainly use them. This infection occurred with updated versions of both Spy Sweeper and Norton's actively running, without either giving an alert.  This was a bad one....

Thanks again!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Persistent VX2 problem
« Reply #11 on: March 18, 2005, 09:28:07 PM »
Thanks for posting back

I'll lock this thread as your problems appear resolved
If you need it reopened please PM a Mod or the site Admin and supply a link to this thread

Take Care
