Tech Support Forum, Resolved HJT Threads (resolved spyware and popup issues)
#1
Registered User
Join Date: Jan 2006
Posts: 13
OS: Windows XP Pro
Ad-ware opens tabs in Firefox
I've tried everything, run every scanner I could find, there are no processes that shouldn't be there in Task Manager. Nothing in startup or in services of MSCONFIG. I'm stumped. Every couple minutes a new tab will open in Firefox (or if FF is not open then it will open) with an address that will have a website and then end "normal/yyy102.html".

For example http://www.bigdiscountbuy.com/normal/yyy102.html, where "http://www.bigdiscountbuy.com/" will change for other websites. Weird thing is the tab will just be blank, nothing in there. I had installed something which gave me some spyware, but this was removed with Ad-aware, Spybot, and Webroot Spy Sweeper. But this still clings on. Here's my logfile.

Logfile of HijackThis v1.99.1
Scan saved at 23:26:54, on 18/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sanjay\Desktop\Tempy\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\i0420ahoed4c0.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: gSiZXLuauyb - {28E14708-824B-EDA2-320A-54905E06A656} - C:\WINDOWS\system32\qg.dll

Many Thanks,
Twisted
#2
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP
I see you have disabled some startup items with Msconfig. Please open it and select normal startup. I need to see everything that is running on your PC to help you clean it out; you may return it to the way it was when we are finished.

You have the latest version of VX2. Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

Close any programs you have open since this step requires a reboot. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! If after the reboot the log does not open, double click on it in the l2mfix folder.
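The diagnosis above rests on reading a few HijackThis line types by eye: the O20 Winlogon Notify entry loading a DLL with a machine-generated name from system32 (the VX2/Look2Me pattern), the non-stock O21 SSODL entry, and O4 Run entries launching from the C:\ or C:\WINDOWS\ root. The following triage script codes those checks up; it is an added example and not part of HijackThis, L2mfix or this thread, its two allow-lists are assumptions drawn from a stock XP SP2 install, and its sample log is constructed from the lines posted above.

```python
"""Heuristic triage of HijackThis (HJT) O4 / O20 / O21 log lines.

Added example for this thread (not HijackThis, L2mfix or forum code).
"high" means the line matches a pattern no legitimate vendor uses;
"review" means a human must confirm the vendor before deciding.
"""
import re
from dataclasses import dataclass

# Assumption: stock XP Winlogon Notify packages (those in the L2mfix dump).
STOCK_NOTIFY = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                "wlnotify.dll", "sclgntfy.dll"}
# Assumption: ShellServiceObjectDelayLoad names registered on stock XP SP2.
STOCK_SSODL = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray"}

_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$")
_O21 = re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
_O4 = re.compile(r"^O4 - .*?\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    severity: str  # "high" or "review"
    item: str      # DLL, executable or entry name the finding concerns
    reason: str
    line: str      # the HJT line that triggered it


def looks_generated(filename: str) -> bool:
    """True for names like i0420ahoed4c0.dll: letters and digits interleaved
    in three or more runs, which shipped notify packages never use."""
    stem = filename.rsplit(".", 1)[0].lower()
    runs = re.findall(r"[a-z]+|\d+", stem)
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 3 and letters >= 3 and len(runs) >= 3


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _parent(path: str):
    """Lower-cased directory part, or None when the value carries no path."""
    parts = path.replace("/", "\\").rsplit("\\", 1)
    return parts[0].lower().rstrip("\\") if len(parts) == 2 else None


def _first_token(cmd: str) -> str:
    """Executable part of a Run value: quoted path, or text up to first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _O20.match(line):
            dll = _basename(m["path"])
            if not dll:  # e.g. "Syncmgr - C:\WINDOWS\": a value with no DLL
                findings.append(Finding("review", m["name"],
                                "Winlogon Notify entry with no DLL file name", line))
            elif dll.lower() in STOCK_NOTIFY:
                continue
            elif looks_generated(dll):
                findings.append(Finding("high", dll,
                                "machine-generated DLL name in Winlogon Notify", line))
            elif "\\system32\\" in m["path"].lower():
                findings.append(Finding("review", dll,
                                "non-stock Winlogon Notify DLL in system32 (verify vendor)", line))
        elif m := _O21.match(line):
            if m["name"] not in STOCK_SSODL:
                findings.append(Finding("high", _basename(m["path"]),
                                "non-stock ShellServiceObjectDelayLoad entry", line))
        elif m := _O4.match(line):
            exe = _first_token(m["cmd"])
            parent = _parent(exe)
            if parent is None:
                findings.append(Finding("review", exe,
                                "Run entry without a directory path", line))
            elif parent in ("c:", "c:\\windows"):
                findings.append(Finding("high", _basename(exe),
                                "Run entry launching from the C:\\ or C:\\WINDOWS\\ root", line))
    return findings


# Constructed sample: a handful of lines taken from the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\i0420ahoed4c0.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: gSiZXLuauyb - {28E14708-824B-EDA2-320A-54905E06A656} - C:\WINDOWS\system32\qg.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.item:20} {f.reason}")
```

Run against the sample it rates the i0420ahoed4c0.dll notify entry, the qg.dll SSODL entry and the two root-level Run entries "high", and leaves the Stardock and Webroot entries for a human to confirm.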
#3
Registered User
Join Date: Jan 2006
Posts: 13
OS: Windows XP Pro
My L2MFIX log prior to reboot and fix.

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i2420choef4c0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WBSrv]
"Impersonate"=dword:00000000
"Logoff"="LogOut"
"DllName"="C:\\PROGRA~1\\STARDOCK\\OBJECT~1\\WINDOW~1\\wbsrv.dll"
"LogOn"="StartSys"
"Unlock"="Sys"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DA0DB8F0-0425-54C5-CF3C-1AA936CF7358}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{2F5AC606-70CF-461C-BFE1-734234536262}"="WindowBlinds CPL Extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{C031575D-922A-4AB7-82DC-6C0100172F0C}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C031575D-922A-4AB7-82DC-6C0100172F0C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C031575D-922A-4AB7-82DC-6C0100172F0C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C031575D-922A-4AB7-82DC-6C0100172F0C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C031575D-922A-4AB7-82DC-6C0100172F0C}\InprocServer32]
@="C:\\WINDOWS\\system32\\szclogon.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
mstime.dll    Fri 21 Oct 2005  3:39:30  A....    530,944   518.50 K
msrating.dll  Fri 21 Oct 2005  3:39:30  A....    146,432   143.00 K
mshtmled.dll  Fri 21 Oct 2005  3:39:30  A....    448,512   438.00 K
mshtml.dll    Thu 24 Nov 2005  1 34     A....  3,015,680     2.88 M
iepeers.dll   Fri 21 Oct 2005  3:39:28  A....    251,392   245.50 K
dxtrans.dll   Fri 21 Oct 2005  3:39:28  A....    205,312   200.50 K
danim.dll     Sat  5 Nov 2005  3:16:24  A....  1,054,208     1.00 M
browseui.dll  Thu 24 Nov 2005  1 34     A....  1,022,464   998.50 K
cdfview.dll   Fri 21 Oct 2005  3:39:26  A....    151,040   147.50 K
sirenacm.dll  Wed 14 Dec 2005  0:24:42  A....    118,784   116.00 K
frapsvid.dll  Sat  3 Dec 2005 10:25:32  A....     36,864    36.00 K
rmoc3260.dll  Tue 15 Nov 2005  9:38:10  A....    176,167   172.04 K
wininet.dll   Fri 21 Oct 2005  3:39:30  A....    658,432   643.00 K
urlmon.dll    Sat  5 Nov 2005  3:16:28  A....    609,280   595.00 K
shlwapi.dll   Fri 21 Oct 2005  3:39:30  A....    473,600   462.50 K
shdocvw.dll   Thu  1 Dec 2005  3:59:30  A....  1,492,480     1.42 M
pngfilt.dll   Fri 21 Oct 2005  3:39:30  A....     39,424    38.50 K
inseng.dll    Fri 21 Oct 2005  3:39:28  A....     96,256    94.00 K
extmgr.dll    Fri 21 Oct 2005  3:39:28  .....     55,808    54.50 K
wrlzma.dll    Wed 14 Dec 2005 19:17:16  A....     17,920    17.50 K
mxperf.dll    Wed 18 Jan 2006 22:38:22  ..S.R    236,115   230.58 K
szclogon.dll  Thu 19 Jan 2006  9:13:12  ..S.R    236,597   231.05 K
gdi32.dll     Thu 29 Dec 2005  2:54:36  A....    280,064   273.50 K
msctl32.dll   Wed 18 Jan 2006 18:36:16  A....     68,096    66.50 K
fpju03~1.dll  Wed 18 Jan 2006 22:48:18  ..S.R    236,355   230.81 K
dcom_12.dll   Wed 18 Jan 2006 18:36:38  A....     66,048    64.50 K
i2420c~1.dll  Wed 18 Jan 2006 22:46:18  ..S.R    236,597   231.05 K
wrlogo~1.dll  Wed 14 Dec 2005 19:17:20  A....    492,544   481.00 K
vchreg.dll    Tue  3 Jan 2006 17:13:08  A....    671,744   656.00 K

29 items found: 29 files (4 H/S), 0 directories.
Total of file sizes: 13,125,159 bytes   12.52 M

Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
 Volume in drive C is WINDOWS ETC
 Volume Serial Number is 28E1-4707

 Directory of C:\WINDOWS\System32

19/01/2006  09:13           236,597 szclogon.dll
18/01/2006  22:48           236,355 fpju0319e.dll
18/01/2006  22:46           236,597 i2420choef4c0.dll
18/01/2006  22:38           236,115 mxperf.dll
27/01/2005  17:57                56 25D3F9B7F3.sys
18/12/2004  13:48    <DIR>          Microsoft
18/12/2004  12:27    <DIR>          dllcache
               5 File(s)        945,720 bytes
               2 Dir(s)   2,036,965,376 bytes free

HijackThis log, with normal MSConfig startup, also prior to L2MFIX/reboot.

Logfile of HijackThis v1.99.1
Scan saved at 17:17:45, on 19/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\windows\winsysban.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\paytime.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\FilmLoop Player\FilmLoopService.exe
C:\Program Files\DigitalPeers\CamTrack\dptracker.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\system32\LSASS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BitComet\BitComet.exe
C:\winstall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\Sanjay\Desktop\Tempy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20010\services.exe
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] winDSL.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\system32\msoff.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [knob lite bows pile] C:\Documents and Settings\All Users\Application Data\puredeleteknoblite\Idolonline.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [GreenHorseTickerBar] C:\Program Files\Tickerbar\TickerBar.exe
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoopService.exe"
O4 - HKLM\..\Run: [dptracker] C:\Program Files\DigitalPeers\CamTrack\dptracker.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\bootskin.exe" /StartupJobs
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [rqro] C:\PROGRA~1\COMMON~1\rqro\rqrom.exe
O4 - HKCU\..\Run: [Raha] "C:\Program Files\totu\cusp.exe" -vt yazr
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Sanjay\Desktop\Misc\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O4 - Startup: TickerBar.lnk = C:\Program Files\Tickerbar\TickerBar.exe
O4 - Startup: Matrix Screen Locker.lnk = C:\Program Files\Matrix Screen Locker\matrix.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MSN Messenger 7.0.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\fpju0319e.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: gSiZXLuauyb - {28E14708-824B-EDA2-320A-54905E06A656} - C:\WINDOWS\system32\qg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINDOWS\system32\perfont.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Here's the L2MFIX log after the fix and reboot.

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i2420choef4c0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WBSrv]
"Impersonate"=dword:00000000
"Logoff"="LogOut"
"DllName"="C:\\PROGRA~1\\STARDOCK\\OBJECT~1\\WINDOW~1\\wbsrv.dll"
"LogOn"="StartSys"
"Unlock"="Sys"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DA0DB8F0-0425-54C5-CF3C-1AA936CF7358}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{2F5AC606-70CF-461C-BFE1-734234536262}"="WindowBlinds CPL Extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{C031575D-922A-4AB7-82DC-6C0100172F0C}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C031575D-922A-4AB7-82DC-6C0100172F0C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C031575D-922A-4AB7-82DC-6C0100172F0C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C031575D-922A-4AB7-82DC-6C0100172F0C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C031575D-922A-4AB7-82DC-6C0100172F0C}\InprocServer32]
@="C:\\WINDOWS\\system32\\szclogon.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
mstime.dll    Fri 21 Oct 2005  3:39:30  A....    530,944   518.50 K
msrating.dll  Fri 21 Oct 2005  3:39:30  A....    146,432   143.00 K
mshtmled.dll  Fri 21 Oct 2005  3:39:30  A....    448,512   438.00 K
mshtml.dll    Thu 24 Nov 2005  1 34     A....  3,015,680     2.88 M
iepeers.dll   Fri 21 Oct 2005  3:39:28  A....    251,392   245.50 K
dxtrans.dll   Fri 21 Oct 2005  3:39:28  A....    205,312   200.50 K
danim.dll     Sat  5 Nov 2005  3:16:24  A....  1,054,208     1.00 M
browseui.dll  Thu 24 Nov 2005  1 34     A....  1,022,464   998.50 K
cdfview.dll   Fri 21 Oct 2005  3:39:26  A....    151,040   147.50 K
sirenacm.dll  Wed 14 Dec 2005  0:24:42  A....    118,784   116.00 K
frapsvid.dll  Sat  3 Dec 2005 10:25:32  A....     36,864    36.00 K
rmoc3260.dll  Tue 15 Nov 2005  9:38:10  A....    176,167   172.04 K
wininet.dll   Fri 21 Oct 2005  3:39:30  A....    658,432   643.00 K
urlmon.dll    Sat  5 Nov 2005  3:16:28  A....    609,280   595.00 K
shlwapi.dll   Fri 21 Oct 2005  3:39:30  A....    473,600   462.50 K
shdocvw.dll   Thu  1 Dec 2005  3:59:30  A....  1,492,480     1.42 M
pngfilt.dll   Fri 21 Oct 2005  3:39:30  A....     39,424    38.50 K
inseng.dll    Fri 21 Oct 2005  3:39:28  A....     96,256    94.00 K
extmgr.dll    Fri 21 Oct 2005  3:39:28  .....     55,808    54.50 K
wrlzma.dll    Wed 14 Dec 2005 19:17:16  A....     17,920    17.50 K
mxperf.dll    Wed 18 Jan 2006 22:38:22  ..S.R    236,115   230.58 K
szclogon.dll  Thu 19 Jan 2006  9:13:12  ..S.R    236,597   231.05 K
gdi32.dll     Thu 29 Dec 2005  2:54:36  A....    280,064   273.50 K
msctl32.dll   Wed 18 Jan 2006 18:36:16  A....     68,096    66.50 K
fpju03~1.dll  Wed 18 Jan 2006 22:48:18  ..S.R    236,355   230.81 K
dcom_12.dll   Wed 18 Jan 2006 18:36:38  A....     66,048    64.50 K
i2420c~1.dll  Wed 18 Jan 2006 22:46:18  ..S.R    236,597   231.05 K
wrlogo~1.dll  Wed 14 Dec 2005 19:17:20  A....    492,544   481.00 K
vchreg.dll    Tue  3 Jan 2006 17:13:08  A....    671,744   656.00 K

29 items found: 29 files (4 H/S), 0 directories.
Total of file sizes: 13,125,159 bytes   12.52 M

Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
 Volume in drive C is WINDOWS ETC
 Volume Serial Number is 28E1-4707

 Directory of C:\WINDOWS\System32

19/01/2006  09:13           236,597 szclogon.dll
18/01/2006  22:48           236,355 fpju0319e.dll
18/01/2006  22:46           236,597 i2420choef4c0.dll
18/01/2006  22:38           236,115 mxperf.dll
27/01/2005  17:57                56 25D3F9B7F3.sys
18/12/2004  13:48    <DIR>          Microsoft
18/12/2004  12:27    <DIR>          dllcache
               5 File(s)        945,720 bytes
               2 Dir(s)   2,036,965,376 bytes free

Many Thanks for your help so far.
Twisted
#4
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! If after the reboot the log does not open, double click on it in the l2mfix folder.
#5
Registered User
Join Date: Jan 2006
Posts: 13
OS: Windows XP Pro
Whoops, musta muddled them, is this what you want?

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes): 1
Granting SeDebugPrivilege to L2MFIX ... successful

Checking for L2MFix account(0=no 1=yes): 0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
  adding: backregs/notibac.reg (deflated 88%)

Thanks again,
Twisted
#6
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP
Looks like L2MFix failed
Second one in two days. Alright, we'll try a different tactic.

After completing this fix please do not reboot your computer. I will give you the next instructions as soon as I can after I receive the logs.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Downloads (make sure to save these in a permanent location)

Cleanup! (Alternate Link) - Install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)
When SpySweeper starts, please accept any prompts to update definitions. Then close SpySweeper.

Next, please reboot your computer in SafeMode by doing the following:

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:
Click Options
Move the slider button down to Custom CleanUp!
Check the following:

Click OK, press the CleanUp! button to start the program and reboot (Normal Mode) when prompted.

Launch SpySweeper. Then configure it as follows:

After rebooting, launch SpySweeper & select Results from the left pane.
Click the 'Session Log' tab & choose Save to File to create a log.

Open the l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

In your next post please include:
#7
Registered User
Join Date: Jan 2006
Posts: 13
OS: Windows XP Pro
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o2nslc571f.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WBSrv]
"Impersonate"=dword:00000000
"Logoff"="LogOut"
"DllName"="C:\\PROGRA~1\\STARDOCK\\OBJECT~1\\WINDOW~1\\wbsrv.dll"
"LogOn"="StartSys"
"Unlock"="Sys"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DA0DB8F0-0425-54C5-CF3C-1AA936CF7358}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{2F5AC606-70CF-461C-BFE1-734234536262}"="WindowBlinds CPL Extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{C031575D-922A-4AB7-82DC-6C0100172F0C}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C031575D-922A-4AB7-82DC-6C0100172F0C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C031575D-922A-4AB7-82DC-6C0100172F0C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C031575D-922A-4AB7-82DC-6C0100172F0C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C031575D-922A-4AB7-82DC-6C0100172F0C}\InprocServer32]
@="C:\\WINDOWS\\system32\\wladss.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
mstime.dll Fri 21 Oct 2005 3:39:30 A.... 530,944 518.50 K
msrating.dll Fri 21 Oct 2005 3:39:30 A.... 146,432 143.00 K
mshtmled.dll Fri 21 Oct 2005 3:39:30 A.... 448,512 438.00 K
mshtml.dll Thu 24 Nov 2005 1 34 A.... 3,015,680 2.88 M
iepeers.dll Fri 21 Oct 2005 3:39:28 A.... 251,392 245.50 K
dxtrans.dll Fri 21 Oct 2005 3:39:28 A.... 205,312 200.50 K
danim.dll Sat 5 Nov 2005 3:16:24 A.... 1,054,208 1.00 M
browseui.dll Thu 24 Nov 2005 1 34 A.... 1,022,464 998.50 K
cdfview.dll Fri 21 Oct 2005 3:39:26 A.... 151,040 147.50 K
sirenacm.dll Wed 14 Dec 2005 0:24:42 A.... 118,784 116.00 K
frapsvid.dll Sat 3 Dec 2005 10:25:32 A.... 36,864 36.00 K
rmoc3260.dll Tue 15 Nov 2005 9:38:10 A.... 176,167 172.04 K
wininet.dll Fri 21 Oct 2005 3:39:30 A.... 658,432 643.00 K
urlmon.dll Sat 5 Nov 2005 3:16:28 A.... 609,280 595.00 K
shlwapi.dll Fri 21 Oct 2005 3:39:30 A.... 473,600 462.50 K
shdocvw.dll Thu 1 Dec 2005 3:59:30 A.... 1,492,480 1.42 M
pngfilt.dll Fri 21 Oct 2005 3:39:30 A.... 39,424 38.50 K
inseng.dll Fri 21 Oct 2005 3:39:28 A.... 96,256 94.00 K
extmgr.dll Fri 21 Oct 2005 3:39:28 ..... 55,808 54.50 K
wrlzma.dll Wed 14 Dec 2005 19:17:16 A.... 17,920 17.50 K
mxperf.dll Wed 18 Jan 2006 22:38:22 ..S.R 236,115 230.58 K
gdi32.dll Thu 29 Dec 2005 2:54:36 A.... 280,064 273.50 K
msctl32.dll Wed 18 Jan 2006 18:36:16 A.... 68,096 66.50 K
dcom_12.dll Wed 18 Jan 2006 18:36:38 A.... 66,048 64.50 K
wrlogo~1.dll Wed 14 Dec 2005 19:17:20 A.... 492,544 481.00 K
vchreg.dll Tue 3 Jan 2006 17:13:08 A.... 671,744 656.00 K
s6pu0g~1.dll Thu 19 Jan 2006 19:11:12 ..S.R 235,649 230.13 K
hrl805~1.dll Thu 19 Jan 2006 19:17:26 ..S.R 235,508 229.99 K
ktjml7~1.dll Thu 19 Jan 2006 19:43:08 ..S.R 235,790 230.26 K
lsamcpl.dll Thu 19 Jan 2006 20:17:14 ..S.R 235,461 229.94 K
o2nslc~1.dll Thu 19 Jan 2006 20:35:42 ..S.R 236,425 230.88 K
j4p00e~1.dll Thu 19 Jan 2006 20:46:42 ..S.R 234,673 229.17 K
wladss.dll Thu 19 Jan 2006 20:50:04 ..S.R 236,425 230.88 K

33 items found: 33 files (8 H/S), 0 directories.
Total of file sizes: 14,065,541 bytes 13.41 M

Locate .tmp files:
No matches found.

**********************************************************************************
Directory Listing of system files:
Volume in drive C is WINDOWS ETC
Volume Serial Number is 28E1-4707

Directory of C:\WINDOWS\System32

19/01/2006 20:50 236,425 wladss.dll
19/01/2006 20:46 234,673 j4p00e7meh.dll
19/01/2006 20:35 236,425 o2nslc571f.dll
19/01/2006 20:17 235,461 LSamCpl.dll
19/01/2006 19:43 235,790 ktjml7111.dll
19/01/2006 19:17 235,508 hrl8053ue.dll
19/01/2006 19:11 235,649 s6pu0g79e6.dll
18/01/2006 22:38 236,115 mxperf.dll
27/01/2005 17:57 56 25D3F9B7F3.sys
18/12/2004 13:48 <DIR> Microsoft
18/12/2004 12:27 <DIR> dllcache
9 File(s) 1,886,102 bytes
2 Dir(s) 2,827,632,640 bytes free

Last edited by Twisted-Metal : 01-19-2006 at 02:08 PM. Reason: Messed up copy and paste of Logs :S :P
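The find log above is worth reading as a detection exercise: the Windows-supplied Winlogon\Notify entries reference their DLL by bare name (wlnotify.dll, cscdll.dll), while the ShellServiceObjectDelayLoad entry points by full path at a file in System32 with a generated-looking name, and that same file shows up in the directory listing among several similarly sized, recently written DLLs. The script below is an added example, not part of the thread and not L2MFix's own code, that parses a regedit export in the log's format (including hex(2) UTF-16LE values and line continuations) together with the directory listing, and flags Notify entries on those three signals. The inputs are constructed excerpts in the log's format; the allowlist of built-in DLL names and the "random name" heuristic are my assumptions, not rules from the thread.

```python
"""Audit Winlogon\\Notify entries from an L2MFix-style registry export (added example)."""
import re

# Constructed excerpt in the format of the find log's "Winlogon/notify" section.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"DllName"="C:\\WINDOWS\\system32\\o2nslc571f.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WBSrv]
"DllName"="C:\\PROGRA~1\\STARDOCK\\OBJECT~1\\WINDOW~1\\wbsrv.dll"
'''
# Constructed lines in the format of the log's "Directory Listing of system files".
DIR_LISTING = '''19/01/2006 20:35           236,425 o2nslc571f.dll
18/01/2006 22:38           236,115 mxperf.dll
'''
NOTIFY_PREFIX = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' + '\\'
# Assumption: Windows-supplied notification DLLs seen in the log, all registered by bare name.
KNOWN_DLLS = {'wlnotify.dll', 'cscdll.dll', 'crypt32.dll', 'cryptnet.dll', 'sclgntfy.dll'}
# Heuristic (assumption) for generated names: 8+ alphanumerics with at least one digit.
RANDOM_NAME = re.compile(r'^(?=.*\d)[a-z0-9]{8,}\.dll$', re.I)

def decode_value(raw):
    """Decode one .reg value: quoted string, dword, or hex(2) UTF-16LE data."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        # hex(2) is REG_EXPAND_SZ and hex(7) REG_MULTI_SZ: UTF-16LE text
        return data.decode('utf-16-le').rstrip('\x00') if m.group(1) in ('2', '7') else data
    return raw

def parse_reg_export(text):
    """Return {key path: {value name: decoded value}} from regedit export text."""
    logical, buf = [], ''
    for line in text.splitlines():
        if line.endswith('\\'):                       # .reg line continuation
            buf += line[:-1]
            continue
        logical.append(buf + line.lstrip() if buf else line)
        buf = ''
    keys, current = {}, None
    for line in logical:
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition('=')
            keys[current][name.strip('"')] = decode_value(raw)
    return keys

def parse_listing(text):
    """Return [(file name, size in bytes)] from 'dir'-style listing lines."""
    rows = []
    for line in text.splitlines():
        m = re.match(r'\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+([\d,]+)\s+(\S+)$', line.strip())
        if m:
            rows.append((m.group(2), int(m.group(1).replace(',', ''))))
    return rows

def audit_notify(keys, listing):
    """Return [(subkey, dll path, [reasons])] for Notify entries that deserve a look."""
    recent = {name.lower(): size for name, size in listing}
    findings = []
    for key, values in keys.items():
        if not key.startswith(NOTIFY_PREFIX):
            continue
        dll = next((v for k, v in values.items() if k.lower() == 'dllname'), None)
        if not isinstance(dll, str):
            continue
        base = dll.rsplit('\\', 1)[-1].lower()
        reasons = []
        if '\\system32\\' in dll.lower():
            reasons.append('full path into System32 (the built-in entries use bare names)')
        if base not in KNOWN_DLLS and RANDOM_NAME.match(base):
            reasons.append('random-looking file name')
        if base in recent:
            reasons.append('present in the recent-file listing (%d bytes)' % recent[base])
        if reasons:
            findings.append((key[len(NOTIFY_PREFIX):], dll, reasons))
    return findings

if __name__ == '__main__':
    for subkey, dll, reasons in audit_notify(parse_reg_export(REG_EXPORT), parse_listing(DIR_LISTING)):
        print('%s -> %s' % (subkey, dll))
        for reason in reasons:
            print('    - ' + reason)
```

Run against the constructed excerpt it reports only ShellServiceObjectDelayLoad, with all three reasons; WBSrv (a full path, but into Program Files and with a plain name) and the bare-name entries pass. On a real log the allowlist should be checked against a clean machine of the same Windows version, and a hit is a reason to look at the file, not proof by itself.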
#8
Registered User
Join Date: Jan 2006
Posts: 13
OS: Windows XP Pro
********
22:03: | Start of Session, 18 January 2006 |
22:03: Spy Sweeper started
22:03: Sweep initiated using definitions version 602
22:03: Found Adware: look2me
22:03: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\syncmgr\ || dllname (ID = 129987)
22:03: lvp6097se.dll (ID = 129987)
22:03: Starting Memory Sweep
22:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22 The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22 The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22 The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22 The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:07: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:08: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:08: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:10: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:10: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:11: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:11: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:12: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:12: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:12: Found Trojan Horse: trojan-backdoor-superbgirlz
22:12: Detected running threat: C:\WINDOWS\system32\child.dll (ID = 183971)
22:12: Memory Sweep Complete, Elapsed Time: 00:09:43
22:12: Starting Registry Sweep
22:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:13: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:13: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:15: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:15: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:15: Found Adware: websearch toolbar
22:15: HKLM\software\microsoft\windows\currentversion\installer\userdata\sto\ (1 subtraces) (ID = 146480)
22:16: Found Trojan Horse: trojan-backdoor-msdcom32
22:16: HKCR\clsid\{2c1cd3d7-86ac-4068-93bc-a02304bb8c34}\ (3 subtraces) (ID = 366335)
22:16: HKLM\software\classes\clsid\{2c1cd3d7-86ac-4068-93bc-a02304bb8c34}\ (3 subtraces) (ID = 366355)
22:16: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || dcom server (ID = 385950)
22:16: Found Adware: dollarrevenue
22:16: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
22:16: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {4f141cba-1457-6cca-03a7-7aa21b61ea0f} (ID = 954575)
22:16: Found Adware: command
22:16: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
22:16: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
22:16: Found Trojan Horse: manwithnoname_spamrelayer
22:16: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\msctl32.dll\ (5 subtraces) (ID = 1021403)
22:16: Found Trojan Horse: trojan-downloader-hochladen
22:16: HKLM\system\currentcontrolset\services\i386p\ (11 subtraces) (ID = 1021419)
22:16: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
22:16: Found Adware: coolwebsearch (cws)
22:16: HKU\S-1-5-21-1844237615-1177238915-1417001333-1003\software\microsoft\internet explorer\keywords\ (16 subtraces) (ID = 109820)
22:16: HKU\S-1-5-21-1844237615-1177238915-1417001333-1003\software\microsoft\internet explorer\sites\ (1 subtraces) (ID = 109822)
22:16: Found Adware: lopdotcom
22:16: HKU\S-1-5-21-1844237615-1177238915-1417001333-1003\software\microsoft\internet explorer\new windows\allow\ || searchweb2.com (ID = 130288)
22:16: HKU\S-1-5-21-1844237615-1177238915-1417001333-1003\software\microsoft\internet explorer\new windows\allow\ || www.searchweb2.com (ID = 130290)
22:16: HKU\S-1-5-21-1844237615-1177238915-1417001333-1003\software\classes\clsid\{4f141cba-1457-6cca-03a7-7aa21b61ea0f}\ (3 subtraces) (ID = 954563)
22:16: Found Trojan Horse: komforochka smtp relay
22:16: HKU\S-1-5-21-1844237615-1177238915-1417001333-1003\software\microsoft\internet explorer\keywords\ (16 subtraces) (ID = 1035782)
22:16: Registry Sweep Complete, Elapsed Time:00:03:30
22:16: Starting Cookie Sweep
22:16:
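A Spy Sweeper session log is flat: each "Found <category>: <name>" line is followed by the registry or file traces that belong to it, the communication-shield lines are interleaved with everything else, and a "Detected running threat" line means the component was found loaded in a process rather than only on disk or in the registry, which is the case where a file delete alone does not stick and the analyst's reboot and safe-mode steps come in. The script below is an added example, not part of the thread and not Webroot's code, that rebuilds that structure from the log: it groups traces under the most recent finding, records which sweep phase each finding came from, counts blocked hosts, and lists the findings that were seen in memory. The log text is a constructed excerpt in the format of the session log above, not the full log.

```python
"""Triage a Spy Sweeper session log into threats, traces and blocked hosts (added example)."""
import re
from collections import Counter, OrderedDict

# Constructed excerpt in the format of the session log above (not the full log).
SESSION_LOG = r'''22:03: Spy Sweeper started
22:03: Sweep initiated using definitions version 602
22:03: Found Adware: look2me
22:03: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\syncmgr\ || dllname (ID = 129987)
22:03: lvp6097se.dll (ID = 129987)
22:03: Starting Memory Sweep
22:05: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:05: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
22:07: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
22:12: Found Trojan Horse: trojan-backdoor-superbgirlz
22:12: Detected running threat: C:\WINDOWS\system32\child.dll (ID = 183971)
22:12: Memory Sweep Complete, Elapsed Time: 00:09:43
22:12: Starting Registry Sweep
22:16: Found Trojan Horse: trojan-backdoor-msdcom32
22:16: HKCR\clsid\{2c1cd3d7-86ac-4068-93bc-a02304bb8c34}\ (3 subtraces) (ID = 366335)
22:16: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || dcom server (ID = 385950)
22:16: Registry Sweep Complete, Elapsed Time:00:03:30
'''

LINE = re.compile(r'^(\d{2}:\d{2}): (.*)$')
PHASE = re.compile(r'^Starting (\w+) Sweep$')
BLOCKED = re.compile(r'^The Spy Communication shield has blocked access to: (\S+)$')
FOUND = re.compile(r'^Found ([^:]+): (.+)$')
RUNNING = re.compile(r'^Detected running threat: (.+?) \(ID = \d+\)$')
TRACE = re.compile(r'^(.+?) \(ID = (\d+)\)$')

def triage(log_text):
    """Group every trace line under the most recent 'Found <category>: <name>' header."""
    threats = OrderedDict()   # name -> {'category', 'phase', 'traces', 'running'}
    blocked = Counter()       # host -> number of blocked connection attempts
    phase, current = 'pre-sweep', None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(2)
        p, b, f = PHASE.match(msg), BLOCKED.match(msg), FOUND.match(msg)
        if p:
            phase = p.group(1)
        elif b:
            blocked[b.group(1)] += 1
        elif f:
            current = f.group(2)
            threats[current] = {'category': f.group(1), 'phase': phase, 'traces': [], 'running': []}
        elif current is not None:
            r = RUNNING.match(msg)   # test before TRACE: running lines also end in (ID = n)
            t = TRACE.match(msg)
            if r:
                threats[current]['running'].append(r.group(1))
            elif t:
                threats[current]['traces'].append((t.group(1), int(t.group(2))))
    return threats, blocked

def loaded_in_memory(threats):
    """Findings whose component was seen in a live process: deleting the file alone will fail."""
    return [name for name, info in threats.items() if info['running']]

if __name__ == '__main__':
    found, hosts = triage(SESSION_LOG)
    for name, info in found.items():
        print('%-30s %-12s %-10s traces=%d running=%d' % (
            name, info['category'], info['phase'], len(info['traces']), len(info['running'])))
    for host, n in hosts.most_common():
        print('blocked %dx: %s' % (n, host))
    print('in memory:', loaded_in_memory(found))
```

Reading the thread's two logs side by side with this kind of summary is what makes the Look2Me behaviour visible: Spy Sweeper's look2me trace sat under the Syncmgr Notify key, and the later L2MFix find log shows Syncmgr with no DllName at all while ShellServiceObjectDelayLoad now carries a freshly written DLL, so a single clean sweep result is not the same as a clean machine.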