
DMVLite - Autosearch - etc

Discussion in 'Malware and Virus Removal Archive' started by pat396, 2005/03/21.

  1. 2005/03/21
    pat396

    pat396 Inactive Thread Starter

    Joined:
    2005/03/22
    Messages:
    23
    Likes Received:
    0
    Help...

    Have spent hours between Ad_aware, Spybot & McAfee trying to get this machine back from pop-up and slowness hell... In reading some of the posts I noticed people having similar problems; when I went to look at some of the instructions posted, the window goes crazy and gives me an "unable to display webpage" error. Here is the Hijack log, ANY help is appreciated.


    Logfile of HijackThis v1.99.0
    Scan saved at 10:03:56 PM, on 3/21/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Windows\System32\nvsvc32.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Windows\Cyb2k.exe
    C:\Windows\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Windows\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\naau.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\QUICKENW\QWDLLS.EXE
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\System32\svchost.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Emma\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wpst.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [C2K] C:\Windows\Cyb2k.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe "
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vmss] C:\Windows\system32\vmss\vmss.exe
    O4 - HKLM\..\Run: [KavSvc] C:\Windows\system32\vzzakr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Outlook\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c356.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\Windows\System32\nvsvc32.exe
     
  2. 2005/03/22
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Welcome to the forums pat396

    Set Windows to show hidden files, folders and file extensions.
    Click for instructions.

    Start Hijackthis and place a check next to ONLY these items,
    Close all browser windows and shut down all other programs that show in the taskbar. (even Folders) [WE do not mean stop the programs in the tray area near the clock]
    O4 - HKLM\..\Run: [vmss] C:\Windows\system32\vmss\vmss.exe
    O4 - HKLM\..\Run: [KavSvc] C:\Windows\system32\vzzakr.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - =http://static.windupdates.com/cab/C...bridge-c356.cab
    ====================================
    Hit fix checked and close Hijackthis.

    Restart the PC
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Find and delete (ONLY THESE EXACT) files and folders (if present)
    C:\WINDOWS\SYSTEM32\wsxsvc
    C:\WINDOWS\SYSTEM32\VMSS
    C:\Documents and Settings\All Users\Application Data\VMSS
    C:\Documents and Settings\All Users\Application Data\wsxsvc
    C:\Windows\system32\vzzakr.exe

    Any problems doing that ?
    =====================================
    Download L2mfix from one of these two locations:
    (Version 1.03 03/12/2004)
    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


    Also: go to Start > Run, type CMD and hit enter, then type CD\ and hit enter again.
    At the C:\> prompt type
    cd C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    and hit enter. Now type
    copy naau.exe C:\
    Hit enter once more, type exit and press enter. Zip up and send that file to me please. Send to filesubmitATnet-integration.net
    Replace AT with @ and include a link back to this thread.
    If you know how to put a password on it / encrypt it, do so; use "infected".
    More info if needed here http://forums.net-integration.net/index.php?act=ST&f=3&t=27243
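    The O1 "Hosts" lines in the log above are the "Autosearch" part of this thread's title: the hosts file has been edited so that the names Internet Explorer's search assistant looks up resolve to a public address instead of Microsoft's or Netscape's servers, and the O16 line points at an ActiveX installer from a download site the helper did not recognise. The following Python is an added example (not a HijackThis or WindowsBBS tool) that triages those two line types from HijackThis-style log text. The sample lines are constructed to mirror the log above; the search-assistant host list and the trusted-download allowlist are this example's own assumptions.

```python
"""Triage HijackThis-style O1 (hosts) and O16 (ActiveX download) lines.

Added example; not a HijackThis or WindowsBBS tool. The host lists below are
this example's own assumptions, not part of the original thread.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Names Internet Explorer's search assistant resolves; an O1 entry that points
# one of them anywhere but loopback is the "Autosearch" hijack (assumption).
SEARCH_ASSIST_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

# Constructed allowlist of download hosts a helper would normally accept for
# O16 ActiveX installs (assumption for this example, not a vendor list).
TRUSTED_DPF_HOSTS = {"download.mcafee.com", "bin.mcafee.com", "web1.shutterfly.com"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)$")
O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]+)\}(?: \(([^)]*)\))? - (\S+)$")


def hosts_hijacks(lines):
    """Return (hostname, ip, reason) for O1 lines that redirect name lookups."""
    hits = []
    for line in lines:
        m = O1_RE.match(line.strip())
        if not m:
            continue
        ip, name = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((name, ip, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries are the normal blocking idiom
        if name.lower() in SEARCH_ASSIST_HOSTS:
            hits.append((name, ip, "search assistant redirected"))
        elif addr.is_global:
            hits.append((name, ip, "redirect to a public address"))
    return hits


def untrusted_dpf(lines):
    """Return (clsid, description, host) for O16 installs from unlisted hosts."""
    hits = []
    for line in lines:
        m = O16_RE.match(line.strip())
        if not m:
            continue
        clsid, desc, url = m.groups()
        host = (urlsplit(url).hostname or "").lower()
        if host not in TRUSTED_DPF_HOSTS:
            hits.append((clsid, desc or "(no description)", host))
    return hits


# Constructed sample mirroring the O1/O16 lines in the log above.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ads.example.invalid
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c356.cab
""".strip().splitlines()

if __name__ == "__main__":
    for name, ip, why in hosts_hijacks(SAMPLE_LOG):
        print(f"O1  {name:<24} -> {ip:<15} {why}")
    for clsid, desc, host in untrusted_dpf(SAMPLE_LOG):
        print(f"O16 {{{clsid}}} {desc} from {host}")
```

    Loopback and unspecified addresses are skipped on purpose: a hosts file full of `127.0.0.1 ads.example` lines is a common ad-blocking setup, not a hijack, so the check fires only on a search-assistant name or on a redirect to a routable address.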
     

  4. 2005/03/22
    pat396 Inactive Thread Starter

    Logs & Reports

    Ok, I did as instructed and emailed everything, Thanks for the help, I'll keep my fingers crossed.
     
  5. 2005/03/22
    Lonny Jones Inactive Alumni

    Ok thanks. Post that report log from the L2Mfix tool. It's quite large at times; you might have to copy half into one post and the other in the next.
     
  6. 2005/03/22
    Lonny Jones Inactive Alumni

    L2MFIX find log 1.03
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
    "Asynchronous"=dword:00000000
    "DllName"=""
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\Windows\\system32\\guard.tmp"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{9A1EE039-61E9-2E9B-A5A1-A9890419B191}"=""

    **********************************************************************************
    (Edited)

    Shell Extension key:
    Windows Registry Editor Version 5.00

    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
    "{2A1A6C19-30BB-4787-9B33-362093A25759}"=""
    "{F2FCA3D9-8BAE-4FE3-9D0A-C3F3E296E3E6}"=""
    "{B81354C8-6EAD-4B66-853C-0B4063D55922}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{2A1A6C19-30BB-4787-9B33-362093A25759}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2A1A6C19-30BB-4787-9B33-362093A25759}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2A1A6C19-30BB-4787-9B33-362093A25759}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2A1A6C19-30BB-4787-9B33-362093A25759}\InprocServer32]
    @="C:\\Windows\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{F2FCA3D9-8BAE-4FE3-9D0A-C3F3E296E3E6}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F2FCA3D9-8BAE-4FE3-9D0A-C3F3E296E3E6}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F2FCA3D9-8BAE-4FE3-9D0A-C3F3E296E3E6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F2FCA3D9-8BAE-4FE3-9D0A-C3F3E296E3E6}\InprocServer32]
    @="C:\\Windows\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{B81354C8-6EAD-4B66-853C-0B4063D55922}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B81354C8-6EAD-4B66-853C-0B4063D55922}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B81354C8-6EAD-4B66-853C-0B4063D55922}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B81354C8-6EAD-4B66-853C-0B4063D55922}\InprocServer32]
    @="C:\\Windows\\system32\\muiavi32.dll"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    (Edited)

    153 items found: 153 files (39 H/S), 0 directories.
    Total of file sizes: 48,319,151 bytes 46.08 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 3C2F-3959

    Directory of C:\Windows\System32

    03/21/2005 08:15 PM <DIR> dllcache
    03/17/2005 08:49 PM 233,248 ltj0271mg.dll
    03/17/2005 08:41 PM 233,248 mv4ql9h51.dll
    03/17/2005 08:34 PM 233,248 gpp8l37u1.dll
    03/17/2005 08:26 PM 233,248 l2l6lc3s1f.dll
    03/17/2005 08:17 PM 233,248 i4600ejmehoa0.dll
    03/17/2005 08:03 PM 233,248 dnr4019qe.dll
    03/17/2005 07:59 PM 233,248 hr8s05l7e.dll
    03/17/2005 04:07 PM 233,248 cgbcatex.dll
    03/17/2005 09:40 AM 233,248 mv8ul9l91.dll
    03/16/2005 08:02 PM 233,248 icdkcs32.dll
    03/16/2005 08:02 PM 233,248 hletwiz.dll
    03/16/2005 07:02 PM 233,248 spftpub.dll
    03/16/2005 07:02 PM 233,248 sdrobj.dll
    03/16/2005 06:02 PM 233,248 BE2802040113.dll
    03/16/2005 06:02 PM 233,248 akwav.dll
    03/16/2005 06:01 PM 233,956 wanshfhc.dll
    03/16/2005 06:01 PM 235,532 o6pqlg7516.dll
    03/16/2005 05:51 PM 233,956 ktn0l75m1.dll
    03/16/2005 05:43 PM 235,059 kidru1.dll
    03/15/2005 06:35 PM 232,899 iZwfil.dll
    03/14/2005 10:34 PM 235,059 wmnshfhc.dll
    03/14/2005 09:47 PM 236,216 o048lahu1d48.dll
    03/14/2005 09:52 AM 233,417 nrtapi.dll
    03/13/2005 01:14 PM 233,417 wunsta.dll
    03/12/2005 05:08 PM 233,417 wy2help.dll
    03/12/2005 12:23 PM 233,417 cwcfg32.dll
    03/12/2005 12:15 PM 235,039 en6sl1j71.dll
    03/12/2005 10:07 AM 233,774 hrr2059oe.dll
    03/11/2005 02:36 AM 233,417 l66o0gj3e6o.dll
    03/10/2005 09:13 PM 233,479 lv0s09d7e.dll
    03/09/2005 10:18 PM 233,417 mloa.dll
    03/09/2005 08:42 PM 233,479 rEsmans.dll
    03/09/2005 07:14 PM 233,417 dsocx.dll
    03/09/2005 06:47 PM 235,421 gvi32.dll
    03/09/2005 06:11 PM 232,736 cGmocx.dll
    03/09/2005 05:59 PM 233,417 jmdw400.dll
    03/09/2005 05:33 PM 232,736 pGpnetsh.dll
    03/09/2005 04:39 PM 232,736 vmajet32.dll
    03/09/2005 04:39 PM 233,151 hrj4051qe.dll
    01/11/2005 09:10 AM 401,408 ??chost.exe
    07/04/2004 11:18 AM 512 LsyI62.fg8
    06/12/2004 02:38 PM 518 NuaK63H.i9q
    06/07/2004 02:52 PM 518 UbgrYPnp.exd
    06/06/2004 02:52 PM 518 IpvFme.017
    06/06/2004 02:52 PM 518 MliBY92.ze2
    06/05/2004 02:52 PM 518 WditZRpq.fye
    05/28/2004 04:59 PM 518 Bin9f.x88
    11/04/2002 08:04 PM <DIR> Microsoft
    47 File(s) 9,516,312 bytes
    2 Dir(s) 3,054,069,760 bytes free
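    Three things in the find log above carry the diagnosis: a Winlogon Notify subkey ("BITS") whose DllName is a `.tmp` file, COM CLSIDs whose InprocServer32 is that same `.tmp` file, and a run of randomly named `.dll` files in System32, all written within a few days and all within a few kilobytes of 233,248 bytes. The Python below is an added example (not part of L2Mfix or of this thread) that pulls those three signals out of a find log: a small parser for the Regedit 5.00 export text, two checks over the parsed keys, and a size-clustering pass over the `dir` listing. The sample registry text and directory listing are constructed to mirror the log above; the list of default Windows XP Notify packages and the 4 KB size tolerance are this example's own assumptions.

```python
"""Triage helpers for an L2Mfix-style find log. Added example, not part of
L2Mfix; the XP default package list and size tolerance are assumptions."""
import re
from datetime import datetime

# Winlogon Notify subkeys Windows XP registers by default (editor's list; an
# assumption for this example, extend it for other Windows versions).
XP_DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                     "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)$")


def parse_reg_export(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name, data = name.strip().strip('"'), data.strip()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
            keys[current][name] = data
    return keys


def suspicious_notify_packages(keys):
    """Flag Notify subkeys that are not XP defaults or whose DllName is not a .dll."""
    prefix = (NOTIFY_KEY + "\\").lower()
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        sub, dll = path[len(prefix):], values.get("DllName", "")
        reasons = []
        if sub.lower() not in XP_DEFAULT_NOTIFY:
            reasons.append("not a default XP notify package")
        if not dll.lower().endswith(".dll"):
            reasons.append("DllName is not a .dll")
        if reasons:
            hits.append((sub, dll, reasons))
    return hits


def suspicious_inproc_servers(keys):
    """Flag CLSIDs whose InprocServer32 path is not a .dll (e.g. a .tmp file)."""
    hits = []
    for path, values in keys.items():
        parts = path.split("\\")
        if len(parts) < 4 or parts[-1].lower() != "inprocserver32":
            continue
        server = values.get("@", "")
        if server and not server.lower().endswith(".dll"):
            hits.append((parts[2], server))
    return hits


def size_clusters(dir_listing, tolerance=4096, min_members=3):
    """Group .dll entries of a `dir` listing whose sizes lie within `tolerance`.

    One component dropped many times under random names shows up as a cluster
    of near-identical sizes; each member is (timestamp, size_bytes, name)."""
    files = []
    for line in dir_listing.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m or not m.group(4).lower().endswith(".dll"):
            continue
        date, clock, size, name = m.groups()
        stamp = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M %p")
        files.append((stamp, int(size.replace(",", "")), name))
    files.sort(key=lambda f: f[1])
    clusters, current = [], []
    for entry in files:
        if current and entry[1] - current[0][1] > tolerance:
            if len(current) >= min_members:
                clusters.append(current)
            current = []
        current.append(entry)
    if len(current) >= min_members:
        clusters.append(current)
    return clusters


# Constructed samples mirroring the find log above (regedit export + dir output).
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\Windows\\system32\\guard.tmp"

[HKEY_CLASSES_ROOT\CLSID\{2A1A6C19-30BB-4787-9B33-362093A25759}\InprocServer32]
@="C:\\Windows\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{B81354C8-6EAD-4B66-853C-0B4063D55922}\InprocServer32]
@="C:\\Windows\\system32\\muiavi32.dll"
"""
SAMPLE_DIR = """
 Directory of C:\\Windows\\System32

03/17/2005  08:49 PM           233,248 ltj0271mg.dll
03/17/2005  08:41 PM           233,248 mv4ql9h51.dll
03/16/2005  06:01 PM           235,532 o6pqlg7516.dll
03/15/2005  06:35 PM           232,899 iZwfil.dll
01/11/2005  09:10 AM           401,408 example_tool.exe
11/04/2002  08:04 PM    <DIR>          Microsoft
06/01/2004  10:00 AM         1,050,000 vendor_example.dll
"""

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    print("notify:", suspicious_notify_packages(keys))
    print("inproc:", suspicious_inproc_servers(keys))
    for cluster in size_clusters(SAMPLE_DIR):
        print("cluster:", [(f[2], f[1]) for f in cluster])
```

    The Notify check flags both the unknown subkey name and the non-`.dll` target separately, so a package that registers under a plausible name but loads a `.tmp` still fires; the CLSID check catches the same file a second way, which matters because either hook alone is enough to reload the component at logon. The size clustering is deliberately coarse (4 KB) because the 39 DLLs in the listing above vary between 232,736 and 236,216 bytes; tighten the tolerance when the cluster is cleaner.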
     
  7. 2005/03/22
    Lonny Jones Inactive Alumni

    Thanks :)

    Ok Next:

    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option 4 to Merge Winlogon Notify Defaults, Press enter, wait a few moments
    Now select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

    Note: once the PC has restarted, if a text file does not open, run Hijackthis and fix just this item
    O4 - HKLM\..\Run: [second] C:\Documents and Settings\(username)\second.bat
    Open the L2mfix folder and double-click the "second.bat" file;
    after Windows has completely restarted, if a text file doesn't open, look in the L2mfix folder for a log.txt file and post it back here in the next reply.
     
  8. 2005/03/23
    pat396 Inactive Thread Starter

    L2mfix log 3-23

    L2Mfix 1.03

    Running From:
    C:\Documents and Settings\Emma\Desktop\l2mfix



    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting registry permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Denying C(CI) access for predefined group "Administrators "
    - adding new ACCESS DENY entry


    Registry Permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (CI) DENY --C------- BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting up for Reboot


    Starting Reboot!

    C:\Documents and Settings\Emma\Desktop\l2mfix
    System Rebooted!

    Running From:
    C:\Documents and Settings\Emma\Desktop\l2mfix

    killing explorer and rundll32.exe

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1664 'explorer.exe'
    Killing PID 1664 'explorer.exe'
    Killing PID 1664 'explorer.exe'
    Killing PID 1664 'explorer.exe'
    Killing PID 1664 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Error, Cannot find a process with an image name of rundll32.exe

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    Backing Up: C:\Windows\system32\akwav.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\BE2802040113.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\cgbcatex.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\cGmocx.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\cwcfg32.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\dnr4019qe.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\dsocx.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\en6sl1j71.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\gpp8l37u1.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\gvi32.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\hletwiz.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\hr8s05l7e.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\hrj4051qe.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\hrr2059oe.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\i4600ejmehoa0.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\icdkcs32.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\iZwfil.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\jmdw400.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\kidru1.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\ktn0l75m1.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\l2l6lc3s1f.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\l66o0gj3e6o.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\ltj0271mg.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\lv0s09d7e.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\mloa.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\mv4ql9h51.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\mv8ul9l91.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\nrtapi.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\o048lahu1d48.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\o6pqlg7516.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\pGpnetsh.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\rEsmans.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\sdrobj.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\spftpub.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\vmajet32.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\wanshfhc.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\wmnshfhc.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\wunsta.dll
    1 file(s) copied.
    Backing Up: C:\Windows\system32\wy2help.dll
    1 file(s) copied.
    deleting: C:\Windows\system32\akwav.dll
    Successfully Deleted: C:\Windows\system32\akwav.dll
    deleting: C:\Windows\system32\BE2802040113.dll
    Successfully Deleted: C:\Windows\system32\BE2802040113.dll
    deleting: C:\Windows\system32\cgbcatex.dll
    Successfully Deleted: C:\Windows\system32\cgbcatex.dll
    deleting: C:\Windows\system32\cGmocx.dll
    Successfully Deleted: C:\Windows\system32\cGmocx.dll
    deleting: C:\Windows\system32\cwcfg32.dll
    Successfully Deleted: C:\Windows\system32\cwcfg32.dll
    deleting: C:\Windows\system32\dnr4019qe.dll
    Successfully Deleted: C:\Windows\system32\dnr4019qe.dll
    deleting: C:\Windows\system32\dsocx.dll
    Successfully Deleted: C:\Windows\system32\dsocx.dll
    deleting: C:\Windows\system32\en6sl1j71.dll
    Successfully Deleted: C:\Windows\system32\en6sl1j71.dll
    deleting: C:\Windows\system32\gpp8l37u1.dll
    Successfully Deleted: C:\Windows\system32\gpp8l37u1.dll
    deleting: C:\Windows\system32\gvi32.dll
    Successfully Deleted: C:\Windows\system32\gvi32.dll
    deleting: C:\Windows\system32\hletwiz.dll
    Successfully Deleted: C:\Windows\system32\hletwiz.dll
    deleting: C:\Windows\system32\hr8s05l7e.dll
    Successfully Deleted: C:\Windows\system32\hr8s05l7e.dll
    deleting: C:\Windows\system32\hrj4051qe.dll
    Successfully Deleted: C:\Windows\system32\hrj4051qe.dll
    deleting: C:\Windows\system32\hrr2059oe.dll
    Successfully Deleted: C:\Windows\system32\hrr2059oe.dll
    deleting: C:\Windows\system32\i4600ejmehoa0.dll
    Successfully Deleted: C:\Windows\system32\i4600ejmehoa0.dll
    deleting: C:\Windows\system32\icdkcs32.dll
    Successfully Deleted: C:\Windows\system32\icdkcs32.dll
    deleting: C:\Windows\system32\iZwfil.dll
    Successfully Deleted: C:\Windows\system32\iZwfil.dll
    deleting: C:\Windows\system32\jmdw400.dll
    Successfully Deleted: C:\Windows\system32\jmdw400.dll
    deleting: C:\Windows\system32\kidru1.dll
    Successfully Deleted: C:\Windows\system32\kidru1.dll
    deleting: C:\Windows\system32\ktn0l75m1.dll
    Successfully Deleted: C:\Windows\system32\ktn0l75m1.dll
    deleting: C:\Windows\system32\l2l6lc3s1f.dll
    Successfully Deleted: C:\Windows\system32\l2l6lc3s1f.dll
    deleting: C:\Windows\system32\l66o0gj3e6o.dll
    Successfully Deleted: C:\Windows\system32\l66o0gj3e6o.dll
    deleting: C:\Windows\system32\ltj0271mg.dll
    Successfully Deleted: C:\Windows\system32\ltj0271mg.dll
    deleting: C:\Windows\system32\lv0s09d7e.dll
    Successfully Deleted: C:\Windows\system32\lv0s09d7e.dll
    deleting: C:\Windows\system32\mloa.dll
    Successfully Deleted: C:\Windows\system32\mloa.dll
    deleting: C:\Windows\system32\mv4ql9h51.dll
    Successfully Deleted: C:\Windows\system32\mv4ql9h51.dll
    deleting: C:\Windows\system32\mv8ul9l91.dll
    Successfully Deleted: C:\Windows\system32\mv8ul9l91.dll
    deleting: C:\Windows\system32\nrtapi.dll
    Successfully Deleted: C:\Windows\system32\nrtapi.dll
    deleting: C:\Windows\system32\o048lahu1d48.dll
    Successfully Deleted: C:\Windows\system32\o048lahu1d48.dll
    deleting: C:\Windows\system32\o6pqlg7516.dll
    Successfully Deleted: C:\Windows\system32\o6pqlg7516.dll
    deleting: C:\Windows\system32\pGpnetsh.dll
    Successfully Deleted: C:\Windows\system32\pGpnetsh.dll
    deleting: C:\Windows\system32\rEsmans.dll
    Successfully Deleted: C:\Windows\system32\rEsmans.dll
    deleting: C:\Windows\system32\sdrobj.dll
    Successfully Deleted: C:\Windows\system32\sdrobj.dll
    deleting: C:\Windows\system32\spftpub.dll
    Successfully Deleted: C:\Windows\system32\spftpub.dll
    deleting: C:\Windows\system32\vmajet32.dll
    Successfully Deleted: C:\Windows\system32\vmajet32.dll
    deleting: C:\Windows\system32\wanshfhc.dll
    Successfully Deleted: C:\Windows\system32\wanshfhc.dll
    deleting: C:\Windows\system32\wmnshfhc.dll
    Successfully Deleted: C:\Windows\system32\wmnshfhc.dll
    deleting: C:\Windows\system32\wunsta.dll
    Successfully Deleted: C:\Windows\system32\wunsta.dll
    deleting: C:\Windows\system32\wy2help.dll
    Successfully Deleted: C:\Windows\system32\wy2help.dll


    Zipping up files for submission:
    adding: akwav.dll (164 bytes security) (deflated 4%)
    adding: BE2802040113.dll (164 bytes security) (deflated 4%)
    adding: cgbcatex.dll (164 bytes security) (deflated 4%)
    adding: cGmocx.dll (164 bytes security) (deflated 4%)
    adding: cwcfg32.dll (164 bytes security) (deflated 4%)
    adding: dnr4019qe.dll (164 bytes security) (deflated 4%)
    adding: dsocx.dll (164 bytes security) (deflated 4%)
    adding: en6sl1j71.dll (164 bytes security) (deflated 5%)
    adding: gpp8l37u1.dll (164 bytes security) (deflated 4%)
    adding: gvi32.dll (164 bytes security) (deflated 5%)
    adding: hletwiz.dll (164 bytes security) (deflated 4%)
    adding: hr8s05l7e.dll (164 bytes security) (deflated 4%)
    adding: hrj4051qe.dll (164 bytes security) (deflated 4%)
    adding: hrr2059oe.dll (164 bytes security) (deflated 5%)
    adding: i4600ejmehoa0.dll (164 bytes security) (deflated 4%)
    adding: icdkcs32.dll (164 bytes security) (deflated 4%)
    adding: iZwfil.dll (164 bytes security) (deflated 4%)
    adding: jmdw400.dll (164 bytes security) (deflated 4%)
    adding: kidru1.dll (164 bytes security) (deflated 5%)
    adding: ktn0l75m1.dll (164 bytes security) (deflated 5%)
    adding: l2l6lc3s1f.dll (164 bytes security) (deflated 4%)
    adding: l66o0gj3e6o.dll (164 bytes security) (deflated 4%)
    adding: ltj0271mg.dll (164 bytes security) (deflated 4%)
    adding: lv0s09d7e.dll (164 bytes security) (deflated 5%)
    adding: mloa.dll (164 bytes security) (deflated 4%)
    adding: mv4ql9h51.dll (164 bytes security) (deflated 4%)
    adding: mv8ul9l91.dll (164 bytes security) (deflated 4%)
    adding: nrtapi.dll (164 bytes security) (deflated 4%)
    adding: o048lahu1d48.dll (164 bytes security) (deflated 6%)
    adding: o6pqlg7516.dll (164 bytes security) (deflated 5%)
    adding: pGpnetsh.dll (164 bytes security) (deflated 4%)
    adding: rEsmans.dll (164 bytes security) (deflated 5%)
    adding: sdrobj.dll (164 bytes security) (deflated 4%)
    adding: spftpub.dll (164 bytes security) (deflated 4%)
    adding: vmajet32.dll (164 bytes security) (deflated 4%)
    adding: wanshfhc.dll (164 bytes security) (deflated 5%)
    adding: wmnshfhc.dll (164 bytes security) (deflated 5%)
    adding: wunsta.dll (164 bytes security) (deflated 4%)
    adding: wy2help.dll (164 bytes security) (deflated 4%)
    adding: clear.reg (164 bytes security) (deflated 46%)
    adding: echo.reg (164 bytes security) (deflated 8%)
    adding: direct.txt (164 bytes security) (stored 0%)
    adding: lo2.txt (164 bytes security) (deflated 86%)
    adding: readme.txt (164 bytes security) (deflated 49%)
    adding: report.txt (164 bytes security) (deflated 69%)
    adding: test.txt (164 bytes security) (deflated 82%)
    adding: test2.txt (164 bytes security) (deflated 27%)
    adding: test3.txt (164 bytes security) (deflated 27%)
    adding: test5.txt (164 bytes security) (deflated 27%)
    adding: xfind.txt (164 bytes security) (deflated 77%)
    adding: backregs/2A1A6C19-30BB-4787-9B33-362093A25759.reg (164 bytes security) (deflated 71%)
    adding: backregs/B81354C8-6EAD-4B66-853C-0B4063D55922.reg (164 bytes security) (deflated 71%)
    adding: backregs/F2FCA3D9-8BAE-4FE3-9D0A-C3F3E296E3E6.reg (164 bytes security) (deflated 71%)
    adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
    adding: backregs/shell.reg (164 bytes security) (deflated 74%)
     
  9. 2005/03/23
    pat396 Inactive Thread Starter

    L2mfix log part 2

    Restoring Registry Permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Revoking access for predefined group "Administrators "
    Inherited ACE can not be revoked here!
    Inherited ACE can not be revoked here!


    Registry permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER


    Restoring Sedebugprivilege:

    Granting SeDebugPrivilege to Administrators ... successful

    deleting local copy: akwav.dll
    deleting local copy: BE2802040113.dll
    deleting local copy: cgbcatex.dll
    deleting local copy: cGmocx.dll
    deleting local copy: cwcfg32.dll
    deleting local copy: dnr4019qe.dll
    deleting local copy: dsocx.dll
    deleting local copy: en6sl1j71.dll
    deleting local copy: gpp8l37u1.dll
    deleting local copy: gvi32.dll
    deleting local copy: hletwiz.dll
    deleting local copy: hr8s05l7e.dll
    deleting local copy: hrj4051qe.dll
    deleting local copy: hrr2059oe.dll
    deleting local copy: i4600ejmehoa0.dll
    deleting local copy: icdkcs32.dll
    deleting local copy: iZwfil.dll
    deleting local copy: jmdw400.dll
    deleting local copy: kidru1.dll
    deleting local copy: ktn0l75m1.dll
    deleting local copy: l2l6lc3s1f.dll
    deleting local copy: l66o0gj3e6o.dll
    deleting local copy: ltj0271mg.dll
    deleting local copy: lv0s09d7e.dll
    deleting local copy: mloa.dll
    deleting local copy: mv4ql9h51.dll
    deleting local copy: mv8ul9l91.dll
    deleting local copy: nrtapi.dll
    deleting local copy: o048lahu1d48.dll
    deleting local copy: o6pqlg7516.dll
    deleting local copy: pGpnetsh.dll
    deleting local copy: rEsmans.dll
    deleting local copy: sdrobj.dll
    deleting local copy: spftpub.dll
    deleting local copy: vmajet32.dll
    deleting local copy: wanshfhc.dll
    deleting local copy: wmnshfhc.dll
    deleting local copy: wunsta.dll
    deleting local copy: wy2help.dll

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
    "Asynchronous "=dword:00000000
    "DllName "= "C:\\Windows\\system32\\guard.tmp "
    "Impersonate "=dword:00000000
    "Logon "= "WinLogon "
    "Logoff "= "WinLogoff "
    "Shutdown "= "WinShutdown "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous "=dword:00000000
    "Impersonate "=dword:00000000
    "DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff "= "ChainWlxLogoffEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous "=dword:00000000
    "Impersonate "=dword:00000000
    "DllName "=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff "= "CryptnetWlxLogoffEvent "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName "= "cscdll.dll "
    "Logon "= "WinlogonLogonEvent "
    "Logoff "= "WinlogonLogoffEvent "
    "ScreenSaver "= "WinlogonScreenSaverEvent "
    "Startup "= "WinlogonStartupEvent "
    "Shutdown "= "WinlogonShutdownEvent "
    "StartShell "= "WinlogonStartShellEvent "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName "= "wlnotify.dll "
    "Logon "= "SCardStartCertProp "
    "Logoff "= "SCardStopCertProp "
    "Lock "= "SCardSuspendCertProp "
    "Unlock "= "SCardResumeCertProp "
    "Enabled "=dword:00000001
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous "=dword:00000000
    "DllName "=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate "=dword:00000000
    "StartShell "= "SchedStartShell "
    "Logoff "= "SchedEventLogOff "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff "= "WLEventLogoff "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000001
    "DllName "=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName "= "WlNotify.dll "
    "Lock "= "SensLockEvent "
    "Logon "= "SensLogonEvent "
    "Logoff "= "SensLogoffEvent "
    "Safe "=dword:00000001
    "MaxWait "=dword:00000258
    "StartScreenSaver "= "SensStartScreenSaverEvent "
    "StopScreenSaver "= "SensStopScreenSaverEvent "
    "Startup "= "SensStartupEvent "
    "Shutdown "= "SensShutdownEvent "
    "StartShell "= "SensStartShellEvent "
    "PostShell "= "SensPostShellEvent "
    "Disconnect "= "SensDisconnectEvent "
    "Reconnect "= "SensReconnectEvent "
    "Unlock "= "SensUnlockEvent "
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous "=dword:00000000
    "DllName "=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate "=dword:00000000
    "Logoff "= "TSEventLogoff "
    "Logon "= "TSEventLogon "
    "PostShell "= "TSEventPostShell "
    "Shutdown "= "TSEventShutdown "
    "StartShell "= "TSEventStartShell "
    "Startup "= "TSEventStartup "
    "MaxWait "=dword:00000258
    "Reconnect "= "TSEventReconnect "
    "Disconnect "= "TSEventDisconnect "

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName "= "wlnotify.dll "
    "Logon "= "RegisterTicketExpiredNotificationEvent "
    "Logoff "= "UnregisterTicketExpiredNotificationEvent "
    "Impersonate "=dword:00000001
    "Asynchronous "=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName "= "wzcdlg.dll "
    "Logon "= "WZCEventLogon "
    "Logoff "= "WZCEventLogoff "
    "Impersonate "=dword:00000000
    "Asynchronous "=dword:00000000


    The following are the files found:
    ****************************************************************************
    C:\Windows\system32\akwav.dll
    C:\Windows\system32\BE2802040113.dll
    C:\Windows\system32\cgbcatex.dll
    C:\Windows\system32\cGmocx.dll
    C:\Windows\system32\cwcfg32.dll
    C:\Windows\system32\dnr4019qe.dll
    C:\Windows\system32\dsocx.dll
    C:\Windows\system32\en6sl1j71.dll
    C:\Windows\system32\gpp8l37u1.dll
    C:\Windows\system32\gvi32.dll
    C:\Windows\system32\hletwiz.dll
    C:\Windows\system32\hr8s05l7e.dll
    C:\Windows\system32\hrj4051qe.dll
    C:\Windows\system32\hrr2059oe.dll
    C:\Windows\system32\i4600ejmehoa0.dll
    C:\Windows\system32\icdkcs32.dll
    C:\Windows\system32\iZwfil.dll
    C:\Windows\system32\jmdw400.dll
    C:\Windows\system32\kidru1.dll
    C:\Windows\system32\ktn0l75m1.dll
    C:\Windows\system32\l2l6lc3s1f.dll
    C:\Windows\system32\l66o0gj3e6o.dll
    C:\Windows\system32\ltj0271mg.dll
    C:\Windows\system32\lv0s09d7e.dll
    C:\Windows\system32\mloa.dll
    C:\Windows\system32\mv4ql9h51.dll
    C:\Windows\system32\mv8ul9l91.dll
    C:\Windows\system32\nrtapi.dll
    C:\Windows\system32\o048lahu1d48.dll
    C:\Windows\system32\o6pqlg7516.dll
    C:\Windows\system32\pGpnetsh.dll
    C:\Windows\system32\rEsmans.dll
    C:\Windows\system32\sdrobj.dll
    C:\Windows\system32\spftpub.dll
    C:\Windows\system32\vmajet32.dll
    C:\Windows\system32\wanshfhc.dll
    C:\Windows\system32\wmnshfhc.dll
    C:\Windows\system32\wunsta.dll
    C:\Windows\system32\wy2help.dll

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{2A1A6C19-30BB-4787-9B33-362093A25759} "=-
    "{F2FCA3D9-8BAE-4FE3-9D0A-C3F3E296E3E6} "=-
    "{B81354C8-6EAD-4B66-853C-0B4063D55922} "=-
    [-HKEY_CLASSES_ROOT\CLSID\{2A1A6C19-30BB-4787-9B33-362093A25759}]
    [-HKEY_CLASSES_ROOT\CLSID\{F2FCA3D9-8BAE-4FE3-9D0A-C3F3E296E3E6}]
    [-HKEY_CLASSES_ROOT\CLSID\{B81354C8-6EAD-4B66-853C-0B4063D55922}]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1 "=" "
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    ****************************************************************************
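The Winlogon\Notify export above is the part of this log worth understanding: winlogon.exe loads every DLL named under that key at logon, so a subkey such as BITS whose DllName points at a stray file like guard.tmp is a persistence foothold, while the stock entries are bare names of Windows notification packages, several stored as hex(2) (REG_EXPAND_SZ, UTF-16LE bytes). The Python below is an added example written for this thread; it is not part of L2mfix or of the post. It parses a regedit 5.00 export, decodes the hex(2) values, and flags DllName entries that fail a few heuristics. SAMPLE_EXPORT is a constructed, trimmed copy of the export above; KNOWN_DLLS and the heuristics in find_suspicious are assumptions built from the stock entries in this log and should be tuned for the Windows build at hand.

```python
"""Flag suspicious DllName values in a Winlogon\\Notify .reg export.

Added example for this thread; not part of L2mfix or the forum post.
Winlogon loads every DLL named under Notify at logon, so a DllName that is
not a stock notification package deserves a look.
"""
import re
from typing import Dict, List, Tuple

# Allow-list built from the stock XP entries visible in the export above.
# Assumption: extend it for other Windows builds before relying on it.
KNOWN_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "wzcdlg.dll",
}

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample: a trimmed copy of the export in the log above,
# including the BITS subkey whose DllName points at guard.tmp.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\Windows\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _join_continuations(text: str) -> List[str]:
    """Fold regedit's trailing-backslash line continuations into one line."""
    lines: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def decode_value(raw: str) -> str:
    """Turn one regedit value literal into a Python string."""
    raw = raw.strip()
    lowered = raw.lower()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: undo the \\ and \" escapes regedit writes
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if lowered.startswith("hex(2):") or lowered.startswith("hex(7):"):
        # REG_EXPAND_SZ / REG_MULTI_SZ: comma-separated bytes of UTF-16LE text
        data = bytes(int(h, 16) for h in raw.split(":", 1)[1].split(",") if h.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    if lowered.startswith("dword:"):
        return str(int(raw.split(":", 1)[1], 16))
    return raw  # other binary types are left as written


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] in the export to its {value name: decoded value}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = _VALUE_RE.match(line)
        if match and current is not None:
            keys[current][match.group(1)] = decode_value(match.group(2))
    return keys


def find_suspicious(keys: Dict[str, Dict[str, str]],
                    known=KNOWN_DLLS) -> List[Tuple[str, str, str]]:
    """Return (subkey, DllName, reasons) for every DllName that looks off.

    Heuristics (assumptions, not a signature): stock packages are bare .dll
    names resolved from system32 and appear on the allow-list.
    """
    hits: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        for name, value in values.items():
            if name.lower() != "dllname":
                continue
            base = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            reasons = []
            if not base.endswith(".dll"):
                reasons.append("not a .dll")
            if "\\" in value:
                reasons.append("explicit path rather than a bare system32 name")
            if base not in known:
                reasons.append("not on the allow-list")
            if reasons:
                hits.append((key.rsplit("\\", 1)[-1], value, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for subkey, dll, why in find_suspicious(parse_reg(SAMPLE_EXPORT)):
        print(f"{subkey}: {dll}  <- {why}")
```

Run against a real export (regedit's File > Export of the Notify key, saved as Unicode or ANSI and read as text), the only hit on the sample is BITS with guard.tmp, which is exactly the entry L2mfix had to deal with here; the stock hex(2) entries decode to ordinary names and pass.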
    
     
  10. 2005/03/23
    pat396 Inactive Thread Starter
    Hijack Log after L2mfix

    Logfile of HijackThis v1.99.0
    Scan saved at 10:06:13 PM, on 3/23/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Windows\System32\nvsvc32.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Windows\Cyb2k.exe
    C:\Windows\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Windows\system32\vzzakr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\System32\Imapi.exe
    C:\Windows\System32\svchost.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Windows\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\ctfmon.exe
    C:\Documents and Settings\Emma\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wpst.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [C2K] C:\Windows\Cyb2k.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe "
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KavSvc] C:\Windows\system32\vzzakr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Outlook\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\Windows\System32\nvsvc32.exe
     
  11. 2005/03/24
    Lonny Jones Inactive Alumni
    Hello
    Download this file to your desktop
    http://forums.net-integration.net/index.php?act=Attach&type=post&id=140027
    It's a zip, so it must first be unzipped/extracted. Open the folder, open the
    FindQoologic folder, then run the Find-Qoologic.bat file. When it is finished a text file will open; post that back here in your next reply. Then open the Find-L2m folder and run the Find-L2m.bat; post back with those results also.
     
  12. 2005/03/25
    pat396 Inactive Thread Starter
    FindQoologic Report

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    »»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

    * qoologic C:\Windows\System32\CUUIQG.DLL
    * urllogic C:\Windows\JNNRZ.DLL

    * ad-behNÿ¿wÿior.com C:\Windows\System32\ARROU.DLL
    * ad-behavior.com C:\Windows\System32\TYYERPR.DLL
    * ad-behavior.com C:\Windows\System32\BAAXMCM.EXE
    * ad-behNior.com C:\Windows\System32\VZZAKR.EXE
    * ad-behNior.com C:\Windows\System32\PUUGK.DAT

    »»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    * ad-behNior.com C:\docume~1\alluse~1\startm~1\programs\startup\NAAU.EXE

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

    ! REG.EXE VERSION 3.0

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fyysxg
    <NO NAME> REG_SZ {5e96732d-4e8f-422a-9d82-ec614ddb417e}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fyysxgxk
    <NO NAME> REG_SZ {006888f6-da26-4269-94fc-512704a24021}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    <NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    <NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    <NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
    <NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    <NO NAME> REG_SZ Start Menu Pin

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}

    »»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    "Find activesetup ", version1, launched at: 21:07
    Operating System: Windows XP SP2


    HKLM\Software\Microsoft\Active Setup\Installed Components\
    ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player "
    \StubPath = "C:\Windows\inf\unregmp2.exe /ShowWMP" [MS]
    ">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express "
    \StubPath = "C:\Windows\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
    "bcfe2b70-8f4f-46cc-9e4e-e9ed5c1e80c7\(Default)" = " "
    \StubPath = "C:\Windows\system32\baaxmcm.exe" [null data]
     
  13. 2005/03/25
    pat396 Inactive Thread Starter
    L2find report

    It looks like this is all of the text


    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    »»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»
     
  14. 2005/03/25
    Lonny Jones Inactive Alumni
    Hello

    Download the attached txt file, right click on it and rename it to
    pat396 reg file.REG

    We will use it a little further down.

    Please copy this to a text file for reference.

    Download Pocket Killbox ver 2.0.0.76
    Or from here
    http://www.downloads.subratam.org/KillBox.exe
    If you already have Killbox, ensure it's this version.
    >>Unzip<< the contents of KillBox.zip to a convenient location.
    Close all browsers and programs that show in the Windows taskbar.
    Start KillBox.exe.
    Place a check next to "Delete on Reboot".
    Copy then Paste (not type or browse) this file and path into the top "Full Path of File to Delete" box.

    C:\docume~1\alluse~1\startm~1\programs\startup\NAAU.EXE

    You will need to edit out the space in NA AU.EXE; our forum software does that.

    Click the "Delete File" button, which looks like a stop sign.
    Click "Yes" at the first prompt.
    Click "No" at the second.
    Repeat those same steps for each of these files, one at a time.

    C:\Windows\System32\CUUIQG.DLL
    C:\Windows\JNNRZ.DLL
    C:\Windows\System32\ARROU.DLL
    C:\Windows\System32\TYYERPR.DLL
    C:\Windows\System32\BAAXMCM.EXE
    C:\Windows\System32\VZZAKR.EXE
    C:\Windows\System32\PUUGK.DAT




    Exit Killbox
    Double click on pat396 reg file.REG and answer yes to the prompts

    Now restart your PC

    Post a fresh HijackThis log; be sure to mention any current problems.
     
  15. 2005/03/25
    pat396 Inactive Thread Starter
    still going...

    The KillBox program would not delete this file

    C:\Windows\System32\TYYERPR.DLL

    and I only received 1 prompt; it said backup & delete, and after I said yes, it just gave me an OK for file deleted.

    I now have a 180 search assistant icon in the tray near the clock, and a web search bob on my desktop that stays on top.

    I appreciate all of the help, what the heck do I have here? The Black Plague of malware?

    Here is the latest hijack log

    Logfile of HijackThis v1.99.0
    Scan saved at 10:17:26 PM, on 3/25/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Windows\Cyb2k.exe
    C:\Windows\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\windows\salm.exe
    C:\windows\system32\fudovg.exe
    C:\WINDOWS\wdskctl.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\ypkvaxmp.exe
    C:\Windows\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\windows\system32\packager.exe
    C:\Windows\System32\nvsvc32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
    C:\Windows\system32\vzzakr.exe
    C:\Documents and Settings\Emma\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wpst.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R3 - Default URLSearchHook is missing
    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\Windows\Pynix.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\Windows\systb.dll
    O2 - BHO: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\Windows\systb.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\Windows\system32\mscb.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\Windows\systb.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [C2K] C:\Windows\Cyb2k.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe "
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [salm] c:\windows\salm.exe
    O4 - HKLM\..\Run: [farmmext] C:\Windows\farmmext.exe
    O4 - HKLM\..\Run: [fudovg] c:\windows\system32\fudovg.exe
    O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\Windows\wupdt.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe "
    O4 - HKLM\..\Run: [ypkvaxmp] C:\WINDOWS\ypkvaxmp.exe
    O4 - HKLM\..\Run: [KavSvc] C:\Windows\system32\vzzakr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Outlook\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\Windows\systb.dll
    O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\Windows\systb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\Windows\System32\nvsvc32.exe
     
  16. 2005/03/25
    Lonny Jones Inactive Alumni
    Hi

    If you look back at the Killbox instructions, delete on reboot was suggested, not standard file kill.

    Run the find-qoologic tool again and post its log after using the PC for a few hours.

    Meanwhile, put in place a good hosts file
    http://www.mvps.org/winhelp2002/hosts.htm
    Basically, just replace the existing hosts file.
    If any problems, feel free to ask.
    The first one we took out, L2M, loads all sorts of other crap. It appears gone; this happens often, taking out one can allow others to surface. Stick with us :)
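On the hosts-file point: a hosts entry can only block or redirect. The MVPS file blocks by mapping known ad and tracking hostnames to a non-routable address (0.0.0.0 or 127.0.0.1), whereas the three O1 lines in the HijackThis log posted earlier send auto.search.msn.com, search.netscape.com and ieautosearch to 69.20.16.183, a routable public address, which is the hijack pattern. The Python below is an added example for this thread, not code from the thread or from the MVPS project: it parses a hosts file and reports every hostname whose target is neither loopback nor unspecified. SAMPLE_HOSTS is constructed for the example; it carries the three O1 redirects from the log plus blocking lines that use example.com names.

```python
"""Triage a Windows hosts file: blocking entries vs. redirects.

Added example for this thread; not part of the MVPS hosts project or of any
tool used in the thread. A line mapping a name to 0.0.0.0 or 127.0.0.1 can
only block; a line mapping it to a routable address sends the browser
somewhere else, which is what the O1 lines in the log show.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample: stock localhost lines, the three O1 redirects from the
# HijackThis log above, and two MVPS-style blocking lines (example.com names).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
0.0.0.0 ads.example.com        # blocking: nothing answers on 0.0.0.0
127.0.0.1 tracker.example.net  # older blocking style, also harmless
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) per data line, comments stripped."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names maps nothing
        entries.append((fields[0], fields[1:]))
    return entries


def classify_target(address: str) -> str:
    """Say what a hosts target does to the names mapped to it."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if ip.is_unspecified or ip.is_loopback:
        return "blocking"          # 0.0.0.0, 127.x, ::1: traffic goes nowhere
    if ip.is_private or ip.is_link_local:
        return "private-redirect"  # LAN override; legitimate on intranets
    return "public-redirect"       # the name now resolves to someone's server


def find_redirects(text: str) -> List[Tuple[str, str, str]]:
    """List (hostname, address, kind) for every mapping that is not a block."""
    hits: List[Tuple[str, str, str]] = []
    for address, names in parse_hosts(text):
        kind = classify_target(address)
        if kind == "blocking":
            continue
        for name in names:
            hits.append((name, address, kind))
    return hits


if __name__ == "__main__":
    for name, address, kind in find_redirects(SAMPLE_HOSTS):
        print(f"{name:28} -> {address:15} [{kind}]")
```

Point it at %SystemRoot%\system32\drivers\etc\hosts (read as text) after dropping in the MVPS file: the thousands of blocking lines classify as "blocking" and stay silent, so anything it does print is either a deliberate intranet override or a redirect that should not be there.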
     
  17. 2005/03/26
    pat396 Inactive Thread Starter
    Still going...thanks

    OK, here is the newest log.

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    »»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»


    * ad-behNÿ¿wÿior.com C:\Windows\System32\ARROU.DLL
    * ad-behavior.com C:\Windows\System32\TYYERPR.DLL
    * ad-behavior.com C:\Windows\System32\BAAXMCM.EXE
    * ad-behNior.com C:\Windows\System32\VZZAKR.EXE
    * ad-behNior.com C:\Windows\System32\PUUGK.DAT

    »»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    * ad-behNior.com C:\docume~1\alluse~1\startm~1\programs\startup\NAAU.EXE

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

    ! REG.EXE VERSION 3.0

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fyysxgxk
    <NO NAME> REG_SZ {da721bc0-cbad-4b77-9872-6295d5865a0b}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    <NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    <NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    <NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
    <NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    <NO NAME> REG_SZ Start Menu Pin

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}

    »»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    "Find activesetup ", version1, launched at: 10:25
    Operating System: Windows XP SP2


    HKLM\Software\Microsoft\Active Setup\Installed Components\
    "6d0d30f8-1479-4f49-9414-e7f3627d904a\(Default)" = " "
    \StubPath = "C:\Windows\system32\baaxmcm.exe" [null data]
    ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player "
    \StubPath = "C:\Windows\inf\unregmp2.exe /ShowWMP" [MS]
    ">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express "
    \StubPath = "C:\Windows\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
     
  18. 2005/03/27
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi pat396

    Download this attached file to your desktop (near the bottom of this post).

    Right-click on it, then rename it to winzip.zip.

    Close all programs that show in the Windows taskbar.
    Extract/unzip the files inside to root, meaning C:\
    Double-click on RunOnce.reg and answer yes to the prompt.

    Restart your PC; just before Windows loads, a DOS box will briefly appear.
    After Windows loads and you have returned, make and post fresh HijackThis and find-qoologic logs.
     
  19. 2005/03/27
    pat396

    pat396 Inactive Thread Starter

    Joined:
    2005/03/22
    Messages:
    23
    Likes Received:
    0
    the battle continues..

    Hi Lonny...Thanks again for the help. Here is the latest Hijack log and I will post a qoologic log in another reply. The download and extract worked fine, and it gave me the prompt. But I do not think I saw a DOS box when it restarted.

    Logfile of HijackThis v1.99.0
    Scan saved at 11:39:28 AM, on 3/27/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Windows\Cyb2k.exe
    C:\Windows\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Windows\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Windows\System32\nvsvc32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Windows\System32\svchost.exe
    C:\Documents and Settings\Emma\My Documents\HijackThis.exe
    C:\Windows\system32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wpst.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R3 - Default URLSearchHook is missing
    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\Windows\Pynix.dll (file missing)
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\Windows\systb.dll (file missing)
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [C2K] C:\Windows\Cyb2k.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe "
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [farmmext] C:\Windows\farmmext.exe
    O4 - HKLM\..\Run: [fudovg] c:\windows\system32\fudovg.exe
    O4 - HKLM\..\Run: [KavSvc] C:\Windows\system32\vzzakr.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\Windows\wupdt.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Outlook\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\Windows\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\Windows\System32\shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\Windows\System32\nvsvc32.exe
     
  20. 2005/03/27
    pat396

    pat396 Inactive Thread Starter

    Joined:
    2005/03/22
    Messages:
    23
    Likes Received:
    0
    Find Qoologic Log

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    »»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

    * urllogic C:\Windows\JNNRZ.DLL

    * ad-behNÿ¿wÿior.com C:\Windows\System32\ARROU.DLL
    * ad-behavior.com C:\Windows\System32\TYYERPR.DLL
    * ad-behavior.com C:\Windows\System32\BAAXMCM.EXE
    * ad-behNior.com C:\Windows\System32\VZZAKR.EXE
    * ad-behNior.com C:\Windows\System32\PUUGK.DAT

    »»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    * ad-behNior.com C:\docume~1\alluse~1\startm~1\programs\startup\NAAU.EXE

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

    ! REG.EXE VERSION 3.0

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fyysxgxk
    <NO NAME> REG_SZ {7e231d19-3926-4375-bc73-b066423ae494}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    <NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    <NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    <NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
    <NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    <NO NAME> REG_SZ Start Menu Pin

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}

    »»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    "Find activesetup ", version1, launched at: 11:43
    Operating System: Windows XP SP2


    HKLM\Software\Microsoft\Active Setup\Installed Components\
    "84c863a3-2818-4052-a6d2-11387f49349c\(Default)" = " "
    \StubPath = "C:\Windows\system32\baaxmcm.exe" [null data]
    ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player "
    \StubPath = "C:\Windows\inf\unregmp2.exe /ShowWMP" [MS]
    ">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express "
    \StubPath = "C:\Windows\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
     
  21. 2005/03/27
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello


    Run HijackThis, place a check next to these items, close all browsers, then hit Fix checked.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R3 - Default URLSearchHook is missing
    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\Windows\Pynix.dll (file missing)
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\Windows\systb.dll (file missing)
    O4 - HKLM\..\Run: [farmmext] C:\Windows\farmmext.exe
    O4 - HKLM\..\Run: [fudovg] c:\windows\system32\fudovg.exe
    O4 - HKLM\..\Run: [KavSvc] C:\Windows\system32\vzzakr.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\Windows\wupdt.exe
    Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    ======================================
    Restart your PC

    The narrator/qoologic tool has been changed a bit; delete the one you have, re-download and extract it, then run it again and post its text file please.
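The fix list above is built by reading the HijackThis log by hand: search settings that all point at the same site, BHO and toolbar entries whose file is gone, and Run entries that start unfamiliar programs from the Windows directories. The script below is an added example (written for this page, not part of HijackThis or of anything posted in the thread) that applies those same reading rules to log lines in the v1.99 format. The sample input is constructed from entry lines quoted in the thread; the allowlist of system-directory Run entries, the directories treated as sensitive and the "two or more settings on one host" threshold are assumptions of the example, and a hit means "look at this", not "this is malware".

```python
"""Triage helper for HijackThis v1.99 log lines: an added example, not part of HijackThis or this thread."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample input: entry lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wpst.com/
R3 - Default URLSearchHook is missing
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\Windows\Pynix.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [KavSvc] C:\Windows\system32\vzzakr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Win Server Updt] C:\Windows\wupdt.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\Windows\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in a loadable/runnable extension; quotes delimit paths with spaces.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|dat))\b', re.IGNORECASE)
URL_RE = re.compile(r" = (\S+)$")

# Assumptions for this example, not HijackThis rules: binaries that legitimately run from the
# system directories via the Run key, and the directories an unknown Run entry should not live in.
KNOWN_SYSTEM_RUN = {"ctfmon.exe", "nwiz.exe", "rundll32.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "O4"
    entry: str   # the entry text after "O4 - "
    reason: str  # why a reviewer should look at it


def parse(log_text):
    """Return (kind, body) for every R*/O* entry line; the header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def _host(body):
    """Host name of the URL an R-section setting points at, or None if the entry has no URL."""
    m = URL_RE.search(body)
    if not m:
        return None
    url = m.group(1)
    if "://" not in url:          # SearchURL entries omit the scheme
        url = "http://" + url
    return urlparse(url).hostname


def search_hosts(entries):
    """Count how many R-section settings point at each host; a hijacker sets many at once."""
    counts = Counter()
    for kind, body in entries:
        if kind.startswith("R"):
            host = _host(body)
            if host:
                counts[host] += 1
    return counts


def review(log_text):
    """Apply the triage rules and return the entries worth a second look, in log order."""
    entries = parse(log_text)
    hosts = search_hosts(entries)
    findings = []
    for kind, body in entries:
        if kind.startswith("R"):
            host = _host(body)
            if host and hosts[host] >= 2:
                findings.append(Finding(kind, body, f"{host} is set in {hosts[host]} search/start settings"))
            elif host is None and body.endswith("is missing"):
                findings.append(Finding(kind, body, "a default setting is missing"))
        elif "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(kind, body, "dangling entry: the target file no longer exists"))
        elif kind == "O4":
            pm = PATH_RE.search(body)
            if pm:
                directory, _, name = pm.group(1).lower().rpartition("\\")
                if directory in SYSTEM_DIRS and name not in KNOWN_SYSTEM_RUN:
                    findings.append(Finding(kind, body, f"unrecognised program {name} started from {directory}"))
        elif kind == "O23" and " - Unknown - " in body:
            findings.append(Finding(kind, body, "service with no vendor information"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.entry}")
```

Run against the sample it reports the two drsnsrch.com search settings, the missing URLSearchHook, the Pynix BHO and nameless toolbar, and the two Run entries in the Windows directories, while leaving the QuickTime entry and the NVIDIA service alone; that matches the list the helper asked to have fixed. Extending the allowlist is the main tuning knob, since a clean machine will have a few legitimate Run entries in the system directories.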
     