# Solved: Trojan attacks



## Shamou

Symantec just sent me the following info:

Source: C:\WINDOWS\system32\ssqrp.dll 
Click for more information about this risk : Download.Trojan 
Action taken: Automatically deleted

Can anyone tell me in plain English what this means?

I have had at least three such attacks in the past three weeks.

Shamou


----------



## D_Trojanator

I'll try and make this as easy to understand as possible!

Basically Norton (your anti-virus) has found a trojan on your system (computer) and has deleted it. This trojan may have got there as you have downloaded something dodgy or your settings aren't secure enough...

The trojan should have gone but as a precaution we should do this:

*Click here* to download HJTsetup.exe
Save *HJTsetup.exe* to your desktop.

Double click on the *HJTsetup.exe* icon on your desktop.
By default it will install to *C:\Program Files\Hijack This*.
Continue to click *Next* in the setup dialogue boxes until you get to the "*Select Additional Tasks*" dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch *Hijack This*.
Click on the *"Do a system scan and save a log file"* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "*Edit* > *Select All*" then click on "*Edit* > *Copy*" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.*

David


----------



## Shamou

Thank you for the info. I just ran the Spy Sweeper and it only found and deleted some harmless cookies. Do you think I should still follow the procedure that you indicated?
Shamou
PS: Shamou was a famous bulldog (and an English bulldog at that!)


----------



## Cheeseball81

I would. It sounds a lot like Vundo.


----------



## Shamou

Logfile of HijackThis v1.99.1
Scan saved at 20:54:37, on 2005-10-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\mlljj.dll (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

There you go... I hope I did this right...
Shamou


----------



## Cheeseball81

*Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection* as it will interfere with the changes we are trying to make.

Open MS Anti-Spyware and click on Options>Settings.
Click on "Realtime Protection" in the left pane.
Remove the check by these:
Enable the Microsoft Security Agents on startup. (recommended)
Enable real-time spyware threat protection. (recommended)
Click "Save".
Now right click the MS Anti-spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware".
You should re-enable these when we are finished here.

You'll also need to *disable SpySweeper's realtime protection* while we run these fixes.

Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.

You can re-enable these when we are finished here.

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

*O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\mlljj.dll (file missing)*

*O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll (file missing)*

Boot into *Safe Mode* (start tapping the *F8* key at Startup, before the Windows logo screen)

Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type *%temp%* in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

Reboot, post a new log.
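As an added illustration (not part of this thread, and not code from HijackThis or any other tool named here), the Python below runs a defender's triage over HijackThis log lines and flags the two kinds of entry Cheeseball81 asks to fix: a BHO (O2) or Winlogon Notify handler (O20) whose DLL is reported "(file missing)", an O20 subkey outside a known-good baseline, and one DLL registered under both O2 and O20. The baseline set is an assumption taken from the VX2Finder output posted later in this thread, and the sample lines are copied from Shamou's first log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Winlogon Notify subkeys that the VX2Finder log in this thread shows on the
# cleaned machine, used here as a known-good baseline (an assumption for this
# example, not a Microsoft-published list). Compared case-insensitively.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "igfxcui", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wrnotifier",
}

# "O2 - BHO: ..." / "O20 - Winlogon Notify: ..." / "R1 - ..." prefix.
ENTRY_RE = re.compile(r"^(?P<kind>O\d+|R\d)\s+-\s+(?P<body>.*)$")
BHO_RE = re.compile(
    r"^BHO:\s*(?P<name>.*?)\s+-\s+\{(?P<clsid>[0-9A-Fa-f-]+)\}\s+-\s+"
    r"(?P<path>.*?)(?P<missing>\s+\(file missing\))?$"
)
NOTIFY_RE = re.compile(
    r"^Winlogon Notify:\s*(?P<key>\S+)\s+-\s+(?P<path>.*?)"
    r"(?P<missing>\s+\(file missing\))?$"
)

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\mlljj.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


@dataclass
class Finding:
    line: str                 # the offending log line, or a DLL basename
    reasons: list = field(default_factory=list)


def dll_name(path):
    """Basename of a Windows path, lower-cased, so system32 and SYSTEM32 compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Return Findings for suspicious O2/O20 entries among HijackThis log lines."""
    findings = []
    seen = defaultdict(set)   # dll basename -> set of sections it appears in
    for raw in lines:
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue          # process list, blank lines, headers
        kind, body = m.group("kind"), m.group("body")
        if kind == "O2":
            b = BHO_RE.match(body)
            if not b:
                continue
            seen[dll_name(b.group("path"))].add("O2")
            if b.group("missing"):
                findings.append(Finding(line, [
                    "BHO still registered but its DLL is gone: the CLSID "
                    "registration outlived the file the anti-virus deleted"]))
        elif kind == "O20":
            n = NOTIFY_RE.match(body)
            if not n:
                continue
            seen[dll_name(n.group("path"))].add("O20")
            reasons = []
            if n.group("missing"):
                reasons.append("Winlogon Notify handler whose DLL is missing")
            if n.group("key").lower() not in KNOWN_NOTIFY:
                reasons.append(f"Winlogon Notify subkey '{n.group('key')}' "
                               "is not in the known-good baseline")
            if reasons:
                findings.append(Finding(line, reasons))
    # One DLL loaded both as a BHO and as a Winlogon Notify handler: the pairing
    # the mlljj.dll entries in this thread show, which Cheeseball81 read as Vundo.
    for dll, kinds in seen.items():
        if {"O2", "O20"} <= kinds:
            findings.append(Finding(dll, [
                "same DLL registered as both BHO (O2) and Winlogon Notify (O20)"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```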


----------



## D_Trojanator

Thanks Cheeseball!


----------



## Cheeseball81

:up:


----------



## Shamou

My Windows Firewall keeps on being turned off even though I ask in the window reserved for our preferences that it should be turned on. Can anyone tell me why that is?
Shamou


----------



## brendandonhu

Run an Online Virus Scan and post the results.

Download and run HijackThis and click *Do a system scan and save a log file*.
Post the log here.


----------



## Cookiegal

As these problems are most likely interrelated, I've merged both of your threads together. Please continue replying in this one.


----------



## Shamou

I finally worked up the courage to try the procedure indicated by Cheeseball81.
Things went well until I tried to find the first two items that had to be "fix checked", but I could not find them. I was able to find "*O20 - Winlogon Notify: mlljj - C:\WINDOWS\system32\mlljj.dll (file missing)*". But when I tried to go into safe mode, that is when things got really messed up. I was able to reboot into normal mode. I re-activated MS Anti-Spyware OK. After that I tried to re-activate Spy Sweeper but I could not recall what I had unchecked, so I re-activated everything.

Then I ran another scan on the Hijack program and here is what it gave me:
Logfile of HijackThis v1.99.1
Scan saved at 17:43:51, on 2005-10-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

My PC seems to be working OK. But I sure don't know if I've fixed anything.
Sorry folks if I'm such an amateur... I'm trying to learn... but I've got ways to go 

Shamou


----------



## Cheeseball81

Looks clean 

How's the firewall issue now?


----------



## Shamou

The Firewall was off again but I don't think I checked it after I did the HiJack procedure. However, I had done a Spy Sweeper scan before and for the first time I had no cookies. Usually, every time I scanned with Spy Sweeper, I always had from 15 to 20 cookies. I will keep on monitoring the Firewall and keep you posted. Thank you for the help. You are super!!!
Shamou


----------



## Cheeseball81

You're welcome 

When you're ready, you can mark your thread "Solved" from the *Thread Tools* drop down menu.


----------



## Shamou

Will do. But right now the NY Rangers are beating the "S" out of the Montreal Canadiens 3 to 0. It is a sad day for us "Frenchies."
Thank you. Cheeseball81 est l'homme de l'heure. (Translation - Cheeseball81 is the main man.) :up:
Shamou


----------



## Cheeseball81

How can we translate Cheeseball81 is the main woman?


----------



## Shamou

Cheeseball81 said:


> How can we translate Cheeseball81 is the main woman?


Madame, vous êtes la femme de l'heure!!! (Translation - Madame, you are the woman of the hour!!!) And that ain't whistling Dixie
Shamou


----------



## Cheeseball81




----------



## Shamou

Good night... bonne nuit... have sweet dreams... fais de bons rêves  
Shamou


----------



## Cheeseball81

Goodnight


----------



## Shamou

This morning, again, the Firewall was turned off without my asking it to do so. It seems that it does that only when the PC is closed for a long time (like all night.) If I just do a restart the Firewall stays on.

Also, this morning I looked in the "Always Keep" Options of Spy Sweeper and I noticed that it included "*AD* virtumonde" and "*AD* winantispyware 2005". Should I ask Spy Sweeper to remove these two? (I also noticed that these two were also in the "Always Remove" section.)
Shamou


----------



## Cheeseball81

Please post a new Hijack This log.


----------



## Shamou

You are the most patient person I know. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 14:57:26, on 2005-10-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Shamou


----------



## Cookiegal

Bonjour Shamou!

Bonjour Fromage!

If you guys don't mind, I'd like to check to see if there are still some remnants left. Please do this:

Click here: http://forums.techguy.org/attachment.php?attachmentid=46183 to download Find It NT-2K-XP.zip.

Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

Download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.


----------



## Cheeseball81

Go for it Cookie!


----------



## Shamou

I don't even know how to (Unzip it and double-click on Find.bat to run it)
Man, what a greenhorn I am  
Shamou


----------



## Shamou

I finally found the procedure to Unzip a file. But now when I click on http://forum.techguy.org/attachmen. achmentid=46183 Find It NT-2K-XP.zip it simply freezes on me. 
I had clicked on the "save" button previously and downloaded it but subsequently deleted it. Maybe, we cannot download that file after having downloaded it and deleted it???
Shamou


----------



## Cookiegal

Here is the link for VX2Finder, which I didn't give you before. Please do that part and post the log it creates.

http://www.downloads.subratam.org/VX2Finder.exe

As for the find.bat, you should click on save and save it to your desktop. Then unzip it and follow the rest of the instructions. Try this again please.


----------



## Cheeseball81

Link?


----------



## Cookiegal

Cheeseball81 said:


> Link?


Yeah, it's there, can't you see it?


----------



## Cheeseball81

Yes after you edited it!


----------



## Cookiegal




----------



## Shamou

Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
WRNotifier


Guardian Key--- is called: 

Guardian Key--- : 

User Agent String---
SV1 

Hope I did this correctly. Will keep on working on the Unzip file.
Just love you  
Shamou


----------



## Cookiegal

Yes, that looks fine and I doubt the find.bat will turn up anything.

I notice that you have two anti-virus programs, Norton and Avast. You need to remove one of them as they could be causing a conflict.

When you go into the Security Center does it say that there is no firewall on at all?

There is a firewall in NIS and when using that, the XP firewall should be turned off.


----------



## Shamou

Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Raymond\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is ACB1-EA56

Directory of C:\WINDOWS\System32

2005-10-16 14:47 348 413 jjllm.ini2
2005-10-16 14:33 347 349 jjllm.bak2
2005-10-08 16:15 338 386 jjllm.tmp
2005-10-08 13:39 338 106 jjllm.ini
2005-06-30 19:28 DLLCACHE
2005-05-02 07:17 Microsoft
4 File(s) 1 372 254 bytes
2 Dir(s) 69 056 880 640 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is ACB1-EA56

Directory of C:\WINDOWS\System32

2005-10-16 14:47 348 413 jjllm.ini2
2005-10-16 14:33 347 349 jjllm.bak2
2005-10-08 16:15 338 386 jjllm.tmp
2005-10-08 13:39 338 106 jjllm.ini
2005-06-30 19:28 DLLCACHE
2004-08-10 13:03 488 logonui.exe.manifest
2004-08-10 13:03 488 WindowsLogon.manifest
2004-08-10 13:02 749 nwc.cpl.manifest
2004-08-10 13:02 749 sapi.cpl.manifest
2004-08-10 13:02 749 ncpa.cpl.manifest
2004-08-10 13:02 749 cdplayer.exe.manifest
2004-08-10 13:02 749 wuaucpl.cpl.manifest
11 File(s) 1 376 975 bytes
1 Dir(s) 69 056 876 544 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is ACB1-EA56

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is ACB1-EA56

Directory of C:\WINDOWS\System32

2005-10-08 16:15 338 386 jjllm.tmp
2004-08-04 05:00 2 577 CONFIG.TMP
2 File(s) 340 963 bytes
0 Dir(s) 69 056 872 448 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
jjllm.ini Sat Oct 8 2005 1:39:20p A.SH. 338,106 330.18 K
jjllm.tmp Sat Oct 8 2005 4:15:16p A.SH. 338,386 330.45 K
jjllm~1.bak Sun Oct 16 2005 2:33:38p A.SH. 347,349 339.21 K
jjllm~1.ini Sun Oct 16 2005 2:47:38p A.SH. 348,413 340.25 K

4 items found: 4 files, 0 directories.
Total of file sizes: 1,372,254 bytes 1.31 M

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack)
C:\WINDOWS\SYSTEM32\MRT.exe: (AsPack2k)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 1.00b)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.1)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.12)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.11)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.000)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.001)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.11x)
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack2000
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.61
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.084
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.083
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.07b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.05b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.02
C:\WINDOWS\SYSTEM32\MRT.exe: ASPACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\NTDLL.DLL: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

I just briefly read your last message. I just wanted to send you this.. then I'll see what you had to say.
Shamou
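An added example, not code from the thread or from the Find It / VX2Finder tools: a small Python parser for the REGEDIT4 "Keys Under Notify" section that both Shamou's VX2Finder log and the Find.bat output above print. It decodes the `hex(2)` DllName values (the crypt32chain entry is stored as bytes rather than as a quoted string), lists which DLL each Winlogon Notify package loads, and marks anything outside a baseline for a human to look at. The `SAMPLE_EXPORT` excerpt, the `BASELINE` set of stock Windows XP packages and the function names are assumptions made for this example.

```python
"""Parse the REGEDIT4 "Keys Under Notify" export that Find.bat and VX2Finder
print, decode each package's DllName, and compare against a baseline of the
Notify packages that ship with Windows XP."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the same REGEDIT4 layout as the thread's Find.bat output:
# two Windows packages (one with DllName stored as hex(2)) and one third-party one.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Logon"="WRLogon"
'''

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")

# Assumption: the Notify packages present on a stock Windows XP install, keyed by
# lower-cased subkey name. Anything else (vendor hooks, unknown DLLs) is "review",
# which is not a malware verdict, just the short list a human should look at.
BASELINE: Dict[str, str] = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def decode_reg_value(raw: str) -> str:
    """Turn the right-hand side of a REGEDIT4 value line into text.
    Quoted strings have backslash escapes removed; dword: becomes a decimal string;
    hex(2): (REG_EXPAND_SZ) is comma-separated ANSI bytes ending in a NUL. (The newer
    'Windows Registry Editor Version 5.00' format stores hex(2) as UTF-16LE instead.)"""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw, re.IGNORECASE)
    if m:
        data = bytes.fromhex(re.sub(r"[,\s]", "", m.group(1)))
        return data.rstrip(b"\x00").decode("latin-1")
    return raw


def parse_regedit4(export: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 export into {key path: {value name: decoded text}}.
    Lines ending in a backslash are continuations of a hex value and are joined."""
    joined = re.sub(r"\\\r?\n\s*", "", export)
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in joined.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
        elif current is not None and line.startswith("@="):
            keys[current]["@"] = decode_reg_value(line[2:])   # default value
        elif current is not None:
            vm = VALUE_RE.match(line)
            if vm:
                keys[current][vm.group(1)] = decode_reg_value(vm.group(2))
    return keys


def notify_packages(export: str) -> Dict[str, str]:
    """Map each Winlogon\\Notify subkey name to the DLL it loads. The value is
    spelled DllName or DLLName depending on who created it, so match case-insensitively."""
    out: Dict[str, str] = {}
    for path, values in parse_regedit4(export).items():
        if not path.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        name = path[len(NOTIFY_PREFIX):]
        out[name] = next((v for k, v in values.items() if k.lower() == "dllname"), "")
    return out


def review_notify(export: str, baseline: Dict[str, str] = BASELINE) -> List[Tuple[str, str, str]]:
    """Return (package, dll, status) rows: 'baseline' when name and DLL match the
    known set, 'changed-dll' when a known name now points elsewhere, else 'review'."""
    rows = []
    for name, dll in sorted(notify_packages(export).items(), key=lambda kv: kv[0].lower()):
        expected = baseline.get(name.lower())
        if expected is None:
            status = "review"
        elif expected.lower() == dll.lower():
            status = "baseline"
        else:
            status = "changed-dll"
        rows.append((name, dll, status))
    return rows


if __name__ == "__main__":
    for package, dll, status in review_notify(SAMPLE_EXPORT):
        print(f"{status:12} {package:14} {dll}")
```

Run against the sample it reports crypt32chain and cscdll as baseline and WRNotifier (Webroot's Spy Sweeper hook, a legitimate third-party entry on this machine) as "review"; the point of the baseline check is that a known package name pointing at an unexpected DLL shows up as "changed-dll", which is the case worth chasing rather than the vendor hooks.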


----------



## Shamou

That could be it. As you say "There is a firewall in NIS and when using that, the XP firewall should be turned off." Maybe it's my NIS that is turning off the "Window Firewall."
When I boot my PC, Avast tells me that some part of Avast is not compatible with NIS and it will turn off. 
You should change your name from Cookiegal to Mother Theresa and I'll change mine from Shamou to DumbBunny  But I'm learning a lot of stuff and I'm most thankful to you and "Fromage" as you say. Thank you sooo much.
Shamou


----------



## Cookiegal

Does the Security Center show that a (not necessarily Windows) firewall is running?

Please run this tool:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html

*Click Here* and download Killbox and save it to your desktop but don't run it yet.

Now boot to safe mode.

 *How to restart to safe mode*

Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*
C:\WINDOWS\System32\jjllm.ini2

C:\WINDOWS\System32\jjllm.bak2

C:\WINDOWS\System32\jjllm.tmp

C:\WINDOWS\System32\jjllm.ini
*

*Note: * It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.
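Cookiegal picked the four jjllm files out of the Find.bat listing by eye: hidden+system attributes (`A.SH.`), the same five-letter stem, recent dates, all in System32. An added example, not code from the thread or from the Find It tool, that applies the same heuristic to the "Locate.com Results" rows in Python. The `SAMPLE_LISTING` rows are constructed (the jjllm rows mirror the thread, the last two are made-up ordinary files), and the attribute-column layout and the `KNOWN_STEMS` allowlist are assumptions for the example.

```python
"""Triage a Locate.com-style listing (the "Locate.com Results" section of the
thread's Find.bat output) for hidden+system files in System32 that share an
unfamiliar stem, the pattern behind the four jjllm files."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample in the thread's layout: name, weekday/date, time, attribute
# flags, size in bytes, size in K. The jjllm rows mirror the thread; the last two
# rows are made-up ordinary files so the filter has something to leave alone.
SAMPLE_LISTING = """C:\\WINDOWS\\SYSTEM32\\
jjllm.ini Sat Oct 8 2005 1:39:20p A.SH. 338,106 330.18 K
jjllm.tmp Sat Oct 8 2005 4:15:16p A.SH. 338,386 330.45 K
jjllm~1.bak Sun Oct 16 2005 2:33:38p A.SH. 347,349 339.21 K
jjllm~1.ini Sun Oct 16 2005 2:47:38p A.SH. 348,413 340.25 K
logonui.exe.manifest Tue Aug 10 2004 1:03:00p A..H. 488 0.48 K
CONFIG.TMP Wed Aug 4 2004 5:00:00a A.... 2,577 2.52 K

6 items found: 6 files, 0 directories.
"""

# Assumption: the five-character flag field holds one letter per attribute
# (A archive, R read-only, S system, H hidden, plus one more) with '.' for unset.
LINE_RE = re.compile(
    r"^(\S+)\s+(\w{3} \w{3} \d{1,2} \d{4})\s+\d{1,2}:\d{2}:\d{2}[ap]\s+"
    r"([A-Z.]{5})\s+([\d,]+)\s+")

# Assumption: stems of hidden/system files you expect in System32 on your build;
# anything listed here is never reported.
KNOWN_STEMS = {"config", "logonui", "windowslogon"}


class Entry(NamedTuple):
    name: str
    date: str
    attrs: str
    size: int
    hidden: bool
    system: bool


def parse_listing(text: str) -> List[Entry]:
    """Parse file rows; directory headers and summary lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, date, attrs, size = m.groups()
        entries.append(Entry(name, date, attrs, int(size.replace(",", "")),
                             hidden="H" in attrs, system="S" in attrs))
    return entries


def stem_of(name: str) -> str:
    """'jjllm~1.ini' and 'jjllm.tmp' both reduce to 'jjllm' (8.3 suffix and extension dropped)."""
    return re.match(r"^[^.~]*", name).group(0).lower()


def suspicious_groups(text: str, known=KNOWN_STEMS, min_files: int = 2) -> Dict[str, List[str]]:
    """Group hidden+system files by stem and return stems with at least min_files
    members that are not on the known list. This is a review list, not a verdict:
    confirm each hit (publisher, dates, what the AV flagged) before deleting anything."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in parse_listing(text):
        if e.hidden and e.system and stem_of(e.name) not in known:
            groups[stem_of(e.name)].append(e.name)
    return {s: sorted(n) for s, n in groups.items() if len(n) >= min_files}


if __name__ == "__main__":
    for stem, names in suspicious_groups(SAMPLE_LISTING).items():
        print(stem, "->", ", ".join(names))
```

On the sample this returns the single `jjllm` group with its four files and leaves the hidden-only manifest and the plain CONFIG.TMP alone, which matches the set Cookiegal put into Killbox.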


----------



## Shamou

Thank you. I will run the procedure you indicated as soon as I find the nerve to do it (maybe tonight.) For some reason, running into Safe mode scares me silly  The first time I ever tried it, I got stuck with a black screen with nothing on it but, as I recall, the words "Safe mode" written on each side at the bottom of the screen. Took me a whole afternoon to get out of that. 

However, I know that if I want to learn something, I have to walk out of the beaten path. So I'll do it.

Have a good day... and see you soon.
Shamou


----------



## Cookiegal

If that should happen then do this:

When you come to the point where the black screen appears and the text "safe mode" is displayed in the corners, open the Task Manager (Ctrl+Alt+Del) and find "explorer.exe". Click on it in the list and click "Terminate". This will probably take several minutes.
Once Explorer is terminated, navigating with the mouse will be easy, however you will have a desktop without icons.

Now, remember where you installed the "VundoFix" . Open the Task Manager again, and click "File>Run" in the toolbar. Type in the filepath to the VundoFix in the scrollbar and hit enter.
The default location of the VundoFix is here :
C:\Documents and Settings\YOUR USERNAME\Desktop\VundoFix\KillVundo.bat . Replace "your username" with your actual one.
Then click "ok" and if everything works as planned, you will now be able to run the VundoFix and go on with the procedure I already posted.

Since you can't navigate via Explorer during this operation, it's important that you print those instructions, both the ones here and the entire cleaning procedure for the Vundo.


----------



## Shamou

Hello Cookiegal

When you say change your user name in: (C:\Documents and Settings\YOUR USERNAME\Desktop\VundoFix\KillVundo.bat ) do you mean my computer's name which happens to be Raymond or my actual name?  

Shamou


----------



## Cookiegal

It means the name of your user profile when you log on to the computer.


----------



## Shamou

Cookiegal said:


> Does the Security Center show that a (not necessarily Windows) firewall is running?
> 
> Please run this tool:
> 
> http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
> 
> *Click Here* and download Killbox and save it to your desktop but don't run it yet.
> 
> Now boot to safe mode.
> 
> *How to restart to safe mode*
> 
> Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.
> 
> *
> C:\WINDOWS\System32\jjllm.ini2
> 
> C:\WINDOWS\System32\jjllm.bak2
> 
> C:\WINDOWS\System32\jjllm.tmp
> 
> C:\WINDOWS\System32\jjllm.ini
> *
> 
> *Note: * It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.
> 
> Exit the Killbox.


Hello Cookiegal
I ran "http://securityresponse.symantec.co...moval.tool.html" a long time before I ever found out about Tech Support Guy. And the removal tool could not find Vundo in my PC.
I've also downloaded "Killbox" but I'm not ready to follow the procedure yet... but I'll do it soon.
Thank you so much for your help and support. You're a very nice lady.  
Shamou


----------



## Cookiegal

OK, let us know how it went when you're ready.


----------



## bearone2

only use one av program.


----------



## Shamou

bearone2 said:


> only use one av program.


I believe this landed in the wrong place. If not, would you explain what it's all about.
Shamou


----------



## bearone2

Shamou said:


> I believe this landed in the wrong place. If not, would you explain what it's all about.
> Shamou


i don't think so.
you posted about a message from norton but your hjt log also shows avast, a 2nd av program.


----------



## Shamou

A "Pilot" holy sh... I'm getting advice from heaven  But seriously, I thank you for the advice and I will disable Avast but being a beginner I simply do not know what the rest of your message means. At first reading, I did not even know what "AV" was.

Thank you. I appreciate the input.
Shamou


----------



## Cheeseball81

Were you able to do Cookie's last instructions?


----------



## bearone2

Shamou said:


> A "Pilot" holy sh... I'm getting advice from heaven  But seriously, I thank you for the advice and I will disable Avast but being a beginner I simply do not know what the rest of your message means. At first reading, I did not even know what "AV" was.
> 
> Thank you. I appreciate the input.
> Shamou


yes my son.

don't have 2 anti-virus/av's systems going at the same time.

they don't play well together.


----------



## Shamou

Thank you & will do.
This is the stuff that was confusing me in your first message:
p4/2.8/512/xphome/sp2/80
p4/1.7/512/xppro/sp1a/40/sblive/spybot1.3
amd-k2/350/98se/6.2/128//sblive/spybot1.3
amd/1.0/20/512/w2kpro/sp4/spybot1.3
laptop/p2/366/6/128/w2kpro/sp4/spybot1.4
laptop/p3/600/6/160/w2kpro/sp4/spybot1.4
nav
linksys 4 port router/proxim rg 1000 wap 
Shamou


----------



## Shamou

Cheeseball81 said:


> Were you able to do Cookie's last instructions?


Not yet. Going into "safe mode" scares me silly  . I only do that on weekends when I have lots of time.  
Shamou


----------



## Cheeseball81

Ah okay


----------



## bearone2

safe mode is no big deal.

usually tap f8 as it's booting up, select safemode with networking/return, so you can get on the internet if need be.
you'll be asked if you want to go into safe mode for sure/ok.

safemode doesn't load all drivers and isn't functional for everything but you'll be able to remove what you need to.


----------



## Shamou

Thank you for the info from "hula-hula" paradise land  
Shamou


----------



## bearone2

you're welcome and have fun with it.


----------



## Shamou

Cookiegal said:


> Does the Security Center show that a (not necessarily Windows) firewall is running?
> 
> Please run this tool:
> 
> http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
> 
> *Click Here* and download Killbox and save it to your desktop but don't run it yet.
> 
> Now boot to safe mode.
> 
> *How to restart to safe mode*
> 
> Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.
> 
> *
> C:\WINDOWS\System32\jjllm.ini2
> 
> C:\WINDOWS\System32\jjllm.bak2
> 
> C:\WINDOWS\System32\jjllm.tmp
> 
> C:\WINDOWS\System32\jjllm.ini
> *
> 
> *Note: * It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.
> 
> Exit the Killbox.


Should I run :http://securityresponse.symantec.co...moval.tool.html again, even if I ran it before?
Shamou


----------



## Cookiegal

Yes please.


----------



## Shamou

While you were sending me the message (yes please) I was in safe mode doing the Killbox.exe.
I successfully deleted:
C:\WINDOWS\System32\jjllm.ini2

C:\WINDOWS\System32\jjllm.bak2

C:\WINDOWS\System32\jjllm.tmp

C:\WINDOWS\System32\jjllm.ini

and came back to normal. Wow  what a trip. Waahoo!!!!  

Shamou


----------



## Cheeseball81

Shamou  :up: :up:


----------



## Cookiegal

How's everything running now?


----------



## Shamou

Cookiegal said:


> How's everything running now?


Everything is running just fine (but it seemed to be running fine before I deleted those four files.)
The only thing is that when I turn the PC on I get a security warning that asks me for permission to run a 'strings.exe' file. I keep choosing 'cancel' and I do not recall downloading such a file and I cannot seem to be able to get rid of it. It says that the file comes from: C:\Documents and Settings\All Users\Start Menu\P"
Shamou


----------



## Shamou

Cheeseball81 said:


> Shamou  :up: :up:


What do you think of your student now  
I know I'm bragging... but mostly, I wanted to thank you for your help. You are an angel :up: 
Shamou


----------



## Cookiegal

That file is part of the Findit program. You can navigate to it and delete it.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER & SPYWAREGUARD* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------



## Cheeseball81

Shamou said:


> What do you think of your student now
> I know I'm bragging... but mostly, I wanted to thank you for your help. You are an angel :up:
> Shamou


I'm very proud 

You're welcome. Don't forget Cookie too!


----------



## Shamou

Cookiegal said:


> That file is part of the Findit program. You can navigate to it and delete it.


I did everything you said right up to and including emptying the recycle bin. It seems to work out OK. However, do you think I should download SPYWAREBLASTER & SPYWAREGUARD since I have Spy Sweeper?

I also deleted the Findit program but I am still getting that annoying Security Warning about the "strings.exe" program. Should I just click the "don't ask me that again" option?

You have been extremely patient with me and I appreciate it no end. So, I'll just say *THANK YOU* for now... but I'll send you a passionate love letter when this is over  So far, I've had a lot of fun doing this
Shamou
PS- I feel that I'm learning a lot... which was my original goal in joining TSG.


----------



## Cheeseball81

I personally have Spyware Blaster and love it 

Quick question, do you have a program called* Bugzilla* installed?


----------



## Shamou

Cheeseball81 said:


> I'm very proud
> 
> You're welcome. Don't forget Cookie too!


You are so kind. Have a good night and sweet dreams. 
Shamou  
PS- I certainly will not forget Cookiegal.


----------



## Cookiegal

Did you delete the strings.exe file?

Can't wait for that letter.


----------



## Shamou

Cookiegal said:


> Did you delete the strings.exe file?
> Can't wait for that letter.


Bonjour Cookiegal
I believe I did. Also if I click "run" on that prompt, nothing happens.
As for the letter, you may not be ready for that  . I'm French Canadian you know  
Shamou


----------



## Shamou

Cheeseball81 said:


> I personally have Spyware Blaster and love it
> 
> Quick question, do you have a program called* Bugzilla* installed?


Hello Cheeseball81
Can you have the two (Spyware Blaster and Spy Sweeper) installed at the same time? I paid $30.00 for Spy Sweeper two weeks ago. I'd hate to flush it down the drain  
No, I do not have "Bugzilla." Is that the new CD of a Rock Band  
Shamou


----------



## Cookiegal

Click on the "don't ask me again option" then.

How's everything else?


----------



## Shamou

Cookiegal said:


> Click on the "don't ask me again option" then.
> 
> How's everything else?


Everything else is just fine except that I lost the beautiful icons that I had chosen to replace those ugly E and I also had the sites' logo changed by those ugly E. But that's OK. I can get those pretty icons back on.
Shamou


----------



## Cookiegal

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER & SPYWAREGUARD* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------



## Shamou

I am so fast that I did all that last night  Cookiegal asked me to do it and I did it successfully. I guess that this thread is getting so long that it is easy to get lost in it. Anyway, thanks for the attention that you are giving me. I'm enjoying myself so much that I can't wait to get another virus so that I can clean it up again 
Shamou


----------



## Cookiegal

Sorry for the repetition.


----------



## Cheeseball81

Shamou said:


> No, I do not have "Bugzilla." Is that the new CD of a Rock Band


LOL, no just curious. I've seen that file related to that program is all.


----------



## Shamou

Now don't tell me I've got the BUGZILLA and don't even know about it  . Hope it is not fatal  
Shamou


----------



## Cheeseball81

I think you'll survive


----------



## Shamou

bearone2 said:


> only use one av program.


I have SAV and Avast on the PC but when I boot, Avast automatically turns off. 
Shamou  
PS- How's the water down there?


----------

