# Solved: Spyware Removal...Need help ASAP



## itrocks4u (Nov 27, 2004)

Hi... OK, here's the bottom line: MY computer is totally screwed. I mean there are pop-ups everywhere... OK, first I start the computer, I get a msg 'error loading beem.dll'... then I get a msg 'failed to load INF installer' like 5 times... then I get popups every 20 seconds... my homepage is set to 'Home search'... with a pop-up that says my comp is attacked by spyware etc... I tried running Spybot... but it shuts down in the middle... I tried antivirus and Trojan Remover... but the antivirus doesn't delete files and stuff... Well, I don't want to format the computer because it has really important documents right now... so please help me... here is my HijackThis file... and ServiceFilter file... I was told once before not to restart or do anything with the computer... so I would be eagerly waiting for your reply... Thanks in advance...
------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 3:20:18 PM, on 08/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\WINDOWS\System32\rqxzmml.exe
D:\Program Files\Windows TaskAd\WinTaskAd.exe
D:\Program Files\SED\SED.exe
D:\WINDOWS\system32\sdkfb32.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\PROGRA~1\Toolbar\TBPS.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Windows TaskAd\WinSched.exe
D:\Documents and Settings\Ours\Application Data\huaa.exe
D:\WINDOWS\System32\w?wexec.exe
D:\PROGRA~1\Toolbar\PIB.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Toolbar\TBPSSvc.exe
D:\Program Files\Common Files\WinTools\WToolsS.exe
D:\WINDOWS\system32\winow32.exe
D:\Program Files\Common Files\WinTools\WSup.exe
D:\Program Files\Common Files\WinTools\WToolsA.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\rsvp.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Documents and Settings\Ours\Desktop\Salman\aim\poolerzaim.exe
D:\Program Files\Windows NT\Accessories\WORDPAD.EXE
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - D:\PROGRA~1\Toolbar\toolbar.dll
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - D:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {D98229FD-6F82-D6ED-5168-F3E9D7E60E5A} - D:\WINDOWS\system32\addfi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [vgtdzwrqrfaqq] D:\WINDOWS\System32\rqxzmml.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe beem.dll, DllRegisterServer
O4 - HKLM\..\Run: [SurfSideKick 2] D:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [Windows TaskAd] D:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [BullsEye Network] D:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [SESync] "D:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [sdkfb32.exe] D:\WINDOWS\system32\sdkfb32.exe
O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] D:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Waot] D:\Documents and Settings\Ours\Application Data\huaa.exe
O4 - HKCU\..\Run: [Ppmswo] D:\WINDOWS\System32\w?wexec.exe
O4 - HKCU\..\Run: [SurfSideKick 2] D:\Program Files\SurfSideKick 2\Ssk.exe
O4 - Startup: PalNetaware.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - D:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: d:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\calsp.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://allways.drusearch.com//traf//30657/load.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1613ba87ef033afdee20/netzip/RdxIE601.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - D:\PROGRA~1\Toolbar\toolbar.dll

----------------------------------------------------------

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Dec 8, 2004 3:17:56 PM

---> Begin Service Listing <---

Unknown Service # 1
Service Name: KLBLMain
Display Name: Kaspersky Anti-Virus Service
Start Mode: Manual
Start Name: LocalSystem
Description: Provides anti-virus functionality of Kaspersky Anti-Virus Personal Pro installed on the ...
Service Type: Own Process
Path: d:\program files\kaspersky lab\kaspersky anti-virus personal pro 5\kavmm.exe -run bl -n personalpro -v 5.0.0.0 -ttsr 10000000
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: d:\windows\system32\dllhost.exe /processid:{877f5d84-eae3-4a9d-a5d4-7008bd58130c}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: TBPSSvc
Display Name: WebSeach Toolbar support NT service
Start Mode: Auto
Start Name: LocalSystem
Description: This service supports and maintains WebSeach ...
Service Type: Own Process
Path: d:\progra~1\toolbar\tbpssvc.exe
State: Running
Process ID: 1540
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 4
Service Name: WinToolsSvc
Display Name: WinTools for IE service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: d:\program files\common files\wintools\wtoolss.exe
State: Running
Process ID: 1656
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 5
Service Name: %AFå¤¶À¨
Display Name: Remote Procedure Call (RPC) Helper
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: d:\windows\system32\winow32.exe /s
State: Running
Process ID: 1732
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 82 Win32 services on this machine.
5 were unrecognized.

Script Execution Time: 1.5 seconds.
------------------------------------------------------------


----------



## mjack547 (Sep 1, 2003)

OK, you got the latest from VX2. We have a couple of guys that have been able to remove it from people's machines. So hang on and one of them will be with you soon.

But first do this

First download lspfix.exe from http://www.spyware911.net/downloads/LSPFix.exe. Open it and move all instances of calsp.dll & aklsp.dll to the remove pane (left hand) and click Finish.


----------



## tj416 (Nov 18, 2004)

Download LSP fix from www.cexx.org/lspfix.htm. Open it, check "I know what I am doing", add both calsp.dll and aklsp.dll to the remove list and remove them.

Then, download the following:
1. Ad-Aware SE Personal from http://www.majorgeeks.com/download506.html

Install the program and launch it. In the bottom right-hand corner of the main window click on Check for updates now, then click Connect and download the latest reference files. Then, in the main window, click Start and under Select a scan mode tick Perform full system scan. Then, deselect Search for negligible risk entries. To start the scan, click the Next button. When the scan is finished mark everything for removal and get rid of it. Reboot your computer.

2. Spybot Search & Destroy from http://majorgeeks.com/download2471.html

Open the program. Click Online, Search for updates, Download all available updates. Close all browser windows, click "Check for Problems". Anything that needs to be fixed will show in red and have a green check in the box to the left. Click "Fix Selected Problems". Reboot your computer again.

After this, post another log and we will tell you what to fix.


----------



## itrocks4u (Nov 27, 2004)

Umm... I've tried both Ad-Aware and Spybot... last time it removed MOST of the things and my internet stopped working and I had to format the whole system (that's the only thing I know)... so are you sure I should do that again?
And I ran Spybot sometime before posting... it finds the things... starts deleting and then stops responding and closes itself...


----------



## tj416 (Nov 18, 2004)

You should delete only the entries in RED in Spybot and there shouldn't be a problem if you configure Ad-aware as mentioned above.


----------



## itrocks4u (Nov 27, 2004)

OK so I'm going to try doing as you mentioned... and then post another log...


----------



## itrocks4u (Nov 27, 2004)

Hi again...
OK so I followed the steps you told me to... with the LSP fix... Ad-Aware and the Spybot. However Spybot just closed itself 3/4 of the way through fixing the problems, even though only the red ones were selected (all of them were red... and one 'common hijacker' was not checked).
Here is the new HijackThis file... please help

------------------------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 7:40:40 PM, on 08/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\SED\SED.exe
D:\WINDOWS\system32\sdkfb32.exe
D:\PROGRA~1\Toolbar\TBPS.exe
D:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
D:\WINDOWS\System32\tibs3.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\System32\l?***.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\PROGRA~1\Toolbar\PIB.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Toolbar\TBPSSvc.exe
D:\Program Files\Common Files\WinTools\WToolsS.exe
D:\WINDOWS\system32\winow32.exe
D:\Program Files\Common Files\WinTools\WSup.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Windows NT\Accessories\WORDPAD.EXE
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - D:\PROGRA~1\Toolbar\toolbar.dll
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - D:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - D:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {D98229FD-6F82-D6ED-5168-F3E9D7E60E5A} - D:\WINDOWS\system32\addfi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe beem.dll, DllRegisterServer
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [SESync] "D:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [sdkfb32.exe] D:\WINDOWS\system32\sdkfb32.exe
O4 - HKLM\..\Run: [Windows AdService] D:\Program Files\Windows AdService\WinAdServ.exe
O4 - HKLM\..\Run: [SurfSideKick 2] D:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] D:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [tibs3] D:\WINDOWS\System32\tibs3.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Njbante] D:\WINDOWS\System32\l?***.exe
O4 - HKCU\..\Run: [SurfSideKick 2] D:\Program Files\SurfSideKick 2\Ssk.exe
O4 - Startup: PalNetaware.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1613ba87ef033afdee20/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - D:\PROGRA~1\Toolbar\toolbar.dll

--------------------------------------------------------------
service filter...POST_THIS:

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Dec 8, 2004 7:39:58 PM

---> Begin Service Listing <---

Unknown Service # 1
Service Name: ISEXEng
Display Name: ISEXEng
Start Mode: Unknown
Start Name: 
Description: ...
Service Type: Unknown
Path: 
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: KLBLMain
Display Name: Kaspersky Anti-Virus Service
Start Mode: Manual
Start Name: LocalSystem
Description: Provides anti-virus functionality of Kaspersky Anti-Virus Personal Pro installed on the ...
Service Type: Own Process
Path: d:\program files\kaspersky lab\kaspersky anti-virus personal pro 5\kavmm.exe -run bl -n personalpro -v 5.0.0.0 -ttsr 10000000
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: d:\windows\system32\dllhost.exe /processid:{877f5d84-eae3-4a9d-a5d4-7008bd58130c}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: TBPSSvc
Display Name: WebSeach Toolbar support NT service
Start Mode: Auto
Start Name: LocalSystem
Description: This service supports and maintains WebSeach ...
Service Type: Own Process
Path: d:\progra~1\toolbar\tbpssvc.exe
State: Running
Process ID: 1108
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 5
Service Name: WinToolsSvc
Display Name: WinTools for IE service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: d:\program files\common files\wintools\wtoolss.exe
State: Running
Process ID: 1424
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 6
Service Name: %AFå¤¶À¨
Display Name: Remote Procedure Call (RPC) Helper
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: d:\windows\system32\winow32.exe /s
State: Running
Process ID: 1500
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 83 Win32 services on this machine.
6 were unrecognized.

Script Execution Time: 0.65625 seconds.


----------
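The ServiceFilter listing above shows why an "unrecognized" service deserves a closer look than its display name suggests: one entry calls itself "Remote Procedure Call (RPC) Helper" but has a service name made of unprintable characters, is declared as a shared-process service, and runs from winow32.exe rather than from svchost.exe. As an added example (my own code, not from this thread or from the ServiceFilter script), the following Python parses a ServiceFilter-format listing into per-service fields and applies three defender-side checks to each one. The sample listing is constructed from entries in this thread; the heuristics and their thresholds are mine.

```python
import re

# Constructed sample in ServiceFilter 1.1 format, modelled on the listing posted
# above (the service names and paths are the ones that appear in this thread).
SAMPLE_LISTING = r"""
---> Begin Service Listing <---

Unknown Service # 1
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Service Type: Own Process
Path: d:\windows\system32\dllhost.exe /processid:{877f5d84-eae3-4a9d-a5d4-7008bd58130c}
State: Stopped

Unknown Service # 2
Service Name: TBPSSvc
Display Name: WebSeach Toolbar support NT service
Start Mode: Auto
Start Name: LocalSystem
Service Type: Own Process
Path: d:\progra~1\toolbar\tbpssvc.exe
State: Running

Unknown Service # 3
Service Name: %AFå¤¶À¨
Display Name: Remote Procedure Call (RPC) Helper
Start Mode: Auto
Start Name: LocalSystem
Service Type: Share Process
Path: d:\windows\system32\winow32.exe /s
State: Running

---> End Service Listing <---
"""

# Binaries that legitimately host Windows-branded services on XP (assumption: a
# short allow-list is enough for this illustration).
WINDOWS_SERVICE_HOSTS = {"svchost.exe", "dllhost.exe", "services.exe", "lsass.exe", "spoolsv.exe"}
# Display-name wording that borrows the name of a built-in Windows component.
IMPERSONATION_RE = re.compile(r"remote procedure call|\(rpc\)|\bwindows\b|\bmicrosoft\b", re.I)


def parse_services(text):
    """Split a ServiceFilter listing into one dict of 'Key: Value' fields per service."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Unknown Service #"):
            current = {}
            services.append(current)
        elif line.startswith("---> End"):
            current = None
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value.strip()
    return services


def exe_basename(path):
    """'d:\\windows\\system32\\winow32.exe /s' -> 'winow32.exe' (arguments dropped)."""
    first = path.strip().strip('"').split(" ")[0]
    return first.rsplit("\\", 1)[-1].lower()


def triage_service(svc):
    """Return the list of reasons this service deserves a second look (empty if none)."""
    reasons = []
    name = svc.get("Service Name", "")
    display = svc.get("Display Name", "")
    exe = exe_basename(svc.get("Path", ""))
    # 1. A service name with non-ASCII or control characters cannot be typed at
    #    'sc stop', which is exactly why unwanted software picks one.
    if any(not (32 <= ord(c) < 127) for c in name):
        reasons.append("service name contains non-ASCII or control characters")
    # 2. A Windows-sounding display name should run from a Windows service host.
    if IMPERSONATION_RE.search(display) and exe not in WINDOWS_SERVICE_HOSTS:
        reasons.append("display name reads like a Windows component but runs from " + exe)
    # 3. Shared-process services are DLLs loaded by svchost.exe; a standalone
    #    executable declaring that type is unusual.
    if svc.get("Service Type") == "Share Process" and exe != "svchost.exe":
        reasons.append("declared as a shared-process service but not hosted by svchost.exe")
    return reasons


def triage_listing(text):
    """Return [(service name, [reasons])] for every service in the listing."""
    return [(svc.get("Service Name", ""), triage_service(svc)) for svc in parse_services(text)]


if __name__ == "__main__":
    for name, reasons in triage_listing(SAMPLE_LISTING):
        print(name, "->", "; ".join(reasons) or "nothing flagged")
```

On the sample listing only the third service is flagged, on all three counts; SwPrv (a genuine Windows component hosted by dllhost.exe) and the toolbar service pass these particular checks, which is a reminder that a clean result here means "not obviously impersonating Windows", not "harmless".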



## tj416 (Nov 18, 2004)

Go to Add/Remove Programs and uninstall(if there):
*SurfSideKick 2
SESync
Windows Ad Service
Win Tools*

Then run HJT and fix the following entries:
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - D:\PROGRA~1\Toolbar\toolbar.dll
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - D:\PROGRA~1\COMMON~1\WinTools\WToolsB.dl
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - D:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SESync] "D:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [SurfSideKick 2] D:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] D:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [tibs3] D:\WINDOWS\System32\tibs3.exe
O4 - Startup: PalNetaware.lnk = ?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1613ba8...ip/RdxIE601.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - D:\PROGRA~1\Toolbar\toolbar.dll
*
After this,restart in safe mode and delete these folders:
*SED*(located in D:\Program Files)
*SurfSideKick 2*(located in D:\Program Files)

and these files:
*toolbar.dll*(located in D:\PROGRA~1\Toolbar)
*TBPS.exe*(located in D:\PROGRA~1\Toolbar)
*tibs3.exe*(located in D:\WINDOWS\System32)

I am very *suspicious* about these entries (I'll leave these entries to the pros):
O2 - BHO: (no name) - {D98229FD-6F82-D6ED-5168-F3E9D7E60E5A} - D:\WINDOWS\system32\addfi.dll
O4 - HKCU\..\Run: [Njbante] D:\WINDOWS\System32\l?***.exe

Finally, reboot and post another log.
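To show what a helper is looking for in the log lines quoted above, here is a small triage script (an added example, not code from this thread or from HijackThis) that scans an HJT log for the indicators this post acts on: a res:// search page served from a DLL in the Windows directory, several search hostnames pinned to one address in the hosts file, unnamed BHOs, a rundll32 ... DllRegisterServer autorun, autorun paths with unprintable characters, and non-standard O18 protocol handlers. The sample log is constructed from entries in this thread; the rule set and the protocol allowlist are assumptions of the example.

```python
"""Triage a HijackThis 1.98 log for CoolWebSearch-style hijack indicators.

Added example for this thread, not code from the thread or from HijackThis.
The sample log is constructed from entries quoted in the thread; the rule
set and the protocol allowlist are this example's own assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, in the line format the poster pasted.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {D98229FD-6F82-D6ED-5168-F3E9D7E60E5A} - D:\WINDOWS\system32\addfi.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe beem.dll, DllRegisterServer
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKCU\..\Run: [Njbante] D:\WINDOWS\System32\l?***.exe
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - D:\PROGRA~1\Toolbar\toolbar.dll
"""

# R0/R1 value served from a res:// DLL sitting directly in the Windows
# directory (CWS drops its search-page DLL there, e.g. qlsfi.dll).
RES_DLL_IN_WINDIR = re.compile(r"res://[a-z]:\\windows\\[^\\/]+\.dll", re.I)
HOSTS_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.I)
O2_BHO = re.compile(r"^O2 - BHO:\s+(.*?)\s+-\s+\{[0-9A-F-]+\}\s+-\s+(.*)$", re.I)
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run:\s+\[(.*?)\]\s+(.*)$", re.I)
O18_PROTO = re.compile(r"^O18 - Protocol:\s+(\S+)\s+-", re.I)
RUNDLL_REG = re.compile(r"rundll32(?:\.exe)?\s+\S+,\s*DllRegisterServer", re.I)
# Protocol handlers IE ships with; anything else is reported for manual
# review. This allowlist is an assumption of the example, not an HJT list.
KNOWN_PROTOCOLS = {"about", "cdl", "file", "ftp", "gopher", "http", "https",
                   "its", "javascript", "local", "mailto", "mhtml", "mk",
                   "ms-its", "res", "vbscript", "wia"}


def triage(log_text):
    """Return a list of (category, detail) findings for one HJT log."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[:2] in ("R0", "R1") and RES_DLL_IN_WINDIR.search(line):
            findings.append(("cws-search-hijack", line))
            continue
        m = HOSTS_LINE.match(line)
        if m:
            hosts_by_ip[m.group(1)].append(m.group(2))
            continue
        m = O2_BHO.match(line)
        if m and m.group(1).lower() == "(no name)":
            findings.append(("unnamed-bho", line))
            continue
        m = O4_RUN.match(line)
        if m:
            cmd = m.group(3)
            if RUNDLL_REG.search(cmd):
                findings.append(("rundll32-dllregisterserver-autorun", line))
            elif re.search(r"[?*]", cmd):
                # HJT prints characters it cannot display as '?'; a real
                # file name cannot contain '?' or '*' at all.
                findings.append(("unprintable-autorun-name", line))
            continue
        m = O18_PROTO.match(line)
        if m and m.group(1).lower() not in KNOWN_PROTOCOLS:
            findings.append(("custom-protocol-handler", line))
    # Hosts-file redirect: two or more search hostnames pinned to one address.
    for ip, names in hosts_by_ip.items():
        hits = sorted(n for n in names if "search" in n.lower())
        if len(hits) >= 2:
            findings.append(("hosts-search-redirect", f"{ip} -> {', '.join(hits)}"))
    return findings


def summarize(log_text):
    """Count findings per category; an empty Counter means nothing flagged."""
    return Counter(category for category, _ in triage(log_text))


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```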


----------



## itrocks4u (Nov 27, 2004)

OK... I did all that you told me to do in HJT and then the safe mode part.... Still I get the 'error loading beem.dll' when the computer starts and my Internet Explorer homepage is still HOME SEARCH....
Here's another HJT log file and POST_THIS.... What do I do now?
-----------------------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 10:36:14 PM, on 08/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\WINDOWS\system32\sdkfb32.exe
D:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\System32\l?***.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Toolbar\TBPSSvc.exe
D:\Program Files\Common Files\WinTools\WToolsS.exe
D:\WINDOWS\system32\winow32.exe
D:\Program Files\Common Files\WinTools\WSup.exe
d:\progra~1\toolbar\TBPS.exe
D:\PROGRA~1\Toolbar\PIB.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {D98229FD-6F82-D6ED-5168-F3E9D7E60E5A} - D:\WINDOWS\system32\addfi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe beem.dll, DllRegisterServer
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [sdkfb32.exe] D:\WINDOWS\system32\sdkfb32.exe
O4 - HKLM\..\Run: [Windows AdService] D:\Program Files\Windows AdService\WinAdServ.exe
O4 - HKLM\..\Run: [WinTools] D:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Njbante] D:\WINDOWS\System32\l?***.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

------------------------------------------------------------

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Dec 8, 2004 10:36:47 PM

---> Begin Service Listing <---

Unknown Service # 1
Service Name: KLBLMain
Display Name: Kaspersky Anti-Virus Service
Start Mode: Manual
Start Name: LocalSystem
Description: Provides anti-virus functionality of Kaspersky Anti-Virus Personal Pro installed on the ...
Service Type: Own Process
Path: d:\program files\kaspersky lab\kaspersky anti-virus personal pro 5\kavmm.exe -run bl -n personalpro -v 5.0.0.0 -ttsr 10000000
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: d:\windows\system32\dllhost.exe /processid:{877f5d84-eae3-4a9d-a5d4-7008bd58130c}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: TBPSSvc
Display Name: WebSeach Toolbar support NT service
Start Mode: Auto
Start Name: LocalSystem
Description: This service supports and maintains WebSeach ...
Service Type: Own Process
Path: d:\progra~1\toolbar\tbpssvc.exe
State: Running
Process ID: 920
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 4
Service Name: WinToolsSvc
Display Name: WinTools for IE service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: d:\program files\common files\wintools\wtoolss.exe
State: Running
Process ID: 1088
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 5
Service Name: %AFå¤¶À¨
Display Name: Remote Procedure Call (RPC) Helper
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: d:\windows\system32\winow32.exe /s
State: Running
Process ID: 1152
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 82 Win32 services on this machine.
5 were unrecognized.

Script Execution Time: 0.78125 seconds.


----------



## tj416 (Nov 18, 2004)

I'll ask a moderator to examine your log.


----------



## itrocks4u (Nov 27, 2004)

Hi again...
Umm, when will I know what to do next.... My homepage is still different and I still get the 'error loading beem.dll' at startup... and of course the popups....
Here's another HJT log just in case you want it.....
------------------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 2:34:59 PM, on 09/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\WINDOWS\system32\sdkfb32.exe
D:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\PROGRA~1\Toolbar\TBPS.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\System32\l?***.exe
D:\PROGRA~1\Toolbar\PIB.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Toolbar\TBPSSvc.exe
D:\Program Files\Common Files\WinTools\WToolsS.exe
D:\WINDOWS\system32\winow32.exe
D:\Program Files\Common Files\WinTools\WSup.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
D:\Documents and Settings\Ours\Desktop\Salman\aim\poolerzaim.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - D:\PROGRA~1\Toolbar\toolbar.dll
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe beem.dll, DllRegisterServer
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [sdkfb32.exe] D:\WINDOWS\system32\sdkfb32.exe
O4 - HKLM\..\Run: [Windows AdService] D:\Program Files\Windows AdService\WinAdServ.exe
O4 - HKLM\..\Run: [WinTools] D:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Njbante] D:\WINDOWS\System32\l?***.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - D:\PROGRA~1\Toolbar\toolbar.dll

---------------------------------------------------
The script did not recognize the services listed below.
This does not mean that they are a problem.

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Dec 9, 2004 2:35:45 PM

---> Begin Service Listing <---

Unknown Service # 1
Service Name: KLBLMain
Display Name: Kaspersky Anti-Virus Service
Start Mode: Manual
Start Name: LocalSystem
Description: Provides anti-virus functionality of Kaspersky Anti-Virus Personal Pro installed on the ...
Service Type: Own Process
Path: d:\program files\kaspersky lab\kaspersky anti-virus personal pro 5\kavmm.exe -run bl -n personalpro -v 5.0.0.0 -ttsr 10000000
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: d:\windows\system32\dllhost.exe /processid:{877f5d84-eae3-4a9d-a5d4-7008bd58130c}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: TBPSSvc
Display Name: WebSeach Toolbar support NT service
Start Mode: Auto
Start Name: LocalSystem
Description: This service supports and maintains WebSeach ...
Service Type: Own Process
Path: d:\progra~1\toolbar\tbpssvc.exe
State: Running
Process ID: 872
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 4
Service Name: WinToolsSvc
Display Name: WinTools for IE service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: d:\program files\common files\wintools\wtoolss.exe
State: Running
Process ID: 1300
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 5
Service Name: %AFå¤¶À¨
Display Name: Remote Procedure Call (RPC) Helper
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: d:\windows\system32\winow32.exe /s
State: Running
Process ID: 1444
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 82 Win32 services on this machine.
5 were unrecognized.

Script Execution Time: 0.625 seconds.


----------



## Flrman1 (Jul 26, 2002)

Not only do you have a CWS Hijack that requires special removal procedures, you also have what looks to be a new variant of VX2 (L2M). 

We will remove the CWS hijack first.

It has been several hours since you posted the last Hijack This log so I want you to rescan with Hijack This and post a fresh log.

After you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.


----------



## itrocks4u (Nov 27, 2004)

OK... here's the new HJT log....

Logfile of HijackThis v1.98.2
Scan saved at 8:20:53 PM, on 09/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\WINDOWS\system32\sdkfb32.exe
D:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\PROGRA~1\Toolbar\TBPS.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\System32\l?***.exe
D:\PROGRA~1\Toolbar\PIB.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Toolbar\TBPSSvc.exe
D:\Program Files\Common Files\WinTools\WToolsS.exe
D:\WINDOWS\system32\winow32.exe
D:\Program Files\Common Files\WinTools\WSup.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\qlsfi.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - D:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D98229FD-6F82-D6ED-5168-F3E9D7E60E5A} - D:\WINDOWS\system32\addfi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe beem.dll, DllRegisterServer
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [sdkfb32.exe] D:\WINDOWS\system32\sdkfb32.exe
O4 - HKLM\..\Run: [Windows AdService] D:\Program Files\Windows AdService\WinAdServ.exe
O4 - HKLM\..\Run: [WinTools] D:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Njbante] D:\WINDOWS\System32\l?***.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - D:\PROGRA~1\Toolbar\toolbar.dll

-------------------------------------------------------------------------

The script did not recognize the services listed below.
This does not mean that they are a problem.

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Dec 9, 2004 8:21:33 PM

---> Begin Service Listing <---

Unknown Service # 1
Service Name: KLBLMain
Display Name: Kaspersky Anti-Virus Service
Start Mode: Manual
Start Name: LocalSystem
Description: Provides anti-virus functionality of Kaspersky Anti-Virus Personal Pro installed on the ...
Service Type: Own Process
Path: d:\program files\kaspersky lab\kaspersky anti-virus personal pro 5\kavmm.exe -run bl -n personalpro -v 5.0.0.0 -ttsr 10000000
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: d:\windows\system32\dllhost.exe /processid:{877f5d84-eae3-4a9d-a5d4-7008bd58130c}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: TBPSSvc
Display Name: WebSeach Toolbar support NT service
Start Mode: Auto
Start Name: LocalSystem
Description: This service supports and maintains WebSeach ...
Service Type: Own Process
Path: d:\progra~1\toolbar\tbpssvc.exe
State: Running
Process ID: 872
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 4
Service Name: WinToolsSvc
Display Name: WinTools for IE service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: d:\program files\common files\wintools\wtoolss.exe
State: Running
Process ID: 1300
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 5
Service Name: %AFå¤¶À¨
Display Name: Remote Procedure Call (RPC) Helper
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: d:\windows\system32\winow32.exe /s
State: Running
Process ID: 1444
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 82 Win32 services on this machine.
5 were unrecognized.

Script Execution Time: 0.546875 seconds.


----------



## Flrman1 (Jul 26, 2002)

First Click here to download cwsserviceremove.zip and unzip it to your desktop and have it ready to run later.
___________________________________________________________________________

Click here to download CWShredder. *Do Not* run it yet. Download it to the desktop and have it ready to run later.

____________________________________________________________________

Click here to download AboutBuster created by Rubber Ducky.

*Unzip* AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode. 
_____________________________________________________________________

Now go ahead and set your computer to show hidden files like so:

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", 
make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
______________________________________________________________________

*Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line*. Copy these instructions to notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.
______________________________________________________________________

Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Remote Procedure Call (RPC) Helper*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*CAUTION:* There is also a service named *Remote Procedure Call (RPC) Locator* and one called *Remote Procedure Call (RPC)* . These are the legitimate services. Do not stop those two.
______________________________________________________________________

Restart to safe mode.

How to start your computer in safe mode

Perform the following steps in safe mode:

____________________________________________________________________

Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry. 
____________________________________________________________________

Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

Put a check by these entries in Hijack This and click the "Fix Checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\qlsfi.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\qlsfi.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\qlsfi.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\qlsfi.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - D:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {D98229FD-6F82-D6ED-5168-F3E9D7E60E5A} - D:\WINDOWS\system32\addfi.dll

O4 - HKLM\..\Run: [sdkfb32.exe] D:\WINDOWS\system32\sdkfb32.exe

O4 - HKLM\..\Run: [Windows AdService] D:\Program Files\Windows AdService\WinAdServ.exe

O4 - HKLM\..\Run: [WinTools] D:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe

O4 - HKCU\..\Run: [Njbante] D:\WINDOWS\System32\l?***.exe

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - D:\PROGRA~1\Toolbar\toolbar.dll

Find and delete these files:

d:\windows\system32\winow32.exe 
D:\WINDOWS\system32\sdkfb32.exe
D:\WINDOWS\System32\l?***.exe ---> This is not a typo. The actual file name is l?***.exe

Delete these folders:

D:\Program Files\Windows AdService
d:\program files\Toolbar
d:\program files\common files\wintools

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Administrator (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

________________________________________________________________________

Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
_______________________________________________________________________

Boot back into Windows now.

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here. UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file. 
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder. 
Find shell.dll and right click on it. Choose Copy from the menu. 
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.

control.exe may have been deleted. 
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go here, and download control.exe per the instructions at the site.

*IMPORTANT!:* Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.


----------
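Added example, not part of the thread and not a tool either poster used: a Python triage pass over a ServiceFilter listing that applies the checks Flrman1 applies by eye above. It flags a service whose display name says "Remote Procedure Call ..." but whose short name is neither RpcSs nor RpcLocator, a service name made of garbage characters, and an auto-start service installed under an 8.3 Program Files path. The listing is constructed to mirror the shape of the posted log and includes the genuine RPC service, so the caution about leaving RpcSs and RpcLocator alone is encoded as the LEGIT_RPC whitelist. LEGIT_RPC, the function names and the sample record contents are assumptions of this example.

```python
"""Triage a ServiceFilter 'Unknown Service' listing for services that pose as
Windows components, the 'Remote Procedure Call (RPC) Helper' pattern above.
The listing is constructed to mirror the posted log, not copied from it."""
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLE_LISTING = """\
---> Begin Service Listing <---

Unknown Service # 1
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Path: d:\\windows\\system32\\dllhost.exe /processid:{877f5d84-eae3-4a9d-a5d4-7008bd58130c}

Unknown Service # 2
Service Name: TBPSSvc
Display Name: WebSeach Toolbar support NT service
Start Mode: Auto
Path: d:\\progra~1\\toolbar\\tbpssvc.exe

Unknown Service # 3
Service Name: %AF\u00e5\u00a4\u00b6\u00c0\u00a8
Display Name: Remote Procedure Call (RPC) Helper
Start Mode: Auto
Path: d:\\windows\\system32\\winow32.exe /s

Unknown Service # 4
Service Name: RpcSs
Display Name: Remote Procedure Call (RPC)
Start Mode: Auto
Path: d:\\windows\\system32\\svchost.exe -k rpcss

---> End Service Listing <---
"""

# The two genuine RPC services on XP and the image each runs from (the ones the post says to leave alone).
LEGIT_RPC = {"rpcss": "svchost.exe", "rpclocator": "locator.exe"}


@dataclass
class Service:
    name: str
    display: str
    start_mode: str
    path: str


def parse_listing(text: str) -> list[Service]:
    """Split the listing into blank-line separated records and read their 'Key: value' lines."""
    body = text.split("---> Begin Service Listing <---", 1)[-1]
    body = body.split("---> End Service Listing <---", 1)[0]
    services = []
    for block in re.split(r"\n\s*\n", body.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")   # first colon only: paths start with 'd:'
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "service name" in fields:
            services.append(Service(fields["service name"], fields.get("display name", ""),
                                    fields.get("start mode", ""), fields.get("path", "")))
    return services


def image_name(path: str) -> str:
    """Executable file name from a service command line ('d:\\x\\svchost.exe -k rpcss' -> 'svchost.exe')."""
    parts = path.split()
    exe = parts[0] if parts else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(service: Service) -> list[str]:
    reasons = []
    # Real service names are printable ASCII; a mojibake name is a generated one.
    if any(not 32 <= ord(c) < 127 for c in service.name):
        reasons.append("service name contains non-printable or non-ASCII characters")
    # Anything calling itself 'Remote Procedure Call ...' must be RpcSs or RpcLocator
    # and run from the expected image; the genuine RPC entries pass this test.
    if service.display.lower().startswith("remote procedure call"):
        expected = LEGIT_RPC.get(service.name.lower())
        if expected is None:
            reasons.append("display name imitates the RPC services but short name is not RpcSs/RpcLocator")
        elif image_name(service.path) != expected:
            reasons.append(f"RPC service should run from {expected}, not {image_name(service.path)}")
    # Auto-start service living under an 8.3-mangled Program Files path (toolbar/adware installers).
    if service.start_mode.lower() == "auto" and "progra~1" in service.path.lower():
        reasons.append("auto-start service installed under an 8.3-mangled Program Files path")
    return reasons


def triage_listing(text: str) -> dict[str, list[str]]:
    """Map display name -> reasons for every service that trips a check."""
    findings = {}
    for svc in parse_listing(text):
        reasons = triage(svc)
        if reasons:
            findings[svc.display] = reasons
    return findings


if __name__ == "__main__":
    for display, reasons in triage_listing(SAMPLE_LISTING).items():
        print(display)
        for r in reasons:
            print("   -", r)
```

Findings are keyed by display name rather than service name because, as the posted listing shows, the short name of the rogue service may not even be printable. Services.msc lists the same display name, which is why the post identifies the service that way.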



## itrocks4u (Nov 27, 2004)

Hi again
Thank you very much for all your help....I managed to get most of my computer back to normal......but I still get an 'error loading beem.dll...the specific module cannot be found' at startup....and a few popups every now and then....I installed the Google Toolbar for IE as a popup blocker but it's not of much use.....
Anyway, here's another HJT log file...please let me know what I have to do next.....
----------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 1:50:39 PM, on 10/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Documents and Settings\Ours\Desktop\Salman\aim\poolerzaim.exe
D:\Program Files\Hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe beem.dll, DllRegisterServer
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

------------------------------------------------------------

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Dec 10, 2004 1:51:13 PM

---> Begin Service Listing <---

Unknown Service # 1
Service Name: KLBLMain
Display Name: Kaspersky Anti-Virus Service
Start Mode: Manual
Start Name: LocalSystem
Description: Provides anti-virus functionality of Kaspersky Anti-Virus Personal Pro installed on the ...
Service Type: Own Process
Path: d:\program files\kaspersky lab\kaspersky anti-virus personal pro 5\kavmm.exe -run bl -n personalpro -v 5.0.0.0 -ttsr 10000000
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: d:\windows\system32\dllhost.exe /processid:{877f5d84-eae3-4a9d-a5d4-7008bd58130c}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: TBPSSvc
Display Name: WebSeach Toolbar support NT service
Start Mode: Auto
Start Name: LocalSystem
Description: This service supports and maintains WebSeach ...
Service Type: Own Process
Path: d:\progra~1\toolbar\tbpssvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: WinToolsSvc
Display Name: WinTools for IE service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: d:\program files\common files\wintools\wtoolss.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 81 Win32 services on this machine.
4 were unrecognized.

Script Execution Time: 0.9375 seconds.
-------------------------------------


----------



## Flrman1 (Jul 26, 2002)

Fix this one with Hijack This and restart your computer:

*O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe beem.dll, DllRegisterServer*

*Click here* to download Findit.zip.

Unzip it and double-click on Find.bat to run it. It should run for a few seconds, then open an Output.txt file. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

Also *Click Here* and download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the *Click to Find VX2.Betterinternet* button. It will display the files, the Guardian Key and User Agent string. Now click the *Make Log* button. It will open the log in notepad. Copy and paste that log here too. If it doesn't open the log in notepad then just copy it from the Window where the info is displayed in VX2Finder.

After you have posted all that info here, it is very important that you *do not* restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change as well as some of the file names will change and we will have to start all over.


----------



## itrocks4u (Nov 27, 2004)

OK here are the two logs

Output.txt:

Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

13/12/2004 08:42 PM 226,157 hbpertrm.dll
13/12/2004 08:42 PM 222,431 k6440ghqe64e0.dll
13/12/2004 01:10 AM 226,157 aza60cdsef060.dll
10/12/2004 03:38 AM 226,246 ktp4l77q1.dll
10/12/2004 02:20 AM 550 TBPS.ini
10/12/2004 01:39 AM dllcache
08/12/2004 07:33 PM 224,644 gru32.dll
08/12/2004 06:50 PM 225,008 l46o0ej3eho.dll
08/12/2004 07:27 AM 226,072 i824lifq182e.dll
04/12/2004 07:18 AM 11,350 mfcbm32.exe
03/12/2004 01:39 AM 10,752 crkv32.exe
23/11/2004 11:43 PM 0 qeidw.dll
23/11/2004 10:00 PM 0 kyiqw.dll
15/11/2004 03:57 AM 11,004 ntbs32.exe
09/11/2004 05:03 PM 11,708 winac.exe
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:16 PM Microsoft
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
23 File(s) 1,747,808 bytes
2 Dir(s) 60,047,880,192 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

10/12/2004 01:39 AM dllcache
04/12/2004 07:18 AM 11,350 mfcbm32.exe
03/12/2004 01:39 AM 10,752 crkv32.exe
23/11/2004 11:43 PM 0 qeidw.dll
23/11/2004 10:00 PM 0 kyiqw.dll
15/11/2004 03:57 AM 11,004 ntbs32.exe
09/11/2004 05:03 PM 11,708 winac.exe
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:00 PM 488 WindowsLogon.manifest
15/10/2004 10:00 PM 488 logonui.exe.manifest
15/10/2004 10:00 PM 749 ncpa.cpl.manifest
15/10/2004 10:00 PM 749 sapi.cpl.manifest
15/10/2004 10:00 PM 749 wuaucpl.cpl.manifest
15/10/2004 10:00 PM 749 cdplayer.exe.manifest
15/10/2004 10:00 PM 749 nwc.cpl.manifest
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
22 File(s) 175,264 bytes
1 Dir(s) 60,047,872,000 bytes free

---------- Files Named "Guard" -------------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

03/08/2004 11:56 PM 1,236,480 ~GLH0014.TMP
03/08/2004 11:56 PM 1,236,480 ~GLH0019.TMP
29/08/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 2,475,537 bytes
0 Dir(s) 60,047,872,000 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D82349A0-741F-4CB4-8C7F-9DC915B24165}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\aza60cdsef060.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

The system cannot execute the specified program.

-------------- Locate.com Results ---------------

---

-----------------------------
vx2:

Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
AtiExtEvent
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
Shell Extensions
termsrv
wlballoon

Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{D82349A0-741F-4CB4-8C7F-9DC915B24165}


----------



## Flrman1 (Jul 26, 2002)

Download the Hoster from *here* . UnZip the file to your desktop.

*Click here* to download Pocket KillBox.

Unzip the files to the folder of your choice.

Also I am attaching a fix.zip file to this post. Download fix.zip to your desktop and unzip it.

*IMPORTANT!*: Before you continue, close *ALL* running programs. *Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line*. Copy these instructions to notepad and save them on your desktop for easy access.

Double click on the fix.reg file to enter it into the registry. Answer yes when asked to have its contents added to the registry.

Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

Next in the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. Put a tick by *Standard File Kill* and put a check by *End Explorer Shell While Killing File*. Click on the button with the red circle and an X in the middle after you enter each file. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*D:\WINDOWS\System32\hbpertrm.dll

D:\WINDOWS\System32\k6440ghqe64e0.dll

D:\WINDOWS\System32\aza60cdsef060.dll

D:\WINDOWS\System32\ktp4l77q1.dll

D:\WINDOWS\System32\gru32.dll

D:\WINDOWS\System32\l46o0ej3eho.dll

D:\WINDOWS\System32\i824lifq182e.dll

D:\WINDOWS\System32\mfcbm32.exe

D:\WINDOWS\System32\crkv32.exe

D:\WINDOWS\System32\qeidw.dll

D:\WINDOWS\System32\kyiqw.dll

D:\WINDOWS\System32\ntbs32.exe

D:\WINDOWS\System32\winac.exe*

*Note:* If KillBox tells you the file cannot be deleted, then put a tick by *Delete on Reboot* for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Next run VX2Finder and click the "Restore Policy" button.

Now restart your computer.

Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log.

Again I remind you, it is very important that you *do not* restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change as well as some of the file names will change and we will have to start all over.


----------



## itrocks4u (Nov 27, 2004)

Here's the next output.txt and HJT log file.....

---------------------------------------------
Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

13/12/2004 08:42 PM 226,157 hbpertrm.dll
10/12/2004 02:20 AM 550 TBPS.ini
10/12/2004 01:39 AM dllcache
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:16 PM Microsoft
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
11 File(s) 352,436 bytes
2 Dir(s) 59,972,763,648 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

10/12/2004 01:39 AM dllcache
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:00 PM 488 logonui.exe.manifest
15/10/2004 10:00 PM 488 WindowsLogon.manifest
15/10/2004 10:00 PM 749 ncpa.cpl.manifest
15/10/2004 10:00 PM 749 nwc.cpl.manifest
15/10/2004 10:00 PM 749 wuaucpl.cpl.manifest
15/10/2004 10:00 PM 749 cdplayer.exe.manifest
15/10/2004 10:00 PM 749 sapi.cpl.manifest
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
16 File(s) 130,450 bytes
1 Dir(s) 59,972,759,552 bytes free

---------- Files Named "Guard" -------------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

03/08/2004 11:56 PM 1,236,480 ~GLH0014.TMP
03/08/2004 11:56 PM 1,236,480 ~GLH0019.TMP
29/08/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 2,475,537 bytes
0 Dir(s) 59,972,759,552 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D82349A0-741F-4CB4-8C7F-9DC915B24165}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\k6440ghqe64e0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\hbpertrm.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

The system cannot execute the specified program.

-------------- Locate.com Results ---------------

-------------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 11:45:47 PM, on 13/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Program Files\Hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
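
The two things a responder would pull out of the log above are the Winlogon\Notify subkeys (BITS and ShellScrap) whose DllName points at a randomly named DLL in system32, and the O1 hosts entries that pin several search hostnames to one remote address. The script below is an added example written for this page, not one of the tools the thread uses; it parses the REGEDIT4 "Keys Under Notify" section and the HijackThis O1 lines and flags exactly those patterns. The allow-list of stock notification DLLs, the generic-handler heuristic (Logon/Logoff/Shutdown exports named WinLogon/WinLogoff/WinShutdown) and the watch-list of search hostnames are my assumptions; the sample input is a trimmed excerpt of the output posted above.

```python
"""Triage of the "Keys Under Notify" dump and HijackThis O1 lines posted above.
Added example for this thread, not one of its tools. The allow-list, the
generic-handler heuristic and the search-host watch-list are assumptions."""
import re

# Stock Windows XP notification packages plus the ATI driver's (assumed allow-list).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll", "ati2evxx.dll"}
# Export names every hijacked Notify key in the posted log shares.
GENERIC_HANDLERS = {"WinLogon", "WinLogoff", "WinShutdown"}
# Hostnames the posted hosts-file entries redirect (assumed watch-list).
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

# Trimmed excerpt of the REGEDIT4 "Keys Under Notify" section from the post.
SAMPLE_NOTIFY = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Shutdown"="AtiShutdownEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"DllName"="D:\\WINDOWS\\system32\\k6440ghqe64e0.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"DllName"="D:\\WINDOWS\\system32\\hbpertrm.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
'''
# The O1 lines from the posted HijackThis log (one is a duplicate).
SAMPLE_HJT = ["O1 - Hosts: 69.20.16.183 auto.search.msn.com",
              "O1 - Hosts: 69.20.16.183 search.netscape.com",
              "O1 - Hosts: 69.20.16.183 ieautosearch",
              "O1 - Hosts: 69.20.16.183 ieautosearch"]


def decode_reg_value(raw):
    """Turn a REGEDIT4 value body into str; handles quoted strings and hex(2)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex\(2\):(.*)", raw)          # REG_EXPAND_SZ as comma-separated bytes
    if m:
        data = bytes(int(h, 16) for h in m.group(1).split(",") if h.strip())
        return data.rstrip(b"\x00").decode("ascii")
    return raw                                   # dword:... and anything else, verbatim


def parse_notify_export(text):
    """Return {subkey: {value_name: value}} for every section directly under Notify."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\[(.+)\]$", line)
        if m:
            parts = m.group(1).split("\\")
            current = parts[-1] if len(parts) > 1 and parts[-2].lower() == "notify" else None
            if current is not None:
                keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(value)
    return keys


def suspicious_notify_entries(keys):
    """Flag subkeys whose DLL is not stock, is given as a full path, or whose
    Logon/Logoff/Shutdown exports are the generic trio. Returns (key, dll, reasons)."""
    findings = []
    for name, values in keys.items():
        dll = values.get("DllName") or values.get("DLLName") or ""
        base = dll.split("\\")[-1].lower()
        reasons = []
        if base not in KNOWN_NOTIFY_DLLS:
            reasons.append("DLL not in allow-list")
        if "\\" in dll:
            reasons.append("full path instead of a bare DLL name")
        handlers = {values.get(k) for k in ("Logon", "Logoff", "Shutdown")} - {None}
        if handlers and handlers <= GENERIC_HANDLERS:
            reasons.append("generic WinLogon/WinLogoff/WinShutdown exports")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


HJT_O1 = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

def hijacked_hosts(hjt_lines):
    """Return unique (ip, host) pairs that pin a search host to a non-loopback IP."""
    hits = []
    for line in hjt_lines:
        m = HJT_O1.match(line.strip())
        if m and m.group(2).lower() in SEARCH_HOSTS and not m.group(1).startswith("127."):
            if m.groups() not in hits:
                hits.append(m.groups())
    return hits


def triage(notify_text=SAMPLE_NOTIFY, hjt_lines=SAMPLE_HJT):
    """Run both checks; returns a dict so callers (and tests) can inspect it."""
    return {"notify": suspicious_notify_entries(parse_notify_export(notify_text)),
            "hosts": hijacked_hosts(hjt_lines)}


if __name__ == "__main__":
    report = triage()
    for name, dll, reasons in report["notify"]:
        print(f"Notify\\{name} -> {dll}: {'; '.join(reasons)}")
    for ip, host in report["hosts"]:
        print(f"hosts file pins {host} to {ip}")
```

On the posted excerpt this reports only BITS and ShellScrap (each for all three reasons) and the three distinct hosts redirections; AtiExtEvent and crypt32chain pass because their DLLs are bare stock names with vendor-specific export names. The hex(2) decoding matters because Find.bat prints several stock entries as REG_EXPAND_SZ byte lists, and a check that only reads quoted strings would miss them.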


----------



## Flrman1 (Jul 26, 2002)

I am attaching a fix2.zip file. Download it and unzip it to your desktop.

Sign off the net as before.

Double-click on fix2.reg to enter it into the registry. Answer yes to confirm.

Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

Next in the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. Put a tick by *Standard File Kill* and put a check by *End Explorer Shell While Killing File*. Click on the button with the red circle and an X in the middle after you enter each file. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*D:\WINDOWS\System32\k6440ghqe64e0.dll

D:\WINDOWS\System32\hbpertrm.dll*

*Note:* If KillBox tells you the file cannot be deleted, then put a tick by *Delete on Reboot* for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Next run VX2Finder and click the "Restore Policy" button.

Now restart your computer.

Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log.

Again I remind you, it is very important that you *do not* restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change as well as some of the file names will change and we will have to start all over.


----------



## itrocks4u (Nov 27, 2004)

OK, I deleted the 2 files from KillBox, but it could not find the first file...
Here is the new output.txt and HJT log.
----------------------------------------------

Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

14/12/2004 03:25 PM 222,946 pNnmap.dll
14/12/2004 03:25 PM 223,485 lvlq0935e.dll
14/12/2004 11:35 AM 226,157 mpcans32.dll
14/12/2004 11:35 AM 222,946 ktp4l77q1.dll
10/12/2004 02:20 AM 550 TBPS.ini
10/12/2004 01:39 AM dllcache
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:16 PM Microsoft
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
14 File(s) 1,021,813 bytes
2 Dir(s) 59,990,110,208 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

10/12/2004 01:39 AM dllcache
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:00 PM 488 logonui.exe.manifest
15/10/2004 10:00 PM 488 WindowsLogon.manifest
15/10/2004 10:00 PM 749 ncpa.cpl.manifest
15/10/2004 10:00 PM 749 nwc.cpl.manifest
15/10/2004 10:00 PM 749 wuaucpl.cpl.manifest
15/10/2004 10:00 PM 749 cdplayer.exe.manifest
15/10/2004 10:00 PM 749 sapi.cpl.manifest
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
16 File(s) 130,450 bytes
1 Dir(s) 59,990,106,112 bytes free

---------- Files Named "Guard" -------------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

03/08/2004 11:56 PM 1,236,480 ~GLH0014.TMP
03/08/2004 11:56 PM 1,236,480 ~GLH0019.TMP
29/08/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 2,475,537 bytes
0 Dir(s) 59,990,106,112 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D82349A0-741F-4CB4-8C7F-9DC915B24165}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\ktp4l77q1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

The system cannot execute the specified program.

-------------- Locate.com Results ---------------

-------------------------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 3:30:08 PM, on 14/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Program Files\Hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
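
Comparing this listing with the one posted the day before shows the behaviour Flrman1's warning about restarting describes: hbpertrm.dll (226,157 bytes) is gone and mpcans32.dll appears with exactly that size, while two further new DLLs share a size with each other. The script below is an added example for this page, not one of the thread's tools; it parses the dir-style lines Find.bat prints for two snapshots and pairs new files with vanished ones of identical size, which is a cheap way to spot a component that renames itself rather than going away. The samples are trimmed excerpts of the 13/12 and 14/12 listings above; the size-matching heuristic is my own.

```python
"""Diff two consecutive Find.bat "System Files in System32" listings.
Added example for this thread, not one of its tools: it pairs new files with
vanished files of identical size to expose the renamed-on-reboot pattern.
Samples are trimmed excerpts of the two listings posted above (13/12, 14/12)."""
import re
from collections import defaultdict

# dd/mm/yyyy hh:mm AM|PM  size  name -- directory lines carry no size and are skipped
DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S.*)$")

BEFORE = """\
13/12/2004 08:42 PM 226,157 hbpertrm.dll
10/12/2004 02:20 AM 550 TBPS.ini
10/12/2004 01:39 AM dllcache
01/11/2004 05:01 PM 3,347 jnxgl.log
05/10/2004 03:29 PM 98,938 addfi.dll
11 File(s) 352,436 bytes
"""
AFTER = """\
14/12/2004 03:25 PM 222,946 pNnmap.dll
14/12/2004 03:25 PM 223,485 lvlq0935e.dll
14/12/2004 11:35 AM 226,157 mpcans32.dll
14/12/2004 11:35 AM 222,946 ktp4l77q1.dll
10/12/2004 02:20 AM 550 TBPS.ini
10/12/2004 01:39 AM dllcache
01/11/2004 05:01 PM 3,347 jnxgl.log
05/10/2004 03:29 PM 98,938 addfi.dll
14 File(s) 1,021,813 bytes
"""


def parse_listing(text):
    """Return {name: (size_bytes, timestamp)} for file lines; directories and
    the File(s)/Dir(s) totals do not match the pattern and are skipped."""
    files = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            date, time, size, name = m.groups()
            files[name] = (int(size.replace(",", "")), f"{date} {time}")
    return files


def compare_listings(before_text, after_text):
    """Report vanished files, new files, new files whose size equals a vanished
    file's (likely the same component under a fresh random name), and new files
    that share a size with each other (likely one payload written twice)."""
    before, after = parse_listing(before_text), parse_listing(after_text)
    gone = sorted(set(before) - set(after))
    new = sorted(set(after) - set(before))
    gone_by_size, new_by_size = defaultdict(list), defaultdict(list)
    for n in gone:
        gone_by_size[before[n][0]].append(n)
    for n in new:
        new_by_size[after[n][0]].append(n)
    renamed = [(old, n, after[n][0])
               for n in new for old in gone_by_size.get(after[n][0], [])]
    twins = [names for names in new_by_size.values() if len(names) > 1]
    return {"gone": gone, "new": new, "renamed": renamed, "twins": twins}


if __name__ == "__main__":
    result = compare_listings(BEFORE, AFTER)
    for old, new_name, size in result["renamed"]:
        print(f"{old} -> {new_name} ({size:,} bytes, identical size)")
    for names in result["twins"]:
        print("same-size new files:", ", ".join(names))
    print("new files:", ", ".join(result["new"]))
```

Size equality is only a hint, not proof of identity, but on listings like these it is usually enough to decide which new names belong to the same infection rather than to a legitimate update; a hash of each file would settle it where the files are still available.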


----------



## Flrman1 (Jul 26, 2002)

I am attaching a fix3.zip file to this post. Download fix3.zip to your desktop and unzip it.

Sign off the net again as you did before.

Double-click on the fix3.reg file to enter it into the registry. Answer yes when asked to have its contents added to the registry.

Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

Next in the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. Put a tick by *Standard File Kill* and put a check by *End Explorer Shell While Killing File*. Click on the button with the red circle and an X in the middle after you enter each file. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*D:\WINDOWS\system32\pNnmap.dll

D:\WINDOWS\system32\lvlq0935e.dll

D:\WINDOWS\system32\mpcans32.dll

D:\WINDOWS\system32\ktp4l77q1.dll

D:\WINDOWS\system32\guard.tmp*

*Note:* If KillBox tells you the file cannot be deleted, then put a tick by *Delete on Reboot* for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Next run VX2Finder and click the "Restore Policy" button.

Now restart your computer.

Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log.

Again I remind you, it is very important that you *do not* restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change as well as some of the file names will change and we will have to start all over.


----------



## itrocks4u (Nov 27, 2004)

OK, I did that. Here's the new output.txt and HJT log.

Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

15/12/2004 10:31 AM 222,946 parfts.dll
15/12/2004 10:31 AM 224,423 ktp4l77q1.dll
10/12/2004 02:20 AM 550 TBPS.ini
10/12/2004 01:39 AM dllcache
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:16 PM Microsoft
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
12 File(s) 573,648 bytes
2 Dir(s) 59,937,349,632 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

10/12/2004 01:39 AM dllcache
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:00 PM 488 logonui.exe.manifest
15/10/2004 10:00 PM 488 WindowsLogon.manifest
15/10/2004 10:00 PM 749 ncpa.cpl.manifest
15/10/2004 10:00 PM 749 nwc.cpl.manifest
15/10/2004 10:00 PM 749 wuaucpl.cpl.manifest
15/10/2004 10:00 PM 749 cdplayer.exe.manifest
15/10/2004 10:00 PM 749 sapi.cpl.manifest
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
16 File(s) 130,450 bytes
1 Dir(s) 59,937,345,536 bytes free

---------- Files Named "Guard" -------------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

03/08/2004 11:56 PM 1,236,480 ~GLH0014.TMP
03/08/2004 11:56 PM 1,236,480 ~GLH0019.TMP
29/08/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 2,475,537 bytes
0 Dir(s) 59,937,345,536 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D82349A0-741F-4CB4-8C7F-9DC915B24165}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\lvlq0935e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\pNnmap.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

The system cannot execute the specified program.

-------------- Locate.com Results ---------------

-------------------------------------------------------------------------------
Logfile of HijackThis v1.98.2
Scan saved at 2:26:46 PM, on 15/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Program Files\Hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab


----------



## Flrman1 (Jul 26, 2002)

I am attaching a fix4.zip file to this post. Download fix.zip to your desktop and unzip it.

Sign off the net again as you did before.

Double click on the fix4.reg file to enter into the registry. Answer yes when asked to have its contents added to the registry.

Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

Next in the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. Put a tick by *Standard File Kill* and put a check by *End Explorer Shell While Killing File*. Click on the button with the red circle and an X in the middle after you enter each file. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*D:\WINDOWS\System32\parfts.dll

D:\WINDOWS\System32\ktp4l77q1.dll

D:\WINDOWS\System32\lvlq0935e.dll

D:\WINDOWS\System32\pNnmap.dll*

*Note:* If KillBox tells you the file cannot be deleted, then put a tick by *Delete on Reboot* for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Next run VX2Finder and click the "Restore Policy" button.

Now restart your computer.

Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log.

Again I remind you, it is very important that you *do not* restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change as well as some of the file names will change and we will have to start all over.
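The two things the instructions above go after are visible in the posted output.txt: Winlogon\Notify subkeys (App Management, Hints) whose DllName is an absolute path to a randomly named DLL in System32, and a run of DLLs in System32 of near-identical size created within hours of each other. The triage script below is an added example, not the thread's tooling or any of the programs it names (KillBox, Hoster, VX2Finder, Find.bat); it parses a REGEDIT4 export of the Notify key and a dir-style listing in the same shape as the posted logs and flags those two patterns. The baseline DLL set and all sample input are constructed for this example, and the checks are heuristics that produce leads for a human to verify, not verdicts.

```python
"""Triage a Find.bat-style output.txt (added example; not the thread's own tool).
Check 1: Winlogon\\Notify subkeys whose DllName is an absolute path to a DLL that
is not one of the stock notification packages.
Check 2: groups of DLLs in System32 whose sizes lie within a few KB of each other.
Sample input below is constructed to mirror the shape of the logs in the thread."""
import re

# Stock XP Winlogon\Notify DLL names (constructed baseline; extend for your build).
BASELINE_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                        "wlnotify.dll", "sclgntfy.dll"}

NOTIFY_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\(?P<sub>[^\]]+)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
DIR_LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2} [AP]M) "
    r"(?P<size>[\d,]+) (?P<file>\S+)$")


def decode_reg_string(data):
    """Decode a REGEDIT4 value: "quoted" REG_SZ or hex(2): (REG_EXPAND_SZ)."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")   # un-escape doubled backslashes
    m = re.match(r"^hex\(2\):(?P<b>[0-9a-fA-F,]+)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group("b").split(",") if b)
        return raw.decode("latin-1").rstrip("\x00")
    return data                                   # dword:... and others, as-is


def parse_notify_export(text):
    """Map each Winlogon\\Notify subkey name to its decoded values."""
    subkeys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = NOTIFY_KEY_RE.match(line)
        if km:
            current = km.group("sub")
            subkeys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            subkeys[current][vm.group("name")] = decode_reg_string(vm.group("data"))
    return subkeys


def suspicious_notify_subkeys(subkeys):
    """Subkeys whose DllName is an absolute path to a DLL outside the baseline."""
    hits = []
    for sub, values in subkeys.items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        base = dll.rsplit("\\", 1)[-1].lower()
        if "\\" in dll and base not in BASELINE_NOTIFY_DLLS:
            hits.append((sub, dll))
    return hits


def parse_dir_listing(text):
    """Yield (size_bytes, filename) for file lines; directory lines have no size."""
    for line in text.splitlines():
        m = DIR_LINE_RE.match(line.strip())
        if m:
            yield int(m.group("size").replace(",", "")), m.group("file")


def size_clusters(entries, tolerance=2048, min_members=3):
    """Group DLLs whose size is within `tolerance` bytes of a neighbour, sorted by size."""
    dlls = sorted((s, f) for s, f in entries if f.lower().endswith(".dll"))
    clusters, cur = [], []
    for size, name in dlls:
        if cur and size - cur[-1][0] > tolerance:
            if len(cur) >= min_members:
                clusters.append([f for _, f in cur])
            cur = []
        cur.append((size, name))
    if len(cur) >= min_members:
        clusters.append([f for _, f in cur])
    return clusters


# Constructed sample input in the shape of the posted output.txt.
SAMPLE_NOTIFY = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\lvlq0935e.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
'''
SAMPLE_DIR = """16/01/2005 07:59 PM 223,295 dcdskmgr.dll
16/01/2005 07:59 PM 224,551 mvp8l97u1.dll
16/01/2005 07:11 PM dllcache
16/01/2005 12:22 PM 223,859 hrr6059se.dll
01/12/2004 12:53 AM 294,912 atiiiexx.dll
29/08/2002 07:00 AM 250,368 gdi32.dll
05/10/2004 03:29 PM 98,938 addfi.dll
"""

if __name__ == "__main__":
    for sub, dll in suspicious_notify_subkeys(parse_notify_export(SAMPLE_NOTIFY)):
        print(f"Notify\\{sub} -> {dll}  (absolute path, not a stock notify DLL)")
    for group in size_clusters(parse_dir_listing(SAMPLE_DIR)):
        print("size cluster:", ", ".join(group))
```

Bare names such as Ati2evxx.dll are left alone because third-party vendors legitimately register notification packages; the absolute-path check narrows the lead to entries that look like the ones the fix above deletes. The size-cluster check has false positives on stock system DLLs that happen to be similar in size, so each flagged file still needs a signature or hash check before anything is removed.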


----------



## itrocks4u (Nov 27, 2004)

Ummmm..........when I followed the procedure after fix4, it did not show up any of the files I was supposed to delete.....I sent a post a few days ago but I don't think it went through....OK here is the output.txt and HJT log again

-------------------------------

Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

16/01/2005 07:59 PM 223,295 dcdskmgr.dll
16/01/2005 07:59 PM 224,551 mvp8l97u1.dll
16/01/2005 07:11 PM 223,295 hr6q05j5e.dll
16/01/2005 07:11 PM dllcache
16/01/2005 01:52 PM 224,614 mvjol9131.dll
16/01/2005 12:30 PM 223,420 j6n20g5oe6.dll
16/01/2005 12:22 PM 223,859 hrr6059se.dll
16/01/2005 11:44 AM 223,164 dn0q01d5e.dll
15/01/2005 06:35 PM 223,164 q8nu0i59e8.dll
15/01/2005 02:34 AM 223,164 e6jm0g11e6.dll
14/01/2005 02:51 PM 223,164 m4nqle551h.dll
07/01/2005 04:16 PM 223,164 m4rm0e91eh.dll
07/01/2005 04:15 PM 223,164 i4lo0e33eh.dll
04/01/2005 01:13 AM 222,985 ir8ql5l51.dll
16/12/2004 03:49 PM 224,423 gp88l3lu1.dll
16/12/2004 03:36 PM 226,088 ir66l5js1.dll
10/12/2004 02:20 AM 550 TBPS.ini
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:16 PM Microsoft
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
25 File(s) 3,481,793 bytes
2 Dir(s) 54,778,798,080 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

16/01/2005 08:00 PM 890 vsconfig.xml
16/01/2005 07:11 PM dllcache
16/01/2005 01:49 PM 4,212 zllictbl.dat
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:00 PM 488 logonui.exe.manifest
15/10/2004 10:00 PM 488 WindowsLogon.manifest
15/10/2004 10:00 PM 749 sapi.cpl.manifest
15/10/2004 10:00 PM 749 ncpa.cpl.manifest
15/10/2004 10:00 PM 749 cdplayer.exe.manifest
15/10/2004 10:00 PM 749 wuaucpl.cpl.manifest
15/10/2004 10:00 PM 749 nwc.cpl.manifest
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
18 File(s) 135,552 bytes
1 Dir(s) 54,778,793,984 bytes free

---------- Files Named "Guard" -------------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

03/08/2004 11:56 PM 1,236,480 ~GLH0014.TMP
03/08/2004 11:56 PM 1,236,480 ~GLH0019.TMP
29/08/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 2,475,537 bytes
0 Dir(s) 54,778,793,984 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D82349A0-741F-4CB4-8C7F-9DC915B24165}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\hr6q05j5e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

The system cannot execute the specified program.

-------------- Locate.com Results ---------------

-----------------------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 8:03:32 PM, on 16/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - D:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kalvsys] D:\windows\system32\kalvnif32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab


----------



## Flrman1 (Jul 26, 2002)

I am sending you a beta fix via pm. Follow the directions in the private message and post the resulting logs back here in this thread.


----------



## itrocks4u (Nov 27, 2004)

OK I did as you said...Here are the Look.txt, output.txt, and HJT log.....But there are still too many popups....:-(
------------------------

Most of the following files are legit Windows system files - Don't delete anything without advice.

16/01/2005 10:10 PM 223,295 lqbvpwr.dll
16/01/2005 07:59 PM 223,295 dcdskmgr.dll
16/01/2005 07:59 PM 224,551 mvp8l97u1.dll
16/01/2005 01:52 PM 224,614 mvjol9131.dll
16/01/2005 12:30 PM 223,420 j6n20g5oe6.dll
16/01/2005 12:22 PM 223,859 hrr6059se.dll
16/01/2005 11:44 AM 223,164 dn0q01d5e.dll
15/01/2005 06:35 PM 223,164 q8nu0i59e8.dll
15/01/2005 02:34 AM 223,164 e6jm0g11e6.dll
14/01/2005 02:51 PM 223,164 m4nqle551h.dll
07/01/2005 04:16 PM 223,164 m4rm0e91eh.dll
07/01/2005 04:15 PM 223,164 i4lo0e33eh.dll
04/01/2005 01:13 AM 222,985 ir8ql5l51.dll
16/12/2004 03:49 PM 224,423 gp88l3lu1.dll
16/12/2004 03:36 PM 226,088 ir66l5js1.dll
01/12/2004 12:53 AM 294,912 atiiiexx.dll
01/12/2004 12:18 AM 200,704 ATIDEMGR.dll
30/11/2004 10:12 PM 221,184 ati2dvag.dll
30/11/2004 09:26 PM 249,856 ati2cqag.dll
16/10/2004 03:32 PM 278,528 pncrt.dll
09/07/2004 03:27 AM 230,400 dplayx.dll
09/07/2004 03:27 AM 292,864 ddraw.dll
14/01/2004 08:26 AM 200,704 lexlmpm.dll
14/01/2004 08:21 AM 201,216 LEXP2P32.DLL
28/10/2003 07:33 PM 286,720 pxwave.dll
11/12/2002 11:14 PM 257,024 qcap.dll
11/12/2002 05:09 PM 253,952 msnetobj.dll
11/12/2002 05:09 PM 232,960 blackbox.dll
11/12/2002 04:34 PM 241,664 qasf.dll
11/12/2002 04:34 PM 241,664 mpg4dmod.dll
11/12/2002 04:23 PM 218,112 wmasf.dll
29/08/2002 07:00 AM 273,920 dmdlgs.dll
29/08/2002 07:00 AM 263,168 devmgr.dll
29/08/2002 07:00 AM 227,840 dsquery.dll
29/08/2002 07:00 AM 263,680 duser.dll
29/08/2002 07:00 AM 225,280 es.dll
29/08/2002 07:00 AM 250,368 gdi32.dll
29/08/2002 07:00 AM 285,184 glmf32.dll
29/08/2002 07:00 AM 240,640 hnetcfg.dll
29/08/2002 07:00 AM 247,808 iassdo.dll
29/08/2002 07:00 AM 236,032 icm32.dll
29/08/2002 07:00 AM 204,288 ieaksie.dll
29/08/2002 07:00 AM 221,184 ieakui.dll
29/08/2002 07:00 AM 294,912 iedkcs32.dll
29/08/2002 07:00 AM 231,424 iepeers.dll
29/08/2002 07:00 AM 266,240 inetcfg.dll
29/08/2002 07:00 AM 264,704 wzcsvc.dll
29/08/2002 07:00 AM 272,896 kerberos.dll
29/08/2002 07:00 AM 247,808 wow32.dll
29/08/2002 07:00 AM 202,752 localsec.dll
29/08/2002 07:00 AM 295,936 localspl.dll
29/08/2002 07:00 AM 296,448 wmstream.dll
29/08/2002 07:00 AM 222,208 compstui.dll
29/08/2002 07:00 AM 238,592 compatUI.dll
29/08/2002 07:00 AM 258,048 comdlg32.dll
29/08/2002 07:00 AM 253,952 wmpcd.dll
29/08/2002 07:00 AM 210,944 moricons.dll
29/08/2002 07:00 AM 266,752 MSCTF.dll
29/08/2002 07:00 AM 229,888 msieftp.dll
29/08/2002 07:00 AM 241,695 msjtes40.dll
29/08/2002 07:00 AM 239,616 adsnt.dll
29/08/2002 07:00 AM 213,023 msltus40.dll
29/08/2002 07:00 AM 228,864 msoeacct.dll
29/08/2002 07:00 AM 245,760 msscp.dll
29/08/2002 07:00 AM 250,368 mstask.dll
29/08/2002 07:00 AM 253,983 mstext40.dll
29/08/2002 07:00 AM 241,725 msuni11.dll
29/08/2002 07:00 AM 253,952 msvcrt20.dll
29/08/2002 07:00 AM 228,352 mswsock.dll
29/08/2002 07:00 AM 276,480 winsrv.dll
29/08/2002 07:00 AM 215,040 catsrv.dll
29/08/2002 07:00 AM 214,016 netevent.dll
29/08/2002 07:00 AM 253,952 neth.dll
29/08/2002 07:00 AM 230,400 netui1.dll
29/08/2002 07:00 AM 238,080 newdev.dll
29/08/2002 07:00 AM 271,360 objsel.dll
29/08/2002 07:00 AM 200,704 odbc32.dll
29/08/2002 07:00 AM 270,365 odbcjt32.dll
29/08/2002 07:00 AM 254,976 pdh.dll
29/08/2002 07:00 AM 227,840 avtapi.dll
29/08/2002 07:00 AM 221,696 qmgr.dll
29/08/2002 07:00 AM 217,088 rasapi32.dll
29/08/2002 07:00 AM 260,608 rpcss.dll
29/08/2002 07:00 AM 218,112 sbe.dll
29/08/2002 07:00 AM 297,984 scesrv.dll
29/08/2002 07:00 AM 276,480 slbcsp.dll
29/08/2002 07:00 AM 226,304 srrstr.dll
29/08/2002 07:00 AM 251,904 strmdll.dll
29/08/2002 07:00 AM 233,984 tapisrv.dll
29/08/2002 07:00 AM 200,192 termsrv.dll
29/08/2002 07:00 AM 272,768 atmfd.dll
29/08/2002 07:00 AM 268,800 ulib.dll
29/08/2002 07:00 AM 231,424 upnpui.dll
29/08/2002 07:00 AM 203,264 uxtheme.dll
29/08/2002 07:00 AM 287,263 vmhelper.dll
29/08/2002 07:00 AM 208,896 wavemsp.dll
29/08/2002 07:00 AM 258,048 webcheck.dll
07/06/2002 04:02 AM 212,480 PCDLIB32.DLL
07/06/2002 04:02 AM 285,184 LFCMP11n.DLL
07/06/2002 04:02 AM 262,656 LTDIS11n.dll
06/07/2001 05:24 PM 283,920 ImagXpr5.dll
24/03/2001 02:13 AM 278,528 LTDIS12n.DLL
20/03/2001 09:54 PM 227,840 LTEFX12n.DLL
1255 File(s) 247,678,922 bytes
--------------------------------------------------------------

Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: D:\Documents and Settings\Ours\Desktop\Salman\spy removing 3\NEW Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

16/01/2005 07:59 PM 223,295 dcdskmgr.dll
16/01/2005 07:59 PM 224,551 mvp8l97u1.dll
16/01/2005 07:11 PM dllcache
16/01/2005 01:52 PM 224,614 mvjol9131.dll
16/01/2005 12:30 PM 223,420 j6n20g5oe6.dll
16/01/2005 12:22 PM 223,859 hrr6059se.dll
16/01/2005 11:44 AM 223,164 dn0q01d5e.dll
15/01/2005 06:35 PM 223,164 q8nu0i59e8.dll
15/01/2005 02:34 AM 223,164 e6jm0g11e6.dll
14/01/2005 02:51 PM 223,164 m4nqle551h.dll
07/01/2005 04:16 PM 223,164 m4rm0e91eh.dll
07/01/2005 04:15 PM 223,164 i4lo0e33eh.dll
04/01/2005 01:13 AM 222,985 ir8ql5l51.dll
16/12/2004 03:49 PM 224,423 gp88l3lu1.dll
16/12/2004 03:36 PM 226,088 ir66l5js1.dll
10/12/2004 02:20 AM 550 TBPS.ini
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:16 PM Microsoft
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
24 File(s) 3,258,498 bytes
2 Dir(s) 54,783,905,792 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

16/01/2005 10:10 PM 890 vsconfig.xml
16/01/2005 07:11 PM dllcache
16/01/2005 01:49 PM 4,212 zllictbl.dat
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:00 PM 488 logonui.exe.manifest
15/10/2004 10:00 PM 488 WindowsLogon.manifest
15/10/2004 10:00 PM 749 sapi.cpl.manifest
15/10/2004 10:00 PM 749 ncpa.cpl.manifest
15/10/2004 10:00 PM 749 cdplayer.exe.manifest
15/10/2004 10:00 PM 749 wuaucpl.cpl.manifest
15/10/2004 10:00 PM 749 nwc.cpl.manifest
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
18 File(s) 135,552 bytes
1 Dir(s) 54,783,901,696 bytes free

------------ Files Named "Guard" ---------------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

03/08/2004 11:56 PM 1,236,480 ~GLH0014.TMP
03/08/2004 11:56 PM 1,236,480 ~GLH0019.TMP
29/08/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 2,475,537 bytes
0 Dir(s) 54,783,901,696 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D82349A0-741F-4CB4-8C7F-9DC915B24165}"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

D:\WINDOWS\system32\trjscan.trb: .aspack
D:\WINDOWS\system32\trupd.trb: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="D:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"D:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"ATIPTA"="D:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"msnappau"="\"D:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-us\\msnappau.exe\""
"Lexmark 2200 Series"="\"D:\\Program Files\\Lexmark 2200 Series\\lxbvbmgr.exe\""
"FaxCenterServer"="\"D:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
@=""
"Athan"="D:\\Program Files\\Athan\\Athan.exe"
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Microsoft Works Update Detection"="D:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"NeroFilterCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"TrojanScanner"="D:\\Program Files\\Trojan Remover\\Trjscan.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"kalvsys"="D:\\windows\\system32\\kalvnif32.exe"
"Zone Labs Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

----------------------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 10:23:38 PM, on 16/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - D:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kalvsys] D:\windows\system32\kalvnif32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

-----------------------------------------


----------



## Flrman1 (Jul 26, 2002)

I am attaching a fix5.zip file to this post. Download it and unzip it to your desktop.

*IMPORTANT!*: Before you continue, close *ALL* running programs. *Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line*. Copy these instructions to notepad and save them on your desktop for easy access.

Double-click on fix5.reg to add it to the registry. Answer yes to confirm.

Double-click on Killbox.exe to run it. Now put a tick by *Replace on Reboot*. Under that, also put a check in the box by *Use Dummy*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*D:\windows\system32\kalvnif32.exe

D:\WINDOWS\System32\dcdskmgr.dll

D:\WINDOWS\System32\mvp8l97u1.dll

D:\WINDOWS\System32\mvjol9131.dll

D:\WINDOWS\System32\j6n20g5oe6.dll

D:\WINDOWS\System32\hrr6059se.dll

D:\WINDOWS\System32\dn0q01d5e.dll

D:\WINDOWS\System32\q8nu0i59e8.dll

D:\WINDOWS\System32\e6jm0g11e6.dll

D:\WINDOWS\System32\m4nqle551h.dll

D:\WINDOWS\System32\m4rm0e91eh.dll

D:\WINDOWS\System32\i4lo0e33eh.dll

D:\WINDOWS\System32\ir8ql5l51.dll

D:\WINDOWS\System32\gp88l3lu1.dll

D:\WINDOWS\System32\ir66l5js1.dll

D:\WINDOWS\System32\lqbvpwr.dll*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

O4 - HKLM\..\Run: [kalvsys] D:\windows\system32\kalvnif32.exe*

Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Next run VX2Finder. Click on the "Click to Find VX2.Betterinternet" button then Click the "Restore Policy" button.

*Now restart your computer.*

Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. Copy that log then, hit any key to close find.bat. Post the contents of the new output.txt file here along with a new Hijack This log and a new log from DLLCompare.

Again I remind you, it is very important that you *do not* restart your computer until we have proceeded to the next step and you are instructed to restart. If you restart your computer, the registry entry we need to remove will change, as will some of the file names, and we will have to start all over.


----------



## itrocks4u (Nov 27, 2004)

OK, I did as you said. You didn't send me a link for DLLCompare, so I found it through Google. I hope it's the same DLLCompare that you want.

-----------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 9:08:27 PM, on 17/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\Microsoft Office\Office\WINWORD.EXE
D:\Program Files\Microsoft Works\WkDStore.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Program Files\Hijackthis\HijackThis.exe
D:\WINDOWS\system32\NOTEPAD.EXE

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - D:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [kalvsys] D:\windows\system32\kalvnif32.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

--------------------------------------------------
Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: D:\Documents and Settings\Ours\Desktop\Salman\spy removing 3\NEW Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

17/01/2005 09:00 PM 224,676 oubcbcp.dll
17/01/2005 08:59 PM 223,295 c6002gdmg60a2.dll
17/01/2005 08:45 PM 223,295 dq0q01d5e.dll
17/01/2005 08:45 PM 224,676 en8ol1l31.dll
16/01/2005 07:11 PM dllcache
10/12/2004 02:20 AM 550 TBPS.ini
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:16 PM Microsoft
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
14 File(s) 1,022,221 bytes
2 Dir(s) 54,699,634,688 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

17/01/2005 09:00 PM 890 vsconfig.xml
16/01/2005 07:11 PM dllcache
16/01/2005 01:49 PM 4,212 zllictbl.dat
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:00 PM 488 logonui.exe.manifest
15/10/2004 10:00 PM 488 WindowsLogon.manifest
15/10/2004 10:00 PM 749 sapi.cpl.manifest
15/10/2004 10:00 PM 749 ncpa.cpl.manifest
15/10/2004 10:00 PM 749 cdplayer.exe.manifest
15/10/2004 10:00 PM 749 wuaucpl.cpl.manifest
15/10/2004 10:00 PM 749 nwc.cpl.manifest
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
18 File(s) 135,552 bytes
1 Dir(s) 54,699,630,592 bytes free

------------ Files Named "Guard" ---------------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

03/08/2004 11:56 PM 1,236,480 ~GLH0014.TMP
03/08/2004 11:56 PM 1,236,480 ~GLH0019.TMP
29/08/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 2,475,537 bytes
0 Dir(s) 54,699,630,592 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D82349A0-741F-4CB4-8C7F-9DC915B24165}"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\en8ol1l31.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

D:\WINDOWS\system32\trjscan.trb: .aspack
D:\WINDOWS\system32\trupd.trb: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="D:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"D:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"ATIPTA"="D:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"msnappau"="\"D:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-us\\msnappau.exe\""
"Lexmark 2200 Series"="\"D:\\Program Files\\Lexmark 2200 Series\\lxbvbmgr.exe\""
"FaxCenterServer"="\"D:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
@=""
"Athan"="D:\\Program Files\\Athan\\Athan.exe"
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Microsoft Works Update Detection"="D:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"NeroFilterCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"TrojanScanner"="D:\\Program Files\\Trojan Remover\\Trjscan.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Zone Labs Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"kalvsys"="D:\\windows\\system32\\kalvnif32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------------------------------------------------------------

DLLCompare....

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

D:\WINDOWS\SYSTEM32\addfi.dll Tue Oct 5 2004 3:29:44p A.SH. 98,938 96.62 K
D:\WINDOWS\SYSTEM32\c6002g~1.dll Mon Jan 17 2005 8:59:40p ..S.R 223,295 218.06 K
D:\WINDOWS\SYSTEM32\en8ol1~1.dll Mon Jan 17 2005 8:45:40p ..S.R 224,676 219.41 K
D:\WINDOWS\SYSTEM32\oubcbcp.dll Mon Jan 17 2005 9:00:36p ..S.R 224,676 219.41 K
________________________________________________

1,243 items found: 1,243 files (4 H/S), 0 directories.
Total of file sizes: 244,996,055 bytes 233.64 M

Administrator Account = True

--------------------End log---------------------
----------------------------


----------



## Flrman1 (Jul 26, 2002)

Well we're not making any progress here. We take 1 step forward and two steps back. 

Part of the problem here is the time that is elapsing between posts. We need to do one of two things. We are either going to have to try to both be online at the same time for a few hours so that we can work on this thing until it is gone or I am going to have to give you some general directions as to what to look for as far as the files go and the registry entries so you can work on this without me having to direct every step. I will be back online this evening around 6 or 7 pm EDT and will be online until about midnight. Just let me know which way you'd like to do it.


----------



## Flrman1 (Jul 26, 2002)

I just found out about a new tool to remove this thing so we can try it. We will still need to be online at the same time for a little while. Let me know when you're ready to try it.


----------



## khazars (Feb 15, 2004)

Hi flrman, is the new tool eScan, based on Kaspersky? I saw this dude clean these up very quickly running eScan; he did use a few other tools like fix regs. Sorry, but I can't remember the web site forum he was on, and I can't find it either, but he certainly blitzed the Vx2 infection in no time!

khaz


----------



## Flrman1 (Jul 26, 2002)

As far as I know, it's not.


----------



## khazars (Feb 15, 2004)

Hmm, is one keeping one's new tool close to one's chest?

Is it secret?

khaz


----------



## Flrman1 (Jul 26, 2002)

It's not a secret. I'll be posting it here shortly. I need to check it out first.


----------



## Flrman1 (Jul 26, 2002)

Since I don't know when you will be online, I'm going to go ahead and post this.

*Click here* to download L2mfix.

Save the file to your desktop and double click *l2mfix.exe*. Read and Accept the agreement. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click *l2mfix.bat* and select option *#1* for *Run Find Log* by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

*IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!*.


----------



## itrocks4u (Nov 27, 2004)

OK, I got the log from this new program... Btw, I just wanted to know: how dangerous can this VX2 be?

-----------------------------------------------------

L2MFIX find log 1.01
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\h64m0gh1e64.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D82349A0-741F-4CB4-8C7F-9DC915B24165}"=""

**********************************************************************************
Files Found are not all bad files:

D:\WINDOWS\SYSTEM32\
akcore.dll Tue Dec 7 2004 11:47:46p A.... 188,416 184.00 K
aklsp.dll Tue Dec 7 2004 11:47:46p A.... 196,608 192.00 K
akupd.dll Tue Dec 7 2004 11:47:40p A.... 155,648 152.00 K
apizy.dll Thu Nov 11 2004 5:07:08p A.... 11,344 11.08 K
ati2cqag.dll Tue Nov 30 2004 9:26:50p A.... 249,856 244.00 K
ati2dvag.dll Tue Nov 30 2004 10:12:50p A.... 221,184 216.00 K
ati2edxx.dll Tue Nov 30 2004 10:07:10p A.... 30,720 30.00 K
ati2evxx.dll Tue Nov 30 2004 10:06:56p A.... 94,208 92.00 K
ati3duag.dll Tue Nov 30 2004 9:51:06p A.... 2,305,984 2.20 M
atiddc.dll Tue Nov 30 2004 10:04:38p A.... 81,920 80.00 K
atidemgr.dll Wed Dec 1 2004 12:18:46a A.... 200,704 196.00 K
atiiiexx.dll Wed Dec 1 2004 12:53:42a A.... 294,912 288.00 K
atioglxx.dll Tue Nov 30 2004 10:37:34p A.... 6,619,136 6.31 M
atipdlxx.dll Tue Nov 30 2004 10:07:44p A.... 131,072 128.00 K
atitvo32.dll Tue Nov 30 2004 9:35:12p A.... 17,408 17.00 K
ativvaxx.dll Tue Nov 30 2004 9:45:22p A.... 434,496 424.31 K
atliw32.dll Thu Dec 2 2004 1:02:42p A.... 11,344 11.08 K
cacore.dll Wed Dec 8 2004 12:17:42a A.... 151,552 148.00 K
calsp.dll Wed Dec 8 2004 12:17:44a A.... 135,168 132.00 K
carules.dll Wed Dec 8 2004 12:17:42a A.... 45,056 44.00 K
casync.dll Wed Dec 8 2004 12:17:42a A.... 114,688 112.00 K
fhultrep.dll Tue Jan 18 2005 8:00:06p ..S.R 223,441 218.20 K
h64m0g~1.dll Tue Jan 18 2005 3:48:28p ..S.R 223,441 218.20 K
hrn205~1.dll Tue Jan 18 2005 7:59:28p ..S.R 223,295 218.06 K
javaws.dll Thu Dec 2 2004 4:38:32p A.... 11,344 11.08 K
oemdspif.dll Tue Nov 30 2004 10:07:28p A.... 106,496 104.00 K
sporder.dll Tue Dec 7 2004 11:47:46p A.... 8,464 8.27 K
tsccvid.dll Tue Nov 23 2004 2:11:00a A.... 98,304 96.00 K
vsdata.dll Sun Nov 28 2004 5:21:50a A.... 75,032 73.27 K
vsinit.dll Sun Nov 28 2004 5:22:02a A.... 124,184 121.27 K
vsmonapi.dll Sun Nov 28 2004 5:22:10a A.... 107,808 105.28 K
vspubapi.dll Sun Nov 28 2004 5:22:14a A.... 197,920 193.28 K
vsregexp.dll Sun Nov 28 2004 5:22:18a A.... 70,944 69.28 K
vsutil.dll Sun Nov 28 2004 5:22:30a A.... 353,560 345.27 K
vsxml.dll Sun Nov 28 2004 5:22:38a A.... 99,608 97.27 K
zlcomm.dll Sun Nov 28 2004 5:23:00a A.... 75,032 73.27 K
zlcommdb.dll Sun Nov 28 2004 5:23:04a A.... 66,848 65.28 K

37 items found: 37 files (3 H/S), 0 directories.
Total of file sizes: 13,757,145 bytes 13.12 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

18/01/2005 08:00 PM 223,441 fHultrep.dll
18/01/2005 07:59 PM 223,295 hrn2055oe.dll
18/01/2005 03:48 PM 223,441 h64m0gh1e64.dll
16/01/2005 07:11 PM dllcache
10/12/2004 02:20 AM 550 TBPS.ini
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:16 PM Microsoft
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
13 File(s) 796,456 bytes
2 Dir(s) 54,685,102,080 bytes free
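
The find log above enumerates every Winlogon\Notify package and its DLL, and the helper's job is to spot the one that does not belong. As an added example (not from the thread, l2mfix or any tool it runs), this Python parser reads such an export, decodes both the quoted and the hex(2) DllName forms seen in the logs, and flags packages by the signs visible here: an absolute path into system32, a DLL not in a small allowlist of XP notification packages (that allowlist is an assumption), and the generic WinLogon/WinLogoff/WinShutdown handler names.

```python
"""Parse a Winlogon\\Notify .reg export (the kind l2mfix's find log prints) and
flag notification packages that look out of place.

Added example, not part of the thread or of l2mfix. KNOWN_NOTIFY_DLLS is an
assumed allowlist of Windows XP notification packages, not taken from the page.
"""
import re

# Assumed allowlist (lowercase): notification DLLs shipped with Windows XP,
# plus the ATI one present on the poster's machine.
KNOWN_NOTIFY_DLLS = {"wlnotify.dll", "cscdll.dll", "crypt32.dll", "cryptnet.dll",
                     "sclgntfy.dll", "ati2evxx.dll"}

# Handler names used by the injected Telephony/SMDEn entries in the thread;
# genuine packages export descriptive names such as TSEventLogon.
GENERIC_HANDLERS = {"WinLogon", "WinLogoff", "WinShutdown"}

# Value names that carry flags rather than handler function names.
NON_HANDLER_VALUES = {"dllname", "asynchronous", "impersonate", "safe",
                      "maxwait", "enabled"}

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode_reg_string(raw: str) -> str:
    """Decode a .reg value: "quoted" REG_SZ or hex(2):... REG_EXPAND_SZ."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        # "Windows Registry Editor Version 5.00" exports UTF-16LE (every second
        # byte is 0); the REGEDIT4-style export earlier in the thread is ANSI.
        if len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
            return data.decode("utf-16-le").rstrip("\x00")
        return data.decode("latin-1").rstrip("\x00")
    return raw  # dword:... and anything else is returned verbatim


def parse_winlogon_notify(reg_text: str) -> dict:
    """Return {subkey: {value_name: decoded_value}} for each Notify\\<subkey>."""
    # Fold hex continuation lines ("...,6c,00,\" + newline + "  6c,00,00,00").
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)
    entries, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            entries[current][value.group(1)] = _decode_reg_string(value.group(2))
    return entries


def flag_suspicious(entries: dict) -> dict:
    """Return {subkey: [reasons]} for packages a helper should look at."""
    findings = {}
    for subkey, values in entries.items():
        # The export spells the name both "DllName" and "DLLName".
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            continue
        reasons = []
        base = dll.rsplit("\\", 1)[-1].lower()
        if base not in KNOWN_NOTIFY_DLLS:
            reasons.append(f"unknown notification DLL {base}")
        if "\\" in dll:
            # Legitimate packages give a bare DLL name resolved from system32;
            # the injected entries in the log use a full path.
            reasons.append("absolute DLL path")
        handlers = {v for k, v in values.items() if k.lower() not in NON_HANDLER_VALUES}
        if handlers & GENERIC_HANDLERS:
            reasons.append("generic handler names")
        if reasons:
            findings[subkey] = reasons
    return findings


# Constructed excerpt modelled on the find log posted in the thread: one
# genuine UTF-16 entry, one injected entry, one ANSI-encoded genuine entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\h64m0gh1e64.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Logon"="TSEventLogon"
'''

if __name__ == "__main__":
    for key, why in flag_suspicious(parse_winlogon_notify(SAMPLE_REG)).items():
        print(f"{key}: {'; '.join(why)}")
```

Run against the full export, only the Telephony entry is reported; the genuine packages decode to bare names on the allowlist.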


----------



## Flrman1 (Jul 26, 2002)

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click *l2mfix.bat* and select option *#2* for *Run Fix* by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

*IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!*


----------



## itrocks4u (Nov 27, 2004)

OK, done that... Here is the log and the HJT log.

-----------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 9:45:36 PM, on 18/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\imapi.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - D:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [kalvsys] D:\windows\system32\kalvnif32.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

----------------------------------------------------------------------------------------------

L2Mfix 1.01

Running From:
D:\Documents and Settings\Ours\Desktop\Salman\spy removing 3\l2mfix

Vbruntimes Found!

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C access for really "Everyone"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

D:\Documents and Settings\Ours\Desktop\Salman\spy removing 3\l2mfix 
System Rebooted!

Running From:
D:\Documents and Settings\Ours\Desktop\Salman\spy removing 3\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1184 'explorer.exe'
Killing PID 1184 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1456 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Desktop.ini sucessfully removed

Zipping up files for submission:
adding: cecho.reg (164 bytes security) (deflated 2%)
adding: echo.reg (164 bytes security) (deflated 11%)
adding: desktop.ini (164 bytes security) (deflated 13%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 70%)
adding: readme.txt (164 bytes security) (deflated 47%)
adding: report.txt (164 bytes security) (deflated 74%)
adding: test.txt (164 bytes security) (stored 0%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for really "Everyone"

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found: 
****************************************************************************

Registry Entries to be Deleted: 
Please verify that the listing looks ok. It shouldn't be longer than 13 lines 
If approved by helper double click the cleanup.reg in the l2mfix folder. 
****************************************************************************
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D82349A0-741F-4CB4-8C7F-9DC915B24165}"=-
****************************************************************************
Desktop.ini Contents: 
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{D82349A0-741F-4CB4-8C7F-9DC915B24165}</IDone>
<IDtwo>BM2</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
Classid's found from regsearch:
****************************************************************************




----------



## Flrman1 (Jul 26, 2002)

Go back to the l2mfix folder on your desktop and double click *cleanup.reg*. Click Yes to the confirmation message, then click OK.

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - D:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll

O4 - HKLM\..\Run: [kalvsys] D:\windows\system32\kalvnif32.exe*

Restart to safe mode.

*How to start your computer in safe mode*

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now find and delete this file:

D:\windows\system32\*kalvnif32.exe*

delete this folder:

D:\WINDOWS\*EliteToolBar*

Boot back into Windows normally and post another Hijack This log. Also run find.bat and post another log from it. I'm not so sure that this has worked.


----------



## itrocks4u (Nov 27, 2004)

Umm, I still have no idea about what is going on... I did as you said, and here is the new HJT log and output.txt... I tried fixing the O1 hosts (the search ones in the HJT log), but I think they are still there...

Logfile of HijackThis v1.98.2
Scan saved at 10:55:04 PM, on 18/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\PROGRA~1\VBouncer\VirtualBouncer.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\WINDOWS\System32\cmd.exe
D:\WINDOWS\system32\ntvdm.exe
D:\WINDOWS\system32\strings.exe
D:\WINDOWS\system32\find.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Hijackthis\HijackThis.exe
D:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - D:\Program Files\se\v11\se.DLL
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [kalvsys] D:\windows\system32\kalvnif32.exe
O4 - HKLM\..\Run: [Search-Exe] "D:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [VBouncer] D:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

-----------------------------------------------------------

Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: D:\Documents and Settings\Ours\Desktop\Salman\spy removing 3\NEW Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

18/01/2005 10:53 PM 225,077 csyptnet.dll
18/01/2005 10:53 PM 225,395 g8jo0i13e8.dll
18/01/2005 10:48 PM 225,077 l6l6lg3s16.dll
18/01/2005 07:59 PM 223,295 hrn2055oe.dll
16/01/2005 07:11 PM dllcache
10/12/2004 02:20 AM 550 TBPS.ini
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:16 PM Microsoft
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
14 File(s) 1,025,123 bytes
2 Dir(s) 54,664,937,472 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

18/01/2005 10:53 PM 890 vsconfig.xml
16/01/2005 07:11 PM dllcache
16/01/2005 01:49 PM 4,212 zllictbl.dat
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:00 PM 488 logonui.exe.manifest
15/10/2004 10:00 PM 488 WindowsLogon.manifest
15/10/2004 10:00 PM 749 sapi.cpl.manifest
15/10/2004 10:00 PM 749 ncpa.cpl.manifest
15/10/2004 10:00 PM 749 cdplayer.exe.manifest
15/10/2004 10:00 PM 749 wuaucpl.cpl.manifest
15/10/2004 10:00 PM 749 nwc.cpl.manifest
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
18 File(s) 135,552 bytes
1 Dir(s) 54,664,933,376 bytes free

------------ Files Named "Guard" ---------------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

03/08/2004 11:56 PM 1,236,480 ~GLH0014.TMP
03/08/2004 11:56 PM 1,236,480 ~GLH0019.TMP
29/08/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 2,475,537 bytes
0 Dir(s) 54,664,933,376 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3EACCC8D-FF2E-48D0-A4C0-D0E813F7992B}"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\l6l6lg3s16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

D:\WINDOWS\SYSTEM32\
csyptnet.dll Tue Jan 18 2005 10:53:14p ..S.R 225,077 219.80 K
g8jo0i~1.dll Tue Jan 18 2005 10:53:14p ..S.R 225,395 220.11 K
hrn205~1.dll Tue Jan 18 2005 7:59:28p ..S.R 223,295 218.06 K
iityf.log Sat Oct 30 2004 5:24:10p A.SH. 3,347 3.27 K
jnxgl.log Mon Nov 1 2004 5:01:40p A.SH. 3,347 3.27 K
kzjmn.dat Sun Oct 31 2004 1:52:02a A.SH. 3,347 3.27 K
l6l6lg~1.dll Tue Jan 18 2005 10:48:32p ..S.R 225,077 219.80 K
ljehb.log Sun Oct 31 2004 10:18:12a A.SH. 3,347 3.27 K
tbps.ini Fri Dec 10 2004 2:20:42a ..S.R 550 0.54 K
vsconfig.xml Tue Jan 18 2005 10:53:30p A..H. 890 0.87 K
yafwj.dat Thu Oct 28 2004 3:52:32p A.SH. 3,347 3.27 K
zllictbl.dat Sun Jan 16 2005 1:49:54p ...H. 4,212 4.11 K
zrjbo.txt Tue Oct 26 2004 6:36:02p A.SH. 3,347 3.27 K

13 items found: 13 files, 0 directories.
Total of file sizes: 924,578 bytes 902.91 K

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

D:\WINDOWS\system32\trjscan.trb: .aspack
D:\WINDOWS\system32\trupd.trb: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="D:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"D:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"ATIPTA"="D:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"msnappau"="\"D:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-us\\msnappau.exe\""
"Lexmark 2200 Series"="\"D:\\Program Files\\Lexmark 2200 Series\\lxbvbmgr.exe\""
"FaxCenterServer"="\"D:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
@=""
"Athan"="D:\\Program Files\\Athan\\Athan.exe"
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Microsoft Works Update Detection"="D:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"NeroFilterCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"TrojanScanner"="D:\\Program Files\\Trojan Remover\\Trjscan.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Zone Labs Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"kalvsys"="D:\\windows\\system32\\kalvnif32.exe"
"Search-Exe"="\"D:\\Program Files\\se\\v11\\se.EXE\" /H"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
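The "Keys Under Notify" section of the Find.bat log above is where this infection hides: the `policies` subkey loads a randomly named DLL from system32 at every logon. As an added example (not part of the thread, nor code from Find.bat or L2MFix), the script below parses that dump format, decodes the `hex(2)` values in both the REGEDIT4 (ANSI) and "Version 5.00" (UTF-16LE) styles these tools print, and flags subkeys whose DllName is a full path or whose handlers use the generic `WinLogon`/`WinLogoff`/`WinShutdown` export names seen in the log. The embedded dump is a constructed excerpt modelled on the log, and the two flagging rules are assumptions drawn from this thread's entries, not an official whitelist.

```python
"""Flag suspicious Winlogon\\Notify entries in a regedit-style dump.

Added example, not code from the thread or from Find.bat/L2MFix.
Heuristics (assumptions based on the log in this thread):
  * stock Notify entries name a bare DLL (wlnotify.dll, cscdll.dll);
    an absolute path into system32 is a red flag;
  * the rogue entries export generic WinLogon/WinLogoff/WinShutdown
    handlers instead of descriptive names like SchedStartShell.
"""
import re

# Constructed excerpt modelled on the thread's logs: REGEDIT4-style
# ANSI hex(2), a Version 5.00-style UTF-16LE hex(2) with a wrapped
# line, and one hijacked subkey pointing at a randomly named DLL.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\l6l6lg3s16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"StartShell"="SchedStartShell"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
GENERIC_EXPORTS = {'WinLogon', 'WinLogoff', 'WinShutdown'}
HANDLER_VALUES = ('logon', 'logoff', 'shutdown', 'startup', 'startshell',
                  'lock', 'unlock', 'startscreensaver', 'stopscreensaver')


def _join_continuations(text):
    """Rejoin hex(2) values that regedit wraps with a trailing ',\\'."""
    lines, buf = [], ''
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ''
        if line.endswith(',\\'):
            buf = line[:-1]          # drop the backslash, keep collecting
            continue
        lines.append(line)
    return lines


def decode_value(raw):
    """Turn a regedit value literal into a str (or int for dword)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
        # Version 5.00 dumps are UTF-16LE (every odd byte is 0); REGEDIT4 is ANSI.
        wide = len(data) % 2 == 0 and all(b == 0 for b in data[1::2])
        text = data.decode('utf-16-le') if wide else data.decode('latin-1')
        return text.rstrip('\x00')
    return raw


def parse_notify(text):
    """Return {subkey: {value_name: value}} for every Winlogon\\Notify subkey."""
    subkeys, current = {}, None
    for line in _join_continuations(text):
        m = KEY_RE.match(line)
        if m:
            head, sep, tail = m.group(1).partition('\\Winlogon\\Notify\\')
            # The parent Notify key carries no handler; only children do.
            current = subkeys.setdefault(tail, {}) if sep and tail else None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = decode_value(m.group(2))
    return subkeys


def suspicious_entries(subkeys):
    """Return [(subkey, dll, reasons)] for entries worth a second look."""
    findings = []
    for name, values in subkeys.items():
        lower = {k.lower(): v for k, v in values.items()}   # value names are case-insensitive
        dll = str(lower.get('dllname', ''))
        reasons = []
        if '\\' in dll or '/' in dll:
            reasons.append('DllName is a full path; stock entries use a bare file name')
        exports = {lower[v] for v in HANDLER_VALUES if v in lower}
        if exports & GENERIC_EXPORTS:
            reasons.append('handlers use generic WinLogon/WinLogoff/WinShutdown exports')
        if reasons:
            findings.append((name, dll, reasons))
    return findings


if __name__ == '__main__':
    for name, dll, reasons in suspicious_entries(parse_notify(SAMPLE_DUMP)):
        print(f'{name}: {dll}')
        for reason in reasons:
            print(f'  - {reason}')
```

Run against a real Find.bat or L2MFix output by reading the file into `parse_notify` instead of `SAMPLE_DUMP`; anything it flags is a candidate for the fix.reg/Killbox step, not an automatic deletion.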




----------



## Flrman1 (Jul 26, 2002)

Well so much for the new removal tool. It didn't work here! 

Let's go through what we were doing before again.

I am attaching a fix.zip file to this post. Download fix.zip to your desktop and unzip it.

*IMPORTANT!*: Before you continue, close *ALL* running programs. *Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line*. Copy these instructions to notepad and save them on your desktop for easy access.

Double click on the fix.reg file to enter it into the registry. Answer yes when asked to have its contents added to the registry.

Double-click on Killbox.exe to run it. Now put a tick by *Replace on Reboot*. Under that also put a check in the box by *Use Dummy*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*D:\WINDOWS\System32\g8jo0i13e8.dll

D:\WINDOWS\System32\l6l6lg3s16.dll

D:\WINDOWS\System32\hrn2055oe.dll

D:\windows\system32\kalvnif32.exe*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Next run VX2Finder. Click on the "Click to Find VX2.Betterinternet" button then Click the "Restore Policy" button.

*Now restart your computer.*

Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. Copy that log then, hit any key to close find.bat. Post the contents of the new output.txt file here along with a new Hijack This log and a new log from DLLCompare.

Again I remind you, it is very important that you *do not* restart your computer until we have proceeded to the next step and you are instructed to restart. If you restart your computer, the registry entry we need to remove will change, as will some of the file names, and we will have to start all over.


----------



## Flrman1 (Jul 26, 2002)

itrocks4u said:


> Hey....I'm still doing all what you said...but i really need your help on this one....after i did all you said...now my internet explorer is not letting me sign in to anything.....
> I open Hotmail, and it asks me to sign in again and again...Same is the case with yahoo or any other login i try on any site...it just refuses to log in....yahoo said something about the cookies....... is there a problem with the settings???
> 
> Plus....how dangerous is that VX2? Can I keep going without removing it?
> ...


Did you check your privacy settings to see if anything has changed? We didn't do anything that should have affected that.

No you can't keep going without removing it.

I don't understand why we are having so much trouble removing this on yours. It usually takes several steps to get it, but not like this.

Please post another Hijack This log and another Find.bat log.


----------



## shadowwar (Apr 16, 2004)

Could you please send me the zip from the tool so I can diagnose what happened that it didn't work?

My email address is in the readme file.

Thanks

It may have to do with TrojanScan running in the background, or any AV.


----------



## Mosaic1 (Aug 17, 2001)

Not to interfere or cause confusion. So look at me as consulting a little.

I just read this long thread again. My impression is that you were clean. And then it reinstalled itself. I think too you should finish the clean up of the leftovers from your CWS infection. You show some CWS files in your system32 folder. I would go and get another online AV scan here:

http://housecall.trendmicro.com/housecall/start_corp.asp

Allow it to clean. 
-------------------------------
csyptnet.dll: This file looks to be a part of the infection too.

Take a look at the Hijackthis log, at the running processes after you cleaned up using the last utility.

See imapi.exe?

I always have that running when I am able to run their installer. And unless you are burning to disk, that shouldn't appear.

I wonder if you would post a startuplist for us please.

In Hijackthis press the Config Button
Click Misc Tools
*Check both boxes under the Generate StartupList log* and then click the generate startuplist log button.

Also your last Hijackthis log was from an older version. Please update Hijackthis.

Paste the contents into your next reply here, please. It will show a few things which Hijackthis won't. You still have to clear up other issues.

Also, I know this is a zone labs file, but I'd like to have a quick look at it too.
D:\WINDOWS\System32\vsconfig.xml

If you would please make a zipped file by right clicking on it and choosing send to>Compressed.

Then upload the compressed file as an attachment here. Don't use quick reply. Instead, press the Post Reply button. This will bring up a new page. You can use the Manage Attachments function to upload the file.

Have a look in D:\windows\*system*, not system32.

See if you have this file:
UpdInstall.exe

That's their installer. But it will not always run. There is some trick to it. Right click on that and choose properties. See when it was last modified. Then delete the file.

Finally, after you post again, go and get some extra protections. This is urgent!
Follow the advice and get the free downloads to help avoid some of these things from installing in the future.
http://www.computercops.biz/postt7736.html


----------



## itrocks4u (Nov 27, 2004)

OK, that last post totally got me confused....Mosaic....you need to tell me what files you want....I didn't get you properly....Plus where do I get the new HJT from? And I just recently installed Zone Alarm, the file you were wondering about.


----------



## Mosaic1 (Aug 17, 2001)

I am just curious to see what entries there are in your vsconfig.xml file. I know it is a part of Zone Alarm. 


To update Hijackthis:

Open Hijackthis. Click the Config button. On the new window which will open, click the Misc Tools button.

This will open another page. Click the Check for update online button. 

Go back and read the rest of my post. Post a Startuplist.

Get the protections from the link I posted.


----------



## Flrman1 (Jul 26, 2002)

The L2mFix was updated last night so please delete the old l2mfix folder from your desktop and *click here* to download the new version of L2mfix.

Save the file to your desktop and double click *l2mfix.exe*. Read and Accept the agreement. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click *l2mfix.bat* and select option *#1* for *Run Find Log* by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

*IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!*.


----------



## itrocks4u (Nov 27, 2004)

OK...I ran the updated l2mfix...I hope it works.........

L2MFIX find log 1.02
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\mv6ql9j51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3EACCC8D-FF2E-48D0-A4C0-D0E813F7992B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{52B87208-9CCF-42C9-B88E-069281105805}"="Trojan Remover Shell Extension"
"{E2596304-C370-41B5-B724-98F59E669D49}"=""
"{3572C13B-EE31-446A-97F6-09EF9432A185}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E2596304-C370-41B5-B724-98F59E669D49}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2596304-C370-41B5-B724-98F59E669D49}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2596304-C370-41B5-B724-98F59E669D49}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2596304-C370-41B5-B724-98F59E669D49}\InprocServer32]
@="D:\\WINDOWS\\system32\\aSaamon.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3572C13B-EE31-446A-97F6-09EF9432A185}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3572C13B-EE31-446A-97F6-09EF9432A185}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3572C13B-EE31-446A-97F6-09EF9432A185}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3572C13B-EE31-446A-97F6-09EF9432A185}\InprocServer32]
@="D:\\WINDOWS\\system32\\ebentcls.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

D:\WINDOWS\SYSTEM32\
akcore.dll Tue Dec 7 2004 11:47:46p A.... 188,416 184.00 K
aklsp.dll Tue Dec 7 2004 11:47:46p A.... 196,608 192.00 K
akupd.dll Tue Dec 7 2004 11:47:40p A.... 155,648 152.00 K
apizy.dll Thu Nov 11 2004 5:07:08p A.... 11,344 11.08 K
asaamon.dll Sun Jan 23 2005 1:12:22p ..... 225,395 220.11 K
ati2cqag.dll Tue Nov 30 2004 9:26:50p A.... 249,856 244.00 K
ati2dvag.dll Tue Nov 30 2004 10:12:50p A.... 221,184 216.00 K
ati2edxx.dll Tue Nov 30 2004 10:07:10p A.... 30,720 30.00 K
ati2evxx.dll Tue Nov 30 2004 10:06:56p A.... 94,208 92.00 K
ati3duag.dll Tue Nov 30 2004 9:51:06p A.... 2,305,984 2.20 M
atiddc.dll Tue Nov 30 2004 10:04:38p A.... 81,920 80.00 K
atidemgr.dll Wed Dec 1 2004 12:18:46a A.... 200,704 196.00 K
atiiiexx.dll Wed Dec 1 2004 12:53:42a A.... 294,912 288.00 K
atioglxx.dll Tue Nov 30 2004 10:37:34p A.... 6,619,136 6.31 M
atipdlxx.dll Tue Nov 30 2004 10:07:44p A.... 131,072 128.00 K
atitvo32.dll Tue Nov 30 2004 9:35:12p A.... 17,408 17.00 K
ativvaxx.dll Tue Nov 30 2004 9:45:22p A.... 434,496 424.31 K
atliw32.dll Thu Dec 2 2004 1:02:42p A.... 11,344 11.08 K
cacore.dll Wed Dec 8 2004 12:17:42a A.... 151,552 148.00 K
calsp.dll Wed Dec 8 2004 12:17:44a A.... 135,168 132.00 K
carules.dll Wed Dec 8 2004 12:17:42a A.... 45,056 44.00 K
casync.dll Wed Dec 8 2004 12:17:42a A.... 114,688 112.00 K
dlutil.dll Tue Jan 18 2005 9:43:38p A.... 223,441 218.20 K
e2202c~1.dll Sun Jan 23 2005 3:02:58a ..S.R 225,395 220.11 K
ebentcls.dll Tue Jan 18 2005 10:48:32p A.... 223,441 218.20 K
h60qlg~1.dll Fri Jan 21 2005 11:29:24a ..S.R 225,077 219.80 K
hrn205~1.dll Tue Jan 18 2005 7:59:28p ..S.R 223,295 218.06 K
javaws.dll Thu Dec 2 2004 4:38:32p A.... 11,344 11.08 K
mv6ql9~1.dll Sat Jan 22 2005 12:26:30p ..S.R 225,395 220.11 K
oemdspif.dll Tue Nov 30 2004 10:07:28p A.... 106,496 104.00 K
sporder.dll Tue Dec 7 2004 11:47:46p A.... 8,464 8.27 K
tsccvid.dll Tue Nov 23 2004 2:11:00a A.... 98,304 96.00 K
vsdata.dll Sun Nov 28 2004 5:21:50a A.... 75,032 73.27 K
vsinit.dll Sun Nov 28 2004 5:22:02a A.... 124,184 121.27 K
vsmonapi.dll Sun Nov 28 2004 5:22:10a A.... 107,808 105.28 K
vspubapi.dll Sun Nov 28 2004 5:22:14a A.... 197,920 193.28 K
vsregexp.dll Sun Nov 28 2004 5:22:18a A.... 70,944 69.28 K
vsutil.dll Sun Nov 28 2004 5:22:30a A.... 353,560 345.27 K
vsxml.dll Sun Nov 28 2004 5:22:38a A.... 99,608 97.27 K
zlcomm.dll Sun Nov 28 2004 5:23:00a A.... 75,032 73.27 K
zlcommdb.dll Sun Nov 28 2004 5:23:04a A.... 66,848 65.28 K

41 items found: 41 files (4 H/S), 0 directories.
Total of file sizes: 14,658,407 bytes 13.98 M
Locate .tmp files:

D:\WINDOWS\SYSTEM32\
guard.tmp Sun Jan 23 2005 1:48:22p A.... 225,395 220.11 K

1 item found: 1 file, 0 directories.
Total of file sizes: 225,395 bytes 220.11 K
**********************************************************************************
Directory Listing of system files:
Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

23/01/2005 03:02 AM 225,395 e2202cfmgf2a2.dll
22/01/2005 12:26 PM 225,395 mv6ql9j51.dll
21/01/2005 11:29 AM 225,077 h60qlgd5160.dll
18/01/2005 07:59 PM 223,295 hrn2055oe.dll
16/01/2005 07:11 PM dllcache
10/12/2004 02:20 AM 550 TBPS.ini
01/11/2004 05:01 PM 3,347 jnxgl.log
31/10/2004 10:18 AM 3,347 ljehb.log
31/10/2004 01:52 AM 3,347 kzjmn.dat
30/10/2004 05:24 PM 3,347 iityf.log
28/10/2004 03:52 PM 3,347 yafwj.dat
26/10/2004 06:36 PM 3,347 zrjbo.txt
15/10/2004 10:16 PM Microsoft
06/10/2004 10:27 PM 3,347 giqmz.log
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
14 File(s) 1,025,441 bytes
2 Dir(s) 54,653,771,776 bytes free


----------



## Flrman1 (Jul 26, 2002)

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click *l2mfix.bat* and select option *#2* for *Run Fix* by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

*IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!*


----------



## itrocks4u (Nov 27, 2004)

Hey... I need help ASAP... I'm off from work for a while, so I got back to 'fixing' the computer and now the Internet Explorer homepage has changed. I open a website, and it changes it back to a 'search' page... Please help me ASAP... Here's the HJT log file... Please help...

Logfile of HijackThis v1.98.2
Scan saved at 2:30:57 PM, on 12/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Common Files\CMEII\CMESys.exe
D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE
D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\windows\system32\rk.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\GMT\GMT.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\System32\rsvp.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Ours\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Ours\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - D:\Program Files\se\v11\se.DLL
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O2 - BHO: (no name) - {2490425F-A936-4CFB-A066-DC66DB82DB33} - D:\WINDOWS\System32\ijdl.dll
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - D:\Program Files\DashBar\DashBar21.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kalvsys] D:\windows\system32\kalvnif32.exe
O4 - HKLM\..\Run: [Search-Exe] "D:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [CMESys] "D:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [MW1HelperStartUp] D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [OSS] d:\windows\system32\rk.exe -boot
O4 - HKLM\..\Run: [sp] rundll32 D:\WINDOWS\TEMP\se.dll,DllInstall
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: GStartup.lnk = D:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Filter: text/html - {2F9D16B1-AEA2-4158-93D8-1D319F6C762E} - D:\WINDOWS\System32\ijdl.dll
O18 - Filter: text/plain - {2F9D16B1-AEA2-4158-93D8-1D319F6C762E} - D:\WINDOWS\System32\ijdl.dll


----------



## Flrman1 (Jul 26, 2002)

Copy the contents of the quote box to Notepad.
Name the file Appinit.bat
Save as type All Files
Save on the Desktop.



> Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
> ren windows1.hiv windows.txt


Double click on Appinit.bat 
This will create a file on the desktop named windows.txt 
*Attach the windows.txt file here to your next post please. Don't copy and paste it.*
----------------

Which version of XP are you running? Pro or Home?
Also which file system? FAT32 or NTFS? Check the properties of the C drive in My Computer to get the file system.


----------



## itrocks4u (Nov 27, 2004)

OK... I copied the content that was in the "quotes", and am attaching the windows.txt file...
I'm using Windows XP Home Edition...
My drive C: is FAT32 and D: is NTFS. Windows XP is installed on drive D (I think that is the default drive).
(Btw, this refers to the last post of mine where I sent the HJT log file. I did not run the l2mfix... as it wasn't working... but I'll try again once I can get the homepage back)... Please help...


----------



## Flrman1 (Jul 26, 2002)

Now go ahead and rescan with Hijack This and post a fresh log so I can be sure it is still the same before I post removal directions.


----------



## itrocks4u (Nov 27, 2004)

OK, here is the log file again... I found HJT v1.99... so I got this log file from that version...

Logfile of HijackThis v1.99.0
Scan saved at 11:00:29 PM, on 12/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Common Files\CMEII\CMESys.exe
D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE
D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\windows\system32\rk.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\GMT\GMT.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\System32\rsvp.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Documents and Settings\Ours\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - D:\Program Files\se\v11\se.DLL
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - D:\Program Files\DashBar\DashBar21.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kalvsys] D:\windows\system32\kalvnif32.exe
O4 - HKLM\..\Run: [Search-Exe] "D:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [CMESys] "D:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [MW1HelperStartUp] D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [OSS] d:\windows\system32\rk.exe -boot
O4 - HKLM\..\Run: [sp] rundll32 D:\WINDOWS\TEMP\se.dll,DllInstall
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: GStartup.lnk = D:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Filter: text/html - {2F9D16B1-AEA2-4158-93D8-1D319F6C762E} - D:\WINDOWS\System32\ijdl.dll
O18 - Filter: text/plain - {2F9D16B1-AEA2-4158-93D8-1D319F6C762E} - D:\WINDOWS\System32\ijdl.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus Service - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WebSeach Toolbar support NT service - Unknown - D:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinTools for IE service - Unknown - D:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
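
Added example (not part of the thread and not the helper's tool): a small Python triage pass over HijackThis log lines that flags the hijack patterns Flrman1 singles out from the log above, namely IE search pages served from a DLL in TEMP via res://, settings reset to about:blank, text/html and text/plain MIME filters, URLSearchHooks, trusted IP ranges and services whose binary is missing. The sample lines are copied from the v1.99.0 log above; the heuristics are this example's own and every hit still needs a human decision.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread, not part of HijackThis or the helper's tool.
It flags the patterns Flrman1 marks for removal in the log above: IE search
pages served from a DLL in a TEMP folder (res://...se.dll/sp.html), settings
reset to about:blank, text/html and text/plain MIME filters, URLSearchHooks,
trusted IP ranges, and services whose binary is missing. Heuristics only.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str  # HJT section code, e.g. "R1", "O4", "O18"
    reason: str   # why the line was flagged
    line: str     # the original log line


# "O4 - HKLM\..\Run: [name] path" -> section "O4", body "HKLM\..\Run: ..."
_SECTION = re.compile(r"^(R[0-3]|N[0-4]|F[0-3]|O\d{1,2})\s+-\s+(.*)$")
# Components loaded from temp folders, as se.dll is in this log.
_TEMP_PATH = re.compile(r"\\(?:TEMP|Temporary Internet Files)\\", re.IGNORECASE)
# res:// URLs load a page embedded inside a DLL; legitimate IE search pages
# are HTTP URLs, so a res:// search bar is the Search-Exe/CWS hijack pattern.
_RES_DLL = re.compile(r"res://.*\.dll/", re.IGNORECASE)
_MIME_FILTER = re.compile(r"Filter:\s*text/(?:html|plain)\b", re.IGNORECASE)
_FILE_MISSING = re.compile(r"\(file missing\)\s*$", re.IGNORECASE)


def triage_line(line: str) -> List[Finding]:
    """Return the findings for one HJT log line (empty list if nothing is suspicious)."""
    text = line.strip()
    match = _SECTION.match(text)
    if not match:
        return []  # process list, headers, blank lines
    section, body = match.group(1), match.group(2)
    findings: List[Finding] = []

    def flag(reason: str) -> None:
        findings.append(Finding(section, reason, text))

    if section in ("R0", "R1"):
        if _RES_DLL.search(body):
            flag("IE search/start page served from inside a DLL via res://")
        if "about:blank" in body.lower():
            flag("IE search setting reset to about:blank")
    if section == "R3":
        flag("URLSearchHook installed; verify the DLL it names")
    if section == "O15":
        flag("Trusted IP range added to an IE zone; verify it is intended")
    if section == "O18" and _MIME_FILTER.search(body):
        flag("MIME filter on text/html or text/plain sees every page IE renders")
    if section == "O23" and _FILE_MISSING.search(body):
        flag("service points at a binary that no longer exists")
    if section in ("R0", "R1", "R3", "O4", "O18") and _TEMP_PATH.search(body):
        flag("component loaded from a temp folder")
    return findings


def triage_log(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a full HJT log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


# Lines copied from the HijackThis v1.99.0 log posted above, plus two
# legitimate entries (SoundMAX, Kaspersky) that must not be flagged.
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\TEMP\se.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - D:\Program Files\se\v11\se.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [sp] rundll32 D:\WINDOWS\TEMP\se.dll,DllInstall
O15 - Trusted IP range: 206.161.125.149
O18 - Filter: text/html - {2F9D16B1-AEA2-4158-93D8-1D319F6C762E} - D:\WINDOWS\System32\ijdl.dll
O23 - Service: Kaspersky Anti-Virus Service - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: WinTools for IE service - Unknown - D:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it on the sample prints eight findings; the SoundMAX and Kaspersky entries produce none, which is the point of keeping legitimate lines in the sample.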


----------



## Flrman1 (Jul 26, 2002)

Go here and download Ad-Aware SE. Install the program, then in the main window look in the bottom right corner and click on *Check for updates now*, then click *Connect* and download the latest reference files, but don't run it.

Also click here to download CWSinstall.exe. The CWSinstall.exe file will install CWShredder, but don't run it yet either.

Set your folder options to show hidden files like so:

Click on My Computer, then click Tools > Folder Options. In Folder Options click on the View tab. Under Files and Folders tick "Show hidden files and folders", then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder", then "Apply" and "OK".

Now copy these instructions to notepad and save them to a convenient location like your desktop. You will need them to refer to in safe mode.

Restart into Safe mode.

How to start your computer in safe mode

Do all of the following in safe mode:

Run Hijack This and put a check by all of the following entries then click the "Fix Checked" button.

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - D:\Program Files\se\v11\se.DLL

O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - D:\Program Files\DashBar\DashBar21.dll

O4 - HKLM\..\Run: [kalvsys] D:\windows\system32\kalvnif32.exe

O4 - HKLM\..\Run: [Search-Exe] "D:\Program Files\se\v11\se.EXE" /H

O4 - HKLM\..\Run: [CMESys] "D:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\Run: [OSS] d:\windows\system32\rk.exe -boot

O4 - HKLM\..\Run: [sp] rundll32 D:\WINDOWS\TEMP\se.dll,DllInstall

O4 - Global Startup: GStartup.lnk = D:\Program Files\Common Files\GMT\GMT.exe

O18 - Filter: text/html - {2F9D16B1-AEA2-4158-93D8-1D319F6C762E} - D:\WINDOWS\System32\ijdl.dll

O18 - Filter: text/plain - {2F9D16B1-AEA2-4158-93D8-1D319F6C762E} - D:\WINDOWS\System32\ijdl.dll

O23 - Service: WebSeach Toolbar support NT service - Unknown - D:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)

O23 - Service: WinTools for IE service - Unknown - D:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)*

Find and delete these files:

d:\windows\system32\*rk.exe* 
D:\windows\system32\*kalvnif32.exe*

Delete these folders:

D:\Program Files\*se*
D:\Program Files\*DashBar*
D:\Program Files\Common Files\*CMEII*
D:\Program Files\Common Files\*GMT*

Also in safe mode navigate to the C:\WINNT\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

*Run CWShredder*. Click on cwshredder.exe, then click *"Fix" (Not "Scan only")* and let it do its thing.

Next run Adaware according to these instructions:

From main window :Click *Start* then under *Select a scan Mode* tick *Perform full system scan*.

Next deselect *Search for negligible risk entries*.

Now to scan just click the *Next* button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose *select all* from the drop down menu and click *Next*)

*Restart your computer* back into Windows normally now.

Download DelDomains.inf from here:

http://www.mvps.org/winhelp2002/DelDomains.inf

Rightclick DelDomains.inf and choose install.

Go to Add/Remove programs and uninstall New.Net (NewDotNet). If that doesn't work, do the following:

First *Click here* to download LspFix

You may not need it, but go ahead and download it just in case.

Now go *here* and scroll to the bottom of the page to *Procedure 4* and download and run the New.Net uninstaller.

If you lose your internet connection after running the New.Net uninstaller, Run LspFix, and click Finish. (Don't do anything else)

That should restore the internet connection.
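
An added example, not code from this thread and not part of HijackThis itself: the entries Flrman1 marked for "Fix Checked" above share a few shapes (IE search keys pointing at a `res://` resource inside a DLL in TEMP, hosts lines that resolve search hosts to a non-loopback address, autorun entries launched from TEMP or re-registered through `rundll32 ...,DllInstall`, a MIME filter on text/html, and services whose binary is already missing). The script below turns those shapes into heuristics and runs them over a constructed sample of log lines modelled on the ones posted here. The function names, the reason strings and the rule thresholds are editorial choices; the rules are review prompts, not verdicts.

```python
"""Flag HijackThis log entries that match the hijack patterns seen in this thread.

Added example (not HijackThis code and not part of the original thread). The
heuristics are an editorial reading of which entries were marked for "Fix
Checked" above; they are review prompts, not verdicts.
"""
import re

# Constructed sample, modelled on lines from the logs posted in this thread.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - D:\Program Files\se\v11\se.DLL
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [sp] rundll32 D:\WINDOWS\TEMP\se.dll,DllInstall
O4 - HKLM\..\Run: [OSS] d:\windows\system32\rk.exe -boot
O18 - Filter: text/html - {2F9D16B1-AEA2-4158-93D8-1D319F6C762E} - D:\WINDOWS\System32\ijdl.dll
O23 - Service: WinTools for IE service - Unknown - D:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: ATI Smart - Unknown - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
ENTRY = re.compile(r"^(R[0-3]|O\d+|N\d|F\d)\s+-\s+(.*)$")


def _runs_from_temp(text):
    """True if a command line or URL references a TEMP directory."""
    return re.search(r"\\temp\\", text, re.IGNORECASE) is not None


def triage_hjt_line(line):
    """Return a reason string if the entry matches a hijack heuristic, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind in ("R0", "R1"):
        if "res://" in body or _runs_from_temp(body):
            return "IE start/search page points at a resource inside a local DLL"
        if body.endswith("about:blank"):
            return "IE search page reset to about:blank (usual companion of the res:// hijack)"
    elif kind == "R3":
        return "URLSearchHook installed; it sees every address typed into IE"
    elif kind == "O1":
        hm = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        if hm and hm.group(1) not in LOOPBACK:
            return f"hosts file redirects {hm.group(2)} to {hm.group(1)}"
    elif kind == "O4":
        if _runs_from_temp(body):
            return "autorun entry launches from a TEMP directory"
        if re.search(r"rundll32\b.*,DllInstall", body, re.IGNORECASE):
            return "autorun entry re-registers a DLL through rundll32 DllInstall"
    elif kind == "O18":
        if re.search(r"Filter:\s+text/(html|plain)\b", body):
            return "MIME filter for text/html or text/plain; it can rewrite every page IE renders"
    elif kind == "O23":
        if "(file missing)" in body:
            return "service points at a binary that no longer exists (orphaned entry)"
        if " - Unknown - " in body:
            # 'Unknown' only means no publisher info; ATI Smart in this thread is legitimate.
            return "service has no publisher information; verify the binary"
    return None


def triage_log(text):
    """Return [(kind, reason, line)] for every flagged entry in a HijackThis log."""
    findings = []
    for line in text.splitlines():
        reason = triage_hjt_line(line)
        if reason:
            findings.append((line.strip().split(" ", 1)[0], reason, line.strip()))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage_log(SAMPLE_HJT_LOG):
        print(f"{kind}: {reason}\n    {line}")
```

Two lines in the sample are left unflagged on purpose. `127.0.0.1 localhost` is the one hosts entry Windows ships with, and the `[OSS] rk.exe` autorun has nothing anomalous about its shape, which is why it was identified above by name rather than by pattern: rules like these shorten the list to review, they do not replace knowing the specific infection.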


----------



## itrocks4u (Nov 27, 2004)

OK Flrman, I did all that, and I hope it went fine. I got the homepage back at least, so I really want to thank you for that. Here is another HJT log file. I still keep getting popups from this website: "http//e.rn11.com/adbuys/a405-admed-ron"
and can you please let me know if there is some other problem with the computer (spyware and adware) or will it be okay now?
Plus, I have one more problem. I try emptying my Recycle Bin, but I don't think it deletes the items in it. I'm sure I've deleted more than 1000 items by now, but it still gives the same message whenever I try to empty it: "Are you sure you want to delete these 2 items?". I click Yes, and the next time it gives the same message again. I don't want to restore all the items, because I'm sure it will ruin the computer again. If you have a solution to that, please let me know.

------------------------------------------

Logfile of HijackThis v1.99.0
Scan saved at 12:58:25 AM, on 13/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE
D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Ours\Desktop\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MW1HelperStartUp] D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus Service - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - D:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

You still have the VX2/L2M infection because you did not continue to follow up before when we were working on removing it. I last posted instructions for the L2M fix on Jan. 23 and you showed back up 3 weeks later with your last reply. If you want to get this thing clean, you will have to stick with it until all is clear and not allow so much time to elapse between follow-ups.

Do you have multiple user accounts on this box?

Now let's start over with VX2:

*Click here* to download Find It NT-2K-XP.zip.

Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

Also *click here* to download L2mfix.

Save the file to your desktop and double click *l2mfix.exe*. Read and Accept the agreement. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click *l2mfix.bat* and select option *#1* for *Run Find Log* by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

*IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!*.


----------



## itrocks4u (Nov 27, 2004)

OK, I'm going to do both. And no, I don't have multiple accounts. I couldn't get hold of the computer for a while, because removing VX2 was taking a lot of time. But now I'm free for a while.
Anyway, my homepage is hijacked again, like it was before. I try to open a website, and it changes the page back again. What do I do now?


----------



## Flrman1 (Jul 26, 2002)

flrman1 said:


> *Click here* to download Find It NT-2K-XP.zip.
> 
> Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.
> 
> ...


----------



## itrocks4u (Nov 27, 2004)

OK, here is the output.txt and the L2mfix log files. I'm posting them separately, otherwise it says that the text is too long.

Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: D:\Documents and Settings\Ours\Desktop\Salman\spy removing-february\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

13/02/2005 11:25 AM 225,363 mjxml2r.dll
13/02/2005 11:25 AM 222,766 e6jmlg1116.dll
13/02/2005 12:49 AM 225,363 lv0s09d7e.dll
13/02/2005 12:37 AM 225,366 fp0003dme.dll
12/02/2005 11:37 AM 225,363 mtvideo.dll
10/02/2005 01:47 AM 223,323 dn4401hqe.dll
09/02/2005 12:23 PM 223,685 l26o0cj3efo.dll
09/02/2005 11:56 AM 223,323 irrol5931.dll
09/02/2005 02:04 AM 224,471 l22s0cf7ef2.dll
04/02/2005 09:59 AM 226,047 lqtif11n.dll
04/02/2005 09:30 AM 222,342 k8620ijoe8oc0.dll
04/02/2005 12:08 AM 225,874 jtr0079me.dll
03/02/2005 08:22 PM 226,265 o8840ilqe8qe0.dll
03/02/2005 08:14 PM 222,843 l0p2la7o1d.dll
03/02/2005 08:10 PM 225,164 n2l80c3uef.dll
28/01/2005 02:04 AM 225,395 e802lido180c.dll
18/01/2005 07:59 PM 223,295 hrn2055oe.dll
16/01/2005 07:11 PM dllcache
15/10/2004 10:16 PM Microsoft
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
19 File(s) 3,918,548 bytes
2 Dir(s) 53,647,233,024 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

27/01/2005 01:37 AM 890 vsconfig.xml
16/01/2005 07:11 PM dllcache
16/01/2005 01:49 PM 4,212 zllictbl.dat
15/10/2004 10:00 PM 488 WindowsLogon.manifest
15/10/2004 10:00 PM 488 logonui.exe.manifest
15/10/2004 10:00 PM 749 nwc.cpl.manifest
15/10/2004 10:00 PM 749 sapi.cpl.manifest
15/10/2004 10:00 PM 749 cdplayer.exe.manifest
15/10/2004 10:00 PM 749 ncpa.cpl.manifest
15/10/2004 10:00 PM 749 wuaucpl.cpl.manifest
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
11 File(s) 112,123 bytes
1 Dir(s) 53,647,228,928 bytes free

------------ Files Named "Guard" ---------------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

03/08/2004 11:56 PM 1,236,480 ~GLH0014.TMP
03/08/2004 11:56 PM 1,236,480 ~GLH0019.TMP
29/08/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 2,475,537 bytes
0 Dir(s) 53,647,228,928 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3EACCC8D-FF2E-48D0-A4C0-D0E813F7992B}"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\lv0s09d7e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

D:\WINDOWS\SYSTEM32\
dn4401~1.dll Thu Feb 10 2005 1:47:58a ..S.R 223,323 218.09 K
e6jmlg~1.dll Sun Feb 13 2005 11:25:38a ..S.R 222,766 217.54 K
e802li~1.dll Fri Jan 28 2005 2:04:52a ..S.R 225,395 220.11 K
fp0003~1.dll Sun Feb 13 2005 12:37:44a ..S.R 225,366 220.08 K
hrn205~1.dll Tue Jan 18 2005 7:59:28p ..S.R 223,295 218.06 K
irrol5~1.dll Wed Feb 9 2005 11:56:58a ..S.R 223,323 218.09 K
jtr007~1.dll Fri Feb 4 2005 12:08:42a ..S.R 225,874 220.58 K
k8620i~1.dll Fri Feb 4 2005 9:30:48a ..S.R 222,342 217.13 K
l0p2la~1.dll Thu Feb 3 2005 8:14:30p ..S.R 222,843 217.62 K
l22s0c~1.dll Wed Feb 9 2005 2:04:52a ..S.R 224,471 219.21 K
l26o0c~1.dll Wed Feb 9 2005 12:23:18p ..S.R 223,685 218.44 K
lqtif11n.dll Fri Feb 4 2005 9:59:26a ..S.R 226,047 220.75 K
lv0s09~1.dll Sun Feb 13 2005 12:49:36a ..S.R 225,363 220.08 K
mjxml2r.dll Sun Feb 13 2005 11:25:38a ..S.R 225,363 220.08 K
mtvideo.dll Sat Feb 12 2005 11:38:00a ..S.R 225,363 220.08 K
n2l80c~1.dll Thu Feb 3 2005 8:10:20p ..S.R 225,164 219.89 K
o8840i~1.dll Thu Feb 3 2005 8:22:08p ..S.R 226,265 220.96 K
vsconfig.xml Thu Jan 27 2005 1:37:10a A..H. 890 0.87 K
zllictbl.dat Sun Jan 16 2005 1:49:54p ...H. 4,212 4.11 K

19 items found: 19 files, 0 directories.
Total of file sizes: 3,821,350 bytes 3.64 M

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="D:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"D:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"ATIPTA"="D:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"msnappau"="\"D:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-us\\msnappau.exe\""
"Lexmark 2200 Series"="\"D:\\Program Files\\Lexmark 2200 Series\\lxbvbmgr.exe\""
"FaxCenterServer"="\"D:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
@=""
"Athan"="D:\\Program Files\\Athan\\Athan.exe"
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Microsoft Works Update Detection"="D:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"NeroFilterCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MW1HelperStartUp"="D:\\PROGRA~1\\MAGICW~1\\MW1HEL~1.EXE /partner MW1"
"CloudPlugin"="\"D:\\Program Files\\IMT Labs Messenger Plugin\\Cloud.exe\""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"sp"="rundll32 D:\\WINDOWS\\TEMP\\se.dll,DllInstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


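An added example, not part of the thread and not Find.bat or L2MFix code: the two logs above (the Find.bat output here and the L2MFix find log that follows) show what the VX2/L2M hunt actually keys on. In the System32 listing, a run of random-named DLLs all within a few KB of each other (roughly 222,000 to 226,300 bytes here) and all carrying the System and Read-only attributes; and under the Winlogon Notify key, a subkey (`CSCSettings`) whose `DllName` is an explicit path to one of those DLLs, where every Windows-supplied package uses a bare file name. Some `DllName` values are exported as `hex(2)`, which is ANSI bytes under a `REGEDIT4` header and UTF-16LE under `Windows Registry Editor Version 5.00`, so the script decodes both. The sample input is a constructed cut-down copy of the Find.bat layout; the function names and the thresholds (4 KB size tolerance, three members to count as a cluster) are editorial choices.

```python
"""Pick the VX2/L2M hallmarks out of a Find.bat or L2MFix find log.

Added example (not Find.bat or L2MFix code, not part of the original thread).
It parses the System32 listing and the .reg export of the Winlogon Notify key
and correlates them. Thresholds are editorial choices.
"""
import re

# Constructed sample, a cut-down copy of the layout in the Find.bat output above.
SAMPLE_FIND_OUTPUT = r"""
------- System Files in System32 Directory -------

Directory of D:\WINDOWS\System32

13/02/2005 11:25 AM 225,363 mjxml2r.dll
13/02/2005 12:49 AM 225,363 lv0s09d7e.dll
13/02/2005 12:37 AM 225,366 fp0003dme.dll
10/02/2005 01:47 AM 223,323 dn4401hqe.dll
16/01/2005 07:11 PM dllcache
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
6 File(s) 1,001,715 bytes

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"DllName"="D:\\WINDOWS\\system32\\lv0s09d7e.dll"
"Logon"="WinLogon"
"""

DIR_LINE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S+)$")
NOTIFY_KEY = re.compile(r"^\[.*\\Winlogon\\Notify\\([^\\]+)\]$", re.IGNORECASE)


def parse_dir_listing(text):
    """(name, size) for each file line of a 'dir' listing; directory lines have no size."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            entries.append((m.group(2), int(m.group(1).replace(",", ""))))
    return entries


def size_clusters(entries, tolerance=4096, min_members=3):
    """DLL names with at least min_members DLLs (self included) within tolerance bytes."""
    dlls = [(n, s) for n, s in entries if n.lower().endswith(".dll")]
    return {n for n, s in dlls
            if sum(1 for _, t in dlls if abs(t - s) <= tolerance) >= min_members}


def _logical_lines(text):
    """Join .reg continuation lines (a trailing backslash continues a hex value)."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        yield line
    if pending:
        yield pending


def decode_hex2(hex_csv, encoding):
    """Decode a REG_EXPAND_SZ exported as hex(2): ANSI under REGEDIT4, UTF-16LE under 5.00."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b.strip())
    return raw.decode(encoding).rstrip("\x00")


def parse_notify(text):
    """Map each Winlogon Notify subkey in a .reg export to its DllName value."""
    encoding = "utf-16-le" if "Windows Registry Editor Version 5.00" in text else "cp1252"
    result, current = {}, None
    for line in _logical_lines(text):
        km = NOTIFY_KEY.match(line)
        if km:
            current = km.group(1)
            continue
        if line.startswith("["):
            current = None  # some other key; ignore values until the next Notify subkey
            continue
        vm = re.match(r'^"dllname"=(.*)$', line, re.IGNORECASE)
        if current is None or not vm:
            continue
        value = vm.group(1)
        if value.lower().startswith("hex(2):"):
            result[current] = decode_hex2(value[len("hex(2):"):], encoding)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            result[current] = value[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
    return result


def triage_find_output(text):
    """Return (clustered DLL names, [(subkey, dllname, reasons)]) for one find log."""
    clustered = size_clusters(parse_dir_listing(text))
    lowered = {n.lower() for n in clustered}
    findings = []
    for subkey, dll in parse_notify(text).items():
        reasons = []
        if "\\" in dll:
            reasons.append("DllName is an explicit path; Windows' own Notify packages use bare names")
        if dll.rsplit("\\", 1)[-1].lower() in lowered:
            reasons.append("DllName is one of the same-size DLL cluster in System32")
        if reasons:
            findings.append((subkey, dll, reasons))
    return clustered, findings


if __name__ == "__main__":
    cluster, hits = triage_find_output(SAMPLE_FIND_OUTPUT)
    print("same-size DLL cluster:", sorted(cluster))
    for subkey, dll, reasons in hits:
        print(f"Notify\\{subkey} -> {dll}: " + "; ".join(reasons))
```

The Notify correlation is what makes the cluster actionable: a Notify DLL is loaded by winlogon.exe at every logon, before the shell and before any on-demand scanner, which is why deleting the files in Safe Mode without first removing that subkey (what L2mfix's option #2 handles) leaves the infection to reinstall itself. The size-band rule deliberately ignores `addfi.dll`, a lone file of unrelated size that this rule cannot say anything about.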
----------



## itrocks4u (Nov 27, 2004)

L2mfix....

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\lv0s09d7e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3EACCC8D-FF2E-48D0-A4C0-D0E813F7992B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{52B87208-9CCF-42C9-B88E-069281105805}"="Trojan Remover Shell Extension"
"{E2596304-C370-41B5-B724-98F59E669D49}"=""
"{3572C13B-EE31-446A-97F6-09EF9432A185}"=""
"{30573088-5581-4617-9CF8-3A14438F44E5}"=""
"{65774D37-B89A-428A-AED0-8FAD76E483C6}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E2596304-C370-41B5-B724-98F59E669D49}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2596304-C370-41B5-B724-98F59E669D49}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2596304-C370-41B5-B724-98F59E669D49}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3572C13B-EE31-446A-97F6-09EF9432A185}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3572C13B-EE31-446A-97F6-09EF9432A185}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3572C13B-EE31-446A-97F6-09EF9432A185}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{30573088-5581-4617-9CF8-3A14438F44E5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{30573088-5581-4617-9CF8-3A14438F44E5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{30573088-5581-4617-9CF8-3A14438F44E5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{65774D37-B89A-428A-AED0-8FAD76E483C6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65774D37-B89A-428A-AED0-8FAD76E483C6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65774D37-B89A-428A-AED0-8FAD76E483C6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{65774D37-B89A-428A-AED0-8FAD76E483C6}\InprocServer32]
@="D:\\WINDOWS\\system32\\mjxml2r.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

D:\WINDOWS\SYSTEM32\
adlp.dll Sun Feb 13 2005 11:31:52a A.... 41,472 40.50 K
akcore.dll Tue Dec 7 2004 11:47:46p A.... 188,416 184.00 K
aklsp.dll Tue Dec 7 2004 11:47:46p A.... 196,608 192.00 K
akupd.dll Tue Dec 7 2004 11:47:40p A.... 155,648 152.00 K
ati2cqag.dll Tue Nov 30 2004 9:26:50p A.... 249,856 244.00 K
ati2dvag.dll Tue Nov 30 2004 10:12:50p A.... 221,184 216.00 K
ati2edxx.dll Tue Nov 30 2004 10:07:10p A.... 30,720 30.00 K
ati2evxx.dll Tue Nov 30 2004 10:06:56p A.... 94,208 92.00 K
ati3duag.dll Tue Nov 30 2004 9:51:06p A.... 2,305,984 2.20 M
atiddc.dll Tue Nov 30 2004 10:04:38p A.... 81,920 80.00 K
atidemgr.dll Wed Dec 1 2004 12:18:46a A.... 200,704 196.00 K
atiiiexx.dll Wed Dec 1 2004 12:53:42a A.... 294,912 288.00 K
atioglxx.dll Tue Nov 30 2004 10:37:34p A.... 6,619,136 6.31 M
atipdlxx.dll Tue Nov 30 2004 10:07:44p A.... 131,072 128.00 K
atitvo32.dll Tue Nov 30 2004 9:35:12p A.... 17,408 17.00 K
ativvaxx.dll Tue Nov 30 2004 9:45:22p A.... 434,496 424.31 K
atliw32.dll Thu Dec 2 2004 1:02:42p A.... 11,344 11.08 K
cacore.dll Wed Dec 8 2004 12:17:42a A.... 151,552 148.00 K
calsp.dll Wed Dec 8 2004 12:17:44a A.... 135,168 132.00 K
carules.dll Wed Dec 8 2004 12:17:42a A.... 45,056 44.00 K
casync.dll Wed Dec 8 2004 12:17:42a A.... 114,688 112.00 K
cofview.dll Sun Feb 13 2005 12:38:36a A.... 225,363 220.08 K
dlutil.dll Tue Jan 18 2005 9:43:38p A.... 223,441 218.20 K
dn4401~1.dll Thu Feb 10 2005 1:47:58a ..S.R 223,323 218.09 K
e6jmlg~1.dll Sun Feb 13 2005 11:25:38a ..S.R 222,766 217.54 K
e802li~1.dll Fri Jan 28 2005 2:04:52a ..S.R 225,395 220.11 K
fp0003~1.dll Sun Feb 13 2005 12:37:44a ..S.R 225,366 220.08 K
hrn205~1.dll Tue Jan 18 2005 7:59:28p ..S.R 223,295 218.06 K
ijdl.dll Sat Feb 12 2005 12:59:14p A.... 41,472 40.50 K
irrol5~1.dll Wed Feb 9 2005 11:56:58a ..S.R 223,323 218.09 K
javaws.dll Thu Dec 2 2004 4:38:32p A.... 11,344 11.08 K
jtr007~1.dll Fri Feb 4 2005 12:08:42a ..S.R 225,874 220.58 K
k8620i~1.dll Fri Feb 4 2005 9:30:48a ..S.R 222,342 217.13 K
l0p2la~1.dll Thu Feb 3 2005 8:14:30p ..S.R 222,843 217.62 K
l22s0c~1.dll Wed Feb 9 2005 2:04:52a ..S.R 224,471 219.21 K
l26o0c~1.dll Wed Feb 9 2005 12:23:18p ..S.R 223,685 218.44 K
lqtif11n.dll Fri Feb 4 2005 9:59:26a ..S.R 226,047 220.75 K
lv0s09~1.dll Sun Feb 13 2005 12:49:36a ..S.R 225,363 220.08 K
mjxml2r.dll Sun Feb 13 2005 11:25:38a ..S.R 225,363 220.08 K
mtvideo.dll Sat Feb 12 2005 11:38:00a ..S.R 225,363 220.08 K
n2l80c~1.dll Thu Feb 3 2005 8:10:20p ..S.R 225,164 219.89 K
o8840i~1.dll Thu Feb 3 2005 8:22:08p ..S.R 226,265 220.96 K
oemdspif.dll Tue Nov 30 2004 10:07:28p A.... 106,496 104.00 K
osmim.dll Mon Nov 29 2004 9:39:06a A.... 303,104 296.00 K
sporder.dll Tue Dec 7 2004 11:47:46p A.... 8,464 8.27 K
tsccvid.dll Tue Nov 23 2004 2:11:00a A.... 98,304 96.00 K
vsdata.dll Sun Nov 28 2004 5:21:50a A.... 75,032 73.27 K
vsinit.dll Sun Nov 28 2004 5:22:02a A.... 124,184 121.27 K
vsmonapi.dll Sun Nov 28 2004 5:22:10a A.... 107,808 105.28 K
vspubapi.dll Sun Nov 28 2004 5:22:14a A.... 197,920 193.28 K
vsregexp.dll Sun Nov 28 2004 5:22:18a A.... 70,944 69.28 K
vsutil.dll Sun Nov 28 2004 5:22:30a A.... 353,560 345.27 K
vsxml.dll Sun Nov 28 2004 5:22:38a A.... 99,608 97.27 K
wpafbdrv.dll Sun Feb 13 2005 12:37:44a ..... 225,363 220.08 K
zlcomm.dll Sun Nov 28 2004 5:23:00a A.... 75,032 73.27 K
zlcommdb.dll Sun Nov 28 2004 5:23:04a A.... 66,848 65.28 K

56 items found: 56 files (17 H/S), 0 directories.
Total of file sizes: 17,952,087 bytes 17.12 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

13/02/2005 11:25 AM 225,363 mjxml2r.dll
13/02/2005 11:25 AM 222,766 e6jmlg1116.dll
13/02/2005 12:49 AM 225,363 lv0s09d7e.dll
13/02/2005 12:37 AM 225,366 fp0003dme.dll
12/02/2005 11:37 AM 225,363 mtvideo.dll
10/02/2005 01:47 AM 223,323 dn4401hqe.dll
09/02/2005 12:23 PM 223,685 l26o0cj3efo.dll
09/02/2005 11:56 AM 223,323 irrol5931.dll
09/02/2005 02:04 AM 224,471 l22s0cf7ef2.dll
04/02/2005 09:59 AM 226,047 lqtif11n.dll
04/02/2005 09:30 AM 222,342 k8620ijoe8oc0.dll
04/02/2005 12:08 AM 225,874 jtr0079me.dll
03/02/2005 08:22 PM 226,265 o8840ilqe8qe0.dll
03/02/2005 08:14 PM 222,843 l0p2la7o1d.dll
03/02/2005 08:10 PM 225,164 n2l80c3uef.dll
28/01/2005 02:04 AM 225,395 e802lido180c.dll
18/01/2005 07:59 PM 223,295 hrn2055oe.dll
16/01/2005 07:11 PM dllcache
15/10/2004 10:16 PM Microsoft
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
19 File(s) 3,918,548 bytes
2 Dir(s) 53,646,630,912 bytes free


----------



## Flrman1 (Jul 26, 2002)

Post the l2mfix log.


----------



## Flrman1 (Jul 26, 2002)

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click *l2mfix.bat* and select option *#2* for *Run Fix* by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

*IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!*


----------



## itrocks4u (Nov 27, 2004)

OK, here is the log that Notepad opened... and the HJT log file...
----------------------------------------------------
L2Mfix 1.02b

Running From:
D:\Documents and Settings\Ours\Desktop\Salman\spy removing-february\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C access for really "Everyone"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

D:\Documents and Settings\Ours\Desktop\Salman\spy removing-february\l2mfix 
System Rebooted!

Running From:
D:\Documents and Settings\Ours\Desktop\Salman\spy removing-february\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'
Killing PID 1304 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1516 'rundll32.exe'
Killing PID 1840 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: D:\WINDOWS\system32\cofview.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\dlutil.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\dn4401hqe.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\e6jmlg1116.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\e802lido180c.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\fp0003dme.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\hrn2055oe.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\irrol5931.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\jtr0079me.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\k8620ijoe8oc0.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\l0p2la7o1d.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\l22s0cf7ef2.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\l26o0cj3efo.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\lqtif11n.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\mjxml2r.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\mtvideo.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\n2l80c3uef.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\o8840ilqe8qe0.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\qBsf.dll
1 file(s) copied.
Backing Up: D:\WINDOWS\system32\wpafbdrv.dll
1 file(s) copied.
deleting: D:\WINDOWS\system32\cofview.dll 
Successfully Deleted: D:\WINDOWS\system32\cofview.dll
deleting: D:\WINDOWS\system32\dlutil.dll 
Successfully Deleted: D:\WINDOWS\system32\dlutil.dll
deleting: D:\WINDOWS\system32\dn4401hqe.dll 
Successfully Deleted: D:\WINDOWS\system32\dn4401hqe.dll
deleting: D:\WINDOWS\system32\e6jmlg1116.dll 
Successfully Deleted: D:\WINDOWS\system32\e6jmlg1116.dll
deleting: D:\WINDOWS\system32\e802lido180c.dll 
Successfully Deleted: D:\WINDOWS\system32\e802lido180c.dll
deleting: D:\WINDOWS\system32\fp0003dme.dll 
Successfully Deleted: D:\WINDOWS\system32\fp0003dme.dll
deleting: D:\WINDOWS\system32\hrn2055oe.dll 
Successfully Deleted: D:\WINDOWS\system32\hrn2055oe.dll
deleting: D:\WINDOWS\system32\irrol5931.dll 
Successfully Deleted: D:\WINDOWS\system32\irrol5931.dll
deleting: D:\WINDOWS\system32\jtr0079me.dll 
Successfully Deleted: D:\WINDOWS\system32\jtr0079me.dll
deleting: D:\WINDOWS\system32\k8620ijoe8oc0.dll 
Successfully Deleted: D:\WINDOWS\system32\k8620ijoe8oc0.dll
deleting: D:\WINDOWS\system32\l0p2la7o1d.dll 
Successfully Deleted: D:\WINDOWS\system32\l0p2la7o1d.dll
deleting: D:\WINDOWS\system32\l22s0cf7ef2.dll 
Successfully Deleted: D:\WINDOWS\system32\l22s0cf7ef2.dll
deleting: D:\WINDOWS\system32\l26o0cj3efo.dll 
Successfully Deleted: D:\WINDOWS\system32\l26o0cj3efo.dll
deleting: D:\WINDOWS\system32\lqtif11n.dll 
Successfully Deleted: D:\WINDOWS\system32\lqtif11n.dll
deleting: D:\WINDOWS\system32\mjxml2r.dll 
Successfully Deleted: D:\WINDOWS\system32\mjxml2r.dll
deleting: D:\WINDOWS\system32\mtvideo.dll 
Successfully Deleted: D:\WINDOWS\system32\mtvideo.dll
deleting: D:\WINDOWS\system32\n2l80c3uef.dll 
Successfully Deleted: D:\WINDOWS\system32\n2l80c3uef.dll
deleting: D:\WINDOWS\system32\o8840ilqe8qe0.dll 
Successfully Deleted: D:\WINDOWS\system32\o8840ilqe8qe0.dll
deleting: D:\WINDOWS\system32\qBsf.dll 
Successfully Deleted: D:\WINDOWS\system32\qBsf.dll
deleting: D:\WINDOWS\system32\wpafbdrv.dll 
Successfully Deleted: D:\WINDOWS\system32\wpafbdrv.dll

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: cofview.dll (164 bytes security) (deflated 5%)
adding: dlutil.dll (164 bytes security) (deflated 4%)
adding: dn4401hqe.dll (164 bytes security) (deflated 4%)
adding: e6jmlg1116.dll (164 bytes security) (deflated 3%)
adding: e802lido180c.dll (164 bytes security) (deflated 4%)
adding: fp0003dme.dll (164 bytes security) (deflated 5%)
adding: hrn2055oe.dll (164 bytes security) (deflated 4%)
adding: irrol5931.dll (164 bytes security) (deflated 4%)
adding: jtr0079me.dll (164 bytes security) (deflated 5%)
adding: k8620ijoe8oc0.dll (164 bytes security) (deflated 3%)
adding: l0p2la7o1d.dll (164 bytes security) (deflated 3%)
adding: l22s0cf7ef2.dll (164 bytes security) (deflated 4%)
adding: l26o0cj3efo.dll (164 bytes security) (deflated 4%)
adding: lqtif11n.dll (164 bytes security) (deflated 5%)
adding: mjxml2r.dll (164 bytes security) (deflated 5%)
adding: mtvideo.dll (164 bytes security) (deflated 5%)
adding: n2l80c3uef.dll (164 bytes security) (deflated 4%)
adding: o8840ilqe8qe0.dll (164 bytes security) (deflated 5%)
adding: qBsf.dll (164 bytes security) (deflated 5%)
adding: wpafbdrv.dll (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 52%)
adding: echo.reg (164 bytes security) (deflated 12%)
adding: desktop.ini (164 bytes security) (deflated 14%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 82%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 67%)
adding: test.txt (164 bytes security) (deflated 77%)
adding: test2.txt (164 bytes security) (deflated 35%)
adding: test3.txt (164 bytes security) (deflated 35%)
adding: test5.txt (164 bytes security) (deflated 35%)
adding: xfind.txt (164 bytes security) (deflated 71%)
adding: backregs/30573088-5581-4617-9CF8-3A14438F44E5.reg (164 bytes security) (deflated 69%)
adding: backregs/3572C13B-EE31-446A-97F6-09EF9432A185.reg (164 bytes security) (deflated 69%)
adding: backregs/65774D37-B89A-428A-AED0-8FAD76E483C6.reg (164 bytes security) (deflated 70%)
adding: backregs/E2596304-C370-41B5-B724-98F59E669D49.reg (164 bytes security) (deflated 69%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for really "Everyone"

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: cofview.dll 
deleting local copy: dlutil.dll 
deleting local copy: dn4401hqe.dll 
deleting local copy: e6jmlg1116.dll 
deleting local copy: e802lido180c.dll 
deleting local copy: fp0003dme.dll 
deleting local copy: hrn2055oe.dll 
deleting local copy: irrol5931.dll 
deleting local copy: jtr0079me.dll 
deleting local copy: k8620ijoe8oc0.dll 
deleting local copy: l0p2la7o1d.dll 
deleting local copy: l22s0cf7ef2.dll 
deleting local copy: l26o0cj3efo.dll 
deleting local copy: lqtif11n.dll 
deleting local copy: mjxml2r.dll 
deleting local copy: mtvideo.dll 
deleting local copy: n2l80c3uef.dll 
deleting local copy: o8840ilqe8qe0.dll 
deleting local copy: qBsf.dll 
deleting local copy: wpafbdrv.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found: 
****************************************************************************
D:\WINDOWS\system32\cofview.dll 
D:\WINDOWS\system32\dlutil.dll 
D:\WINDOWS\system32\dn4401hqe.dll 
D:\WINDOWS\system32\e6jmlg1116.dll 
D:\WINDOWS\system32\e802lido180c.dll 
D:\WINDOWS\system32\fp0003dme.dll 
D:\WINDOWS\system32\hrn2055oe.dll 
D:\WINDOWS\system32\irrol5931.dll 
D:\WINDOWS\system32\jtr0079me.dll 
D:\WINDOWS\system32\k8620ijoe8oc0.dll 
D:\WINDOWS\system32\l0p2la7o1d.dll 
D:\WINDOWS\system32\l22s0cf7ef2.dll 
D:\WINDOWS\system32\l26o0cj3efo.dll 
D:\WINDOWS\system32\lqtif11n.dll 
D:\WINDOWS\system32\mjxml2r.dll 
D:\WINDOWS\system32\mtvideo.dll 
D:\WINDOWS\system32\n2l80c3uef.dll 
D:\WINDOWS\system32\o8840ilqe8qe0.dll 
D:\WINDOWS\system32\qBsf.dll 
D:\WINDOWS\system32\wpafbdrv.dll

Registry Entries that were Deleted: 
Please verify that the listing looks ok. 
If there was something deleted wrongly there are backups in the backreg folder. 
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{E2596304-C370-41B5-B724-98F59E669D49}"=-
"{3572C13B-EE31-446A-97F6-09EF9432A185}"=-
"{30573088-5581-4617-9CF8-3A14438F44E5}"=-
"{65774D37-B89A-428A-AED0-8FAD76E483C6}"=-
[-HKEY_CLASSES_ROOT\CLSID\{E2596304-C370-41B5-B724-98F59E669D49}]
[-HKEY_CLASSES_ROOT\CLSID\{3572C13B-EE31-446A-97F6-09EF9432A185}]
[-HKEY_CLASSES_ROOT\CLSID\{30573088-5581-4617-9CF8-3A14438F44E5}]
[-HKEY_CLASSES_ROOT\CLSID\{65774D37-B89A-428A-AED0-8FAD76E483C6}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3EACCC8D-FF2E-48D0-A4C0-D0E813F7992B}"=-
****************************************************************************
Desktop.ini Contents: 
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{3EACCC8D-FF2E-48D0-A4C0-D0E813F7992B}</IDone>
<IDtwo>AD</IDtwo>
<VERSION>200</VERSION>
****************************************************************************

-------------------------------------------------------------------

Logfile of HijackThis v1.99.0
Scan saved at 3:53:54 PM, on 13/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Athan\Athan.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE
D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Documents and Settings\Ours\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Ours\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Ours\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MW1HelperStartUp] D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [sp] rundll32 D:\WINDOWS\TEMP\se.dll,DllInstall
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Filter: text/html - {033C72C4-2910-4602-9C1F-EBEBDC70F97E} - D:\WINDOWS\System32\adlp.dll
O18 - Filter: text/plain - {033C72C4-2910-4602-9C1F-EBEBDC70F97E} - D:\WINDOWS\System32\adlp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus Service - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - D:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

Go here and download Adaware SE. Install the program, then in the main window look in the bottom right corner and click on *Check for updates now*, then click *Connect* and download the latest reference files, but don't run it.

Also click here to download CWSinstall.exe. Run the CWSinstall.exe file and it will install CWShredder, but don't run it yet either.

Set your folder options to show hidden files like so:

Click on My Computer then click Tools > Folder Options. In Folder options click on the View tab. Under Files and Folders tick "Show hidden files and folders" then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder" then "Apply" and "OK".

Now copy these instructions to notepad and save them to a convenient location like your desktop. You will need them to refer to in safe mode.

Restart into Safe mode.

How to start your computer in safe mode

Do all of the following in safe mode:

Run Hijack This and put a check by all of the following entries then click the "Fix Checked" button.

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Ours\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Ours\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - HKLM\..\Run: [sp] rundll32 D:\WINDOWS\TEMP\se.dll,DllInstall

O18 - Filter: text/html - {033C72C4-2910-4602-9C1F-EBEBDC70F97E} - D:\WINDOWS\System32\adlp.dll
O18 - Filter: text/plain - {033C72C4-2910-4602-9C1F-EBEBDC70F97E} - D:\WINDOWS\System32\adlp.dll*

Also in safe mode navigate to the C:\WINNT\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

*Run CWShredder*. Click on the cwshredder.exe, then click *"Fix" (Not "Scan only")* and let it do its thing.

Next run Adaware according to these instructions:

From the main window, click *Start*, then under *Select a scan Mode* tick *Perform full system scan*.

Next deselect *Search for negligible risk entries*.

Now to scan just click the *Next* button.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose *select all* from the drop down menu and click *Next*.)

*Restart your computer*.

*Check this out* for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

*IMPORTANT!:* I see that you do not have an antivirus running or a firewall. If I may say this without being rude, with the net as it is these days it is quite foolish to be without an antivirus and a firewall. By all means get both *ASAP!*. See *This* thread for some good free ones.
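A defender-side triage pass over log lines like the ones fixed above, as an added example that is not part of this thread and not HijackThis's own code. The flag rules and the `triage_line` / `triage_log` names are this example's own heuristics, modelled on the entries the helper told the poster to fix; the sample lines are copied from the logs posted in this thread, with two benign entries (SoundMAX, Lexmark) included so the rules can be seen leaving normal software alone:

```python
"""Triage a HijackThis-style log for the hijack patterns seen in this thread.

Added example written for this page; it is not HijackThis's own code and not
something the helper in the thread posted. The rules are this example's own
heuristics: search settings pointing at a DLL in a Temp folder or at
about:blank, Run entries that load code from Temp or from an executable
sitting directly in the Windows directory, BHOs loaded from the Windows
directory, and any O18 MIME filter. A flagged line is something to look at,
not proof of infection.
"""
import re
from dataclasses import dataclass

# One HijackThis line: a kind tag (R1, O4, O18, ...), " - ", then the rest.
LINE_RE = re.compile(r"^(?P<kind>[RNOF]\d+) - (?P<rest>.*)$")
# A path component named Temp, as in ...\LOCALS~1\Temp\se.dll or D:\WINDOWS\TEMP\se.dll.
TEMP_RE = re.compile(r"\\temp\\", re.I)
# An .exe or .dll that lives directly in the Windows directory, not in a subfolder.
WINROOT_RE = re.compile(r"^[a-z]:\\win(?:dows|nt)\\[^\\]+\.(?:exe|dll)\b", re.I)

# Constructed sample: lines copied from the logs posted in this thread, plus two
# benign ones (SoundMAX, Lexmark) that a useful triage must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\DOCUME~1\Ours\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - D:\WINDOWS\nem220.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [sp] rundll32 D:\WINDOWS\TEMP\se.dll,DllInstall
O4 - HKLM\..\Run: [Kt0Fl8] D:\WINDOWS\exgqfnn.exe
O18 - Filter: text/html - {033C72C4-2910-4602-9C1F-EBEBDC70F97E} - D:\WINDOWS\System32\adlp.dll
O23 - Service: LexBce Server - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
"""


@dataclass
class Finding:
    line: str
    reason: str


def _value(kind: str, rest: str) -> str:
    """Pull the path/command part out of the line according to its kind."""
    if kind.startswith("R") and " = " in rest:
        return rest.split(" = ", 1)[1].strip()
    if kind == "O4" and "] " in rest:
        return rest.split("] ", 1)[1].strip()
    # O2, O18, O23: the file path is the last " - " separated field.
    return rest.rsplit(" - ", 1)[-1].strip()


def triage_line(line: str):
    """Return a Finding for a suspicious line, or None for lines to leave alone."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    value = _value(kind, rest)
    if kind in ("R0", "R1"):
        if TEMP_RE.search(value):
            return Finding(line, "search setting points at a file in a Temp folder")
        if value.lower() == "about:blank":
            return Finding(line, "search setting reset to about:blank, a common hijack marker")
    elif kind == "O4":
        if TEMP_RE.search(value):
            return Finding(line, "startup entry runs code from a Temp folder")
        if WINROOT_RE.match(value.strip('"')):
            return Finding(line, "startup executable sits directly in the Windows directory")
    elif kind == "O2":
        if WINROOT_RE.match(value):
            return Finding(line, "browser helper object loaded from the Windows directory")
    elif kind == "O18":
        return Finding(line, "MIME filter registered; legitimate software rarely does this")
    return None


def triage_log(text: str):
    """Run triage_line over every line and keep the hits in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it on a saved log with `triage_log(open("hijackthis.log").read())`; the point of the location-based rules is that they do not depend on knowing the random file names (`se.dll`, `exgqfnn.exe`) in advance, only on where a legitimate installer would never put code.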


----------



## itrocks4u (Nov 27, 2004)

OK...I did all that...but there are still a lot of popups.....And now I can't open the websites that I usually could using Internet Explorer....It opens another webpage again...with a whole bunch of popups.....But is the Vx2 thing gone now or do I still have to do something else? Here is the HJT log file just in case....

Logfile of HijackThis v1.99.0
Scan saved at 4:49:06 PM, on 13/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Ours\Desktop\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MW1HelperStartUp] D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus Service - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - D:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

Your log looks fine now.

What page are you being redirected to?

You still don't have an AV, firewall or a popup blocker. You need to get these ASAP.


----------



## itrocks4u (Nov 27, 2004)

Thank you for all your help.....I got the page working again somehow...Really appreciate all your help...... I got ZoneAlarm for the firewall...but still looking for a good AV and popup blocker.


----------



## Flrman1 (Jul 26, 2002)

My pleasure!


----------



## itrocks4u (Nov 27, 2004)

OK....flrman...I have one question again...now when I open IE I get a 'ÿ' written on the page....is that OK...or do I have to worry about that....here's the HJT log file...
Logfile of HijackThis v1.99.0
Scan saved at 11:24:23 PM, on 14/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE
D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe
D:\Program Files\ISTsvc\istsvc.exe
D:\WINDOWS\exgqfnn.exe
D:\Program Files\Internet Optimizer\optimize.exe
D:\program files\180solutions\sais.exe
D:\WINDOWS\ptcore.exe
D:\WINDOWS\System32\Rfieqb.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Web_Rebates\WebRebates1.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Web_Rebates\WebRebates0.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Documents and Settings\Ours\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=1002144
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=1002144
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=1002144
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - D:\WINDOWS\nem220.dll
O2 - BHO: LT Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - D:\WINDOWS\System32\lmf32v.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - D:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - D:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MW1HelperStartUp] D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IST Service] D:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Kt0Fl8] D:\WINDOWS\exgqfnn.exe
O4 - HKLM\..\Run: [Internet Optimizer] "D:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] d:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] D:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [version] D:\WINDOWS\System32\Gklwgu.exe
O4 - HKLM\..\Run: [ijrbbpd] D:\WINDOWS\ptcore.exe
O4 - HKLM\..\Run: [dwxadyv] D:\WINDOWS\dwxadyv.exe
O4 - HKLM\..\Run: [secure] D:\WINDOWS\System32\Rfieqb.exe
O4 - HKLM\..\Run: [WebRebates0] "D:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://D:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - D:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108331482796
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - D:\WINDOWS\System32\lmf32v.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus Service - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - D:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## itrocks4u (Nov 27, 2004)

OK..I have now installed Zone Alarm for the firewall..and Google Toolbar for the popup blocker....I couldn't find a good antivirus...but I heard there are really good online virus scanners....or do I still need to install it?


----------



## Flrman1 (Jul 26, 2002)

I don't know what the heck you are doing, but stop it. Every time we get you clean you come back with some new malware. I have given you info that you need to help prevent this crap, but it doesn't look like you have done any of it yet! 

Before I even attempt to clean your log again I want you to go *here* and follow the advice in that thread. It is a waste of my time and yours to keep removing this stuff over and over again if you're not going to take steps to prevent it.

An online virus scanner will do nothing to protect you from attack. You need to install one of the free antiviruses *here*.

Run CWShredder again and then run Adaware again exactly like so:

First in the main window look in the bottom right corner and click on *Check for updates now* then click *Connect* and download the latest reference files.

From the main window, click *Start*, then under *Select a scan Mode* tick *Perform full system scan*.

Next deselect *Search for negligible risk entries*.

Now to scan just click the *Next* button.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose *select all* from the drop down menu and click *Next*.)

*Restart your computer*.

Come back here and post another Hijack This log and we'll get rid of what's left.


----------



## Flrman1 (Jul 26, 2002)

Also do this:

*Click here* to download Find It NT-2K-XP.zip.

Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.


----------



## itrocks4u (Nov 27, 2004)

OK flrman....Now I have ZoneAlarm for the firewall (which is hard to get), Symantec Antivirus, all the Windows updates, and a popup blocker.... I ran the Adaware program as you told me to, and also the antivirus just to make sure there are no viruses....Well, there were two files which the AV found and deleted......

Well, after doing all that, I couldn't get Gmail or Hotmail to open and it referred to ActiveX settings...so I reset the security settings of IE to Medium instead of the Custom level that you once told me to set......So now I got those sites to open....Should I set the Custom level again, or should I keep the Medium security settings....

Moreover, are these two files safe: 'ptcore.exe' and 'svchost.exe'? These files are always blocked by ZoneAlarm, and they are the only two files that are shown in the log viewer of ZoneAlarm... And I just realised, a firewall is not easy to use...

Anyway... here are the two log files. I'm posting them separately, otherwise it says that the text is too long... please help...

Logfile of HijackThis v1.99.0
Scan saved at 5:27:16 PM, on 16/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe
D:\WINDOWS\exgqfnn.exe
D:\WINDOWS\System32\Gklwgu.exe
D:\WINDOWS\ptcore.exe
D:\WINDOWS\System32\Rfieqb.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\ISTsvc\istsvc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Documents and Settings\Ours\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MW1HelperStartUp] D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Kt0Fl8] D:\WINDOWS\exgqfnn.exe
O4 - HKLM\..\Run: [version] D:\WINDOWS\System32\Gklwgu.exe
O4 - HKLM\..\Run: [ijrbbpd] D:\WINDOWS\ptcore.exe
O4 - HKLM\..\Run: [secure] D:\WINDOWS\System32\Rfieqb.exe
O4 - HKLM\..\Run: [Kt0Fl80+¿nü]mú*àaîD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\exgqfnn.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IST Service] D:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Kt0+¿ìtü]mú*àaîigßD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\exgqfnn.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108331482796
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## itrocks4u (Nov 27, 2004)

Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: D:\Documents and Settings\Ours\Desktop\Salman\spy removing-february\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

16/02/2005 01:31 AM dllcache
15/10/2004 10:16 PM Microsoft
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
2 File(s) 102,300 bytes
2 Dir(s) 52,184,211,456 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

16/02/2005 05:20 PM 945 vsconfig.xml
16/02/2005 01:31 AM dllcache
15/02/2005 02:12 PM 4,212 zllictbl.dat
15/10/2004 10:00 PM 488 WindowsLogon.manifest
15/10/2004 10:00 PM 488 logonui.exe.manifest
15/10/2004 10:00 PM 749 nwc.cpl.manifest
15/10/2004 10:00 PM 749 sapi.cpl.manifest
15/10/2004 10:00 PM 749 cdplayer.exe.manifest
15/10/2004 10:00 PM 749 ncpa.cpl.manifest
15/10/2004 10:00 PM 749 wuaucpl.cpl.manifest
05/10/2004 03:29 PM 98,938 addfi.dll
04/10/2004 06:28 AM 3,362 fespd.txt
11 File(s) 112,178 bytes
1 Dir(s) 52,184,207,360 bytes free

------------ Files Named "Guard" ---------------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive D has no label.
Volume Serial Number is 24FF-173F

Directory of D:\WINDOWS\System32

03/08/2004 11:56 PM 1,236,480 ~GLH0014.TMP
03/08/2004 11:56 PM 1,236,480 ~GLH0019.TMP
29/08/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 2,475,537 bytes
0 Dir(s) 52,184,207,360 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="D:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

D:\WINDOWS\SYSTEM32\
vsconfig.xml Wed Feb 16 2005 5:20:32p A..H. 945 0.92 K
zllictbl.dat Tue Feb 15 2005 2:12:20p ...H. 4,212 4.11 K

2 items found: 2 files, 0 directories.
Total of file sizes: 5,157 bytes 5.04 K

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="D:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"D:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"ATIPTA"="D:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"msnappau"="\"D:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-us\\msnappau.exe\""
"Lexmark 2200 Series"="\"D:\\Program Files\\Lexmark 2200 Series\\lxbvbmgr.exe\""
"FaxCenterServer"="\"D:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
@=""
"Athan"="D:\\Program Files\\Athan\\Athan.exe"
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Microsoft Works Update Detection"="D:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"NeroFilterCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MW1HelperStartUp"="D:\\PROGRA~1\\MAGICW~1\\MW1HEL~1.EXE /partner MW1"
"CloudPlugin"="\"D:\\Program Files\\IMT Labs Messenger Plugin\\Cloud.exe\""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"Kt0Fl8"="D:\\WINDOWS\\exgqfnn.exe"
"version"="D:\\WINDOWS\\System32\\Gklwgu.exe"
"ijrbbpd"="D:\\WINDOWS\\ptcore.exe"
"secure"="D:\\WINDOWS\\System32\\Rfieqb.exe"
"Kt0Fl80+¿nü]mú*àaîD:\\Program Files\\ISTsvc\\istsvc.exe"="D:\\WINDOWS\\exgqfnn.exe"
"ccApp"="\"D:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="D:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"IST Service"="D:\\Program Files\\ISTsvc\\istsvc.exe"
"Kt0+¿ìtü]mú*àaîigßD:\\Program Files\\ISTsvc\\istsvc.exe"="D:\\WINDOWS\\exgqfnn.exe"
"Zone Labs Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




----------



## Flrman1 (Jul 26, 2002)

*Click Here* and download the new version of Killbox and save it to your desktop.

Double-click on Killbox.exe to run it. Now put a tick by *Delete on Reboot*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*D:\WINDOWS\exgqfnn.exe

D:\WINDOWS\System32\Gklwgu.exe

D:\WINDOWS\ptcore.exe

D:\WINDOWS\System32\Rfieqb.exe

D:\Program Files\ISTsvc\istsvc.exe

D:\WINDOWS\exgqfnn.exe*

Exit the Killbox.

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked".

*R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

O4 - HKLM\..\Run: [Kt0Fl8] D:\WINDOWS\exgqfnn.exe

O4 - HKLM\..\Run: [version] D:\WINDOWS\System32\Gklwgu.exe

O4 - HKLM\..\Run: [ijrbbpd] D:\WINDOWS\ptcore.exe

O4 - HKLM\..\Run: [secure] D:\WINDOWS\System32\Rfieqb.exe

O4 - HKLM\..\Run: [Kt0Fl80+¿nü]mú*àaîD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\exgqfnn.exe

O4 - HKLM\..\Run: [IST Service] D:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [Kt0+¿ìtü]mú*àaîigßD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\exgqfnn.exe*

Now *restart your computer.*
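To triage O4 (Run key) lines from a HijackThis log without reading each one by hand, here is an added Python example; it is not part of HijackThis, Killbox or anything else used in this thread. The parsing rules, the review flags and the sample log are this example's own, with the sample lines copied from the logs posted above.

```python
"""Added example: flag anomalous O4 autostart entries in a HijackThis 1.99 log.
The heuristics below are this example's own, not HijackThis rules."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Shape of an O4 Run line in a HijackThis 1.99 log:
#   O4 - HKLM\..\Run: [ValueName] D:\path\to\program.exe args
# The value name is matched greedily so a ']' inside a mangled name does not end it.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>.*)\] (?P<cmd>.*)$")
QUOTED_RE = re.compile(r'^"([^"]+)"')
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|dll))(?:\s|$)", re.IGNORECASE)
# A program sitting directly in the Windows directory root (not a subfolder).
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)


@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    command: str
    path: str
    flags: list = field(default_factory=list)


def executable_path(command):
    """Program launched by a Run value: the quoted path, an unquoted path ending in
    an executable extension, or failing both the first whitespace-separated token."""
    m = QUOTED_RE.match(command) or EXE_RE.match(command)
    if m:
        return m.group(1)
    tokens = command.split()
    return tokens[0] if tokens else ""


def parse_o4(line):
    """Return an Autostart for a registry O4 line, or None for any other line
    (Global Startup entries and non-O4 lines are ignored)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return Autostart(m["hive"], m["key"], m["name"], m["cmd"], executable_path(m["cmd"]))


def triage(log_text):
    """Parse every O4 Run line in a log and attach review flags to each entry."""
    entries = [e for e in (parse_o4(l) for l in log_text.splitlines()) if e]
    launches = Counter(e.path.lower() for e in entries)
    for e in entries:
        # Run value names are normally short ASCII labels; high-bit or control
        # characters (the 'Kt0Fl80+...' names in this thread) mean a corrupted or
        # deliberately mangled name, which some tools fail to delete.
        if any(ord(c) > 126 or ord(c) < 32 for c in e.name):
            e.flags.append("non-ascii value name")
        if re.search(r"[a-z]:\\", e.name, re.IGNORECASE):
            e.flags.append("path embedded in value name")
        if WINROOT_RE.match(e.path):
            e.flags.append("executable directly in Windows directory")
        if launches[e.path.lower()] > 1:
            e.flags.append("same executable launched by %d Run values" % launches[e.path.lower()])
    return entries


def suspicious(log_text):
    """Only the entries that received at least one flag."""
    return [e for e in triage(log_text) if e.flags]


# Constructed sample: a subset of the O4 lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Kt0Fl8] D:\WINDOWS\exgqfnn.exe
O4 - HKLM\..\Run: [ijrbbpd] D:\WINDOWS\ptcore.exe
O4 - HKLM\..\Run: [Kt0Fl80+¿nü]mú*àaîD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\exgqfnn.exe
O4 - HKLM\..\Run: [IST Service] D:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

if __name__ == "__main__":
    for entry in suspicious(SAMPLE_LOG):
        print("%s\\%s [%s] -> %s" % (entry.hive, entry.key, entry.name, entry.command))
        for flag in entry.flags:
            print("    " + flag)
```

The flags point at formatting anomalies, not at known-bad names, so a cleanly named entry such as IST Service still needs a human look alongside the flagged ones.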


----------



## itrocks4u (Nov 27, 2004)

OK... I did that... I hope the computer is fine now... please let me know... here's the new HJT log

Logfile of HijackThis v1.99.0
Scan saved at 3:49:02 PM, on 17/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Documents and Settings\Ours\Desktop\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MW1HelperStartUp] D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Kt0Fl80+¿nü]mú*àaîD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\exgqfnn.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Kt0+¿ìtü]mú*àaîigßD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\exgqfnn.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IST Service] D:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108331482796
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

Download the Registry Search Tool here:

http://www.billsway.com/vbspage/

Unzip it and run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Copy and paste the following in the search box:

*D:\Program Files\ISTsvc\istsvc.exe*

Copy and paste the results here.


----------



## itrocks4u (Nov 27, 2004)

OK, when I typed D:\Program Files\ISTsvc\istsvc.exe... it said no instances found... but when I typed only istsvc.exe... it displayed this...

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "istsvc.exe" 17/02/2005 7:32:03 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc]
"app_name"="istsvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kt0Fl80+¿nü]mú*àaîD:\\Program Files\\ISTsvc\\istsvc.exe"="D:\\WINDOWS\\exgqfnn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kt0+¿ìtü]mú*àaîigßD:\\Program Files\\ISTsvc\\istsvc.exe"="D:\\WINDOWS\\exgqfnn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IST Service"="D:\\Program Files\\ISTsvc\\istsvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc]
"UninstallString"="D:\\Program Files\\ISTsvc\\istsvc.exe /remove"


----------



## Flrman1 (Jul 26, 2002)

Go to Add/Remove Programs and see if you can uninstall ISTsvc.

Also, a new version of Hijack This has been released, so get rid of the old one and *Click here* to download the new one, then come back here and post the log from it.


----------



## itrocks4u (Nov 27, 2004)

I did try uninstalling it through Add/Remove Programs, but it didn't work... it said something like it is already uninstalled... Anyway, here's the new HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 9:16:03 PM, on 18/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\CTsvcCDA.EXE
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Documents and Settings\Ours\Desktop\Salman\spy removing-february\hijackthis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MW1HelperStartUp] D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Kt0Fl80+¿nü]mú*àaîD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\exgqfnn.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Kt0+¿ìtü]mú*àaîigßD:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\exgqfnn.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IST Service] D:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108331482796
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

First please look and make sure the D:\Program Files\ISTsvc folder has been deleted.

Let me know if it is still there or not.


----------



## itrocks4u (Nov 27, 2004)

Yes... I deleted the folder...


----------



## Flrman1 (Jul 26, 2002)

Go to start Run and Type in *regedit*. Click OK.

Navigate to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Right click on the *Run* key in the left pane and choose "Export". Name it Run.reg and save it to your desktop.

Go to your Desktop to the Run.reg file you just exported. Right click it and choose "Edit". It will open in Notepad. Copy and paste its contents here.


----------



## sportscrazy (Nov 27, 2004)

I think everyone should use HijackThis after they've done the following:

1) Go to www.download.com and download Bazooka scanner (very small size).
2) Scan with it.
3) Whatever it finds, click on the name and it opens a website telling you the removal instructions.
4) After removing all of them...
5) Download "Microsoft AntiSpyware Beta 1" (it's a scanner from Microsoft, www.microsoft.com, offering realtime protection etc.).
6) If still not removed, use HijackThis to delete suspicious entries... everything should be all good!


----------



## sportscrazy (Nov 27, 2004)

Oh yeah... never download screensavers or those adorable smileys... they'll mess you up! Unless it's from a trusted site!.... Oh and somebody help me out on my thread.... just click my name and look at my latest thread. Thanks!


----------



## itrocks4u (Nov 27, 2004)

OK, here it is.....

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="D:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"D:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"ATIPTA"="D:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"msnappau"="\"D:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-us\\msnappau.exe\""
"Lexmark 2200 Series"="\"D:\\Program Files\\Lexmark 2200 Series\\lxbvbmgr.exe\""
"FaxCenterServer"="\"D:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
@=""
"Athan"="D:\\Program Files\\Athan\\Athan.exe"
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Microsoft Works Update Detection"="D:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"NeroFilterCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MW1HelperStartUp"="D:\\PROGRA~1\\MAGICW~1\\MW1HEL~1.EXE /partner MW1"
"CloudPlugin"="\"D:\\Program Files\\IMT Labs Messenger Plugin\\Cloud.exe\""
"UserFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,75,00,\
00,00
"Kt0Fl80+¿nü]mú*àaîD:\\Program Files\\ISTsvc\\istsvc.exe"="D:\\WINDOWS\\exgqfnn.exe"
"ccApp"="\"D:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="D:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Kt0+¿ìtü]mú*àaîigßD:\\Program Files\\ISTsvc\\istsvc.exe"="D:\\WINDOWS\\exgqfnn.exe"
"Zone Labs Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"IST Service"="D:\\Program Files\\ISTsvc\\istsvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


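The helpers above ask for the exported Run key so they can read it entry by entry. As an added example (not code from the thread or from any of its participants), here is a small parser for that "Windows Registry Editor Version 5.00" export format: it re-joins the wrapped hex lines, decodes the `hex(2)` (REG_EXPAND_SZ, UTF-16LE) value, and flags entries with the oddities seen in the posted export (garbage characters in a value name, a path embedded in the name, an executable dropped directly into the Windows folder). The sample export is constructed from entries quoted in the thread, and the flagging rules are heuristics of this example only.

```python
"""Parse a 'Windows Registry Editor Version 5.00' export of the Run key and
flag autostart entries worth a closer look. Added example, not code from the
thread; the sample export is constructed from entries quoted in the thread."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the Run.reg export posted in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="D:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
@=""
"UserFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,\
  6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
  00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,75,00,\
  00,00
"Kt0Fl80+¿nü]mú*àaîD:\\Program Files\\ISTsvc\\istsvc.exe"="D:\\WINDOWS\\exgqfnn.exe"
"IST Service"="D:\\Program Files\\ISTsvc\\istsvc.exe"
'''


@dataclass
class RunEntry:
    key: str
    name: str
    data: str
    flags: list = field(default_factory=list)


_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _join_continuations(text):
    """Re-join hex data that regedit wraps across lines with a trailing ',\\'."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith(",\\"):
            pending = line[:-1]          # drop the backslash, keep the comma
            continue
        lines.append(line)
    if pending:
        lines.append(pending)
    return lines


def _unescape(s):
    # Undo .reg escaping: a doubled backslash and an escaped double quote.
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(data):
    """Return REG_SZ strings as-is; decode hex(2) (REG_EXPAND_SZ, UTF-16LE)."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("hex(2):"):
        raw = bytes(int(h, 16) for h in data[7:].split(",") if h)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data                          # other types: keep the literal


def _flags_for(name, data):
    """Heuristics only (an assumption of this example): they point a reviewer
    at an entry, they do not prove anything about it."""
    flags = []
    if any(not 32 <= ord(c) <= 126 for c in name):
        flags.append("value name has non-ASCII or control characters")
    if re.search(r"[A-Za-z]:\\", name):
        flags.append("value name embeds a file path")
    if re.match(r"[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", data, re.I):
        flags.append("executable sits directly in the Windows folder")
    return flags


def parse_run_export(text):
    """Parse the export into RunEntry objects (default '@' values are skipped)."""
    entries, key = [], None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif (m := _VALUE_RE.match(line)) and key:
            name = _unescape(m.group(1))
            data = _decode_data(m.group(2))
            entries.append(RunEntry(key, name, data, _flags_for(name, data)))
    return entries


def suspicious(entries):
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse_run_export(SAMPLE_REG)):
        print(f"{e.name!r} -> {e.data}\n    " + "; ".join(e.flags))
```

Note that the plain "IST Service" entry passes every heuristic even though the helpers removed it by name; the parser only makes the export readable, it does not replace knowing what each entry is.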
----------



## Mosaic1 (Aug 17, 2001)

Can I interject here please? The forum software often messes up the formatting of registry files. It would be better to have it attached. Can you please find that file again and right click on it and send to >Compressed.

Upload the compressed file. Do not use Quick Reply. Instead use the Post Reply button. This will bring up a new page. Click the Manage Attachments button to upload your file.

Sorry for the interruption. Back to flrman1.


----------



## Flrman1 (Jul 26, 2002)

Mosaic1 said:


> Can I interject here please? The forum software often messes up the formatting of registry files. It would be better to have it attached. Can you please find that file again and right click on it and send to >Compressed.
> 
> Upload the compressed file. Do not use Quick Reply. Instead use the Post Reply button. This will bring up a new page. Click the Manage Attachments button to upload your file.
> 
> Sorry for the interruption. Back to flrman1.


Good point Mo! :up: Please do as Mo says and attach the file.


----------



## sportscrazy (Nov 27, 2004)

ummm..... yeah.... You can try my suggestion too, you know, if you want... I've found it to work all the time. P.S. I need help on my thread if someone can just answer my question.... click this link and it'll take you there (my thread): http://forums.techguy.org/t332490.html ..... Thanks


----------



## itrocks4u (Nov 27, 2004)

OK, here it is.... I'm 99% sure I'm sending you the right file.... But is the computer out of danger now?


----------



## Flrman1 (Jul 26, 2002)

Yes you should be out of the woods. We just need to remove those run entries.

I am attaching a runfix.zip file to this post. Download it and unzip it to your desktop. 

Doubleclick on the runfix.reg file to add it to the registry. Answer Yes to confirm.

Restart and post a new HJT log.


----------



## itrocks4u (Nov 27, 2004)

Flrman.... when I click Yes, it says "cannot import d:\(file path) Not all data was successfully written to the registry. Some keys are open by the system or other processes."......
I shut down the firewall... and disabled the AV auto-protect... but it still gave the same message...


----------



## itrocks4u (Nov 27, 2004)

Anyway... here's the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 2:07:22 PM, on 20/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\CTsvcCDA.EXE
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Documents and Settings\Ours\Desktop\Salman\spy removing-february\hijackthis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Ours\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "D:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MW1HelperStartUp] D:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108331482796
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------



## Flrman1 (Jul 26, 2002)

Clean! :up:

Now turn off System Restore: 

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.


----------



## Mosaic1 (Aug 17, 2001)

May I add something? The Subkeys under run may not have been added back. I would sign off, close any email programs and close all Internet Explorers. Then run the registry file again. See if you get the same message.


----------



## itrocks4u (Nov 27, 2004)

Hey... Thanks Flrman... I just have one more question.... Well, I can't use IE to send emails using Hotmail or Gmail.... I click on send but nothing happens. Is there something wrong with the settings?
Plus 'svchost'..... Is this file dangerous... because the firewall logs & alerts show this file blocked every time I do something on the internet......

Once again..really appreciate all your help....

Mosaic... I closed all the programs before clicking on the registry file..... IE, email, even the firewall & AV autoprotect...... But I guess, as Flrman said... the computer is clean now?


----------



## Mosaic1 (Aug 17, 2001)

Remember how you exported and attached the run key before? Would you do that again so we can be sure it is as it should be please?


----------



## itrocks4u (Nov 27, 2004)

Here it is... Again, 98% sure this is the right file....


----------



## Mosaic1 (Aug 17, 2001)

Good. That looks OK. I guess Windows was torturing you again. LOL


Also svchost is the generic Service host. It often has to go out to the internet. But it hosts (runs) most of the services in XP programs, so it's hard to say, but it generally is allowed access.


----------



## itrocks4u (Nov 27, 2004)

So ZoneAlarm blocks 'svchost' a LOT... should I allow it to pass through... even though I don't know how to do that....
Plus, I'm not able to send email through Hotmail or Gmail when I use IE.... any ideas what I should do there???


----------



## Flrman1 (Jul 26, 2002)

Yes you need to allow svchost.

Tell us exactly what happens when you try to send email in Hotmail and GMail. Are you getting any errors? If so, tell us exactly what they are.


----------



## itrocks4u (Nov 27, 2004)

Well... when I open the 'new message' page from Hotmail it says 'done with errors on the page' and the Hotmail rich text toolbar doesn't open either, although it is 'on' from the Hotmail menu.... Plus when I try to send email.... I click on 'send' and it acts like nothing happened.....
Gmail.... says 'loading' when I log in... and then MOST of the time gets stuck there....

Plus, how do I allow svchost through ZoneAlarm.... it says 'svshost.exe' blocked.... When I try to add the program svchost.exe, it doesn't show up in the ZoneAlarm programs list....... So please let me know how to do that as well....


----------



## Flrman1 (Jul 26, 2002)

Have you tried adjusting your security settings in internet options to see if that helps with the email?

Open Zone Alarm and click on Program Control in the left column of the main window. Now click on the Programs tab. Scroll down and find "Generic Host Process". In the bottom pane under "Entry detail" there should be a reference to C:\Windows\System32\svchost.exe. Place your cursor beside Generic Host Process under "Allow" and click there in both the Internet and Trusted zones. It should present you with the option to Allow it. Click that.


----------



## itrocks4u (Nov 27, 2004)

Yeah, I reset the internet settings to default...... but still no use..... any ideas on what I should do?


----------

