Spotresults...

nev · #1 (**permalink**) 17-03-2005, 06:39 AM

Hi, a newbie to the forum here...

I've recently been tormented by a search engine hijacker that intermittently directs my search results to www.spotresults.com, adw-a-r-e.com and produces a popup that advertises, ironically, a spyware-stopping software. So far, the spyware has only activated whenever I use Google. Here is my HijackThis logfile; please tell me what I need to do or what other info you require. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 9:32:26 PM, on 3/16/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\r_server.exe
D:\WINDOWS\system32\regsvc.exe
D:\WINDOWS\system32\MSTask.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
D:\WINDOWS\System32\WBEM\WinMgmt.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\loadqm.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotmail.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] D:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: AudioDeck.lnk = D:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0309390d249361f...p/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/pro...tor/WebSWK.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O20 - Winlogon Notify: Explorer - D:\WINDOWS\system32\h0n00a5med.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINDOWS\System32\dmadmin.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: radmm - Unknown owner - D:\WINDOWS\System32\r_server.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Tmntsrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

ukantcme · #2 (**permalink**) 17-03-2005, 08:58 AM

This "May" be your problems:

O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) -

With Hijack This, put a check next to each of the entries I bolded below. After those are all checked, click the "Fix Checked" button in Hijack This. Then reboot, scan again with Hijack This and post another log here.

You can also get a copy of :the free »www.windowsstartup.com/ program. You can see exactly what your startup consists of and even check the Consult button of entries that you are not familiar with.

Can also Start > Run > Msconfig > Startup and see whats taking place. If there is something there that you do not understand. Write back and we will see if we can figure it out.

And just for the heck of it go to www.microsoft.com and get a copy of the SasserWorm removal tool. Just an idea.

quick question : has this bug infected your desktop wallpaper in the background? Telling you to go to www."something".com Something being a generic address for a many number of different so called adware removal software sites.

owen · #3 (**permalink**) 17-03-2005, 11:33 PM

What ukantcme said was true, they could well be causing the problems. But there is a little more. Heres a full fix so that you know what to do:

Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0309390d249361...ip/RdxIE601.cab
O20 - Winlogon Notify: Explorer - D:\WINDOWS\system32\h0n00a5med.dll
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Tmntsrv.exe (file missing)

Click Fix Checked

Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

Delete the following files and folders:
c:\freescan
D:\WINDOWS\system32\h0n00a5med.dll

Reboot and post a fresh log

ukantcme · #4 (**permalink**) 18-03-2005, 02:37 AM

Beautiful work Owen

nev · #5 (**permalink**) 18-03-2005, 05:29 AM

Hi guys,

Thanks for you help so far. Unfortunately, I could not do some of the things you suggested...I couldn't find either c:/freescan or d:/windows/system32/h0n00a5med.dll on my computer; all hidden files were shown, even the ones for the operating system.

I tried to remove all the entries you have suggested, but two kept on returning:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\SYSTEM\blank.htm
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Tmntsrv.exe (file missing)
and a new one appeared:
O20 - Winlogon Notify: Internet Settings - D:\WINDOWS\system32\o0660ajsedo60.dll

Furthermore, when I was about to post a reply in this forum, I was redirected to http://www.ad-w-a-r-e.com/cgi-bin/KeywordV2?query=43518, although the page could not be loaded. The Windowsstartup program and the Sasser worm detection program both did not find anything suspicious. My Spysweeper did detect something was trying to change my homepage, but I stopped that from happening.
Here's an updated logfile. Thanks again for your hard work!

Logfile of HijackThis v1.99.1
Scan saved at 8:27:56 PM, on 3/17/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\system32\regsvc.exe
D:\WINDOWS\system32\MSTask.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
D:\WINDOWS\System32\WBEM\WinMgmt.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\loadqm.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotmail.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\SYSTEM\blank.htm
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] D:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: AudioDeck.lnk = D:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O20 - Winlogon Notify: Internet Settings - D:\WINDOWS\system32\o0660ajsedo60.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINDOWS\System32\dmadmin.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Tmntsrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

owen · #6 (**permalink**) 18-03-2005, 09:08 AM

Download VX2Finder from this link:
For XP & Nt systems Only
http://tools.zerosrealm.com/VX2Finder.exe
Or from here
http://www.downloads.subratam.org/VX2Finder.exe

Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Close the tool and Copy and paste the contents of the log into your next reply here.

nev · #7 (**permalink**) 19-03-2005, 02:27 AM

Here's the vx2 log.

Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
Internet Settings
sclgntfy
SensLogn

Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{B2703D02-F58D-F5E7-ABEE-F2A05B7662E9}

It seems like the problem is getting worse...I suspect winlogon has something to do with it. Before all these problems came up, I never had my Zonealarm ask me if I wanted the Winlogon NT Application to access the internet. Now, each time I startup my computer, this message will always appear. Whenever I try to delete the O20 value in safe mode, I can never find it; moreover, when I run hijackthis, I find that the name of the O20 value keeps on changing, and that I cannot delete it (in safe mode) because of a sharing/use violation. Regardless of the name of the .dll, the variants are all classified as "Winlogin Notify" by HijackThis.

I now get redirected to a bunch of different sites whenever I use the internet; for example, when I clicked on my favourites to access this page, I got redirected to http://www.thefreedictionary.com/_/topad.htm and got a popup with URL http://www.redzip.com/index.htm. If you want, I can tell you what website I visited that started this whole mess; I don't want anybody else to suffer through this!

owen · #8 (**permalink**) 19-03-2005, 04:10 PM

The Winlogon Notify has a lot to do with the problem. You won't be prompted about it accessing the net by Zone Alarm because its a DLL file that can inject itself into other applications.

Please download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

nev · #9 (**permalink**) 19-03-2005, 09:40 PM

Hi Owen,

Thanks for your continuing help. When I executed the program, a warning message appeared, telling me that D:Windows\System32\AUTOEXEC.NT is not suited to run in MS-DOS or as a Windows application, and I should either close or ignore the problem. After a couple of tries with the same message, a report.txt was printed:

L2MFIX find log 1.03
These are the registry keys present
************************************************** ********************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33, 00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e, 00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74, 00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\l0j8la1u1d.d ll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

************************************************** ********************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Internet Settings\User Agent\Post Platform]
"{B2703D02-F58D-F5E7-ABEE-F2A05B7662E9}"=""

************************************************** ********************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Scripting Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Merge Shell Folder"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Microsoft SearchBand"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{7D688A77-C613-11D0-999B-00C04FD655E1}"="SlowFile Icon Overlay"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{c2c1d8a0-016a-11d1-a7fa-444553540000}"="Shell Extension Sample"
"{f802f260-519b-11d1-bb5d-0060974c6013}"="ICQ Shell Extension"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{7605B310-BE4E-4039-A4EA-87882B380FE5}"=""
"{12879504-45A1-4686-BA0C-A7526522AEDD}"=""
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{72A99745-FC0A-492F-9A1C-9997B99802C4}"=""

************************************************** ********************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7605B310-BE4E-4039-A4EA-87882B380FE5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7605B310-BE4E-4039-A4EA-87882B380FE5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7605B310-BE4E-4039-A4EA-87882B380FE5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7605B310-BE4E-4039-A4EA-87882B380FE5}\InprocServer32]
@="D:\\WINDOWS\\system32\\dkvxdec_0407.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{12879504-45A1-4686-BA0C-A7526522AEDD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12879504-45A1-4686-BA0C-A7526522AEDD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12879504-45A1-4686-BA0C-A7526522AEDD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12879504-45A1-4686-BA0C-A7526522AEDD}\InprocServer32]
@="D:\\WINDOWS\\system32\\dtlay.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{72A99745-FC0A-492F-9A1C-9997B99802C4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{72A99745-FC0A-492F-9A1C-9997B99802C4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{72A99745-FC0A-492F-9A1C-9997B99802C4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{72A99745-FC0A-492F-9A1C-9997B99802C4}\InprocServer32]
@="D:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

************************************************** ********************************
Files Found are not all bad files:
Directory Listing of system files:
Volume in drive D is GAMES
Volume Serial Number is 19D5-3779

Directory of D:\WINDOWS\System32

03/19/2005 12:27p 233,129 dtlay.dll
03/19/2005 03:27a 234,853 irpsl5771.dll
03/18/2005 06:20p 233,129 l0j8la1u1d.dll
03/17/2005 07:42p 234,853 mgdtcui.dll
03/15/2005 11:33p 233,691 fp4403hqe.dll
03/15/2005 11:33p 233,248 dkvxdec_0407.dll
09/21/2003 02:45p 32 {355CACAE-C9A9-44CC-BB81-F4B2CF9ED2C9}.dat
09/21/2003 02:44p 32 {DE8F2FDD-4E62-4609-8626-6B33549F5C4B}.dat
09/21/2003 02:43p 32 {A16A7DB3-60E2-4C26-9D0D-9AC07AEE0406}.dat
09/21/2003 02:41p 32 {9D6792FA-1F52-4F42-93F6-0DC8EF045EF8}.dat
09/21/2003 02:41p 32 {5625B77C-94D1-421D-B4CB-B77B733FF89D}.dat
09/21/2003 02:41p 32 {D5C5CF66-9598-4CAD-B10F-F5E8ED17F615}.dat
09/21/2003 02:39p 32 {F5928F92-993A-4996-BFB2-DCA701982150}.dat
06/28/2003 06:36p <DIR> dllcache
05/22/2001 01:00a 22,016 borlndmm.dll
14 File(s) 1,425,143 bytes
1 Dir(s) 948,408,320 bytes free

owen · #10 (**permalink**) 19-03-2005, 11:18 PM

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!