
HTJ list help

Discussion in 'Windows - Virus and spyware problems' started by tab007, Jan 28, 2006.

  1. tab007

    tab007 Guest

    Here is my HJT list. I was wondering if someone could tell me if I need to delete, change or fix something, because I keep getting quite a few pop-ups. Thanks.
     
  2. tab007

    tab007 Guest

    I forgot to attach my list; here it is:


    Logfile of HijackThis v1.99.1
    Scan saved at 7:53:13 PM, on 1/28/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\Program Files\Common Files\AOL\1136429131\ee\aolsoftware.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\ssttr.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\RunServices: [Winzip Application] winzip81.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
    O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll
    O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\h40q0ed5eh0.dll
    O20 - Winlogon Notify: windtl32 - C:\WINDOWS\SYSTEM32\windtl32.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

     
  3. thugs121

    thugs121 Regular member

    Please download VundoFix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * Click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shut down your computer, click OK.
    * Turn your computer back on.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.


    Then, run McAfee's Stinger (a stand-alone virus scanner that scans for a limited number of viruses/worms): http://download.nai.com/products/mcafee-avert/stng259.exe

    Remove these using Hijack This:

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\ssttr.dll
    O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab


    If this entry:
    O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll
    still remains, use Hijack This and delete it.

    Repost a new Hijack This log.
     
  4. tab007

    tab007 Guest

    Here is the vundolist.txt:


    VundoFix V4.2.16
    Scan started at 2:15:57 AM 1/29/2006

    Listing files found while scanning....

    C:\WINDOWS\System32\ssttr.dll

    Attempting to delete C:\WINDOWS\System32\ssttr.dll
    C:\WINDOWS\System32\ssttr.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Here is the Hijack This log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:33:42 AM, on 1/29/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\REGIST~1\regclean.exe
    C:\Program Files\Common Files\AOL\1136429131\ee\aolsoftware.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\WINDOWS\System32\winzip81.exe
    C:\PROGRA~1\eBlocs\SpyBlocs\GLF1D.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\ssttr.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Winzip Application] winzip81.exe
    O4 - HKLM\..\RunServices: [Winzip Application] winzip81.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe
    O4 - HKCU\..\Run: [SpyBlocs] C:\Program Files\eBlocs\SpyBlocs\GLF1D.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\h40q0ed5eh0.dll
    O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll
    O20 - Winlogon Notify: windtl32 - C:\WINDOWS\SYSTEM32\windtl32.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


    I tried using Hijack This to delete O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\ssttr.dll and also O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll, but they wouldn't delete.
     
  5. thugs121

    thugs121 Regular member

    Try booting your computer into Safe Mode and then run VundoFix, then run McAfee Stinger, then, if needed, remove the entry using Hijack This, then reboot and post another log.
     
  6. tab007

    tab007 Guest

    Here is my Hijack This list in Safe Mode:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:14:47 PM, on 1/29/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\pmkjg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Winzip Application] winzip81.exe
    O4 - HKLM\..\RunServices: [Winzip Application] winzip81.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O20 - Winlogon Notify: pmkjg - C:\WINDOWS\System32\pmkjg.dll
    O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\lvj8091ue.dll
    O20 - Winlogon Notify: windtl32 - C:\WINDOWS\SYSTEM32\windtl32.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

    Here it is now in normal mode:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:23:31 PM, on 1/29/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\winzip81.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\REGIST~1\regclean.exe
    C:\Program Files\eBlocs\SpyBlocs\GLF1D.exe
    C:\Program Files\Common Files\AOL\1136429131\ee\aolsoftware.exe
    c:\program files\common files\aol\1136429131\ee\aim6.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\pmkjg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Winzip Application] winzip81.exe
    O4 - HKLM\..\Run: [WinDLL (steam.dll)] rundll32.exe C:\WINDOWS\System32\steam.dll,start
    O4 - HKLM\..\RunServices: [Winzip Application] winzip81.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe
    O4 - HKCU\..\Run: [SpyBlocs] C:\Program Files\eBlocs\SpyBlocs\GLF1D.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\lvj8091ue.dll (file missing)
    O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\pih.dll
    O20 - Winlogon Notify: pmkjg - C:\WINDOWS\System32\pmkjg.dll
    O20 - Winlogon Notify: windtl32 - C:\WINDOWS\SYSTEM32\windtl32.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe



     
  7. tab007

    tab007 Guest

    Could somebody help me? I keep getting more and more pop-ups, and if I'm gone from the computer for a while I get a message saying I have a corrupted registry.
     
  8. spertti

    spertti Active member

    There is still that Vundo...

    Please download VundoFix.exe -> http://www.atribune.org/ccount/click.php?id=4 to your desktop.

    * Double-click VundoFix.exe to run it.
    * Click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shut down your computer, click OK.
    * Turn your computer back on.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.
     
  9. bluzeon

    bluzeon Member

    I keep receiving pop-ups as well, only when I allow rundll32.exe to connect in my firewall settings; if I disable it from connecting it doesn't bring up a few pop-ups. Can you help? I tried the VundoFix and it didn't find anything, and I also ran the Stinger as well.

    Here is the Hijack This log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:22:30 AM, on 2/16/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
    C:\Program Files\Common Files\AOL\1139600080\ee\aolsoftware.exe
    c:\program files\common files\aol\1139600080\ee\aim6.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adelphia.net/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=
    F3 - REG:win.ini: run=C:\WINDOWS\inet20010\winlogon.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: mIRC.lnk = C:\Program Files\mIRC\mirc.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O15 - Trusted Zone: *.crosskirknet.com
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.filesharingaccess.com
    O15 - Trusted Zone: *.gimmycash.com
    O15 - Trusted Zone: *.gimmysmileys.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.kabum.pl
    O15 - Trusted Zone: *.kazaa-forum.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.traffic-stats.org
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.yoursitebar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.zango.com
    O15 - Trusted Zone: *.zangocash.com
    O15 - Trusted Zone: *.crosskirknet.com (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.filesharingaccess.com (HKLM)
    O15 - Trusted Zone: *.gimmycash.com (HKLM)
    O15 - Trusted Zone: *.gimmysmileys.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.kabum.pl (HKLM)
    O15 - Trusted Zone: *.kazaa-forum.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.media-motor.net (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.traffic-stats.org (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted Zone: *.yoursitebar.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted Zone: *.zango.com (HKLM)
    O15 - Trusted Zone: *.zangocash.com (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135371099390
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136912575344
    O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://webcam.atomicmods.com//activex/AMC.cab
    O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\lvn2095oe.dll
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
    O23 - Service: Windows - Unknown owner - C:\WINNT\srvany.exe (file missing)
    O23 - Service: Windows Overlay Components - Unknown owner - (no file)
    O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

     
  10. thugs121

    thugs121 Regular member

    bluzeon

    Download CoolWebShredder: http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe

    Don't run CoolWebShredder just yet.

    Download and install Ad-Aware SE: http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-4-1

    Update after installation!

    Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that system files and folders are showing/visible: uncheck the Hide protected operating system files option.

    Download the VX2 plugin for Ad-Aware: http://updates.ls-servers.com/vx2cleaner_inst.exe
    To run this tool, go into Ad-Aware > Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status: System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection.

    Before running any scans, we'll need to configure Ad-Aware; go ahead and read this: http://www.greyknight17.com/spyware.php (scroll down to #4)

    Reboot your computer into safe mode (tap F8 when your BIOS loads).

    Using Hijack This, remove these entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=
    F3 - REG:win.ini: run=C:\WINDOWS\inet20010\winlogon.exe
    O15 - Trusted Zone: *.crosskirknet.com
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.filesharingaccess.com
    O15 - Trusted Zone: *.gimmycash.com
    O15 - Trusted Zone: *.gimmysmileys.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.kabum.pl
    O15 - Trusted Zone: *.kazaa-forum.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.traffic-stats.org
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.yoursitebar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.zango.com
    O15 - Trusted Zone: *.zangocash.com
    O15 - Trusted Zone: *.crosskirknet.com (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.filesharingaccess.com (HKLM)
    O15 - Trusted Zone: *.gimmycash.com (HKLM)
    O15 - Trusted Zone: *.gimmysmileys.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.kabum.pl (HKLM)
    O15 - Trusted Zone: *.kazaa-forum.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.media-motor.net (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.traffic-stats.org (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted Zone: *.yoursitebar.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted Zone: *.zango.com (HKLM)
    O15 - Trusted Zone: *.zangocash.com (HKLM)
    O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://webcam.atomicmods.com//activex/AMC.cab
    O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\lvn2095oe.dll

    Run CoolWebShredder and choose Fix.

    Now run Ad-Aware and choose Full System Scan, then run the VX2 cleaner within Ad-Aware.

    Reboot your computer normally. Do a search for this file and delete it if it exists: C:\WINDOWS\system32\lvn2095oe.dll

    After you have done those, go back to My Computer > Tools > Folder Options > View tab and disable it (default setting).

    Post another Hijack This log after you have completed the tasks above.

    If needed, print the thread out so you can follow it offline.
     
    Last edited: Feb 20, 2006
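    The removal lists in thugs121's two replies above (the ssttr/WhenUSave/Trusted Zone/DPF entries in post 3 and the long O15/O16/O20 list in post 10) follow recurring patterns in the HijackThis log format. The script below is an added example, not code from this thread or from HijackThis, that encodes those patterns as review heuristics over HJT entry lines; the sample entries are copied from the logs posted above, and the allowlisted DPF hosts and the "random-looking name" test are assumptions for the example, meant to rank entries for a human to check rather than to decide anything by themselves.

```python
"""Triage heuristics for HijackThis v1.99 log entries (added example for this thread)."""
import re
from urllib.parse import urlparse

# Constructed sample: entry lines copied from the logs posted above, plus the
# benign MSMSGS and WGA entries, so the rules below have both hits and misses.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\ssttr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\RunServices: [Winzip Application] winzip81.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\h40q0ed5eh0.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
"""

# Every HJT entry line is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Assumption for the example: DPF (ActiveX download) hosts treated as expected.
DPF_ALLOWED_HOSTS = ("microsoft.com", "hp.com")


def looks_random(stem: str) -> bool:
    """Review-priority heuristic: a file stem with no vowels, or with letters and digits
    interleaved more than once, is unlike a vendor-chosen name. Expect false positives."""
    s = stem.lower()
    if not any(c in "aeiouy" for c in s):
        return True
    classes = ["d" if c.isdigit() else "l" for c in s if c.isalnum()]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return switches >= 2


def triage_line(line: str) -> list:
    """Return the reasons one HJT entry line deserves review ([] = nothing flagged)."""
    m = ENTRY_RE.match(line.strip())
    if not m:                      # header, process list or blank line
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("references a file that no longer exists (orphaned entry)")
    if sec == "O2" and "(no name)" in body:
        reasons.append("unnamed Browser Helper Object")
    if sec in ("O2", "O20"):       # BHOs and Winlogon Notify handlers load a DLL
        dll = re.search(r"([\w$-]+)\.dll", body, re.I)
        if dll and looks_random(dll.group(1)):
            reasons.append(f"DLL name '{dll.group(1)}' looks machine-generated")
    if sec == "O15":
        if "should be Internet Zone" in body:
            reasons.append("protocol default moved into the Trusted Zone")
        elif body.startswith("Trusted Zone:"):
            reasons.append("site added to the IE Trusted Zone")
    if sec == "O16":
        url = re.search(r"https?://\S+", body)
        host = urlparse(url.group(0)).hostname if url else None
        if host and not any(host == h or host.endswith("." + h) for h in DPF_ALLOWED_HOSTS):
            reasons.append(f"ActiveX download from unexpected host {host}")
    if sec == "O4" and re.search(r"\]\s+[\w~.-]+\.exe\s*$", body, re.I):
        reasons.append("autorun entry is a bare executable name with no path")
    if sec == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher information")
    return reasons


def triage_log(text: str) -> list:
    """Run every line through triage_line; return [(entry, reasons)] for the hits."""
    hits = []
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            hits.append((raw.strip(), reasons))
    return hits
```

    Feeding a whole saved log to triage_log() is fine: the header and the Running processes block do not match the entry pattern and are skipped.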
  11. -kemisti-

    -kemisti- Active member

    @thugs121: This line -> O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\lvn2095oe.dll
    is Look2Me and requires a special fix. Deleting that DLL doesn't work; it has multiple DLLs which aren't visible in the HJT log. Also, bluzeon doesn't have Nail. And I already cleaned bluzeon's computer ->
    http://forums.afterdawn.com/thread_view.cfm/305174 ;)
     
  12. thugs121

    thugs121 Regular member

    Cool, I had no idea that he/she had multi-posted about his/her issue. I just saw this thread was updated in my account.
     
