Here is my HJT list. I was wondering if someone could tell me if I need to delete, change or fix something, because I keep getting quite a few pop-ups. Thanks.
I forgot to attach my list; here it is:

Logfile of HijackThis v1.99.1
Scan saved at 7:53:13 PM, on 1/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Common Files\AOL\1136429131\ee\aolsoftware.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\ssttr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\RunServices: [Winzip Application] winzip81.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\h40q0ed5eh0.dll
O20 - Winlogon Notify: windtl32 - C:\WINDOWS\SYSTEM32\windtl32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Please download VundoFix.exe to your desktop.
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Then, run McAfee's Stinger (stand alone virus scanner that scans for a limited number of viruses/worms): http://download.nai.com/products/mcafee-avert/stng259.exe

Remove these using Hijack This:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\System32\ssttr.dll
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab

If this entry: [bold]O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll[/bold] still remains, use Hijack This and delete it.

Repost a new hijack this log

Here is the vundolist.txt:

VundoFix V4.2.16
Scan started at 2:15:57 AM 1/29/2006
Listing files found while scanning....
C:\WINDOWS\System32\ssttr.dll
Attempting to delete C:\WINDOWS\System32\ssttr.dll
C:\WINDOWS\System32\ssttr.dll Could not be deleted.
Performing Repairs to the registry.
Done!

Here is the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 2:33:42 AM, on 1/29/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\REGIST~1\regclean.exe
C:\Program Files\Common Files\AOL\1136429131\ee\aolsoftware.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\winzip81.exe
C:\PROGRA~1\eBlocs\SpyBlocs\GLF1D.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\ssttr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Winzip Application] winzip81.exe
O4 - HKLM\..\RunServices: [Winzip Application] winzip81.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe
O4 - HKCU\..\Run: [SpyBlocs] C:\Program Files\eBlocs\SpyBlocs\GLF1D.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\h40q0ed5eh0.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll
O20 - Winlogon Notify: windtl32 - C:\WINDOWS\SYSTEM32\windtl32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

I tried using Hijack This to delete
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\ssttr.dll
and also
O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll
but they wouldn't delete.

Try booting your computer into [bold]Safe Mode[/bold] and then run Vundo Fix, then run McAfee Stinger, then if needed, remove the entry using Hijack This, then reboot and post another log.
Here is my HijackThis list in safe mode:

Logfile of HijackThis v1.99.1
Scan saved at 2:14:47 PM, on 1/29/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\pmkjg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Winzip Application] winzip81.exe
O4 - HKLM\..\RunServices: [Winzip Application] winzip81.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\System32\pmkjg.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\lvj8091ue.dll
O20 - Winlogon Notify: windtl32 - C:\WINDOWS\SYSTEM32\windtl32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Here it is not in normal mode:

Logfile of HijackThis v1.99.1
Scan saved at 2:23:31 PM, on 1/29/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\winzip81.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\REGIST~1\regclean.exe
C:\Program Files\eBlocs\SpyBlocs\GLF1D.exe
C:\Program Files\Common Files\AOL\1136429131\ee\aolsoftware.exe
c:\program files\common files\aol\1136429131\ee\aim6.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\pmkjg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Winzip Application] winzip81.exe
O4 - HKLM\..\Run: [WinDLL (steam.dll)] rundll32.exe C:\WINDOWS\System32\steam.dll,start
O4 - HKLM\..\RunServices: [Winzip Application] winzip81.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\regclean.exe
O4 - HKCU\..\Run: [SpyBlocs] C:\Program Files\eBlocs\SpyBlocs\GLF1D.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\lvj8091ue.dll (file missing)
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\pih.dll
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\System32\pmkjg.dll
O20 - Winlogon Notify: windtl32 - C:\WINDOWS\SYSTEM32\windtl32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Could somebody help me? I keep getting more and more pop-ups, and if I'm gone from the computer for a while I get a message saying I have a corrupted registry.
There is still that vundo.....

Please download VundoFix.exe -> http://www.atribune.org/ccount/click.php?id=4 to your desktop.
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

I Keep Receiving PopUps As Well...Only when I allow rundll32.exe to connect on my firewall settings...if I disable it from connecting it doesn't bring up a few popups... can you help? I tried the vundofix and it didn't find anything...and I also ran the stinger as well...

Here Is The Hijack This Log File...

Logfile of HijackThis v1.99.1
Scan saved at 9:22:30 AM, on 2/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\Program Files\Common Files\AOL\1139600080\ee\aolsoftware.exe
c:\program files\common files\aol\1139600080\ee\aim6.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adelphia.net/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\winlogon.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: mIRC.lnk = C:\Program Files\mIRC\mirc.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O15 - Trusted Zone: *.crosskirknet.com
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.filesharingaccess.com
O15 - Trusted Zone: *.gimmycash.com
O15 - Trusted Zone: *.gimmysmileys.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.kabum.pl
O15 - Trusted Zone: *.kazaa-forum.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.traffic-stats.org
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.yoursitebar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.zango.com
O15 - Trusted Zone: *.zangocash.com
O15 - Trusted Zone: *.crosskirknet.com (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.filesharingaccess.com (HKLM)
O15 - Trusted Zone: *.gimmycash.com (HKLM)
O15 - Trusted Zone: *.gimmysmileys.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.kabum.pl (HKLM)
O15 - Trusted Zone: *.kazaa-forum.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.traffic-stats.org (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.yoursitebar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.zango.com (HKLM)
O15 - Trusted Zone: *.zangocash.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135371099390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136912575344
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://webcam.atomicmods.com//activex/AMC.cab
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\lvn2095oe.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: Windows - Unknown owner - C:\WINNT\srvany.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - (no file)
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

bluzeon

Download CoolWebShredder: http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe
Don't run coolwebshredder just yet...

Download and install Ad-Aware SE: http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-4-1
Update after installation!

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Download the VX2 plugin for Ad-Aware: http://updates.ls-servers.com/vx2cleaner_inst.exe
To run this tool go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection.

Before running any scans, we'll need to configure Ad-Aware, go ahead and read this: http://www.greyknight17.com/spyware.php (scroll down to #4)

Reboot your computer to go into [bold]safe mode[/bold] (tapping F8 when your bios loads)

Using Hijack This, remove these entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\winlogon.exe
O15 - Trusted Zone: *.crosskirknet.com
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.filesharingaccess.com
O15 - Trusted Zone: *.gimmycash.com
O15 - Trusted Zone: *.gimmysmileys.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.kabum.pl
O15 - Trusted Zone: *.kazaa-forum.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.traffic-stats.org
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.yoursitebar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.zango.com
O15 - Trusted Zone: *.zangocash.com
O15 - Trusted Zone: *.crosskirknet.com (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.filesharingaccess.com (HKLM)
O15 - Trusted Zone: *.gimmycash.com (HKLM)
O15 - Trusted Zone: *.gimmysmileys.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.kabum.pl (HKLM)
O15 - Trusted Zone: *.kazaa-forum.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.traffic-stats.org (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.yoursitebar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.zango.com (HKLM)
O15 - Trusted Zone: *.zangocash.com (HKLM)
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://webcam.atomicmods.com//activex/AMC.cab
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\lvn2095oe.dll

Run coolwebshredder and choose [bold]Fix[/bold]

Now run Ad-Aware, choose [bold]Full System Scan[/bold]...then run the VX2 cleaner within Ad-Aware...

Reboot your computer normally.

Do a search for this file and delete it if it exists: C:\WINDOWS\system32\[bold]lvn2095oe.dll[/bold]

After you have done those, go back to My Computer >Tools >Folder Options >View tab and disable it (default setting)

Post another Hijack This log after you have completed the tasks above...

If needed, print the thread out so you can follow it offline...

@thugs121: This line -> O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\lvn2095oe.dll is look2me and requires a special fix. Deleting that dll doesn't work, it has multiple dlls which aren't visible in HjT log. Also, bluzeon doesn't have nail. And I already cleaned bluzeon's computer -> http://forums.afterdawn.com/thread_view.cfm/305174
Cool, I had no idea that he/she had multiposted about his/her issue...I just saw this thread was updated in my account...
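
Added example, not part of the thread and not any poster's tool: it takes the O20 - Winlogon Notify lines from the first poster's four logs and compares them across scans, showing which DLLs come back registered under a different notify name. The function names and the three verdict labels ("renamed", "stable", "transient") are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# One HijackThis "O20 - Winlogon Notify" line: notify key name, DLL path,
# and an optional "(file missing)" suffix.
O20_RE = re.compile(
    r"^O20 - Winlogon Notify:\s*(?P<name>.+?)\s+-\s+(?P<path>[A-Za-z]:\\.+?)"
    r"(?P<missing>\s+\(file missing\))?\s*$"
)

# O20 lines copied from the first poster's four logs in this thread.
SCANS = [
    ("1/28 7:53 PM", r"""
O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\h40q0ed5eh0.dll
O20 - Winlogon Notify: windtl32 - C:\WINDOWS\SYSTEM32\windtl32.dll
"""),
    ("1/29 2:33 AM", r"""
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\h40q0ed5eh0.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\SYSTEM32\ssttr.dll
O20 - Winlogon Notify: windtl32 - C:\WINDOWS\SYSTEM32\windtl32.dll
"""),
    ("1/29 2:14 PM", r"""
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\System32\pmkjg.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\lvj8091ue.dll
O20 - Winlogon Notify: windtl32 - C:\WINDOWS\SYSTEM32\windtl32.dll
"""),
    ("1/29 2:23 PM", r"""
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\lvj8091ue.dll (file missing)
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\pih.dll
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\System32\pmkjg.dll
O20 - Winlogon Notify: windtl32 - C:\WINDOWS\SYSTEM32\windtl32.dll
"""),
]


def parse_o20(log_text):
    """Return [(notify_name, lowercased_dll_path, file_missing)] for one log."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append((m["name"], m["path"].lower(), bool(m["missing"])))
    return entries


def classify(scans):
    """scans: ordered [(label, log_text)]. Returns {dll: (verdict, history)}.

    renamed   - same DLL seen under more than one notify key name
    stable    - same name in every scan (unchanged, which is not proof of benign)
    transient - appears in only some of the scans
    """
    history = defaultdict(list)
    for label, text in scans:
        for name, path, missing in parse_o20(text):
            history[path].append((label, name, missing))
    report = {}
    for path, seen in history.items():
        names = {name for _, name, _ in seen}
        if len(names) > 1:
            verdict = "renamed"
        elif len(seen) == len(scans):
            verdict = "stable"
        else:
            verdict = "transient"
        report[path] = (verdict, seen)
    return report


if __name__ == "__main__":
    for dll, (verdict, seen) in sorted(classify(SCANS).items()):
        trail = ", ".join(f"{label}: {name}{' [missing]' if gone else ''}"
                          for label, name, gone in seen)
        print(f"{verdict:9} {dll}\n          {trail}")
```

Entries that change only their key name between scans are the ones HijackThis cannot usefully "fix" one line at a time, which matches the advice in the thread to use a dedicated removal tool.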