look2me vx2 new variant infection?


RevTed
19 Dec 2004, 12:15am
Hello, I've had a horrible few days trying to deal with what I believe is nasty malware. I may have downloaded and run something I shouldn't have when I was looking for a label program on the Internet. Since the 13th of December I have been downloading every kind of adware - spyware - trojan software that I could find. I currently have Spyware Blaster - Scan Spyware - Ad-aware SE Personal and Spybot Search and Destroy. I have downloaded CW Shredder - HijackThis - VX2Finder(126) - LSPFix and several other programs to try and figure out how to get rid of this malware. My HOSTS file is totally compromised and is changed as fast as I edit it. I have immunized my system to block most of the malware but it is persistent. The only thing that has kept me able to access the links that I want is to run Ad-aware right after start-up, remove the VX2 and other malware and then use the KillAdd popup blocker immediately upon accessing the Internet. I usually get an error message: [An exception occurred while trying to run ""C:\WINNT\System32\guard.tmp",uMonitor"]

I have been reading the other threads and think that I have a new variant of the look2me/vx2 infection that kill2me doesn't eliminate. I would greatly appreciate any help I can get with regard to this problem. Regards (RevTed)

marty111
19 Dec 2004, 12:19am
In order to help you we will need a HijackThis log. Post it in here, then we will help you remove it.

RevTed
19 Dec 2004, 12:33am
Thank you for the quick response - here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 4:19:22 PM, on 12/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINNT\system32\khooker.exe
C:\WINNT\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\KillAdd\killad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\Ted1\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11f239b5ee46e54a1f17/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38323.5929282407
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB2C3D67-4ADB-4591-BD45-D58BCED2E420}: NameServer = 216.167.144.1 216.167.161.1

Crunchie
19 Dec 2004, 1:11am
Hi. First of all you need to update HijackThis to version 1.99. Run HijackThis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here (http://computercops.biz/downloads-file-328.html). Remove the old version by opening the program, going to Config\Misc Tools, then Uninstall & Exit. You then have to delete the file manually. Unzip the new version into the HijackThis folder.
Please do the following:

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

Download LSPfix from here (http://www.computercops.biz/downloads-file-334.html)
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "calsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

Go to c:\winnt\system32\ and delete the file manually.

Download and run VX2Finder(.exe).
http://www.downloads.subratam.org/VX2Finder.exe

Open the program and click the 'Click to Find VX2.aBetterInternet' button. This will attempt to find all VX2 related files and registry keys and when present display them in its logfile. To create a logfile, click the button named: 'Make Log'. This will open logfile using Notepad. Please post (copy/paste) the results and post them in this topic.

Download these two tools:

http://www.downloads.subratam.org/DllCompare.exe
&
http://www.downloads.subratam.org/KillBox.exe

Run DllCompare by clicking "Run Locate.com", then click the Compare button. When done, post that log here. Do not reboot until I say, because all the filenames will change otherwise.

RevTed
19 Dec 2004, 1:53am
Here are the new log files; I ran HijackThis last - RevTed:

Logfile of HijackThis v1.99.0
Scan saved at 5:37:09 PM, on 12/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINNT\system32\khooker.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted IP range: (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11f239b5ee46e54a1f17/netzip/RdxIE601.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WebSeach Toolbar support NT service - Unknown - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
App Paths
AtiExtEvent
crypt32chain
cryptnet
cscdll
Reliability
sclgntfy
SensLogn
wzcnotif


Guardian Key--- is called:

User Agent String---
{BEDAB044-6242-43AF-8E51-AF2D4BC08938}

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\cammdlg.dll Mon Dec 13 2004 9:09:36p ..S.R 226,133 220.83 K
C:\WINNT\SYSTEM32\dbvacm.dll Mon Dec 13 2004 2:01:58p ..S.R 224,883 219.61 K
C:\WINNT\SYSTEM32\en8ul1~1.dll Tue Dec 14 2004 7:09:04a ..S.R 224,844 219.57 K
C:\WINNT\SYSTEM32\g2400c~1.dll Thu Dec 16 2004 5:03:14p ..S.R 224,488 219.23 K
C:\WINNT\SYSTEM32\gplsl3~1.dll Mon Dec 13 2004 8:49:38p ..S.R 223,074 217.84 K
C:\WINNT\SYSTEM32\h04mla~1.dll Sat Dec 18 2004 5:31:26p ..S.R 225,877 220.58 K
C:\WINNT\SYSTEM32\ianathlp.dll Mon Dec 13 2004 8:03:04p ..S.R 223,042 217.81 K
C:\WINNT\SYSTEM32\ikagx5.dll Mon Dec 13 2004 5:38:04p ..S.R 224,988 219.71 K
C:\WINNT\SYSTEM32\inmui.dll Tue Dec 14 2004 12:06:00p ..S.R 223,360 218.13 K
C:\WINNT\SYSTEM32\ir42l5~1.dll Mon Dec 13 2004 6:19:04p ..S.R 225,466 220.18 K
C:\WINNT\SYSTEM32\ir6ul5~1.dll Wed Dec 15 2004 8:42:20a ..S.R 225,325 220.04 K
C:\WINNT\SYSTEM32\jtn007~1.dll Tue Dec 14 2004 7:46:42p ..S.R 223,369 218.13 K
C:\WINNT\SYSTEM32\ktl4l7~1.dll Sat Dec 18 2004 12:38:24a ..S.R 224,069 218.82 K
C:\WINNT\SYSTEM32\ktp2l7~1.dll Sat Dec 18 2004 7:28:22a ..S.R 224,737 219.47 K
C:\WINNT\SYSTEM32\kydne.dll Mon Dec 13 2004 8:32:50p ..S.R 223,183 217.95 K
C:\WINNT\SYSTEM32\l62s0g~1.dll Tue Dec 14 2004 9:41:28p ..S.R 223,360 218.13 K
C:\WINNT\SYSTEM32\lcmac13n.dll Thu Dec 16 2004 11:29:56a ..S.R 224,234 218.98 K
C:\WINNT\SYSTEM32\lkafp13n.dll Mon Dec 13 2004 2:27:56p ..S.R 225,178 219.90 K
C:\WINNT\SYSTEM32\myxmlr.dll Wed Dec 15 2004 11:19:12a ..S.R 224,542 219.28 K
C:\WINNT\SYSTEM32\plstwpp.dll Sat Dec 18 2004 4:46:46p ..S.R 224,737 219.47 K
C:\WINNT\SYSTEM32\qwgrprxy.dll Mon Dec 13 2004 1:03:12p ..S.R 223,337 218.10 K
C:\WINNT\SYSTEM32\rvnd.dll Mon Dec 13 2004 3:05:12p ..S.R 223,716 218.47 K
C:\WINNT\SYSTEM32\whnrul~1.dll Mon Dec 13 2004 6:33:08p ..S.R 225,664 220.38 K
________________________________________________

1,155 items found: 1,155 files (23 H/S), 0 directories.
Total of file sizes: 214,426,608 bytes 204.49 M

Administrator Account = True

--------------------End log---------------------

Crunchie
19 Dec 2004, 2:51am
I am going through it now. Will not be long :).

Crunchie
19 Dec 2004, 2:57am
It is important not to reboot until all the following files have been entered.

Stay offline when doing the following fix.

Open killbox and paste in C:\WINDOWS\SYSTEM32\C:\WINNT\SYSTEM32\cammdlg.dll

With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy* which will create a numbered dummy file instantly for you.

Click the Red X, and for the confirmation message that will appear you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files in yet).

Repeat the above for each of these:

C:\WINNT\SYSTEM32\dbvacm.dll
C:\WINNT\SYSTEM32\en8ul1~1.dll
C:\WINNT\SYSTEM32\g2400c~1.dll
C:\WINNT\SYSTEM32\gplsl3~1.dll
C:\WINNT\SYSTEM32\h04mla~1.dll
C:\WINNT\SYSTEM32\ianathlp.dll
C:\WINNT\SYSTEM32\ikagx5.dll
C:\WINNT\SYSTEM32\inmui.dll
C:\WINNT\SYSTEM32\ir42l5~1.dll
C:\WINNT\SYSTEM32\ir6ul5~1.dll
C:\WINNT\SYSTEM32\jtn007~1.dll
C:\WINNT\SYSTEM32\ktl4l7~1.dll
C:\WINNT\SYSTEM32\ktp2l7~1.dll
C:\WINNT\SYSTEM32\kydne.dll
C:\WINNT\SYSTEM32\l62s0g~1.dll
C:\WINNT\SYSTEM32\lcmac13n.dll
C:\WINNT\SYSTEM32\lkafp13n.dll
C:\WINNT\SYSTEM32\myxmlr.dll
C:\WINNT\SYSTEM32\plstwpp.dll
C:\WINNT\SYSTEM32\qwgrprxy.dll
C:\WINNT\SYSTEM32\rvnd.dll
C:\WINNT\SYSTEM32\whnrul~1.dll
C:\Windows\System32\Guard.tmp

On that last file, close all programs and Reboot your computer.

Open the registry editor and go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and export that key to your desktop. Call it notify.reg.
Right click on it and then Edit. Copy and paste the results here.

Post another log from dllcompare please. And another hijackthis log please.

RevTed
19 Dec 2004, 3:33am
Here is the latest group of log files - RevTed:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\l28mlcl11fq.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\h04mlah11d4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\cammdlg.dll Mon Dec 13 2004 9:09:36p ..S.R 226,133 220.83 K
C:\WINNT\SYSTEM32\ir6ul5~1.dll Wed Dec 15 2004 8:42:20a ..S.R 225,325 220.04 K
C:\WINNT\SYSTEM32\qwgrprxy.dll Mon Dec 13 2004 1:03:12p ..S.R 223,337 218.10 K
C:\WINNT\SYSTEM32\rvnd.dll Mon Dec 13 2004 3:05:12p ..S.R 223,716 218.47 K
________________________________________________

1,154 items found: 1,154 files (4 H/S), 0 directories.
Total of file sizes: 210,164,521 bytes 200.43 M

Administrator Account = True

--------------------End log---------------------

Logfile of HijackThis v1.99.0
Scan saved at 7:11:54 PM, on 12/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINNT\system32\khooker.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted IP range: (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11f239b5ee46e54a1f17/netzip/RdxIE601.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WebSeach Toolbar support NT service - Unknown - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)

Crunchie
19 Dec 2004, 3:51am
Just spotted a typo I made in my previous post which is probably the reason there are still files to remove :(.

Go offline now.

Open killbox and paste in C:\WINNT\SYSTEM32\cammdlg.dll

With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy* which will create a numbered dummy file instantly for you.

Click the Red X, and for the confirmation message that will appear you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files in yet).

Repeat the above for each of these:

C:\WINNT\SYSTEM32\ir6ul5~1.dll
C:\WINNT\SYSTEM32\qwgrprxy.dll
C:\WINNT\SYSTEM32\rvnd.dll
C:\Windows\System32\Guard.tmp

Reboot.

Go here (http://computercops.biz/zx/Zupe/Find-It%20Beta.zip) and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.
Post another dllcompare log too please.

RevTed
19 Dec 2004, 4:14am
Thank you for your patience. Here is the latest that you requested - RevTed:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is C432-EAB0

Directory of C:\WINNT\System32

12/16/2004 01:57p <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 30,733,938,688 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is C432-EAB0

Directory of C:\WINNT\System32

12/16/2004 01:57p <DIR> dllcache
12/02/2004 02:49p <DIR> GroupPolicy
12/02/2004 02:44p 21,692 folder.htt
12/02/2004 02:44p 271 desktop.ini
2 File(s) 21,963 bytes
2 Dir(s) 30,733,938,688 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is C432-EAB0

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is C432-EAB0

Directory of C:\WINNT\System32

12/07/1999 05:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 30,733,938,688 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BEDAB044-6242-43AF-8E51-AF2D4BC08938}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\l28mlcl11fq.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\h04mlah11d4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


---------------- Xfind Results -----------------

'Xfind' is not recognized as an internal or external command,
operable program or batch file.

-------------- Locate.com Results ---------------

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,154 items found: 1,154 files, 0 directories.
Total of file sizes: 209,266,234 bytes 199.57 M

Administrator Account = True

--------------------End log---------------------

Crunchie
19 Dec 2004, 4:22am
Looking better :).

Open Killbox and Copy & Paste the path to the Desktop.ini for recycle bin.
ie:

C:\RECYCLER\Desktop.ini

Click Red X to delete it.

Also paste in C:\Windows\System32\Guard.tmp again and click the red X to delete that.

Run VX2Finder and click the *Click to find etc* button. Then hit the *restore policy* button and follow the prompts. Click the *UserAgent$* button and follow the prompts. Exit the program.

Open regedit and go to *HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify* and delete the *Reliability* sub-key and the *SharedDLLs* sub-key.
NOTE. Please back up the *notify* key by exporting it to a safe location. Call it notify.reg.

Please reboot when done and post a HijackThis log, a VX2Finder log and a dllcompare log.
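The two Notify sub-keys singled out above are the ones whose DllName points at a randomly named DLL in system32 instead of a stock Windows notification package. As an added example (not a tool from this thread), this Python script parses an exported notify.reg like the one posted earlier and reports such sub-keys; the baseline of legitimate packages is an assumption taken from the entries left in the clean log, and the sample export is constructed to mirror the one in the thread.

```python
"""Flag Winlogon\\Notify subkeys whose DllName is not a stock Windows package.

Look2Me/VX2 survives reboots by registering a randomly named DLL under
HKLM\\...\\Winlogon\\Notify, which winlogon.exe loads at every logon.  This
parses a regedit export of that key (Version 5.00 hex(2) UTF-16 values as
well as REGEDIT4 byte values) and reports subkeys outside a baseline.
"""
import re

# Assumed baseline: the packages left in this thread's clean Windows 2000 log.
# A real baseline depends on the Windows version and installed vendor software.
BASELINE = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "wzcnotif": "wzcdlg.dll",
}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample modelled on the notify.reg export posted in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
"DllName"="C:\\WINNT\\system32\\l28mlcl11fq.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"DllName"="C:\\WINNT\\system32\\h04mlah11d4.dll"
'''


def decode_value(raw):
    """Decode the right-hand side of a .reg value line into a Python string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")     # .reg doubles backslashes
    m = re.match(r"hex(?:\(\d+\))?:(.*)", raw)
    if not m:
        return raw                                  # dword: etc., left as written
    data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
    # Version 5.00 exports write REG_EXPAND_SZ as UTF-16LE, REGEDIT4 as ANSI.
    if data and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    return text.rstrip("\x00")


def parse_notify_export(text):
    """Return {subkey: {value_name_lower: decoded_value}} for Notify subkeys."""
    subkeys, current, carry = {}, None, ""
    for line in text.splitlines():
        line = carry + line.strip()
        carry = ""
        if line.endswith("\\") and not line.startswith("["):
            carry = line[:-1]                       # value continues on next line
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.lower().startswith(NOTIFY_KEY.lower() + "\\"):
                current = path[len(NOTIFY_KEY) + 1:]
                subkeys[current] = {}
            else:
                current = None                      # some other key: ignore
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            subkeys[current][name.strip('"').lower()] = decode_value(raw)
    return subkeys


def find_suspicious(subkeys):
    """Return (subkey, dll) pairs whose DllName does not match the baseline."""
    hits = []
    for name, values in subkeys.items():
        dll = values.get("dllname")
        if dll is None:
            continue                                # e.g. AtiExtEvent: no values
        basename = dll.rsplit("\\", 1)[-1].lower()
        if BASELINE.get(name.lower()) != basename:
            hits.append((name, dll))
    return hits


if __name__ == "__main__":
    for name, dll in find_suspicious(parse_notify_export(SAMPLE_REG)):
        print("suspicious Notify subkey %-12s -> %s" % (name, dll))
```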

RevTed
19 Dec 2004, 4:50am
System feels better already. Here are the latest files - RevTed:

Logfile of HijackThis v1.99.0
Scan saved at 8:31:07 PM, on 12/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINNT\system32\khooker.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted IP range: (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11f239b5ee46e54a1f17/netzip/RdxIE601.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WebSeach Toolbar support NT service - Unknown - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,154 items found: 1,154 files, 0 directories.
Total of file sizes: 209,266,234 bytes 199.57 M

Administrator Account = True

--------------------End log---------------------

Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
AtiExtEvent
crypt32chain
cryptnet
cscdll
sclgntfy
SensLogn
wzcnotif


Guardian Key--- is called:

Guardian Key--- :

User Agent String---

Crunchie
19 Dec 2004, 5:12am
Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

O15 - Trusted IP range: (HKLM)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11f239b...ip/RdxIE601.cab

O23 - Service: WebSeach Toolbar support NT service - Unknown - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)

When you next reboot, run HijackThis and check for those O1 entries. If gone, you are clear :).

Download, install and keep updated, Spywareblaster from www.javacoolsoftware.com to help keep your system clean.

RevTed
19 Dec 2004, 5:28am
It does seem that I am now all clear.

I will definitely safeguard my computer a little more closely from now on.

Thank you for all your time and assistance. It is greatly appreciated.

Happy Holidays to you and the whole SWAT Team.

marty111
19 Dec 2004, 7:22am
To make sure my PC is clean of spyware I run Ad-Aware, Spybot Search and Destroy and SpySubtract.
To make sure you're free of spyware you need to run them at least once a week.
Also, to remove some types of spyware you have to reboot into Safe Mode (F8).
I also use a program called Hoster (allows you to check the HOSTS file and has an option to change the HOSTS file back to Microsoft's original).

I recommend you use all of the programs listed above to make sure you're completely free of spyware.

Dexter
19 Dec 2004, 5:01pm
At Short-Media, we are aware of Hoster, but don't usually recommend it for several reasons:

- Many users have custom HOSTS defined as a result of using various anti-spyware applications. Hoster would wipe those out by simply restoring a blank HOSTS file. A much better method is to keep a backup copy of your own HOSTS file under a different name in the same directory (C:\WINDOWS\system32\drivers\etc). Then if you have bad HOSTS added by spyware, you can just copy your backup over the top of the HOSTS file.

- Any HOSTS can also be managed quickly and easily using HijackThis: you can view them and remove any bad HOSTS right in the Scan window, and using the advanced tools (under Config -> Misc Tools) you can open a HOSTS file manager and remove entries there as well.

- You can also make your HOSTS file READ ONLY to help prevent spyware from altering it. This is not foolproof, as spyware can change the permission back and then alter it anyway, but it is helpful in some instances.

Dexter...
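Dexter's point is that immuniser entries and hijack entries both look "unfamiliar", so a HOSTS check has to tell them apart: the immunisers point ad domains at 127.0.0.1, while the hijack in this thread pointed search domains at a remote address. As an added example (not a tool from this thread), this Python script classifies HOSTS lines on that basis and diffs the live file against the backup copy Dexter recommends keeping; both HOSTS texts are constructed samples modelled on the O1 entries above.

```python
"""Classify HOSTS entries: blocking (loopback) versus redirecting to a remote host.

Immunisers such as Spybot and SpywareBlaster fill HOSTS with lines mapping ad
domains to 127.0.0.1, so "unknown entry" alone is not a useful signal.  The
hijack in this thread did something different: it mapped search domains to a
remote address (69.20.16.183).  find_redirects() separates the two cases and
added_since_backup() reports what changed relative to a saved copy.
"""
import ipaddress

# Constructed sample of the hijacked file, modelled on the thread's O1 lines.
CURRENT_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.test        # immuniser entry: blocks the domain
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
"""

# Constructed backup kept under another name in drivers\etc, as Dexter suggests.
BACKUP_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       ads.example.test
"""


def parse_hosts(text):
    """Return [(ip, hostname)] from HOSTS text, ignoring comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                    # malformed line, not an address
        for host in fields[1:]:
            entries.append((ip, host.lower()))
    return entries


def find_redirects(text):
    """Hostnames mapped to anything other than a blackhole address."""
    hits = []
    for ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue                    # 127.x / 0.0.0.0 only blocks the name
        hits.append((host, str(ip)))    # traffic is being sent somewhere else
    return hits


def added_since_backup(current, backup):
    """Entries present in the live file but absent from the saved copy."""
    known = set(parse_hosts(backup))
    return [(host, str(ip)) for ip, host in parse_hosts(current)
            if (ip, host) not in known]


if __name__ == "__main__":
    for host, ip in find_redirects(CURRENT_HOSTS):
        print("REDIRECT %-24s -> %s" % (host, ip))
    for host, ip in added_since_backup(CURRENT_HOSTS, BACKUP_HOSTS):
        print("NEW      %-24s -> %s" % (host, ip))
```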