Many problems; winlogon.exe, spyware background [CLOSED] - Geeks to Go Forums


Many problems; winlogon.exe, spyware background [CLOSED] need help!

#1 clearvampire

  • Group: Member
  • Posts: 5
  • Joined: 12-March 06

Posted 12 March 2006 - 09:54 PM

Hello,

I've read about the problem of a system's desktop background having the locked "Spyware infection" blue screen with a black box. My computer is doing the same, but I didn't follow the steps that were given because everyone seemed to be working with Windows XP; I have Windows 2000. I wasn't sure if there was a difference and I would just end up making things worse on my system.

My computer seems to have many problems and I have no clue what to do. Most of the time it boots up, it reboots after a few seconds giving a "winlogon.exe" error. My Internet Explorer no longer works, nor does Firefox. I'm currently using a browser provided by a torrent program. There is also a svchost.exe problem every time I boot up, and some programs in my Task Manager > Processes that don't seem right and reappear every time I try to end the process.

I'm usually very careful when using the internet, but it seems my computer has become so corrupt. If anyone could help me out it would be greatly appreciated.

I ran a HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 7:29:13 PM, on 3/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINDOWSA\System32\smss.exe
C:\WINDOWSA\system32\csrss.exe
C:\WINDOWSA\system32\winlogon.exe
C:\WINDOWSA\system32\services.exe
C:\WINDOWSA\system32\lsass.exe
C:\WINDOWSA\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWSA\system32\spoolsv.exe
C:\WINDOWSA\Sm9yZGFuIEtoYWphdmlwb3Vy\command.exe
C:\WINDOWSA\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWSA\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWSA\system32\MSTask.exe
C:\WINDOWSA\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWSA\System32\WBEM\WinMgmt.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\Explorer.EXE
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWSA\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWSA\system32\rwinosap.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWSA\ICROSO~1.NET\fast.exe
C:\Program Files\Bit Lord 1.1\BitLord.exe
C:\DOCUME~1\ADMINI~1.JOR\LOCALS~1\Temp\Rar$EX00.973\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://deluxe-se.com...re/1/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1.JOR\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F3 - REG:win.ini: run=C:\WINDOWSA\inet20003\winlogon.exe
O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program Files\ICOO Loader\addons\icooue.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWSA\system32\nsa7.dll
O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll
O2 - BHO: (no name) - {52252E6F-C5FE-E25E-A56A-9B1CF2E5EFEF} - C:\WINDOWSA\system32\qne.dll
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWSA\inet20003\3.00.13.dll (file missing)
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWSA\system32\nsg17.dll
O2 - BHO: sxpdr32.MyBHO - {5D0F16E6-47DF-11DA-8802-00024493948B} - C:\WINDOWSA\system32\sxpdr32.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWSA\system32\irsmlcjz.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWSA\system32\nse8.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWSA\system32\nvms.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: C:\WINDOWSA\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWSA\adsldpbj.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWSA\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1.JOR\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWSA\\\etb\\pokapoka79.exe
O4 - HKLM\..\Run: [Phase One Media Reader] C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [-2147483646] C:\WINDOWSA\system32\winuc386.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWSA\inet20003\winlogon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWSA\system32\lppgxk.exe reg_run
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWSA\system32\rwinosap.exe FI002
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ntdll.dll] C:\WINDOWSA\system32\lppgxk.exe reg_run
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000166.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINDOWSA\system32\paytime.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWSA\inet20003\winlogon.exe
O4 - HKCU\..\Run: [Etgq] C:\WINDOWSA\system32\r?ndll.exe
O4 - HKCU\..\Run: [Ooao] "C:\WINDOWSA\ICROSO~1.NET\fast.exe" -vt ndrv
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWSA\system32\irssyncd.exe
O4 - Startup: Zeno.lnk = C:\WINDOWSA\system32\rwinosap.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: xzzh.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL (file missing)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWSA\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWSA\system32\wuauclt.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWSA\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWSA\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07d36b80227835...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126159306710
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126828940042
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll
O18 - Filter: text/plain - {F2BE204A-ACEF-49EF-A722-42CB17D47D2F} - C:\WINDOWSA\System32\hmel.dll
O20 - Winlogon Notify: browsela - C:\WINDOWSA\system32\browsela.dll
O20 - Winlogon Notify: ssldr - C:\WINDOWSA\SYSTEM32\ssldr32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWSA\Sm9yZGFuIEtoYWphdmlwb3Vy\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWSA\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

PLEASE HELP!

#2 RiP

  • Group: Retired Staff
  • Posts: 8,430
  • Joined: 05-December 05

Posted 12 March 2006 - 10:21 PM

I apologize for the delay in getting to your log; the helpers here have been very busy lately. I am currently analyzing your log and will post a fix for you shortly.

#3 clearvampire

  • Group: Member
  • Posts: 5
  • Joined: 12-March 06

Posted 13 March 2006 - 12:00 AM

Thank you so much for doing this! It's greatly appreciated!

#4 RiP

  • Group: Retired Staff
  • Posts: 8,430
  • Joined: 05-December 05

Posted 13 March 2006 - 04:17 PM

Hello, clearvampire.

Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will most likely be a multiple step process due to the amount of infections you currently have. Please make sure you have Administrative rights before carrying out any of the following fixes.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://deluxe-se.com...re/1/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1.JOR\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F3 - REG:win.ini: run=C:\WINDOWSA\inet20003\winlogon.exe
O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program Files\ICOO Loader\addons\icooue.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWSA\system32\nsa7.dll
O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll
O2 - BHO: (no name) - {52252E6F-C5FE-E25E-A56A-9B1CF2E5EFEF} - C:\WINDOWSA\system32\qne.dll
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWSA\inet20003\3.00.13.dll (file missing)
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWSA\system32\nsg17.dll
O2 - BHO: sxpdr32.MyBHO - {5D0F16E6-47DF-11DA-8802-00024493948B} - C:\WINDOWSA\system32\sxpdr32.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWSA\system32\irsmlcjz.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWSA\system32\nse8.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWSA\system32\nvms.dll (file missing)
O2 - BHO: C:\WINDOWSA\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWSA\adsldpbj.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1.JOR\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWSA\\\etb\\pokapoka79.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [-2147483646] C:\WINDOWSA\system32\winuc386.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWSA\system32\lppgxk.exe reg_run
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWSA\system32\rwinosap.exe FI002
O4 - HKLM\..\Run: [ntdll.dll] C:\WINDOWSA\system32\lppgxk.exe reg_run
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000166.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINDOWSA\system32\paytime.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWSA\inet20003\winlogon.exe
O4 - HKCU\..\Run: [Etgq] C:\WINDOWSA\system32\r?ndll.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWSA\system32\irssyncd.exe
O4 - Global Startup: xzzh.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWSA\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWSA\system32\wuauclt.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWSA\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWSA\web\related.htm
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.18...ges/PopupSh.ocx
O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll
O18 - Filter: text/plain - {F2BE204A-ACEF-49EF-A722-42CB17D47D2F} - C:\WINDOWSA\System32\hmel.dll
O20 - Winlogon Notify: browsela - C:\WINDOWSA\system32\browsela.dll
O20 - Winlogon Notify: ssldr - C:\WINDOWSA\SYSTEM32\ssldr32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWSA\Sm9yZGFuIEtoYWphdmlwb3Vy\command.exe


Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWSA\system32\regsvc.exe
c:\secure32.html
C:\WINDOWSA\system32\nsa7.dll
C:\WINDOWSA\system32\qne.dll
C:\WINDOWSA\system32\nsg17.dll
C:\WINDOWSA\system32\sxpdr32.dll
C:\WINDOWSA\system32\irsmlcjz.dll
C:\WINDOWSA\system32\nse8.dll
C:\WINDOWSA\adsldpbj.dll
C:\DOCUME~1\ADMINI~1.JOR\LOCALS~1\Temp\se.dll
C:\WINDOWSA\system32\winuc386.exe
C:\WINDOWSA\system32\lppgxk.exe
C:\WINDOWSA\system32\rwinosap.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000166.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\WINDOWSA\system32\paytime.exe
C:\WINDOWSA\system32\irssyncd.exe
C:\WINDOWSA\system32\wuauclt.dll
C:\WINDOWSA\web\related.htm
C:\WINDOWSA\System32\hmel.dll
C:\WINDOWSA\system32\browsela.dll
C:\WINDOWSA\SYSTEM32\ssldr32.dll

Folders to Delete:
C:\WINDOWSA\Sm9yZGFuIEtoYWphdmlwb3Vy
C:\WINDOWSA\inet20003
C:\Program Files\ICOO Loader
C:\Program Files\PSGuard
C:\WINDOWSA\etb
C:\Program Files\Network


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Please also do the following for me:

I need to get you to move HijackThis.exe to a folder of its own so that nothing gets deleted by mistake.
1. Right click in an empty space on your desktop.
2. From the Menu, click New, then Folder and a folder will appear on your desktop.
3. Name the folder HJT
4. Cut and Paste your current copy of HijackThis.exe into the new Folder that was just created.
5. Now, run the program and post a fresh HJT log for review.
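An added example, not code from the thread, HijackThis or RiP: a small Python triage script that applies the checks RiP made by eye to the log above (system-binary names outside System32, a win.ini run= entry, autostarts in Temp or odd Windows subfolders, look-alike file names, "(file missing)" leftovers, O15 and O20 entries). The sample lines are a constructed subset of the first log in this thread, and every heuristic and threshold is my own assumption.

```python
"""Triage helper for HijackThis 1.99 logs (hypothetical; written for this thread)."""
import re
from dataclasses import dataclass

# Core Windows binary names; a copy running from anywhere but System32 is suspect.
SYSTEM_EXES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
               "csrss.exe", "smss.exe", "spoolsv.exe"}
# Subfolders of the Windows directory that ordinarily hold loadable code.
WINDIR_OK = {"system32", "system", "web", "fonts", "downloaded program files"}
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# A drive path up to the first executable-ish extension; tolerates spaces,
# 8.3 names and the '?' HijackThis prints for a character it cannot show.
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll|ocx|html|htm|bat|scr)\b', re.I)
WINDIR_RE = re.compile(r"^[a-z]:\\windows[^\\]*\\(.*)$", re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


@dataclass
class Finding:
    kind: str      # HijackThis entry type, e.g. "O4"
    line: str      # the original log line
    reasons: list  # why it was flagged


def parse_entries(log_text):
    """Return (kind, body, raw_line) for every R*/F*/O* line; skip everything else."""
    out = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m["kind"], m["body"], raw.strip()))
    return out


def path_reasons(path):
    """Heuristics that look only at where a referenced file lives."""
    path = re.sub(r"\\{2,}", r"\\", path)  # collapse 'C:\WINDOWSA\\\etb\\x.exe'
    parts = path.split("\\")
    name = parts[-1].lower()
    parent = parts[-2].lower() if len(parts) > 1 else ""
    reasons = []
    if name in SYSTEM_EXES and parent != "system32":
        reasons.append(f"{name} is a System32 binary name but runs from '{parts[-2]}'")
    if "?" in name or any(ord(c) > 127 for c in name):
        reasons.append("file name has a character the log could not print (look-alike name)")
    if any(p.lower() in {"temp", "tmp"} for p in parts[:-1]):
        reasons.append("loads from a temporary folder")
    if any(B64_RE.match(p) and any(c.isdigit() for c in p)
           and p != p.lower() and p != p.upper() for p in parts[1:-1]):
        reasons.append("folder name looks base64-encoded")
    m = WINDIR_RE.match(path)
    if m:
        sub = m.group(1).split("\\")
        if len(sub) == 1:
            reasons.append("placed directly in the Windows folder")
        elif sub[0].lower() not in WINDIR_OK:
            reasons.append(f"non-standard Windows subfolder '{sub[0]}'")
    return reasons


def entry_reasons(kind, body):
    """Heuristics that depend on the entry type rather than on a path."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("dangling reference: target is no longer on disk")
    if kind.startswith("F") and "win.ini" in body.lower():
        reasons.append("legacy win.ini run= autostart; current software does not use it")
    if kind.startswith("R") and re.search(r"=\s*[a-z]:\\", body, re.I):
        reasons.append("IE start/search page points at a local file")
    if kind == "O15":
        reasons.append("Trusted Zone entry lowers IE security for that site")
    if kind == "O20":
        reasons.append("Winlogon Notify DLL is loaded into winlogon.exe at every logon")
    return reasons


def triage(log_text):
    """Return one Finding per entry that trips at least one heuristic."""
    findings = []
    for kind, body, raw in parse_entries(log_text):
        reasons = entry_reasons(kind, body)
        for path in PATH_RE.findall(body):
            reasons.extend(path_reasons(path))
        if reasons:
            findings.append(Finding(kind, raw, list(dict.fromkeys(reasons))))
    return findings


# Constructed subset of the first log in the thread (two known-good lines included).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
F3 - REG:win.ini: run=C:\WINDOWSA\inet20003\winlogon.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWSA\system32\nvms.dll (file missing)
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1.JOR\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Etgq] C:\WINDOWSA\system32\r?ndll.exe
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWSA\alt.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: browsela - C:\WINDOWSA\system32\browsela.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWSA\Sm9yZGFuIEtoYWphdmlwb3Vy\command.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4}{f.line[:90]}")
        for r in f.reasons:
            print("      -", r)
```

The heuristics are deliberately coarse: they shortlist entries for a human to check, the way the helper here did, rather than decide anything on their own.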

#5 clearvampire

  • Group: Member
  • Posts: 5
  • Joined: 12-March 06

Posted 13 March 2006 - 06:13 PM

Thank you so much! My desktop is back to normal already and the winlogon.exe error doesn't seem to be appearing when booted. I followed all steps perfectly; here's the fresh HJT log and Avenger log. There is still an explorer.exe error alert on startup.

Logfile of HijackThis v1.99.1
Scan saved at 4:09:10 PM, on 3/13/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINDOWSA\System32\smss.exe
C:\WINDOWSA\system32\winlogon.exe
C:\WINDOWSA\system32\services.exe
C:\WINDOWSA\system32\lsass.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\system32\spoolsv.exe
C:\WINDOWSA\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWSA\system32\regsvc.exe
C:\WINDOWSA\system32\MSTask.exe
C:\WINDOWSA\system32\stisvc.exe
C:\WINDOWSA\System32\WBEM\WinMgmt.exe
C:\WINDOWSA\system32\svchost.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\WINDOWSA\explorer.exe
C:\WINDOWSA\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWSA\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator.JORDAN\Desktop\HJT\HijackThis.exe

O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWSA\system32\nsr81.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWSA\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [Phase One Media Reader] C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINDOWSA\inet20003\winlogon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWSA\system32\waaiqy.exe reg_run
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ugdgpxka] C:\nkjgnefu.bat
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ooao] "C:\WINDOWSA\ICROSO~1.NET\fast.exe" -vt ndrv
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWSA\alt.exe
O4 - Startup: Zeno.lnk = C:\WINDOWSA\system32\rwinosap.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126159306710
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126828940042
O20 - Winlogon Notify: browsela - C:\WINDOWSA\system32\browsela.dll
O20 - Winlogon Notify: msctl32.dll - msctl32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWSA\Sm9yZGFuIEtoYWphdmlwb3Vy\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWSA\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uqbfnstf

*******************

Script file located at: \??\C:\tafxtkyf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\WINDOWSA\Sm9yZGFuIEtoYWphdmlwb3Vy deleted successfully.


Folder C:\WINDOWSA\inet20003 not found!
Deletion of folder C:\WINDOWSA\inet20003 failed!

Could not process line:
C:\WINDOWSA\inet20003
Status: 0xc0000034

Folder C:\Program Files\ICOO Loader deleted successfully.


Folder C:\Program Files\PSGuard not found!
Deletion of folder C:\Program Files\PSGuard failed!

Could not process line:
C:\Program Files\PSGuard
Status: 0xc0000034



Folder C:\WINDOWSA\etb not found!
Deletion of folder C:\WINDOWSA\etb failed!

Could not process line:
C:\WINDOWSA\etb
Status: 0xc0000034



Folder C:\Program Files\Network not found!
Deletion of folder C:\Program Files\Network failed!

Could not process line:
C:\Program Files\Network
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

thanks!
jordan.

#6 RiP

  • Group: Retired Staff
  • Posts: 8,430
  • Joined: 05-December 05

Posted 13 March 2006 - 07:23 PM

Hello, clearvampire.

Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

-------------------------------------------------- Part 1

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Please download the Killbox by Option^Explicit. ( Save it to your desktop. )

Note: In the event you already have Killbox, this is a new version that I need you to download.

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

-------------------------------------------------- Part 2

Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile c:\windelf.txt.

-------------------------------------------------- Part 3

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWSA\system32\nsr81.dll
O4 - HKLM\..\Run: [xp_system] C:\WINDOWSA\inet20003\winlogon.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWSA\system32\waaiqy.exe reg_run
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWSA\alt.exe
O20 - Winlogon Notify: browsela - C:\WINDOWSA\system32\browsela.dll
O20 - Winlogon Notify: msctl32.dll - msctl32.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWSA\Sm9yZGFuIEtoYWphdmlwb3Vy\command.exe (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

-------------------------------------------------- Part 4

Please copy the following text in the box to Notepad. Save it as "All Files" and name it fix12.bat. Please save it on your desktop.

sc stop cmdService
sc delete cmdService
exit


Double click Fix12.bat. A window will open and close. This is normal.

Run ATF Cleaner:
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Using Windows Explorer delete the following folder (if present): (To get into Windows Explorer, right click the START button and select "explore.")

C:\WINDOWSA\inet20003

Run Killbox:
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.

  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWSA\system32\regsvc.exe
    C:\WINDOWSA\system32\nsr81.dll
    C:\WINDOWSA\system32\waaiqy.exe
    C:\WINDOWSA\alt.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.

  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Reboot into Safe Mode.

-------------------------------------------------- Part 5

Open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

Reboot into Normal Mode.

In your next reply please include the following:
  • A new HijackThis log.
  • The c:\windelf.txt log.
  • The WinPFind log.


#7 clearvampire

  • Group: Member
  • Posts: 5
  • Joined: 12-March 06

Posted 13 March 2006 - 11:54 PM

OK, I finished all five parts.

There seems to be an error message every time I boot up in normal load that reads: "The drive or network connection that the shortcut "Zeno.ink" refers to is unavailable....." I was unable to catch the rest before I accidentally hit the 'OK' button.

Here is the fresh HijackThis log. I updated my Firefox now that it's working with plug-ins, so there are probably some new programs that pop up.


Logfile of HijackThis v1.99.1
Scan saved at 9:49:31 PM, on 3/13/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINDOWSA\System32\smss.exe
C:\WINDOWSA\system32\winlogon.exe
C:\WINDOWSA\system32\services.exe
C:\WINDOWSA\system32\lsass.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\system32\spoolsv.exe
C:\WINDOWSA\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWSA\system32\regsvc.exe
C:\WINDOWSA\system32\MSTask.exe
C:\WINDOWSA\system32\stisvc.exe
C:\WINDOWSA\System32\WBEM\WinMgmt.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\Explorer.EXE
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWSA\ICROSO~1.NET\fast.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWSA\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator.JORDAN\Desktop\HJT\HijackThis.exe

O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWSA\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [Phase One Media Reader] C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ooao] "C:\WINDOWSA\ICROSO~1.NET\fast.exe" -vt ndrv
O4 - Startup: Zeno.lnk = C:\WINDOWSA\system32\rwinosap.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126159306710
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126828940042
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWSA\Sm9yZGFuIEtoYWphdmlwb3Vy\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWSA\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe




The windelf Log:


************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
adsldpbg.dll
adsldpbj.dll
adsldpbg.dll
alt.exe

File(s) found in system32 folder
--------------------------------
browsela.dll

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F} REG_SZ OutPost FireWall
{31EE3286-D785-4E3F-95FC-51D00FDABC01} REG_SZ Master Browsera

Notify key
----------
subkey browsela is present!



AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F} REG_SZ OutPost FireWall

Notify key
----------




And the WinPFind log:


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 9/13/2005 10:55:24 PM 6146 C:\q949096.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PECompact2 1/4/2006 7:41:02 PM 2827616 C:\WINDOWSA\SYSTEM32\MRT.exe
aspack 1/4/2006 7:41:02 PM 2827616 C:\WINDOWSA\SYSTEM32\MRT.exe
UPX! 3/4/2006 3:15:22 PM 97280 C:\WINDOWSA\SYSTEM32\nsa7.dll
PEC2 1/26/2006 10:36:02 AM 574976 C:\WINDOWSA\SYSTEM32\nsqB1.tmp
PECompact2 1/26/2006 10:36:02 AM 574976 C:\WINDOWSA\SYSTEM32\nsqB1.tmp
Umonitor 1/12/2005 11:39:46 AM 531216 C:\WINDOWSA\SYSTEM32\RASDLG.DLL
UPX! 10/30/2005 8:49:02 PM 42496 C:\WINDOWSA\SYSTEM32\swreg.exe
winsync 7/24/2002 4:00:00 AM 1309184 C:\WINDOWSA\SYSTEM32\wbdbase.deu
69.59.186.63 1/23/2006 10:42:04 AM 30720 C:\WINDOWSA\SYSTEM32\__delete_on_reboot__wuauclt.dll
209.66.67.134 1/23/2006 10:42:04 AM 30720 C:\WINDOWSA\SYSTEM32\__delete_on_reboot__wuauclt.dll
66.63.167.97 1/23/2006 10:42:04 AM 30720 C:\WINDOWSA\SYSTEM32\__delete_on_reboot__wuauclt.dll
66.63.167.77 1/23/2006 10:42:04 AM 30720 C:\WINDOWSA\SYSTEM32\__delete_on_reboot__wuauclt.dll
web-nex 1/23/2006 10:42:04 AM 30720 C:\WINDOWSA\SYSTEM32\__delete_on_reboot__wuauclt.dll
winsync 1/23/2006 10:42:04 AM 30720 C:\WINDOWSA\SYSTEM32\__delete_on_reboot__wuauclt.dll
rec2_run 1/23/2006 10:42:04 AM 30720 C:\WINDOWSA\SYSTEM32\__delete_on_reboot__wuauclt.dll

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWSA\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
3/13/2006 4:14:28 PM H 54156 C:\WINDOWSA\QTFont.qfn
3/13/2006 9:13:30 PM H 553134 C:\WINDOWSA\ShellIconCache
3/13/2006 9:15:02 PM S 64 C:\WINDOWSA\CSC\00000001
3/13/2006 9:00:56 PM S 64 C:\WINDOWSA\CSC\00000002
3/13/2006 7:59:10 PM S 64 C:\WINDOWSA\CSC\csc1.tmp
3/2/2006 7:54:12 AM RHS 405504 C:\WINDOWSA\system32\r?ndll.exe
3/13/2006 9:13:32 PM H 6 C:\WINDOWSA\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 7/24/2002 4:00:00 AM 67344 C:\WINDOWSA\SYSTEM32\access.cpl
Microsoft Corporation 6/19/2003 11:05:04 AM 301328 C:\WINDOWSA\SYSTEM32\appwiz.cpl
Microsoft Corporation 6/19/2003 11:05:04 AM 237328 C:\WINDOWSA\SYSTEM32\DESK.CPL
Microsoft Corporation 7/24/2002 4:00:00 AM 128272 C:\WINDOWSA\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINDOWSA\SYSTEM32\inetcpl.cpl
Microsoft Corporation 7/24/2002 4:00:00 AM 118032 C:\WINDOWSA\SYSTEM32\intl.cpl
Microsoft Corporation 7/24/2002 4:00:00 AM 36112 C:\WINDOWSA\SYSTEM32\irprops.cpl
Microsoft Corporation 7/24/2002 4:00:00 AM 60688 C:\WINDOWSA\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWSA\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 7/24/2002 4:00:00 AM 122128 C:\WINDOWSA\SYSTEM32\main.cpl
Microsoft Corporation 7/24/2002 4:00:00 AM 303888 C:\WINDOWSA\SYSTEM32\mmsys.cpl
Microsoft Corporation 7/24/2002 4:00:00 AM 17168 C:\WINDOWSA\SYSTEM32\ncpa.cpl
Microsoft Corporation 7/24/2002 4:00:00 AM 41232 C:\WINDOWSA\SYSTEM32\nwc.cpl
Microsoft Corporation 6/19/2003 11:05:04 AM 41232 C:\WINDOWSA\SYSTEM32\odbccp32.cpl
Microsoft Corporation 6/19/2003 11:05:04 AM 90896 C:\WINDOWSA\SYSTEM32\powercfg.cpl
Microsoft Corporation 6/19/2003 11:05:04 AM 83216 C:\WINDOWSA\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/19/2003 11:05:04 AM 125712 C:\WINDOWSA\SYSTEM32\SYSDM.CPL
Microsoft Corporation 7/24/2002 4:00:00 AM 5904 C:\WINDOWSA\SYSTEM32\telephon.cpl
Microsoft Corporation 7/24/2002 4:00:00 AM 61200 C:\WINDOWSA\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWSA\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINDOWSA\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 1/12/2005 11:40:00 AM 64784 C:\WINDOWSA\SYSTEM32\dllcache\msmq.cpl
IBM Corporation 9/23/1999 5:44:36 PM 94208 C:\WINDOWSA\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 7/24/2002 4:00:00 AM 41232 C:\WINDOWSA\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWSA\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/24/2005 9:38:24 AM 1741 C:\Documents and Settings\All Users.WINDOWSA\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
3/11/2006 7:24:46 PM 1764 C:\Documents and Settings\All Users.WINDOWSA\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
2/27/2006 9:25:42 PM 561 C:\Documents and Settings\Administrator.JORDAN\Start Menu\Programs\Startup\Zeno.lnk

Checking files in %USERPROFILE%\Application Data folder...
6/28/2004 1:03:48 PM 0 C:\Documents and Settings\Administrator.JORDAN\Application Data\dm.ini
12/26/2005 12:07:38 AM 1853447 C:\Documents and Settings\Administrator.JORDAN\Application Data\Install.dat
3/6/2004 11:30:24 PM 16 C:\Documents and Settings\Administrator.JORDAN\Application Data\QNVW601P.dll
9/3/2005 11:29:18 AM 39 C:\Documents and Settings\Administrator.JORDAN\Application Data\Sskcwrd.dll
9/3/2005 11:26:50 AM 451277 C:\Documents and Settings\Administrator.JORDAN\Application Data\Sskknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
acc=jocker =
acc=none =
acc= =
(none) =
DeluxeNetwork =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fyynsgks
{90145c04-e1f6-45eb-a6b9-657264b706d5} = C:\WINDOWSA\system32\fmmeq.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\StuffIt Compress Menu
{3FBFD0B0-EB46-4797-9101-615610E87DA6} = C:\Program Files\Aladdin Systems\StuffIt\CompressMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StuffIt Compress Menu
{3FBFD0B0-EB46-4797-9101-615610E87DA6} = C:\Program Files\Aladdin Systems\StuffIt\CompressMenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\CoreShellAgent
{516EC4D3-4AD9-11D5-AA6A-00E0189008B3} = C:\PROGRA~1\CORECO~1\THECOR~1\System\CORESH~1.CLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0561EC90-CE54-4f0c-9C55-E226110A740C}
= C:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINDOWSA\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}
= C:\WINDOWSA\system32\wuauclt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWSA\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1F2E844B-8211-46ff-8262-772F03295CF4}
PopupFilter Class = C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = @msdxmLC.dll,-1@1033,&Radio : C:\WINDOWSA\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINDOWSA\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
ANIWZCSService C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
D-Link Air Utility C:\Program Files\D-Link\Air Utility\AirCFG.exe
Phase One Media Reader C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
Ooao "C:\WINDOWSA\ICROSO~1.NET\fast.exe" -vt ndrv

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallpaper 0
NoComponents 0
NoAddingComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoHTMLWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0
NoActiveDesktop 0
ClassicShell 0
ForceActiveDesktopOn 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINDOWSA\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWSA\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 3/13/2006 9:26:41 PM





Again, thank you so much for everything that you're doing!

#8 RiP

  • Group: Retired Staff
  • Posts: 8,430
  • Joined: 05-December 05

Posted 14 March 2006 - 06:36 PM

Link: http://www.geekstogo.com/forum/index.php?a...T&f=37&t=101986

Hello, clearvampire.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please download ATF Cleaner by Atribune. ( Only if you deleted it since we last used it. )
This program is for XP and Windows 2000 only

Please download the Killbox by Option^Explicit. ( Save it to your desktop. ) ( Only if you deleted it since we last used it. )

Note: In the event you already have Killbox, this is a new version that I need you to download.

Please copy the following text in the box to Notepad. Save it as "All Files" and name it fixservice.bat. Please save it on your desktop.

Quote

sc stop cmdService
sc delete cmdService
exit


Double click Fixservice.bat. A window will open and close. This is normal.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - Startup: Zeno.lnk = C:\WINDOWSA\system32\rwinosap.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Run ATF Cleaner:
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please delete the following file for me:
3/2/2006 7:54:12 AM RHS 405504 C:\WINDOWSA\system32\r?ndll.exe ( Please note: the file I'm asking you to delete will look like the real Windows file rundll.exe; the only reason it appears as a question mark here is because it uses a character that looks exactly like the letter "u" that HijackThis doesn't recognize. So when you find the file rundll.exe, right-click it and select Properties, and make sure it says it was created on 3/2/2006 at 7:54:12 AM before you delete it, please. It is also possible it will have no icon. )

Run Killbox.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.

  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWSA\SYSTEM32\nsa7.dll
    C:\WINDOWSA\SYSTEM32\__delete_on_reboot__wuauclt.dll
    C:\Documents and Settings\Administrator.JORDAN\Application Data\QNVW601P.dll
    C:\Documents and Settings\Administrator.JORDAN\Application Data\Sskcwrd.dll
    C:\Documents and Settings\Administrator.JORDAN\Application Data\Sskknwrd.dll
    C:\WINDOWSA\system32\fmmeq.dll
    C:\WINDOWSA\system32\wuauclt.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.

  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Reboot into Normal Mode.

Open notepad and copy (Ctrl C) and paste (Ctrl V) the following text in the quote:

Quote

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fyynsgks]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]


Save it to your desktop as fix13.reg and as Type "All files"
Double click on fix.reg and allow when prompted to let it merge with the registry.

Please do an online scan with Kaspersky WebScanner ( Please note: You MUST use Internet Explorer for this scan to work. )

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer

  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:

  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next post please include the following:
  • A new HijackThis log.
  • An update on how your computer is running.
  • The Kaspersky Webscanner log.

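The entries RiP singles out in this thread share a few traits a script can flag on its own: a path that HijackThis prints with a "?" because it holds a look-alike character, a file name dressed up as a Windows binary, a program launched from a user's Application Data folder, and a service whose file is already gone. The following checker is an added example, not code from this thread, from HijackThis or from Geeks to Go; its sample log is constructed from O4/O23 lines posted in this thread plus one made-up [Constructed] line, and the CONFUSABLES table and SYSTEM_NAMES list are assumptions chosen for the demonstration.

```python
"""Flag suspicious autorun and service entries in a HijackThis 1.99 log.

Added example, not code from this thread, from HijackThis or from Geeks to Go.
SAMPLE_LOG is constructed from O4/O23 lines posted in this thread, plus one
made-up [Constructed] line carrying a real Cyrillic look-alike letter instead
of the '?' that HijackThis prints for characters it cannot display.
"""
import re

SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKCU\\..\\Run: [Zuwj] C:\\Documents and Settings\\Administrator.JORDAN\\Application Data\\?ymbols\\?xplorer.exe
O4 - HKCU\\..\\Run: [Constructed] C:\\WINDOWSA\\system32\\svch\u043est.exe
O4 - Startup: Zeno.lnk = C:\\WINDOWSA\\system32\\rwinosap.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\\WINDOWSA\\Sm9yZGFuIEtoYWphdmlwb3Vy\\command.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# Cyrillic letters that render like Latin ones; a small table, not exhaustive.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
}
# Windows binaries that the disguised files in this thread are named after.
SYSTEM_NAMES = ("rundll32.exe", "rundll.exe", "explorer.exe", "svchost.exe",
                "winlogon.exe", "lsass.exe", "services.exe", "wuauclt.exe")
USER_DATA = re.compile(r"\\(Application Data|Local Settings|Temp)\\", re.I)

RE_O4_RUN = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RE_O4_LNK = re.compile(r"^O4 - (?P<where>.+?): (?P<name>.+?) = (?P<cmd>.+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")


def parse(text):
    """Yield (kind, name, command) for each O4 and O23 line of a log."""
    for line in text.splitlines():
        line = line.strip()
        m = RE_O4_RUN.match(line) or RE_O4_LNK.match(line)
        if m:
            yield "O4", m.group("name"), m.group("cmd")
            continue
        m = RE_O23.match(line)
        if m:
            yield "O23", m.group("name"), m.group("cmd")


def exe_path(cmd):
    """Pull the program path out of a command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|ocx|scr|lnk))(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def imitates(base):
    """Return the system file name that `base` is dressed up as, or None.

    Look-alike letters are mapped to ASCII and '?' (the stand-in HijackThis
    prints for an undisplayable character) is treated as a wildcard.
    """
    canon = "".join(CONFUSABLES.get(c, c) for c in base.lower())
    pattern = re.escape(canon).replace(r"\?", ".")
    for known in SYSTEM_NAMES:
        if base.lower() != known and re.fullmatch(pattern, known):
            return known
    return None


def check(kind, cmd):
    """Return the reasons an entry deserves a second look (empty if none)."""
    path = exe_path(cmd)
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("path contains a non-ASCII or undisplayable character")
    known = imitates(base)
    if known:
        reasons.append(f"file name imitates {known}")
    if USER_DATA.search(path):
        reasons.append("program runs from a user profile data folder")
    if kind == "O23" and "(file missing)" in cmd:
        reasons.append("service points at a file that no longer exists")
    return reasons


def analyze(text):
    """Return {entry name: [reasons]} for every flagged entry in the log."""
    flagged = {}
    for kind, name, cmd in parse(text):
        reasons = check(kind, cmd)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in analyze(SAMPLE_LOG).items():
        print(f"[{name}]")
        for reason in reasons:
            print("   -", reason)
```

Checks like these only narrow the list: rwinosap.exe behind Zeno.lnk passes all of them and was caught in this thread only because a person read the log.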

#9 clearvampire

  • Group: Member
  • Posts: 5
  • Joined: 12-March 06

Posted 16 March 2006 - 05:52 PM

Thanks again! Sorry for the delayed response, school has got me overworked. I followed all of the steps with the exception of:

I wasn't able to find the r?ndll.exe file in my system32 at all. I had the view folder options on "Show hidden files and folders" and I had "Hide protected operating systems files" and "Hide file extensions for known file type" UNchecked when I searched.


Also, the Kaspersky Online Scanner isn't working for me. When I open my Internet Explorer and go to the page, I click on the "Kaspersky Online Scanner" button with the magnifying glass image and nothing happens. I've tried many times to get it to work.

Is there something I'm doing wrong?



Here's my up-to-date HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 3:46:55 PM, on 3/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINDOWSA\System32\smss.exe
C:\WINDOWSA\system32\winlogon.exe
C:\WINDOWSA\system32\services.exe
C:\WINDOWSA\system32\lsass.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\system32\spoolsv.exe
C:\WINDOWSA\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWSA\system32\regsvc.exe
C:\WINDOWSA\system32\MSTask.exe
C:\WINDOWSA\system32\stisvc.exe
C:\WINDOWSA\System32\WBEM\WinMgmt.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\Explorer.EXE
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWSA\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator.JORDAN\Desktop\HJT\HijackThis.exe

O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWSA\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [Phase One Media Reader] C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ooao] "C:\WINDOWSA\ICROSO~1.NET\fast.exe" -vt ndrv
O4 - HKCU\..\Run: [Zuwj] C:\Documents and Settings\Administrator.JORDAN\Application Data\?ymbols\?xplorer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126159306710
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126828940042
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWSA\Sm9yZGFuIEtoYWphdmlwb3Vy\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWSA\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#10 RiP

  • Group: Retired Staff
  • Posts: 8,430
  • Joined: 05-December 05

Posted 16 March 2006 - 07:49 PM

Hello, clearvampire.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

It's fine that you didn't find the r?ndlle.exe file, it might have already been deleted. Some people have trouble with Kaspersky webscanner because of Active X settings, but whatever the case we'll just try something else.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [Zuwj] C:\Documents and Settings\Administrator.JORDAN\Application Data\?ymbols\?xplorer.exe

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

Boot into Safe Mode:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.

Using Windows Explorer delete the following folder (if present): (To get into Windows Explorer, right click the START button and select "explore.")

C:\Documents and Settings\Administrator.JORDAN\Application Data\?ymbols

Open Notepad and copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote:

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
"cmdService"=-


Save it to your desktop as fix13.reg, with Type set to "All files".
Double-click on fix.reg and allow it to merge with the registry when prompted.

Reboot into Normal Mode.

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

In your next post please include the following:

A new HijackThis log.
The MWav infected items list.
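
As an added triage helper (not code from this thread, from RiP, or from HijackThis), the following Python flags the two kinds of entry singled out above: the O4 Run value whose path HijackThis prints with "?" placeholders (?ymbols\?xplorer.exe) and the orphaned cmdService entry whose binary sits in a base64-named folder and is marked "(file missing)". The sample lines are constructed from this thread's log, and the "?" and base64 heuristics are my own assumptions rather than HijackThis rules.

```python
import base64, binascii, re

# Constructed sample, modelled on the O4/O23 lines of the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Zuwj] C:\Documents and Settings\Administrator.JORDAN\Application Data\?ymbols\?xplorer.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWSA\Sm9yZGFuIEtoYWphdmlwb3Vy\command.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

def executable_path(cmd):
    """Strip arguments from a Run value: a quoted path, else the text before the first ' /' or ' -' switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return re.split(r" [/-]", cmd, maxsplit=1)[0]

def looks_base64_text(component):
    """Heuristic (assumption): a directory name that is valid base64 of at least 9 printable ASCII bytes."""
    try:
        raw = base64.b64decode(component, validate=True) if len(component) >= 12 else b""
    except (binascii.Error, ValueError):
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)

def triage_line(line):
    """Return (label, reasons) for an O4/O23 line; other lines give ("", [])."""
    reasons = []
    if m := O4_RE.match(line):
        label, path = f"O4 [{m['name']}]", executable_path(m["cmd"])
    elif m := O23_RE.match(line):
        label, path = f"O23 {m['desc']}", m["path"]
        if path.endswith("(file missing)"):
            path = path[: -len("(file missing)")].strip()
            reasons.append("service binary missing on disk: orphaned service entry")
    else:
        return "", []
    if "?" in path:  # HijackThis prints '?' for characters it cannot render, e.g. lookalike folder names
        reasons.append("unrenderable character in path: lookalike file or folder name")
    reasons += [f"base64-looking directory name: {c}" for c in path.split("\\") if looks_base64_text(c)]
    return label, reasons

def suspicious_entries(log):
    """Map each flagged entry label to its reasons; entries with no reasons are omitted."""
    pairs = (triage_line(ln.strip()) for ln in log.splitlines())
    return {label: why for label, why in pairs if why}
```

Running suspicious_entries(SAMPLE_LOG) returns only the Zuwj and cmdService entries with their reasons; the iTunes and iPod lines produce no reasons and are dropped.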

#11 therock247uk

  • Group: Expert
  • Posts: 14,670
  • Joined: 05-February 05

Posted 30 March 2006 - 08:21 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
