[Dragon]

could you please post a fresh findit NT-2000-XP log

[Advertisements]

also could you download Escan from http://www.mwti.net/antivirus/mwav.asp then make sure to choose all files and directories, it will take a long time to run. It will, not fix anything but will create a log of all bad files found in the lower of the 2 boxes. hilight the contents of the lower box and then copy and then paste it to the thread.

[Dragon]

also could you download Escan from http://www.mwti.net/antivirus/mwav.asp then make sure to choose all files and directories, it will take a long time to run. It will, not fix anything but will create a log of all bad files found in the lower of the 2 boxes. hilight the contents of the lower box and then copy and then paste it to the thread.

[Portnoy]

OK I will do that .
I ran a registry search and found this:

HKEY_CURRENT_USER\Software\Microsoft\SearchAssistant\ACMRU\5603
and guess what was there?
Yup:nfbqpuco5.exe

I am currently running the mwav virus program. As soon as it is fixed i will post that too.

here is the log for FindIt!

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\temp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 2853-88F8

Directory of C:\WINDOWS\System32

02/26/2005 08:27 AM 229,256 enp6l17s1.dll
02/26/2005 08:16 AM 229,256 odcache.dll
02/26/2005 08:16 AM 229,906 n0n60a5sed.dll
02/25/2005 06:12 PM 229,715 lvn4095qe.dll
02/25/2005 05:18 PM 231,243 kt8ul7l91.dll
02/25/2005 04:13 PM 229,256 oaesvr.dll
02/25/2005 04:13 PM 230,971 irjsl5171.dll
02/25/2005 04:13 PM <DIR> dllcache
02/25/2005 02:20 PM 229,256 wispdmod.dll
02/25/2005 02:20 PM 229,655 lvro0993e.dll
02/25/2005 12:51 PM 229,256 nfrsptb.dll
02/25/2005 12:51 PM 230,393 ktlml7311.dll
02/25/2005 08:31 AM 230,749 gpr4l39q1.dll
02/25/2005 07:44 AM 229,256 n66q0gj5e6o.dll
02/24/2005 09:02 PM 228,714 e4200efmeh2a0.dll
02/24/2005 07:00 PM 229,750 i060lajm1doa.dll
02/24/2005 06:23 PM 232,078 bfowselc.dll
02/24/2005 06:21 PM 228,502 k2pm0c71ef.dll
02/24/2005 04:16 PM 229,021 m246lchs1f46.dll
02/24/2005 04:02 PM 232,078 drband.dll
02/24/2005 04:02 PM 228,405 h0j40a1qed.dll
02/24/2005 08:19 AM 228,600 k0080adued080.dll
02/24/2005 07:50 AM 231,473 hr6605jse.dll
02/23/2005 08:38 PM 231,003 iz41_qcx.dll
02/23/2005 08:38 PM 228,925 enn4l15q1.dll
02/23/2005 04:18 PM 231,003 dpcprop2.dll
02/23/2005 02:21 PM 229,148 cqfview.dll
02/23/2005 02:12 PM 231,003 mhscp.dll
02/23/2005 01:01 PM 229,148 lvcalsec.dll
02/23/2005 12:39 PM 231,003 SLP32.DLL
02/23/2005 12:09 PM 231,191 crrsrv.dll
02/23/2005 11:59 AM 231,003 mpvcp60.dll
02/23/2005 10:30 AM 231,003 uupnpmgr.dll
02/23/2005 10:30 AM 232,248 ir42l5ho1.dll
02/23/2005 10:10 AM 230,836 sclwid.dll
02/22/2005 03:13 PM 230,836 ctrpol.dll
02/22/2005 02:46 PM 230,836 sarmdll.dll
02/22/2005 02:46 PM 231,379 fp4q03h5e.dll
02/19/2005 01:29 PM 229,434 cNpesnpn.dll
02/19/2005 01:27 PM 229,434 lvr2099oe.dll
02/19/2005 01:21 PM 229,434 vua.dll
02/19/2005 01:21 PM 231,065 enl6l13s1.dll
02/19/2005 01:17 PM 229,434 dvofile.dll
02/19/2005 01:17 PM 229,568 g4lm0e31eh.dll
02/18/2005 05:03 PM 228,975 dnlayx.dll
02/18/2005 04:46 PM 229,434 mdrapi.dll
02/18/2005 04:26 PM 228,975 ikwdial.dll
02/16/2005 12:00 PM 229,088 lv0s09d7e.dll
02/16/2005 11:49 AM 229,088 mbgsvc.dll
02/16/2005 11:29 AM 229,088 iornonce.dll
02/16/2005 11:05 AM 229,088 lkasrv.dll
02/15/2005 09:52 AM 229,088 ixakeng.dll
02/15/2005 09:35 AM 228,975 mfrclr40.dll
01/25/2005 09:29 AM <DIR> Microsoft
08/18/2001 04:00 AM 84,112 wsmct.exe
53 File(s) 12,041,634 bytes
2 Dir(s) 14,922,801,152 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 2853-88F8

Directory of C:\WINDOWS\System32

02/25/2005 04:13 PM <DIR> dllcache
05/14/2002 05:18 PM 488 WindowsLogon.manifest
05/14/2002 05:18 PM 488 logonui.exe.manifest
05/14/2002 05:18 PM 749 cdplayer.exe.manifest
05/14/2002 05:18 PM 749 wuaucpl.cpl.manifest
05/14/2002 05:18 PM 749 sapi.cpl.manifest
05/14/2002 05:18 PM 749 nwc.cpl.manifest
05/14/2002 05:18 PM 749 ncpa.cpl.manifest
08/18/2001 04:00 AM 84,112 wsmct.exe
8 File(s) 88,833 bytes
1 Dir(s) 14,922,784,768 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 2853-88F8

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 2853-88F8

Directory of C:\WINDOWS\System32

08/18/2001 04:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 14,922,784,768 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{47064461-9804-4E7F-8A40-D554621FCF9A}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe /install"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




[Portnoy]

OK mWAV log is an attachment.
It is 4.5 Mb long....wow!

[Dragon]

use ctrl-c to copy it all and then go ahead an paste it in this thread, that is too large to do an attachment with

[Portnoy]

Nope it crashes the browser.
too big I guess.
PM me and i will send it via email or ICQ me at 2290152

[Siggyx]

Did you copy the lower box or the top box. The lower box is what you wanted. It can be huge sometimes and you may need to post it in 2 or 3 parts.

Sorry for jumping in Efwis

[Dragon]

no problem Siggyx, see ya in chat
he is emailing it to me, so I will post it

[Portnoy]

Go figure. The PC was running all day wothout a freeze and just after sending the mwav.log it froze. Bummer!

[Dragon]

the question is did it get sent?
if not do what Siggyx suggested

[Portnoy]

My bad!
Here is a zipped copy...boy those log files sure shrink in a zip!

Attached Files

•  MWAV.zip   255.94KB   156 downloads

[Dragon]

I hate to say this but it looks as though your machine is not protected very well against viruses, trojans and other malware.

You have a Large Amount of Trojans and Viruses on Your Computer.

Download a Free Trial of Trojan Hunter at http://www.misec.net...rojanHunter.exe first. Next, take a free Online Virus scan at http://www.housecall.trendmicro.com or http://www3.ca.com/v...virusscan.aspx. After this, Reboot and Post a fresh HijackThis log.

[Portnoy]

Ok It found two trojans.
The virus scanner cleaned them up.

Here is the HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 5:35:57 PM, on 2/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: (no name) - {17B66827-9B64-BCDF-4DB2-A4AFDEBA0CDB} - (no file)
O2 - BHO: (no name) - {3CCFF652-33C6-EC88-BC36-50435974539C} - (no file)
O2 - BHO: (no name) - {A4320AC3-C590-D886-ACA9-BD8564A3A813} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[Dragon]

now using Hijack this try to remove those BHO's

O2 - BHO: (no name) - {17B66827-9B64-BCDF-4DB2-A4AFDEBA0CDB} - (no file)
O2 - BHO: (no name) - {3CCFF652-33C6-EC88-BC36-50435974539C} - (no file)
O2 - BHO: (no name) - {A4320AC3-C590-D886-ACA9-BD8564A3A813} - (no file)

Edited by Efwis, 26 February 2005 - 07:42 PM.

[Portnoy]

Yeah it doesn't work.
I tried in Safe mode and in regular mode BUT
I located them in the registry!
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

All three are sitting pretty right there.

Can I kill 'em? Please?