isrvs/ trojan horse dropper virus
#16
Posted 18 March 2005 - 11:20 AM
Thanks for your continued help JR
#17
Posted 18 March 2005 - 01:59 PM
I've just noticed the number 1 hosts are back
Logfile of HijackThis v1.99.1
Scan saved at 19:57:59, on 03/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B371B58-BF4D-4130-9CA8-ED722DAA0130}: NameServer = 194.72.9.39 194.74.65.87
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\en0sl1d71.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
#18
Posted 19 March 2005 - 01:25 PM
- Download finditnt2000xp.zip.
- Unzip the contents of finditnt2000xp.zip to a convenient location.
- Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
- A command prompt will open and it will search your computer for malicious files.
- Once it has finished a Notepad window will pop up with output.txt.
- Copy the entire contents of output.txt into your next post.
#19
Posted 20 March 2005 - 12:55 PM
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Tools
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE
Directory of C:\WINDOWS\System32
03/20/2005 18:21 235,488 guard.tmp
03/20/2005 18:16 234,802 hrlu0539e.dll
03/18/2005 17:15 234,802 pSnmap.dll
03/18/2005 17:15 235,488 q6860glse6q60.dll
03/18/2005 17:07 235,753 dnnu0159e.dll
03/18/2005 16:18 233,101 rzoc3260.dll
03/18/2005 16:18 234,304 gp02l3do1.dll
03/18/2005 14:51 234,162 en60l1jm1.dll
03/16/2005 21:49 233,101 kndaze.dll
03/15/2005 20:25 233,164 pFnmap.dll
03/15/2005 20:13 233,248 cgbcatex.dll
03/15/2005 20:11 234,495 rHsadhlp.dll
03/15/2005 19:50 234,495 wistream.dll
03/15/2005 19:09 233,248 iBssam.dll
03/14/2005 21:27 233,668 dwgest.dll
03/14/2005 21:27 235,493 ir28l5fu1.dll
03/14/2005 18:51 233,611 lv6m09j1e.dll
03/14/2005 18:50 233,611 MIPI.DLL
03/14/2005 18:50 233,668 jtn0075me.dll
03/14/2005 14:45 233,598 Lcpng12n.dll
03/13/2005 20:58 233,253 o8840ilqe8qe0.dll
03/13/2005 20:54 232,765 kldpl1.dll
03/13/2005 18:02 232,765 srfolder.dll
03/12/2005 20:26 235,606 i260lcjm1foa.dll
03/12/2005 16:35 235,606 ugrcoina.dll
03/12/2005 16:33 235,484 mng4dmod.dll
03/12/2005 16:26 234,621 mixex.dll
03/12/2005 14:51 233,011 lmfpx7.dll
03/12/2005 13:47 233,011 rkcns4.dll
03/12/2005 13:47 234,429 h8j4li1q18.dll
03/12/2005 13:33 233,011 sudpapi.dll
03/12/2005 11:39 234,931 aui2cqag.dll
03/11/2005 21:40 234,931 rDschap.dll
03/10/2005 19:53 232,918 cogmgr32.dll
03/10/2005 19:46 235,107 cdgmgr32.dll
03/10/2005 19:42 235,107 mqvfw32.dll
03/10/2005 17:41 234,437 sqmpsnap.dll
03/10/2005 11:33 232,736 kodbene.dll
03/09/2005 19:06 232,736 Ldkrn10n.dll
03/08/2005 20:42 <DIR> dllcache
06/03/2003 21:57 <DIR> Microsoft
39 File(s) 9,129,765 bytes
2 Dir(s) 3,103,731,712 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE
Directory of C:\WINDOWS\System32
03/12/2005 01:55 <DIR> vmss
03/12/2005 01:55 <DIR> wsxsvc
03/08/2005 20:42 <DIR> dllcache
06/03/2003 21:22 488 logonui.exe.manifest
06/03/2003 21:22 488 WindowsLogon.manifest
06/03/2003 21:22 749 sapi.cpl.manifest
06/03/2003 21:22 749 nwc.cpl.manifest
06/03/2003 21:22 749 cdplayer.exe.manifest
06/03/2003 21:22 749 wuaucpl.cpl.manifest
06/03/2003 21:22 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
3 Dir(s) 3,103,727,616 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE
Directory of C:\WINDOWS\System32
03/20/2005 18:21 235,488 guard.tmp
1 File(s) 235,488 bytes
0 Dir(s) 3,103,727,616 bytes free
------ Temp Files in System32 Directory ------
Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE
Directory of C:\WINDOWS\System32
03/20/2005 18:21 235,488 guard.tmp
09/22/2004 18:46 86,016 SET1014.tmp
08/29/2002 12:00 2,577 CONFIG.TMP
3 File(s) 324,081 bytes
0 Dir(s) 3,103,727,616 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AD26821D-7E32-D26A-56C7-41F320848D99}"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q6860glse6q60.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
------------- Locate.com Results -------------
C:\WINDOWS\SYSTEM32\
aui2cqag.dll Sat 12 Mar 2005 11:39:04 ..S.R 234,931 229.42 K
cdgmgr32.dll Thu 10 Mar 2005 19:46:26 ..S.R 235,107 229.59 K
cgbcatex.dll Tue 15 Mar 2005 20:13:42 ..S.R 233,248 227.78 K
cogmgr32.dll Thu 10 Mar 2005 19:53:44 ..S.R 232,918 227.46 K
dnnu01~1.dll Fri 18 Mar 2005 17:07:52 ..S.R 235,753 230.23 K
dwgest.dll Mon 14 Mar 2005 21:27:08 ..S.R 233,668 228.19 K
en60l1~1.dll Fri 18 Mar 2005 14:51:58 ..S.R 234,162 228.67 K
gp02l3~1.dll Fri 18 Mar 2005 16:18:12 ..S.R 234,304 228.81 K
guard.tmp Sun 20 Mar 2005 18:21:06 A.S.R 235,488 229.97 K
h8j4li~1.dll Sat 12 Mar 2005 13:47:38 ..S.R 234,429 228.93 K
hrlu05~1.dll Sun 20 Mar 2005 18:16:50 ..S.R 234,802 229.30 K
i260lc~1.dll Sat 12 Mar 2005 20:26:50 ..S.R 235,606 230.08 K
ibssam.dll Tue 15 Mar 2005 19:09:04 ..S.R 233,248 227.78 K
ir28l5~1.dll Mon 14 Mar 2005 21:27:08 ..S.R 235,493 229.97 K
jtn007~1.dll Mon 14 Mar 2005 18:50:48 ..S.R 233,668 228.19 K
kldpl1.dll Sun 13 Mar 2005 20:54:12 ..S.R 232,765 227.31 K
kndaze.dll Wed 16 Mar 2005 21:49:48 ..S.R 233,101 227.64 K
kodbene.dll Thu 10 Mar 2005 11:33:54 ..S.R 232,736 227.28 K
lcpng12n.dll Mon 14 Mar 2005 14:45:16 ..S.R 233,598 228.12 K
ldkrn10n.dll Wed 9 Mar 2005 19:06:04 ..S.R 232,736 227.28 K
lmfpx7.dll Sat 12 Mar 2005 14:51:40 ..S.R 233,011 227.55 K
lv6m09~1.dll Mon 14 Mar 2005 18:51:48 ..S.R 233,611 228.13 K
mipi.dll Mon 14 Mar 2005 18:50:48 ..S.R 233,611 228.13 K
mixex.dll Sat 12 Mar 2005 16:26:28 ..S.R 234,621 229.12 K
mng4dmod.dll Sat 12 Mar 2005 16:33:10 ..S.R 235,484 229.96 K
mqvfw32.dll Thu 10 Mar 2005 19:43:00 ..S.R 235,107 229.59 K
o8840i~1.dll Sun 13 Mar 2005 20:58:06 ..S.R 233,253 227.79 K
pfnmap.dll Tue 15 Mar 2005 20:25:34 ..S.R 233,164 227.70 K
psnmap.dll Fri 18 Mar 2005 17:15:48 ..S.R 234,802 229.30 K
q6860g~1.dll Fri 18 Mar 2005 17:15:48 ..S.R 235,488 229.97 K
rdschap.dll Fri 11 Mar 2005 21:40:50 ..S.R 234,931 229.42 K
rhsadhlp.dll Tue 15 Mar 2005 20:11:12 ..S.R 234,495 228.99 K
rkcns4.dll Sat 12 Mar 2005 13:47:38 ..S.R 233,011 227.55 K
rzoc3260.dll Fri 18 Mar 2005 16:18:12 ..S.R 233,101 227.64 K
sqmpsnap.dll Thu 10 Mar 2005 17:41:26 ..S.R 234,437 228.94 K
srfolder.dll Sun 13 Mar 2005 18:02:46 ..S.R 232,765 227.31 K
sudpapi.dll Sat 12 Mar 2005 13:33:20 ..S.R 233,011 227.55 K
ugrcoina.dll Sat 12 Mar 2005 16:35:50 ..S.R 235,606 230.08 K
wistream.dll Tue 15 Mar 2005 19:51:00 ..S.R 234,495 228.99 K
39 items found: 39 files, 0 directories.
Total of file sizes: 9,129,765 bytes 8.70 M
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\ntdll.dll: .aspack
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
#20
Posted 20 March 2005 - 01:21 PM
- Download the Pocket Killbox.
- Unzip the contents of KillBox.zip to a convenient location.
- Double-click on KillBox.exe.
- Click "Replace on Reboot" and check the "Use Dummy" box.
- Paste this file into the top "Full Path of File to Delete" box.
- C:\WINDOWS\System32\hrlu0539e.dll
- Click the "Delete File" button which looks like a stop sign.
- Click "Yes" at the Replace on Reboot prompt.
- Click "No" at the Pending Operations prompt.
- Repeat steps 4-8 above for these files:
pSnmap.dll
q6860glse6q60.dll
dnnu0159e.dll
rzoc3260.dll
gp02l3do1.dll
en60l1jm1.dll
kndaze.dll
pFnmap.dll
cgbcatex.dll
rHsadhlp.dll
wistream.dll
iBssam.dll
dwgest.dll
ir28l5fu1.dll
lv6m09j1e.dll
MIPI.DLL
jtn0075me.dll
Lcpng12n.dll
o8840ilqe8qe0.dll
kldpl1.dll
srfolder.dll
i260lcjm1foa.dll
ugrcoina.dll
mng4dmod.dll
mixex.dll
lmfpx7.dll
rkcns4.dll
h8j4li1q18.dll
sudpapi.dll
aui2cqag.dll
rDschap.dll
cogmgr32.dll
cdgmgr32.dll
mqvfw32.dll
sqmpsnap.dll
kodbene.dll
Ldkrn10n.dll
>>>Remember you have to put c:\windows\system32\ before each file in order for the killbox to delete it.<<<
- Click "Replace on Reboot" and check the "Use Dummy" box.
- Paste this file into the top "Full Path of File to Delete" box.
- C:\WINDOWS\System32\Guard.tmp
- Click the "Delete File" button which looks like a stop sign.
- Click "Yes" at the Replace on Reboot prompt.
- Click "Yes" at the Pending Operations prompt to restart your computer.
- You may get this message>>>"Pending File Rename Operations Registry Data has been Removed by External Process!" This is okay, you will just have to manually restart your pc.
- Double-click on find.bat and post the new output.txt.
-=jonnyrotten=-
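The find.bat output in post #19 and the KillBox list in post #20 follow one pattern: dozens of random-named DLLs in System32, all within a few KB of each other in size, with the Winlogon Notify key pointing at one of them. The script below is an added example (not a tool from this thread or from the Find It / KillBox authors) that parses an output.txt in that layout, groups the System32 files by size band, reports which Notify DLL belongs to that group, and prefixes the group with c:\windows\system32\ as the KillBox step requires. The sample log is a constructed excerpt of the posted output; the 4096-byte band and minimum group size of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt (not the full log) in the layout of find.bat's output.txt.
SAMPLE_OUTPUT = r"""Find.bat is running from: C:\Tools
------- System Files in System32 Directory -------
03/20/2005 18:21 235,488 guard.tmp
03/20/2005 18:16 234,802 hrlu0539e.dll
03/18/2005 17:15 234,802 pSnmap.dll
03/18/2005 17:15 235,488 q6860glse6q60.dll
03/08/2005 20:42 <DIR> dllcache
------- Hidden Files in System32 Directory -------
06/03/2003 21:22 488 logonui.exe.manifest
------------- Keys Under Notify -------------
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"DllName"="C:\\WINDOWS\\system32\\q6860glse6q60.dll"
"""

SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")
FILE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+([\d,]+)\s+(\S+)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DLLNAME_RE = re.compile(r'^"DllName"="(.+)"$')

def parse_find_output(text):
    """Split output.txt into its dashed sections (title -> stripped lines)."""
    sections, current = defaultdict(list), None
    for line in (ln.strip() for ln in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current:
            sections[current].append(line)
    return sections

def system32_files(sections):
    """Files (not <DIR> entries) from the 'System Files in System32' listing."""
    rows = (FILE_RE.match(ln) for ln in sections.get("System Files in System32 Directory", []))
    return [{"date": m.group(1), "size": int(m.group(3).replace(",", "")), "name": m.group(4)}
            for m in rows if m]

def notify_dlls(sections):
    """(subkey, DLL path) pairs under Winlogon\\Notify; .reg text doubles backslashes."""
    pairs, key = [], None
    for line in sections.get("Keys Under Notify", []):
        if KEY_RE.match(line):
            key = line.rstrip("]").rsplit("\\", 1)[-1]
        elif (m := DLLNAME_RE.match(line)) and key:
            pairs.append((key, m.group(1).replace("\\\\", "\\")))
    return pairs

def size_cluster(files, band=4096, minimum=3):
    """Largest group of files whose sizes lie within `band` bytes of each other.
    The posted log shows 39 random-named DLLs all between 232,736 and 235,753 bytes."""
    ordered = sorted(files, key=lambda f: f["size"])
    best = []
    for i, low in enumerate(ordered):
        group = [f for f in ordered[i:] if f["size"] - low["size"] <= band]
        if len(group) > len(best):
            best = group
    return best if len(best) >= minimum else []

def analyse(text):
    sections = parse_find_output(text)
    cluster = size_cluster(system32_files(sections))
    names = {f["name"].lower() for f in cluster}
    # A Notify DLL that belongs to the cluster is the loader that keeps re-dropping the others.
    hooked = [(k, p) for k, p in notify_dlls(sections) if p.rsplit("\\", 1)[-1].lower() in names]
    # KillBox wants full paths: this is the "put c:\windows\system32\ before each file" step.
    killbox = [f"C:\\WINDOWS\\System32\\{f['name']}" for f in cluster]
    return {"cluster": sorted(names), "hooked_notify": hooked, "killbox_paths": killbox}
```

Running it against a later output.txt (such as the one in post #21) shows whether the cluster is gone and whether the Notify hook has simply moved to a new subkey and DLL name.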
#21
Posted 20 March 2005 - 03:45 PM
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Tools
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE
Directory of C:\WINDOWS\System32
03/08/2005 20:42 <DIR> dllcache
06/03/2003 21:57 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 3,134,062,592 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE
Directory of C:\WINDOWS\System32
03/12/2005 01:55 <DIR> vmss
03/12/2005 01:55 <DIR> wsxsvc
03/08/2005 20:42 <DIR> dllcache
06/03/2003 21:22 488 logonui.exe.manifest
06/03/2003 21:22 488 WindowsLogon.manifest
06/03/2003 21:22 749 sapi.cpl.manifest
06/03/2003 21:22 749 nwc.cpl.manifest
06/03/2003 21:22 749 cdplayer.exe.manifest
06/03/2003 21:22 749 wuaucpl.cpl.manifest
06/03/2003 21:22 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
3 Dir(s) 3,134,058,496 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE
Directory of C:\WINDOWS\System32
03/20/2005 21:27 56 Guard.tmp
1 File(s) 56 bytes
0 Dir(s) 3,134,058,496 bytes free
------ Temp Files in System32 Directory ------
Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE
Directory of C:\WINDOWS\System32
03/20/2005 21:27 56 Guard.tmp
09/22/2004 18:46 86,016 SET1014.tmp
08/29/2002 12:00 2,577 CONFIG.TMP
3 File(s) 88,649 bytes
0 Dir(s) 3,134,058,496 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AD26821D-7E32-D26A-56C7-41F320848D99}"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrlu0539e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
------------- Locate.com Results -------------
No matches found.
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\ntdll.dll: .aspack
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
#22
Posted 20 March 2005 - 07:39 PM
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\XXXXX]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
- Download VX2Finder.
- Double-click on VX2Finder.exe.
- Click "Restore Policy".
- In the File menu click "Exit".
- Double-click on KillBox.exe.
- In the File menu click "Delete all Dummy files".
- In the Tools menu click "Delete Temp Files".
- Choose "Standard File Kill" if not already selected.
- Paste these files one by one into the top "Full Path of File to Delete" box.
- C:\RECYCLER\desktop.ini
- C:\WINDOWS\System32\drivers\etc\HOSTS
- Click the "Delete File" button which looks like a stop sign.
- Click "Yes" at the Confirm Delete prompt.
- It should give you a successful "File was deleted" prompt for each one.
-=jonnyrotten=-
#23
Posted 22 March 2005 - 01:03 PM
Logfile of HijackThis v1.99.1
Scan saved at 18:57:57, on 03/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B371B58-BF4D-4130-9CA8-ED722DAA0130}: NameServer = 194.72.9.39 194.74.65.87
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\hrlu0539e.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
#24
Posted 22 March 2005 - 10:07 PM
Spybot Search & Destroy
Download and install. Start Spybot S&D, click the Search for updates button; if any are found then click the Download Updates button. After all updates are downloaded, click the Check for problems button. When the scan is complete, place a check next to anything marked in red, then click the Fix selected problems button. You may need to run Spybot S&D multiple times to remove all infections.
Download Ad-aware from: http://www.geekstogo...n=download&id=5
Install the program and launch it.
First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.
Next, we need to configure Ad-aware for a full scan.
-> Click on the Gear icon (second from the left) to access the preferences/settings window
1. In the General window make sure the following are selected:
- Automatically save log-file
- Automatically quarantine objects prior to removal
- Safe Mode (always request confirmation)
- Scan Within Archives
- Scan Active Processes
- Scan Registry
- Deep Scan Registry
- Scan my IE favorites for banned URL’s
- Scan my Hosts file
- Under Click here to select drives + folders, choose:
- All of your hard drives
- Include additional process information
- Include additional file information
- Include environment information
- Include additional object details
- Under the Scanning Engine:
- Unload recognized processes during scanning
- Include basic Ad-aware settings in logfile
- Include additional Ad-aware settings in logfile
- Under the Cleaning Engine:
- Let Windows remove files in use at next reboot
-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
- Use Custom Scanning Options
-> Save the log file when it asks and then click Finish
-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).
-> Reboot your computer.
I am checking on this entry here:
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\hrlu0539e.dll
It looks like a bad one, and we haven't been able to get rid of it. I will let you know what I find.
-=jonnyrotten=-
#25
Posted 31 March 2005 - 06:40 PM
#26
Posted 01 April 2005 - 12:01 PM
-=jonnyrotten=-