isrvs/ trojan horse dropper virus



#16 mcbirdo (Topic Starter, Member, 20 posts)
Just to let you know I'm getting as many ad pop-ups now as before and the computer shuts itself down sometimes.

Thanks for your continued help JR

#17 mcbirdo (Topic Starter, Member, 20 posts)
Hey JR

I've just noticed the number 1 hosts are back.

Logfile of HijackThis v1.99.1
Scan saved at 19:57:59, on 03/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B371B58-BF4D-4130-9CA8-ED722DAA0130}: NameServer = 194.72.9.39 194.74.65.87
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\en0sl1d71.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
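The helper reads the log above by eye. The following is an added example (my code, not the poster's and not part of HijackThis) that does the same triage in Python over a constructed subset of the O-lines posted above. It flags O1 Hosts entries that pin a name to anything other than loopback, O20 Winlogon Notify entries whose DLL is not in an assumed allow-list of Windows XP notification packages, and O17 NameServer overrides for manual verification. The loopback set and the allow-list are my assumptions.

```python
"""Triage a HijackThis 1.99 log for the indicators seen in this thread.

Added example: my code, not the poster's and not part of HijackThis.
SAMPLE_LOG is a constructed subset of the O-lines posted above; the
loopback set and the Winlogon Notify allow-list are my assumptions.
"""
import re

SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B371B58-BF4D-4130-9CA8-ED722DAA0130}: NameServer = 194.72.9.39 194.74.65.87
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\en0sl1d71.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# A hosts entry that points a name anywhere but here is a redirection.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumed allow-list of Winlogon Notify DLLs that ship with Windows XP
# (illustrative; build the real one from a known-clean install).
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
    "wlnotify.dll", "wzcdlg.dll", "ati2evxx.dll", "igfxdev.dll",
}

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")


def triage(log_text):
    """Return (kind, detail) findings for the lines that need a human decision."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK:
                findings.append(("O1", f"{host} pinned to {ip} in the hosts file"))
            continue
        m = O20_RE.match(line)
        if m:
            subkey, dll = m.groups()
            base = dll.rsplit("\\", 1)[-1].lower()
            if base not in KNOWN_NOTIFY_DLLS:
                # Notify packages are loaded into winlogon.exe at every logon.
                findings.append(("O20", f"Notify\\{subkey} loads {base} into winlogon"))
            continue
        m = O17_RE.match(line)
        if m:
            findings.append(("O17", f"NameServer = {m.group(1)}; confirm these are the ISP's resolvers"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(kind, detail)
```

The O17 entry is reported, not judged: the two addresses should be checked against the ISP's published resolvers before anything is changed, because a NameServer override is legitimate when it matches the ISP. The O1 lines need no such caveat: auto.search.msn.com and ieautosearch are what Internet Explorer contacts for address-bar auto-search, so pinning them to a non-loopback address in the hosts file routes every failed lookup through that host.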

#18 -=jonnyrotten=- (Retired Staff, Member 2k, 2,678 posts)
We'll have to do this the manual way. Here we go.
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
-=jonnyrotten=-

#19 mcbirdo (Topic Starter, Member, 20 posts)
Here's the log.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Tools

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE

Directory of C:\WINDOWS\System32

03/20/2005 18:21 235,488 guard.tmp
03/20/2005 18:16 234,802 hrlu0539e.dll
03/18/2005 17:15 234,802 pSnmap.dll
03/18/2005 17:15 235,488 q6860glse6q60.dll
03/18/2005 17:07 235,753 dnnu0159e.dll
03/18/2005 16:18 233,101 rzoc3260.dll
03/18/2005 16:18 234,304 gp02l3do1.dll
03/18/2005 14:51 234,162 en60l1jm1.dll
03/16/2005 21:49 233,101 kndaze.dll
03/15/2005 20:25 233,164 pFnmap.dll
03/15/2005 20:13 233,248 cgbcatex.dll
03/15/2005 20:11 234,495 rHsadhlp.dll
03/15/2005 19:50 234,495 wistream.dll
03/15/2005 19:09 233,248 iBssam.dll
03/14/2005 21:27 233,668 dwgest.dll
03/14/2005 21:27 235,493 ir28l5fu1.dll
03/14/2005 18:51 233,611 lv6m09j1e.dll
03/14/2005 18:50 233,611 MIPI.DLL
03/14/2005 18:50 233,668 jtn0075me.dll
03/14/2005 14:45 233,598 Lcpng12n.dll
03/13/2005 20:58 233,253 o8840ilqe8qe0.dll
03/13/2005 20:54 232,765 kldpl1.dll
03/13/2005 18:02 232,765 srfolder.dll
03/12/2005 20:26 235,606 i260lcjm1foa.dll
03/12/2005 16:35 235,606 ugrcoina.dll
03/12/2005 16:33 235,484 mng4dmod.dll
03/12/2005 16:26 234,621 mixex.dll
03/12/2005 14:51 233,011 lmfpx7.dll
03/12/2005 13:47 233,011 rkcns4.dll
03/12/2005 13:47 234,429 h8j4li1q18.dll
03/12/2005 13:33 233,011 sudpapi.dll
03/12/2005 11:39 234,931 aui2cqag.dll
03/11/2005 21:40 234,931 rDschap.dll
03/10/2005 19:53 232,918 cogmgr32.dll
03/10/2005 19:46 235,107 cdgmgr32.dll
03/10/2005 19:42 235,107 mqvfw32.dll
03/10/2005 17:41 234,437 sqmpsnap.dll
03/10/2005 11:33 232,736 kodbene.dll
03/09/2005 19:06 232,736 Ldkrn10n.dll
03/08/2005 20:42 <DIR> dllcache
06/03/2003 21:57 <DIR> Microsoft
39 File(s) 9,129,765 bytes
2 Dir(s) 3,103,731,712 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE

Directory of C:\WINDOWS\System32

03/12/2005 01:55 <DIR> vmss
03/12/2005 01:55 <DIR> wsxsvc
03/08/2005 20:42 <DIR> dllcache
06/03/2003 21:22 488 logonui.exe.manifest
06/03/2003 21:22 488 WindowsLogon.manifest
06/03/2003 21:22 749 sapi.cpl.manifest
06/03/2003 21:22 749 nwc.cpl.manifest
06/03/2003 21:22 749 cdplayer.exe.manifest
06/03/2003 21:22 749 wuaucpl.cpl.manifest
06/03/2003 21:22 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
3 Dir(s) 3,103,727,616 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE

Directory of C:\WINDOWS\System32

03/20/2005 18:21 235,488 guard.tmp
1 File(s) 235,488 bytes
0 Dir(s) 3,103,727,616 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE

Directory of C:\WINDOWS\System32

03/20/2005 18:21 235,488 guard.tmp
09/22/2004 18:46 86,016 SET1014.tmp
08/29/2002 12:00 2,577 CONFIG.TMP
3 File(s) 324,081 bytes
0 Dir(s) 3,103,727,616 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AD26821D-7E32-D26A-56C7-41F320848D99}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q6860glse6q60.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
aui2cqag.dll Sat 12 Mar 2005 11:39:04 ..S.R 234,931 229.42 K
cdgmgr32.dll Thu 10 Mar 2005 19:46:26 ..S.R 235,107 229.59 K
cgbcatex.dll Tue 15 Mar 2005 20:13:42 ..S.R 233,248 227.78 K
cogmgr32.dll Thu 10 Mar 2005 19:53:44 ..S.R 232,918 227.46 K
dnnu01~1.dll Fri 18 Mar 2005 17:07:52 ..S.R 235,753 230.23 K
dwgest.dll Mon 14 Mar 2005 21:27:08 ..S.R 233,668 228.19 K
en60l1~1.dll Fri 18 Mar 2005 14:51:58 ..S.R 234,162 228.67 K
gp02l3~1.dll Fri 18 Mar 2005 16:18:12 ..S.R 234,304 228.81 K
guard.tmp Sun 20 Mar 2005 18:21:06 A.S.R 235,488 229.97 K
h8j4li~1.dll Sat 12 Mar 2005 13:47:38 ..S.R 234,429 228.93 K
hrlu05~1.dll Sun 20 Mar 2005 18:16:50 ..S.R 234,802 229.30 K
i260lc~1.dll Sat 12 Mar 2005 20:26:50 ..S.R 235,606 230.08 K
ibssam.dll Tue 15 Mar 2005 19:09:04 ..S.R 233,248 227.78 K
ir28l5~1.dll Mon 14 Mar 2005 21:27:08 ..S.R 235,493 229.97 K
jtn007~1.dll Mon 14 Mar 2005 18:50:48 ..S.R 233,668 228.19 K
kldpl1.dll Sun 13 Mar 2005 20:54:12 ..S.R 232,765 227.31 K
kndaze.dll Wed 16 Mar 2005 21:49:48 ..S.R 233,101 227.64 K
kodbene.dll Thu 10 Mar 2005 11:33:54 ..S.R 232,736 227.28 K
lcpng12n.dll Mon 14 Mar 2005 14:45:16 ..S.R 233,598 228.12 K
ldkrn10n.dll Wed 9 Mar 2005 19:06:04 ..S.R 232,736 227.28 K
lmfpx7.dll Sat 12 Mar 2005 14:51:40 ..S.R 233,011 227.55 K
lv6m09~1.dll Mon 14 Mar 2005 18:51:48 ..S.R 233,611 228.13 K
mipi.dll Mon 14 Mar 2005 18:50:48 ..S.R 233,611 228.13 K
mixex.dll Sat 12 Mar 2005 16:26:28 ..S.R 234,621 229.12 K
mng4dmod.dll Sat 12 Mar 2005 16:33:10 ..S.R 235,484 229.96 K
mqvfw32.dll Thu 10 Mar 2005 19:43:00 ..S.R 235,107 229.59 K
o8840i~1.dll Sun 13 Mar 2005 20:58:06 ..S.R 233,253 227.79 K
pfnmap.dll Tue 15 Mar 2005 20:25:34 ..S.R 233,164 227.70 K
psnmap.dll Fri 18 Mar 2005 17:15:48 ..S.R 234,802 229.30 K
q6860g~1.dll Fri 18 Mar 2005 17:15:48 ..S.R 235,488 229.97 K
rdschap.dll Fri 11 Mar 2005 21:40:50 ..S.R 234,931 229.42 K
rhsadhlp.dll Tue 15 Mar 2005 20:11:12 ..S.R 234,495 228.99 K
rkcns4.dll Sat 12 Mar 2005 13:47:38 ..S.R 233,011 227.55 K
rzoc3260.dll Fri 18 Mar 2005 16:18:12 ..S.R 233,101 227.64 K
sqmpsnap.dll Thu 10 Mar 2005 17:41:26 ..S.R 234,437 228.94 K
srfolder.dll Sun 13 Mar 2005 18:02:46 ..S.R 232,765 227.31 K
sudpapi.dll Sat 12 Mar 2005 13:33:20 ..S.R 233,011 227.55 K
ugrcoina.dll Sat 12 Mar 2005 16:35:50 ..S.R 235,606 230.08 K
wistream.dll Tue 15 Mar 2005 19:51:00 ..S.R 234,495 228.99 K

39 items found: 39 files, 0 directories.
Total of file sizes: 9,129,765 bytes 8.70 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#20 -=jonnyrotten=- (Retired Staff, Member 2k, 2,678 posts)
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\hrlu0539e.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    pSnmap.dll
    q6860glse6q60.dll
    dnnu0159e.dll
    rzoc3260.dll
    gp02l3do1.dll
    en60l1jm1.dll
    kndaze.dll
    pFnmap.dll
    cgbcatex.dll
    rHsadhlp.dll
    wistream.dll
    iBssam.dll
    dwgest.dll
    ir28l5fu1.dll
    lv6m09j1e.dll
    MIPI.DLL
    jtn0075me.dll
    Lcpng12n.dll
    o8840ilqe8qe0.dll
    kldpl1.dll
    srfolder.dll
    i260lcjm1foa.dll
    ugrcoina.dll
    mng4dmod.dll
    mixex.dll
    lmfpx7.dll
    rkcns4.dll
    h8j4li1q18.dll
    sudpapi.dll
    aui2cqag.dll
    rDschap.dll
    cogmgr32.dll
    cdgmgr32.dll
    mqvfw32.dll
    sqmpsnap.dll
    kodbene.dll
    Ldkrn10n.dll
    >>>Remember you have to put c:\windows\system32\ before each file in order for the killbox to delete it.<<<
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • You may get this message>>>"Pending File Rename Operations Registry Data has been Removed by External Process!" This is okay, you will just have to manually restart your pc.
  • Double-click on find.bat and post the new output.txt.
Don't reboot after this time until you have further instructions.

-=jonnyrotten=-
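The KillBox list in the reply above was typed out by hand from the find.bat output in #19, and the reply has to remind the poster to prefix every name with c:\windows\system32\. The following is an added example (my code, not the thread's and not part of find.bat, locate.com or KillBox) that derives that list mechanically from the two listings: it keeps files whose locate.com attributes show system + read-only and whose timestamp falls in the recent drop window, resolves the 8.3 short names locate.com prints (dnnu01~1.dll) back to the long names the dir listing shows (dnnu0159e.dll), and emits the full paths. DIR_LISTING and LOCATE_LISTING are constructed subsets of the posted output; the System32 prefix, the meaning of the S and R attribute letters, and the 14-day window are my assumptions.

```python
"""Turn the find.bat / locate.com output posted above into the full-path
list KillBox needs in the reply that follows.

Added example: my code, not the thread's and not part of find.bat or
KillBox. DIR_LISTING and LOCATE_LISTING are constructed subsets of the
posted output.txt. Assumptions: the System32 prefix, that locate.com's
attribute column marks S = system and R = read-only, and the 14-day
"recently dropped" window.
"""
import re
from datetime import datetime, timedelta

SYSTEM32 = r"C:\WINDOWS\System32"

# From the "System Files in System32 Directory" section: long names + sizes.
DIR_LISTING = """\
03/20/2005 18:21 235,488 guard.tmp
03/20/2005 18:16 234,802 hrlu0539e.dll
03/18/2005 17:15 234,802 pSnmap.dll
03/18/2005 17:07 235,753 dnnu0159e.dll
03/09/2005 19:06 232,736 Ldkrn10n.dll
03/08/2005 20:42 <DIR> dllcache
06/03/2003 21:57 <DIR> Microsoft
39 File(s) 9,129,765 bytes
"""

# From the "Locate.com Results" section: 8.3 short names + attributes.
LOCATE_LISTING = """\
dnnu01~1.dll Fri 18 Mar 2005 17:07:52 ..S.R 235,753 230.23 K
guard.tmp Sun 20 Mar 2005 18:21:06 A.S.R 235,488 229.97 K
hrlu05~1.dll Sun 20 Mar 2005 18:16:50 ..S.R 234,802 229.30 K
ldkrn10n.dll Wed 9 Mar 2005 19:06:04 ..S.R 232,736 227.28 K
psnmap.dll Fri 18 Mar 2005 17:15:48 ..S.R 234,802 229.30 K
"""

DIR_RE = re.compile(r"^(\d\d/\d\d/\d{4}) (\d\d:\d\d) ([\d,]+) (\S+)$")
LOC_RE = re.compile(
    r"^(\S+) \w{3} +(\d{1,2} \w{3} \d{4}) \d\d:\d\d:\d\d ([A-Z.]+) ([\d,]+) ")


def parse_dir(text):
    """lowercase name -> (size, mtime, name as printed) from the dir listing."""
    index = {}
    for line in text.splitlines():
        m = DIR_RE.match(line.strip())
        if m:
            date, hhmm, size, name = m.groups()
            mtime = datetime.strptime(f"{date} {hhmm}", "%m/%d/%Y %H:%M")
            index[name.lower()] = (int(size.replace(",", "")), mtime, name)
    return index


def parse_locate(text):
    """(short name, attrs, size, mtime) for each locate.com line."""
    rows = []
    for line in text.splitlines():
        m = LOC_RE.match(line.strip())
        if m:
            name, day, attrs, size = m.groups()
            rows.append((name.lower(), attrs, int(size.replace(",", "")),
                         datetime.strptime(day, "%d %b %Y")))
    return rows


def long_name(short, size, dir_index):
    """Resolve an 8.3 name (dnnu01~1.dll) to the long name the dir listing shows.

    Windows builds the short stem from the first six characters of the long
    stem, so match on that prefix, the extension, and the byte size.
    """
    if "~" not in short:
        return dir_index[short][2] if short in dir_index else None
    prefix = short.split("~", 1)[0]
    ext = "." + short.rsplit(".", 1)[-1]
    for key, (sz, _, printed) in dir_index.items():
        if key.startswith(prefix) and key.endswith(ext) and sz == size:
            return printed
    return None


def suspect_files(dir_text, locate_text, window_days=14, trusted=()):
    """System + read-only files dropped within window_days of the newest one."""
    dir_index = parse_dir(dir_text)
    rows = parse_locate(locate_text)
    if not rows:
        return []
    cutoff = max(r[3] for r in rows) - timedelta(days=window_days)
    skip = {t.lower() for t in trusted}
    hits = []
    for short, attrs, size, mtime in rows:
        if "S" in attrs and "R" in attrs and mtime >= cutoff:
            name = long_name(short, size, dir_index) or short
            if name.lower() not in skip:
                hits.append(name)
    return sorted(hits, key=str.lower)


def killbox_paths(names):
    """Prefix every name with the System32 path, as the reply insists on."""
    return [f"{SYSTEM32}\\{n}" for n in names]


if __name__ == "__main__":
    for path in killbox_paths(suspect_files(DIR_LISTING, LOCATE_LISTING)):
        print(path)
```

Two things worth noticing in the posted listing that the script relies on: every one of the 39 files carries the same system + read-only attribute pair and all of them fall between 232,736 and 235,753 bytes, dropped over a two-week span, which is why attribute plus recency is enough to separate them from the rest of System32 here. The trusted tuple exists because a real find.bat run can also list legitimate system-attributed files (the output's own warning says so); anything it flags should still be checked by name before it goes into KillBox.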

#21 mcbirdo (Topic Starter, Member, 20 posts)
Did as you said.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Tools

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE

Directory of C:\WINDOWS\System32

03/08/2005 20:42 <DIR> dllcache
06/03/2003 21:57 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 3,134,062,592 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE

Directory of C:\WINDOWS\System32

03/12/2005 01:55 <DIR> vmss
03/12/2005 01:55 <DIR> wsxsvc
03/08/2005 20:42 <DIR> dllcache
06/03/2003 21:22 488 logonui.exe.manifest
06/03/2003 21:22 488 WindowsLogon.manifest
06/03/2003 21:22 749 sapi.cpl.manifest
06/03/2003 21:22 749 nwc.cpl.manifest
06/03/2003 21:22 749 cdplayer.exe.manifest
06/03/2003 21:22 749 wuaucpl.cpl.manifest
06/03/2003 21:22 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
3 Dir(s) 3,134,058,496 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE

Directory of C:\WINDOWS\System32

03/20/2005 21:27 56 Guard.tmp
1 File(s) 56 bytes
0 Dir(s) 3,134,058,496 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 88C5-1ECE

Directory of C:\WINDOWS\System32

03/20/2005 21:27 56 Guard.tmp
09/22/2004 18:46 86,016 SET1014.tmp
08/29/2002 12:00 2,577 CONFIG.TMP
3 File(s) 88,649 bytes
0 Dir(s) 3,134,058,496 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AD26821D-7E32-D26A-56C7-41F320848D99}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrlu0539e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

No matches found.

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#22 -=jonnyrotten=- (Retired Staff, Member 2k, 2,678 posts)
Copy and paste the quoted text below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\XXXXX]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

  • Download VX2Finder.
  • Double-click on VX2Finder.exe.
  • Click "Restore Policy".
  • In the File menu click "Exit".
  • Double-click on KillBox.exe.
  • In the File menu click "Delete all Dummy files".
  • In the Tools menu click "Delete Temp Files".
  • Choose "Standard File Kill" if not already selected.
  • Paste these files one by one into the top "Full Path of File to Delete" box.
    • C:\RECYCLER\desktop.ini
    • C:\WINDOWS\System32\drivers\etc\HOSTS
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Confirm Delete prompt.
  • It should give you a successful "File was deleted" prompt for each one.
Reboot and post a new Hijack This log.

-=jonnyrotten=-
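The .reg file in the reply above is a template: the GUID under Post Platform and the Winlogon Notify subkey are left as XXXX for the poster to fill in. The following is an added example (my code, not the helper's and not part of any tool named in the thread) that fills both from the same two output.txt sections posted in #21, and shows the two REGEDIT4 constructs the fix depends on: `"name"=-` deletes a value and `[-key]` deletes a whole key. OUTPUT_TXT is a constructed copy of those sections; the trusted Notify DLL list is my assumption.

```python
"""Build FixVX2.reg from the find.bat output posted above.

Added example: my code, not the helper's and not part of any tool named in
the thread. The reply leaves the Post Platform GUID and the Notify subkey as
XXXX placeholders; this reads both from the same two output.txt sections.
REGEDIT4 semantics used: '"name"=-' deletes a value, '[-key]' deletes a key.
OUTPUT_TXT is a constructed copy of those sections; the trusted Notify DLL
list is my assumption (illustrative).
"""
import re

OUTPUT_TXT = r"""
------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{AD26821D-7E32-D26A-56C7-41F320848D99}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrlu0539e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"""

POST_PLATFORM = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Internet Settings\User Agent\Post Platform")
NOTIFY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed allow-list: Notify packages that belong to Windows XP itself.
TRUSTED_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                       "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
GUID_VALUE_RE = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})"=""$')
DLLNAME_RE = re.compile(r'^"DllName"="(.+)"$')


def parse_sections(text):
    """Return (GUID value names under Post Platform, {Notify subkey: dll basename})."""
    guids, notify = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        if current.lower() == POST_PLATFORM.lower():
            m = GUID_VALUE_RE.match(line)
            if m:
                guids.append(m.group(1))
        elif current.lower().startswith(NOTIFY.lower() + "\\"):
            m = DLLNAME_RE.match(line)
            if m:
                # .reg files double the backslashes; undo that before splitting.
                dll = m.group(1).replace("\\\\", "\\").rsplit("\\", 1)[-1]
                notify[current.rsplit("\\", 1)[-1]] = dll.lower()
    return guids, notify


def build_fix_reg(text, trusted=TRUSTED_NOTIFY_DLLS):
    """The .reg text the reply describes, with the placeholders filled in."""
    guids, notify = parse_sections(text)
    lines = ["REGEDIT4", ""]
    if guids:
        lines.append(f"[{POST_PLATFORM}]")
        lines.extend(f'"{g}"=-' for g in guids)      # "=-" deletes the value
        lines.append("")
    for subkey, dll in sorted(notify.items()):
        if dll not in trusted:
            lines.append(f"[-{NOTIFY}\\{subkey}]")   # "[-...]" deletes the key
            lines.append("")
    lines.append(f"[{POST_PLATFORM}]")
    lines.append('"SV1"=""')   # IE6 SP2's normal token, absent from the posted log
    lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_fix_reg(OUTPUT_TXT))
```

Across the three logs posted in this thread the Notify subkey and its DLL changed between reboots (Applets with en0sl1d71.dll, then ThemeManager with q6860glse6q60.dll, then Installer with hrlu0539e.dll), so the values have to come from the newest output.txt and the .reg should be merged before the next reboot rather than prepared in advance. A full output.txt lists every Notify subkey, most of them legitimate Windows packages, which is why the generator only removes subkeys whose DLL is outside the trusted set. Removing the key stops winlogon loading the DLL at the next logon; deleting the file itself is what the KillBox step in the reply is for.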

#23 mcbirdo (Topic Starter, Member, 20 posts)
At last things seem to be running more smoothly. Thank you so much. Is there anything else to do?

Logfile of HijackThis v1.99.1
Scan saved at 18:57:57, on 03/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B371B58-BF4D-4130-9CA8-ED722DAA0130}: NameServer = 194.72.9.39 194.74.65.87
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\hrlu0539e.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

#24 -=jonnyrotten=- (Retired Staff, Member 2k, 2,678 posts)
Nice! You look clean now. Things running good? Follow the next steps for a little clean up.

Spybot Search & Destroy Download and install. Start Spybot S&D, Click the Search for updates button, if any are found then click the Download Updates button. After all updates are downloaded, click the Check for problems button. When the scan is complete, place a check next to anything marked in red, then click the Fix selected problems button. You may need to run Spybot S&D multiple times to remove all infections.

Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
-> Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
-> Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

-> Reboot your computer.

I am checking on this entry here:

O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\hrlu0539e.dll

It looks like a bad one, and we haven't been able to get rid of it. I will let you know what I find.

-=jonnyrotten=-

#25 mcbirdo (Topic Starter, Member, 20 posts)
Just back to London from a trip to New York. Had computer on for a while and all seems fine. Did the clean up that you suggested. Did you find out about the nasty virus?
#26 -=jonnyrotten=- (Retired Staff, Member 2k, 2,678 posts)
Well I haven't been able to find any answers to this. If something comes up let me know, and we'll get it taken care of.

-=jonnyrotten=-