Fatal System Error undeletable viruses [RESOLVED]


  • This topic is locked

#16
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Weird! Ok, I need you to run option #1 again and post the log so I can see all the files...I'm going to have you download a program called Killbox to delete the files. But, it's going to be about 40-50 files that we'll have to delete!! :tazz:



#17
markjohannsson
    Member
  • Topic Starter
  • 15 posts
Nice! I had a feeling my computer was crying out for: :tazz:

Here's the log!


L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\aza809fue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dgmsrpcn.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i424lefq1h2e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
stlb2.dll Wed Apr 13 2005 5:40:16p A.... 229,376 224.00 K
spmsg.dll Thu Feb 24 2005 7:35:06p ..... 14,048 13.72 K
tyisyry.dll Mon May 2 2005 7:33:36p A.... 27,136 26.50 K
browseui.dll Thu Mar 10 2005 4:02:34a A.... 1,016,832 993.00 K
iepeers.dll Thu Mar 10 2005 4:02:34a A.... 250,880 245.00 K
msi.dll Mon Mar 21 2005 3:00:20p A.... 2,890,240 2.75 M
arkdr.dll Mon May 2 2005 7:33:36p A.... 4,096 4.00 K
msihnd.dll Mon Mar 21 2005 3:00:22p A.... 271,360 265.00 K
msimsg.dll Mon Mar 21 2005 3:00:22p A.... 884,736 864.00 K
msisip.dll Mon Mar 21 2005 3:00:22p A.... 15,360 15.00 K
winsrv.dll Wed Mar 2 2005 2:09:30p A.... 291,328 284.50 K
user32.dll Wed Mar 2 2005 2:09:30p A.... 577,024 563.50 K
authz.dll Wed Mar 2 2005 2:09:30p A.... 56,832 55.50 K
shell32.dll Mon Feb 28 2005 7:11:18p A.... 8,450,048 8.06 M
wininet.dll Thu Mar 10 2005 4:02:36a A.... 656,896 641.50 K
urlmon.dll Thu Mar 10 2005 4:02:36a A.... 607,744 593.50 K
shlwapi.dll Thu Mar 10 2005 4:02:34a A.... 473,600 462.50 K
shdocvw.dll Thu Mar 10 2005 4:02:34a A.... 1,483,264 1.41 M
msrating.dll Thu Mar 10 2005 4:02:34a A.... 146,432 143.00 K
mshtml.dll Thu Mar 10 2005 4:02:34a A.... 3,010,560 2.87 M
inseng.dll Thu Mar 10 2005 4:02:34a A.... 96,256 94.00 K
cdfview.dll Thu Mar 10 2005 4:02:34a A.... 151,040 147.50 K
winup2~1.dll Wed Mar 23 2005 6:19:38a A.... 5,632 5.50 K
mcinsctl.dll Mon Mar 7 2005 3:05:30p A.... 341,568 333.56 K
mcgdmgr.dll Tue Feb 15 2005 11:34:18a A.... 277,616 271.11 K

25 items found: 25 files, 0 directories.
Total of file sizes: 22,229,904 bytes 21.20 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 3F5D-29DB

Directory of C:\WINDOWS\System32

09/09/2003 01:46 AM <DIR> Microsoft
09/09/2003 01:20 AM <DIR> dllcache
0 File(s) 0 bytes
2 Dir(s) 126,285,479,936 bytes free
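The interesting part of the L2MFIX output above is the Winlogon\Notify block: Winlogon loads every DLL registered there at logon, which is why the three entries named "MS-DOS Emulation", "Uninstall" and "WindowsUpdate" (each pointing at a random-looking DLL by full path, unlike the stock entries that use a bare name such as wlnotify.dll) survive a normal cleanup. The script below is an added example, not part of the original post or of L2MFIX: it parses a Regedit 5.00 text export, decodes the hex(2) (REG_EXPAND_SZ) values that the tool prints as UTF-16 byte lists, and flags Notify packages whose DllName is an absolute path or is not in a baseline. The baseline set and the cut-down sample export are constructed here from the legitimate entries in the log and are assumptions, not anything the page states.

```python
"""Triage a Winlogon\\Notify export in Regedit 5.00 text format.

Added example: parses the .reg text, decodes hex(2) (REG_EXPAND_SZ) values,
and flags Notify packages whose DllName looks out of place.
"""
import ntpath
import re

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: the notify DLLs that Windows XP itself (and the Intel graphics
# driver's igfxcui package) register. Built from the legitimate entries in the log.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "igfxsrvc.dll",
}

# Constructed sample: a cut-down copy of the export, keeping three stock
# entries and the three the infection added.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\aza809fue.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"DllName"="C:\\WINDOWS\\system32\\dgmsrpcn.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"DllName"="C:\\WINDOWS\\system32\\i424lefq1h2e.dll"
'''

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _logical_lines(text):
    """Join hex data that regedit wraps over several lines with a trailing backslash."""
    out, buf = [], None
    for raw in text.splitlines():
        line = raw.strip() if buf is not None else raw.rstrip()
        if line.endswith("\\") and not line.startswith("["):
            buf = (buf or "") + line[:-1]
            continue
        out.append((buf or "") + line)
        buf = None
    if buf is not None:
        out.append(buf)
    return out


def _unescape(s):
    """Regedit escapes backslash and double quote inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(rhs):
    if rhs.startswith('"') and rhs.endswith('"') and len(rhs) >= 2:
        return _unescape(rhs[1:-1])
    if rhs.startswith("dword:"):
        return int(rhs[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", rhs)
    if m:
        kind = int(m.group(1) or 3)          # bare "hex:" is REG_BINARY (type 3)
        blob = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):                    # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
            return blob.decode("utf-16-le").rstrip("\x00")
        if kind == 7:                         # REG_MULTI_SZ
            return blob.decode("utf-16-le").rstrip("\x00").split("\x00")
        return blob
    return rhs


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}}; the default value is named '@'."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _decode_data(m.group(2))
    return keys


def triage_notify(keys):
    """Return [(subkey, dllname, reason)] for Notify packages worth a look."""
    prefix = NOTIFY_ROOT.lower() + "\\"
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        subkey = key[len(prefix):]
        # The value is spelled DllName or DLLName depending on who registered it.
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if not isinstance(dll, str):
            findings.append((subkey, dll, "no DllName value"))
            continue
        reasons = []
        if ntpath.isabs(dll):
            # Stock packages use a bare name that Winlogon resolves from system32;
            # a full path is how the three bogus entries in the log were registered.
            reasons.append("absolute path")
        if ntpath.basename(dll).lower() not in KNOWN_NOTIFY_DLLS:
            reasons.append("not in baseline")
        if reasons:
            findings.append((subkey, dll, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for subkey, dll, why in triage_notify(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{subkey:20} {dll:45} {why}")
```

Run against the sample it reports exactly the three entries that the next post has Killbox delete. On a live machine, export the key with `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and feed the file in; the baseline will need extending for whatever vendor drivers the box legitimately has.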

#18
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Ok, that's even more weird :tazz: The files "disappeared". Hmm...

Please read these instructions carefully

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\WINDOWS\system32\aza809fue.dll
C:\WINDOWS\system32\dgmsrpcn.dll
C:\WINDOWS\system32\i424lefq1h2e.dll
C:\WINDOWS\SYSTEM32\stlb2.dll
C:\WINDOWS\SYSTEM32\tyisyry.dll
C:\WINDOWS\SYSTEM32\arkdr.dll


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button; when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive any "PendingRenameOperation..." prompt, click NO. Restart your computer if it doesn't automatically restart.

Post a new HiJackThis log.
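"Delete on Reboot" works because Windows has a built-in way to defer a rename or delete until the next boot: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the session manager carries it out before the DLLs are loaded again. That is also why the procedure above warns about a "PendingRenameOperation..." prompt. That Killbox uses exactly this mechanism is an assumption of mine, not something the post states. The block below is an added example, not Killbox's code or anything from the original thread: it builds and decodes the value's raw bytes so you can verify what will be deleted at reboot (or write the value into a .reg fix yourself), and shows the API call a delete-on-reboot tool makes. The paths in it are constructed from the list above.

```python
"""Build and decode the PendingFileRenameOperations value that Windows
processes at boot (delete-on-reboot / rename-on-reboot).

Added example. Format: REG_MULTI_SZ under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager, holding pairs of
(source, destination) NT paths ("\\??\\C:\\..."); an empty destination
means "delete the source".
"""
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
NT_PREFIX = "\\??\\"


def _nt(path):
    """Win32 path -> NT object-manager path, leaving "" (delete marker) alone."""
    return path if not path or path.startswith(NT_PREFIX) else NT_PREFIX + path


def _strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_pending_ops(ops):
    """ops: [(source, destination)], destination "" for delete.
    Returns the raw REG_MULTI_SZ bytes: UTF-16LE, each string NUL-terminated,
    followed by one more NUL that ends the list."""
    strings = []
    for src, dst in ops:
        strings.append(_nt(src))
        strings.append(_nt(dst))
    body = "".join(s + "\x00" for s in strings)
    return (body + "\x00").encode("utf-16-le")


def decode_pending_ops(blob):
    """Inverse of encode_pending_ops. Parses pairwise on purpose: the empty
    destination of a delete request is a double NUL, which a reader that stops
    at the first empty string would mistake for the end of the list."""
    text = blob.decode("utf-16-le")
    if text in ("", "\x00"):
        return []
    if not text.endswith("\x00\x00"):
        raise ValueError("not a terminated REG_MULTI_SZ")
    # Drop the list terminator, then the empty element left by the last string's own NUL.
    items = text[:-1].split("\x00")[:-1]
    if len(items) % 2:
        raise ValueError("odd number of strings: a source without a destination")
    return [(_strip_nt(src), _strip_nt(dst)) for src, dst in zip(items[0::2], items[1::2])]


def pending_ops_reg_line(ops):
    """The same value as a .reg file line (hex(7) is REG_MULTI_SZ), usable in a
    fix file like the one later in this thread."""
    data = ",".join(f"{b:02x}" for b in encode_pending_ops(ops))
    return f'"PendingFileRenameOperations"=hex(7):{data}'


def schedule_delete_on_reboot(path):
    """What a delete-on-reboot tool does: MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT).
    Needs administrator rights (it writes HKLM) and only runs on Windows."""
    if sys.platform != "win32":
        raise OSError("MoveFileEx is a Windows API")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    k32.MoveFileExW.restype = wintypes.BOOL
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


if __name__ == "__main__":
    # Constructed from the Killbox list above.
    ops = [(r"C:\WINDOWS\system32\aza809fue.dll", ""),
           (r"C:\WINDOWS\system32\dgmsrpcn.dll", "")]
    print(pending_ops_reg_line(ops))
    print(decode_pending_ops(encode_pending_ops(ops)))
```

The pairwise decode is the point worth remembering: a delete request is stored as a path followed by an empty string, so anything that treats "empty string" as "end of list" shows you only the first pending delete and hides the rest. Until the reboot happens, the value is also the one place to look if a tool (or malware) has queued a delete of something you want to keep.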

#19
markjohannsson
    Member
  • Topic Starter
  • 15 posts
Okay, files deleted and new HiJack This log complete:

Logfile of HijackThis v1.99.1
Scan saved at 7:13:40 PM, on 5/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\isrvs\desktop.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Highjack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093256666546
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\aza809fue.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\dgmsrpcn.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\i424lefq1h2e.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
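The log above still shows the rest of the infection after the Notify DLLs are gone: the IE search page redirected into a res:// resource inside a local DLL, a BHO and a text/html MIME filter loaded from C:\WINDOWS\isrvs, two Run entries that load DLLs through rundll32 by bare name, a Trusted Zone host and IP range, and three dangling O20 entries whose files are now missing. The script below is an added example and not part of the thread or of HijackThis: it parses HijackThis-style lines and applies one rule per entry type for exactly those indicators. The rules are heuristics I chose from this log, and the sample is a constructed subset of the lines above plus two benign ones; the "folders under the Windows directory that may hold code" set is an assumption.

```python
"""Triage a HijackThis log: pick out the entry types that carry the hijack
indicators seen in this thread (search-page hijack, IE extensions loaded from a
made-up folder, trusted-zone additions, pathless rundll32 Run entries, dangling
Winlogon Notify entries). Added example, not HijackThis code.
"""
import ntpath
import re

# Constructed sample: lines copied from the log above plus two benign ones.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted IP range: 206.161.125.149
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\aza809fue.dll (file missing)
"""

_ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
_RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+?)\s*(?:,|$)", re.IGNORECASE)

# Assumption: folders directly under the Windows directory that legitimately
# hold loadable code. Anything else (here, C:\WINDOWS\isrvs) is suspect.
_WINDIR_CODE_DIRS = {"system32", "system"}


def in_odd_windows_subdir(path):
    """True for C:\\WINDOWS\\<made-up folder>\\file; False for system32 and for
    files that sit directly in the Windows directory or anywhere else."""
    parts = path.strip('"').lower().split("\\")
    if len(parts) >= 4 and parts[1] in ("windows", "winnt"):
        return parts[2] not in _WINDIR_CODE_DIRS
    return False


def _last_field(body):
    """The file path is the last ' - ' separated field; drop HJT's status suffix."""
    return body.replace(" (file missing)", "").rsplit(" - ", 1)[-1].strip()


def triage_hijackthis(text):
    """Return [(section, reason, line)] for entries an analyst should look at."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("section"), m.group("body")
        path = _last_field(body)
        reason = None
        if sec in ("R0", "R1") and "res://" in body:
            reason = "IE search/start page redirected into a local DLL resource"
        elif sec == "O2" and in_odd_windows_subdir(path):
            reason = "BHO loaded from a non-standard folder under the Windows directory"
        elif sec == "O3" and body.endswith("(no file)"):
            reason = "orphaned toolbar CLSID with no backing file"
        elif sec == "O4":
            rm = _RUNDLL_RE.search(body)
            if rm and not ntpath.isabs(rm.group("dll").strip('"')):
                reason = "Run entry loads a DLL through rundll32 with no path"
        elif sec == "O15":
            reason = "host or IP range added to the IE Trusted Zone"
        elif sec == "O18" and body.startswith("Filter:"):
            reason = "MIME filter hooked into IE; page content can be rewritten before rendering"
        elif sec == "O20" and "(file missing)" in body:
            reason = "dangling Winlogon Notify entry; remove the registry subkey"
        if reason:
            findings.append((sec, reason, line))
    return findings


def counts_by_section(findings):
    counts = {}
    for sec, _, _ in findings:
        counts[sec] = counts.get(sec, 0) + 1
    return counts


if __name__ == "__main__":
    for sec, reason, line in triage_hijackthis(SAMPLE_LOG):
        print(f"[{sec:>3}] {reason}\n      {line}")
```

The rundll32 rule is the one to keep in mind beyond this thread: rundll32 resolves a bare DLL name through the normal search path, so an entry like `rundll32.exe D0CE0C16B1,D0CE0C16B1` tells you nothing about where the DLL lives until you find it on disk. Pair the O20 "file missing" rule with the Killbox step above: deleting the DLL leaves the Notify subkey behind, and that is what the next post's registry fix cleans up.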

#20
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Run HijackThis. Click on "none of the above just start the program", then click on "Config...", "Misc Tools", "Open process manager". Select the following files (IF FOUND) and click on "Kill process". Answer Yes to the "Are you sure..." question.
*desktop.exe
*edmond.exe
*ffisearch.exe

Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save as Type" to "All Files" and Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!:

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_CLASSES_ROOT\CLSID\{950238fb-c706-4791-8674-4d429f85897e}]

[-HKEY_CLASSES_ROOT\mfiltis]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop search]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffis]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\legacy_delprot]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\delprot]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000000

[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDevMgrUpdate"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoUpdateCheck"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]
"DisableWindowsUpdateAccess"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000000

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
Restart your computer.

Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Save it as Unreg.bat and save it on your Desktop.

regsvr32 /u C:\Windows\isrvs\msfiltis.dll
regsvr32 /u C:\Windows\isrvs\msdbhk.dll
regsvr32 /u C:\Windows\isrvs\sysupd.dll

Locate Unreg.bat on your Desktop and double-click on it.

Delete the following files/folders (if present) in C:\Windows or C:\Windows\System32:

*delprot.ini
*delprot.log
*desktop.exe
*isrvs (delete the entire folder)

Delete the following file: C:\Windows\System32\Drivers\Delprot.sys

Delete the following files/folder (if present) in C:\Documents and Settings\<your user name>\Desktop

*anal exploits.url
*big [bleep] school for 2.95.url
*evidence eraser.lnk
*popup blocker stops popups.lnk
*spyware avenger.lnk
*virus hunter security.lnk
*your platinum visa.lnk

Post a new log from HijackThis.
  • 0
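The fix file above is applied blind: double-clicking it merges every line into the registry with a single "Yes". Reviewing what a REGEDIT4 file will do before merging it is a habit worth having, so here is an added example (my own code, not part of this thread, HijackThis or any of the tools it names) that parses a REGEDIT4 file into a list of delete-key, select-key and set-value actions and also enforces the "no blank line above REGEDIT4" rule the post warns about. The sample file is a constructed excerpt in the same shape as the one posted; nothing here touches the registry.

```python
import re

# Constructed excerpt of a REGEDIT4 fix file in the shape posted in the thread:
# [-key] lines delete a key, [key] lines select a key, "name"=... lines set values.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffis]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDevMgrUpdate"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoUpdateCheck"=dword:00000000
"""

KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _logical_lines(text):
    """Join hex(...) values that continue with a trailing backslash onto one line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def decode_data(data):
    """Turn the textual value data into a Python value where the type is simple."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data  # hex(2), hex(7) and other encodings are kept as raw text


def parse_reg(text):
    """Return (op, key, value_name, data) tuples describing what a merge would do."""
    lines = list(_logical_lines(text))
    # regedit only recognises the file if REGEDIT4 is the very first line,
    # which is why the post insists on no blank line above it.
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("first line must be REGEDIT4 (no blank line above it)")
    actions = []
    current, current_deleted = None, False
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current, current_deleted = m.group(2), m.group(1) == "-"
            actions.append(("delete_key" if current_deleted else "select_key", current, None, None))
            continue
        m = VALUE_RE.match(line)
        if m:
            name = "(Default)" if m.group(2) else m.group(1)
            # a value listed under a [-key] line has no live key to attach to;
            # record it separately so a reviewer notices the oddity
            op = "orphan_value" if (current is None or current_deleted) else "set_value"
            actions.append((op, current, name, decode_data(m.group(3))))
            continue
        actions.append(("unparsed", None, None, line))
    return actions


def summarize(actions):
    """Count actions by operation, e.g. {'delete_key': 2, 'set_value': 3}."""
    counts = {}
    for op, *_ in actions:
        counts[op] = counts.get(op, 0) + 1
    return counts


if __name__ == "__main__":
    for op, key, name, data in parse_reg(SAMPLE_REG):
        print(f"{op:13} {key or ''} {name or ''} {data if data is not None else ''}")
    print(summarize(parse_reg(SAMPLE_REG)))
```

Running it lists every key the merge would delete and every value it would set, which makes a fix file easy to read back against the HijackThis log it was written from. The orphan_value bucket exists because the posted file has a `"NoDevMgrUpdate"` value directly under a `[-...\Policies\Explorer]` delete line; whatever regedit does with that, it is not what a value line normally means, and a preview should say so.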

#21
markjohannsson

    Member

  • Topic Starter
  • Member
  • 15 posts
Results:

edmond.exe and ffisearch.exe not found on the file list (I know, you said delete the files that I can find from that list of 3 but thought I'd let you know that the desktop.exe was the only one there). ;)

Unreg.bat gave this message: A window called 'RegSvr 32' and the error message: LoadLibrary("C:\Windows\isrvs\msfiltis.dll") failed - The specified module could not be found.

Then, another RegSvr 32 window: C:\Windows\isrvs\msdbhk.dll was loaded, but the DllUnregisterServer entry point was not found. This file can not be registered.

Final window for RegSvr 32: DllUnregister Server in C:\Windows\isrvs\sysupd.dll succeeded.

Note: I've noticed that every time I open windows explorer, my McAfee brings up a message saying that a file in my temporary internet files was infected by the trojan 'Downlader-YH.dr'

Cannot delete delprot.ini - access denied.
Cannot delete folder isrvs - access denied.

Files you wanted me to delete from my desktop (very dirty names for the first two btw): none of them were in my desktop folder *whew* :tazz:


New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:33:06 PM, on 5/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\isrvs\desktop.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Highjack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093256666546
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\aza809fue.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\dgmsrpcn.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\i424lefq1h2e.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
  • 0
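HijackThis itself does not judge the entries it lists; the helper does that by eye, and in this thread the entries she acts on fall into a few recognisable shapes: Run keys that load an unpathed, hex-named DLL through rundll32, Winlogon Notify hooks whose DLL is already gone, a text/html MIME filter, Trusted Zone additions the user never made, and IE search pages pointing at a res:// resource inside a local DLL. The following is an added example (my own code, not from HijackThis or the thread) that parses a log in this format and applies those rules as heuristics; the rule set is mine, and the sample log is a constructed excerpt of the one posted above with benign and suspicious lines mixed so that both get exercised.

```python
import re

# Constructed excerpt of the HijackThis v1.99.1 log posted above: a handful of
# lines kept, benign and suspicious mixed, so the rules have both kinds to judge.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:33:06 PM, on 5/5/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\isrvs\desktop.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted IP range: 206.161.125.149
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\i424lefq1h2e.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY_RE = re.compile(r'^([RO]\d{1,2}) - (.*)$')
RUNDLL_ARG_RE = re.compile(r'rundll32\.exe\s+([^,\s]+)', re.I)
HEX_NAME_RE = re.compile(r'^[0-9A-F]{8,}(\.DLL)?$', re.I)   # e.g. E6F1873B.DLL, D0CE0C16B1


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(section, body), ...])."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes and line:
            processes.append(line)
    return processes, entries


def triage(entries):
    """Apply heuristic rules (mine, not HijackThis's) and return (section, reason, body)."""
    findings = []
    for code, body in entries:
        reason = None
        if code == "O20" and body.endswith("(file missing)"):
            reason = "Winlogon Notify hook points at a DLL that no longer exists (dangling entry)"
        elif code == "O4":
            m = RUNDLL_ARG_RE.search(body)
            if m and HEX_NAME_RE.match(m.group(1)):
                reason = "Run entry loads an unpathed, hex-named DLL through rundll32"
        elif code == "O15":
            reason = "Trusted Zone / Trusted IP range entry: confirm you added it yourself"
        elif code == "O18":
            reason = "MIME filter registered: it sees every page of that type IE renders"
        elif code in ("R0", "R1") and "res://" in body:
            reason = "IE start/search page redirected to a resource inside a local DLL"
        elif code in ("O2", "O3") and body.endswith("(no file)"):
            reason = "BHO/toolbar CLSID with no file behind it: registry residue"
        if reason:
            findings.append((code, reason, body))
    return findings


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} processes, {len(ents)} entries")
    for code, reason, body in triage(ents):
        print(f"[{code}] {reason}\n      {body}")
```

The rules are deliberately narrow: an O20 line is flagged only when its DLL is missing, an O4 line only when rundll32 is handed a bare hex name, so ordinary vendor entries such as the McAfee toolbar or the Intel `igfxcui` notify hook pass through untouched. Anything the script flags is a candidate for a human to look at, in the same way the helper in this thread reads the log, not a verdict.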

#22
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
We're getting there, slowly, but surely :tazz:

Download: http://www.mvps.org/.../DelDomains.inf to your desktop.

To use: RIGHT-CLICK on DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Download, install, and run CleanUp! - this will clear ALL temporary internet files as well as items in other temp folders. If you have anything you need in temp folders, back it up or move it to a permanent folder prior to running Cleanup!

After that, please reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow to highlight Safe Mode, then hit enter.

While in Safe Mode, delete this folder:
C:\Windows\isrvs

And delete this file:
C:\Windows\System32\Drivers\Delprot.sys

Reboot into Normal Mode.

Then, please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log - this is so I can see all the files on your computer that still need to be killed. Hopefully you will be able to run ActiveScan!

Edited by bananafanafo, 05 May 2005 - 06:56 PM.

  • 0

#23
markjohannsson

    Member

  • Topic Starter
  • Member
  • 15 posts
Active Scan results (yes, I was able to run it! wo-hoo!):


Incident Status Location

Virus:Trj/Small.HQ Disinfected Operating system
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\wsxsvc\wsx.dll
Adware:Adware/BrowserAid No disinfected C:\WINDOWS\system32\E6F1873B.DLL
Adware:Adware/BrowserAid No disinfected C:\WINDOWS\system32\D0CE0C16B1.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
Adware:Adware/BrowserAid No disinfected C:\WINDOWS\system32\E6F1873B.DLL
Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/SaveNow No disinfected C:\Program Files\BearShare\RunMSC.dll
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/KeenValue No disinfected C:\Program Files\PerfectNav
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Adware:Adware/SearchAid No disinfected Windows Registry
Adware:Adware/AdDestroyer No disinfected C:\Program Files\AdDestroyer
Adware:Adware/VirtualBouncer No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.ini
Adware:Adware/DealHelper No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Program Files\windows controlad
Adware:Adware/PowerSearch No disinfected Windows Registry
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINDOWS\inst
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050131-205922.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050131-205943.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050325-181744.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050325-181747.backup
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\wsxsvc\wsx.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\wsxsvc\wsx.ocx
Adware:Adware/PowerSearch No disinfected C:\WINDOWS\system32\stlb2.xml
Adware:Adware/BrowserAid No disinfected C:\WINDOWS\system32\E6F1873B.DLL
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\system32\CALSP.DLL
Adware:Adware/BrowserAid No disinfected C:\WINDOWS\system32\D0CE0C16B1.DLL
Virus:Trj/Small.HQ Disinfected C:\WINDOWS\system32\winup2date.dll
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.ini
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\ceres.dll
Adware:Adware/ISearch No disinfected C:\WINDOWS\delprot.ini
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\MDG\Application Data\Sskknwrd.dll
Adware:Adware/DelFinMedia No disinfected C:\keys.ini

New HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 5:47:38 AM, on 5/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Highjack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093256666546
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\aza809fue.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\dgmsrpcn.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\i424lefq1h2e.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
  • 0
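The ActiveScan report above is what the next set of Killbox instructions is built from: every "No disinfected" location is either a file to delete on reboot, a folder to remove in Safe Mode, or a registry hit that needs a different tool, and the report repeats several paths (some in different letter case). Turning that into a paste-ready list is mechanical, so here is an added example (my own code, not Panda's, Killbox's or the thread's) that parses this report layout, drops the incidents ActiveScan already disinfected, deduplicates paths case-insensitively as Windows does, and sorts the rest into files, folders and non-file locations. The file/folder split is a heuristic on the last path component because the report gives no type; the sample report is a constructed excerpt of the one above, duplicates included on purpose.

```python
import re

# Constructed excerpt of the Panda ActiveScan report posted above, keeping the
# same line layout ("Kind:Name Status Location") including duplicate and
# mixed-case paths as the real report had them.
SAMPLE_REPORT = r"""Incident Status Location

Virus:Trj/Small.HQ Disinfected Operating system
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\wsxsvc\wsx.dll
Adware:Adware/BrowserAid No disinfected C:\WINDOWS\system32\E6F1873B.DLL
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/KeenValue No disinfected C:\Program Files\PerfectNav
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Adware:Adware/WUpd No disinfected C:\Program Files\windows controlad
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050131-205922.backup
Adware:Adware/BrowserAid No disinfected C:\WINDOWS\system32\E6F1873B.DLL
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\ceres.dll
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
"""

LINE_RE = re.compile(r'^(\w+):(\S+)\s+(Disinfected|No disinfected)\s+(.+?)\s*$')
PATH_RE = re.compile(r'^[A-Za-z]:\\')


def parse_activescan(text):
    """Return one dict per incident line; the header and blank lines are skipped."""
    incidents = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            incidents.append({
                "kind": m.group(1),          # Virus / Adware / Spyware
                "name": m.group(2),          # e.g. Adware/DelFinMedia
                "cleaned": m.group(3) == "Disinfected",
                "location": m.group(4),
            })
    return incidents


def classify(location):
    """'file', 'folder' or 'other' (registry, OS). File vs folder is a heuristic."""
    if not PATH_RE.match(location):
        return "other"
    leaf = location.rsplit("\\", 1)[-1]
    return "file" if "." in leaf else "folder"


def build_cleanup_lists(text):
    """Group the not-yet-cleaned incidents into paste-ready lists, deduplicated."""
    bucket = {"file": "files", "folder": "folders", "other": "other"}
    lists = {"files": [], "folders": [], "other": [], "already_cleaned": 0}
    seen = set()
    for inc in parse_activescan(text):
        if inc["cleaned"]:
            lists["already_cleaned"] += 1   # ActiveScan handled it; nothing to delete
            continue
        kind = classify(inc["location"])
        if kind == "other":
            item = f'{inc["name"]} ({inc["location"]})'
        else:
            item = inc["location"]
        key = item.lower()                   # Windows paths are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        lists[bucket[kind]].append(item)
    return lists


if __name__ == "__main__":
    result = build_cleanup_lists(SAMPLE_REPORT)
    print("Files (Killbox, delete on reboot):")
    print("\n".join(result["files"]))
    print("\nFolders (remove in Safe Mode):")
    print("\n".join(result["folders"]))
    print("\nNot files (needs a registry or scanner fix):")
    print("\n".join(result["other"]))
    print(f"\nAlready disinfected by ActiveScan: {result['already_cleaned']}")
```

The files list comes out in report order, once per path, which is the form the Killbox "Paste from Clipboard" step wants; note that the duplicated `E6F1873B.DLL` line in the hand-built list later in this thread is exactly the kind of slip the dedupe avoids. A `???` wildcard such as `YSBactivex.???` is passed through as a file entry because that is how the report names it; whether the deletion tool expands it is for the person running it to confirm.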

#24
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please read these instructions carefully - We're using Killbox a different way from last time!

I need you to copy all of the Killbox instructions below and paste them into Notepad and save it.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C:

C:\WINDOWS\system32\wsxsvc\wsx.dll
C:\WINDOWS\system32\E6F1873B.DLL
C:\WINDOWS\system32\D0CE0C16B1.dll
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\E6F1873B.DLL
C:\WINDOWS\CERES.DLL
C:\WINDOWS\farmmext.ini
C:\WINDOWS\Downloaded Program Files\YSBactivex.???
C:\WINDOWS\system32\wsxsvc\wsx.ocx
C:\WINDOWS\system32\stlb2.xml
C:\WINDOWS\system32\CALSP.DLL
C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
C:\WINDOWS\deskbar.ini
C:\WINDOWS\delprot.ini
C:\Documents and Settings\MDG\Application Data\Sskknwrd.dll
C:\keys.ini


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After your computer reboots, please download Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:
  • Reboot into Safe Mode, then run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
After running Ewido, while still in Safe Mode, delete these folders:

C:\WINDOWS\system32\wsxsvc
C:\Program Files\PerfectNav
C:\Program Files\AdDestroyer
C:\WINDOWS\inst
C:\Program Files\windows controlad

Reboot your machine into normal mode and post a new HiJackThis log along with the ewido .txt log file you saved.

Edited by bananafanafo, 06 May 2005 - 04:10 AM.

  • 0

#25
markjohannsson

    Member

  • Topic Starter
  • Member
  • 15 posts
Okay, all finished. First off, just in case this means anything, since the last two sets of fixes we've been doing, I now get these two messages coming up on starting windows:

RUNDLL
Error loading D0CE0C16B1
The specified module could not be found

RUNDLL
Error loading E6F1873B.DLL
The specified module could not be found


Now the ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:37:54 AM, 5/7/2005
+ Report-Checksum: 78B153A3

+ Date of database: 5/6/2005
+ Version of scan engine: v3.0

+ Duration: 61 min
+ Scanned Files: 95639
+ Speed: 26.02 Files/Second
+ Infected files: 96
+ Removed files: 96
+ Files put in quarantine: 96
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\system32\carules.dll -> Spyware.CouponAge -> Cleaned with backup
C:\Documents and Settings\MDG\Cookies\mdg@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP278\A0032601.exe -> Spyware.AdURL.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP280\A0032660.exe -> TrojanDownloader.Agent.hw -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP281\A0032729.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP282\A0032756.exe -> TrojanDropper.Small.fl -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP283\A0032874.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP283\A0032881.exe -> Spyware.AdURL.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP284\A0032917.exe -> TrojanDropper.Small.fl -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP285\A0032942.exe -> Spyware.ISearch.d -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP285\A0033009.DLL -> TrojanDownloader.Agent.br -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP285\A0033011.DLL -> TrojanDownloader.Braidupdate.d -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP287\A0033171.exe -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP287\A0033178.exe -> Spyware.VirtualBouncer.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP287\A0033220.exe -> Spyware.DealHelper.aa -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP287\A0033222.exe -> Spyware.AdURL.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP287\A0033225.SYS -> Trojan.Delprot.a -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP287\A0033226.exe -> Trojan.Isearch -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP287\A0033228.DLL -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP287\A0033229.exe -> Spyware.Isearch -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP287\A0033230.DLL -> Spyware.Isearch.a -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP287\A0033231.EXE -> Spyware.ISearch.d -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP287\A0033232.DLL -> Spyware.ISearch.d -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP288\A0033462.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP290\A0033468.exe -> Spyware.ISearch.d -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP290\A0033471.exe -> TrojanDropper.Small.fl -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP290\A0033483.exe -> Spyware.DealHelper.aa -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP290\A0033532.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP290\A0033533.exe -> Spyware.AdURL.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP290\A0033535.exe -> Spyware.ISearch.d -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP290\A0033549.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP291\A0033550.exe -> Spyware.AdURL.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP291\A0033555.exe -> TrojanDropper.Small.fl -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP291\A0033586.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP291\A0033593.exe -> TrojanDropper.Small.fl -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP291\A0033626.exe -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP291\A0033627.exe -> Spyware.VirtualBouncer.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP291\A0033692.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP291\A0033710.exe -> Spyware.AdURL.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP292\A0033719.exe -> TrojanDropper.Small.fl -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP292\A0033773.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP292\A0033774.exe -> Spyware.AdURL.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP293\A0033779.exe -> TrojanDropper.Small.fl -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP293\A0033793.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP293\A0033794.exe -> Spyware.AdURL.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP294\A0033797.exe -> TrojanDropper.Small.fl -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP294\A0033823.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP294\A0033826.exe -> Spyware.AdURL.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP295\A0033917.exe -> Spyware.AdURL.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP298\A0034260.exe -> Spyware.VirtualBouncer.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP299\A0034460.exe -> Spyware.Ucmore.a -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP299\A0034464.EXE -> Spyware.MyWay.b -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP299\A0034466.DLL -> Spyware.MyWay.e -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP299\A0034469.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP299\A0034476.EXE -> TrojanDropper.SurfSide.a -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP299\A0034479.EXE -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP303\A0035706.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP306\A0036129.EXE -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP306\A0036146.dll -> TrojanDownloader.Braidupdate.d -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP306\A0036147.DLL -> Spyware.SmartPops -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP306\A0036148.exe -> Spyware.SmartPops -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP306\A0036150.exe -> Spyware.Altnet.b -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP308\A0036326.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP310\A0037436.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP310\A0037437.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP312\A0037717.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP313\A0037836.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP313\A0037838.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP314\A0037876.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP314\A0037958.dll -> Spyware.Look2Me.ab -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP314\A0037961.dll -> Spyware.Look2Me.ab -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP317\A0038151.exe -> Spyware.VirtualBouncer.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP317\A0038162.exe -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP319\A0038237.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP319\A0038239.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP320\A0038247.exe -> TrojanDownloader.Qoologoc.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP320\A0038284.DLL -> TrojanDownloader.Braidupdate.d -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP320\A0038285.DLL -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP320\A0038286.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038371.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038372.exe -> Spyware.AdURL.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038391.dll -> Spyware.ISearch.d -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038392.exe -> Spyware.ISearch.d -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038393.dll -> Spyware.Isearch.a -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038394.exe -> Spyware.Isearch -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038395.dll -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038396.exe -> Trojan.Isearch -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038399.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038409.EXE -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038432.dll -> Spyware.Small.et -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038447.DLL -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038448.DLL -> TrojanDownloader.Braidupdate.d -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038450.EXE -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038451.DLL -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038453.ocx -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
C:\System Volume Information\_restore{CAA15EBE-7C28-47DF-9D3D-9A241BC1A184}\RP322\A0038454.DLL -> TrojanDownloader.Agent.br -> Cleaned with backup


::Report End


And the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:44:07 AM, on 5/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Highjack this\HijackThis.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093256666546
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\aza809fue.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\dgmsrpcn.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\i424lefq1h2e.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

#26
Michelle
    Malware Removal Goddess
  • Retired Staff
RUNDLL
Error loading D0CE0C16B1
The specified module could not be found

RUNDLL
Error loading E6F1873B.DLL
The specified module could not be found

This is a good thing! It's because these files were loading on startup; we killed the files, but your system is still trying to load them on startup (because we haven't removed them with HijackThis yet).

Now, I'm going to work on your log! I'll brb!

#27
Michelle
    Malware Removal Goddess
  • Retired Staff
Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis and place a check next to the following items and click FIX CHECKED:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O2 - BHO: (no name) - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - (no file)

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\aza809fue.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\dgmsrpcn.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\i424lefq1h2e.dll (file missing)


Reboot into Safe Mode and delete this file:
C:\WINDOWS\system32\xqrzf.dll

Post a new HiJackThis log!
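
Michelle's fix list in #27 comes from reading the #25 log by hand, and the rundll32 boxes in #26 are the symptom of the same Run entries outliving their DLLs. As an added example, not part of this thread or of HijackThis itself, the Python below applies those same reading rules to HijackThis v1.99 log lines: R0/R1 start or search pages that are blanked or served from a res:// path inside a local DLL, O2/O3 entries marked (no file), O4 rundll32.exe entries that name a module with no path, O4 entries launched from directories the logs tied to the infection, any text/html O18 filter, and O20 Winlogon Notify packages marked (file missing). The SUSPECT_DIRS blocklist is an assumption for demonstration, the function names (triage, fix_list) are mine, and the sample lines are copied from the log posted in #25.

```python
import re

# HijackThis v1.99.1 line shapes, as seen in the logs posted in this thread:
#   R1 - HKLM\Software\...\Main,Search Page = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044
#   O2 - BHO: (no name) - {CLSID} - (no file)
#   O4 - HKLM\..\Run: [name] command line
#   O18 - Filter: text/html - {CLSID} - C:\WINDOWS\isrvs\mfiltis.dll
#   O20 - Winlogon Notify: name - C:\WINDOWS\system32\x.dll (file missing)
ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^HK(?P<hive>LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumption: a tiny blocklist of directories that this thread's logs tie to the
# ISearch/Qoologic infection. A real tool would carry a much larger signature set.
SUSPECT_DIRS = (r"c:\windows\isrvs", r"c:\windows\system32\wsxsvc")


def triage(line):
    """Return a reason to fix this HijackThis line, or None if it looks benign."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    low = body.lower()
    if kind in ("R0", "R1"):
        if "res://" in low:
            return "search/default URL served from inside a local DLL (CWS-style hijack)"
        if low.endswith("= about:blank") or low.endswith("start page ="):
            return "start/default page blanked by a hijacker"
        return None
    if kind in ("O2", "O3") and "(no file)" in low:
        return "orphaned BHO/toolbar CLSID, its DLL is already gone"
    if kind == "O4":
        run = RUN_ENTRY.match(body)
        if not run:
            return None
        cmd = run.group("cmd").strip()
        if cmd.lower().startswith("rundll32.exe "):
            module = cmd.split(None, 1)[1].split(",", 1)[0]
            # An unpathed module is what produces the "Error loading ..." rundll32
            # box at logon once the file has been killed. Heuristic only: stock
            # Windows entries can also name a DLL or CPL without a directory.
            if "\\" not in module:
                return "rundll32 autorun of unpathed module %s" % module
        if any(cmd.lower().lstrip('"').startswith(d) for d in SUSPECT_DIRS):
            return "autorun from a directory planted by the infection"
        return None
    if kind == "O18" and low.startswith("filter: text/html"):
        return "text/html MIME filter: sees and can rewrite every page IE renders"
    if kind == "O20" and "(file missing)" in low:
        return "Winlogon Notify package whose DLL is gone; still loaded by winlogon at boot"
    return None


def fix_list(lines):
    """Lines to tick in HijackThis, in log order, each paired with the reason."""
    out = []
    for line in lines:
        reason = triage(line)
        if reason:
            out.append((line.strip(), reason))
    return out


# Constructed sample: a subset of the log posted in #25, benign lines included.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xqrzf.dll/sp.html#14044",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1",
    r"O2 - BHO: (no name) - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - (no file)",
    r"O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll",
    r"O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe",
    r"O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C",
    r"O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1",
    r"O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe",
    r"O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u",
    r"O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE",
    r"O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll",
    r"O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll",
    r"O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\aza809fue.dll (file missing)",
]

if __name__ == "__main__":
    for entry, why in fix_list(SAMPLE_LOG):
        print("%-80s  <- %s" % (entry[:80], why))
```

The output is a review list, not a delete list: the unpathed-rundll32 rule will also catch legitimate entries that load a stock Windows DLL by bare name, which is the same caveat Find It prints at the top of its own report.
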

#28
markjohannsson
    Member
  • Topic Starter
Okay, the only thing that didn't work was the very last step. Upon rebooting in Safe Mode, I couldn't find the file:

C:\WINDOWS\system32\xqrzf.dll


Here's the HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 4:25:13 PM, on 5/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Highjack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093256666546
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

btw - I can already see huge improvements in the computer's performance! (but you probably knew that would happen) :tazz:

#29
Michelle
    Malware Removal Goddess
  • Retired Staff
Your log looks so, so much better! (Nothing else to get rid of on it! :tazz: )

So let's go back to this part, just to make sure there aren't any remnants of the CoolWebSearch infection.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continuously tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run AboutBuster and save the logs
*Browse to where you saved AboutBuster and run AboutBuster.exe.
*Click "OK" at the directions Read: Important! prompt.
*Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
*Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
*Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
*When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
Click "Exit" and "Exit" again to exit AboutBuster.

Run CleanUp!
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
Reconfigure Ad-Aware for Full Scan as per the following instructions:
In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
5) Scan my IE Favorites for banned URLs
6) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom left side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects.

Reboot in normal mode.

Then, we have to make absolutely sure Narrator/Qoologic is gone (a trojan which showed up in your first log).

*Download finditnt2000xp.zip
*Unzip the contents of finditnt2000xp.zip to a convenient location.
*Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
*A command prompt will open and it will search your computer for malicious files (takes a while!).
*Once it has finished a Notepad window will pop up with output.txt.
*Copy the entire contents of output.txt into your next post.

We're almost there!!!
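
The Find It output asked for here dumps the Winlogon\Notify keys in REGEDIT4 form, and most of the triage is just reading which DLL each package loads. That is harder than it looks because the value is written three ways: as a plain quoted string, as a hex(2) byte list with one ANSI byte per character (Find It), or as UTF-16 byte pairs such as 63,00,72,00,... (the L2MFix log earlier in this thread). As an added example, not part of the thread or of the Find It tool, here is a Python parser that decodes all three spellings and lists the packages whose DLL is not in a baseline. The baseline set is an assumption: the DLLs a stock XP SP2 install registers as they appear in the dump (crypt32, cryptnet, cscdll, wlnotify, sclgntfy) plus Intel's igfxsrvc.dll; the sample dump is constructed from entries posted in this thread, with the "MS-DOS Emulation" package from the #25 HijackThis log added back so there is something to flag.

```python
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: the notification DLLs a stock XP SP2 install registers (those in the
# dump above) plus Intel's igfxsrvc.dll, which the thread's logs show as legitimate.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
                 "sclgntfy.dll", "igfxsrvc.dll"}


def decode_sz(data):
    """Decode a REG_SZ/REG_EXPAND_SZ byte list. L2MFix writes UTF-16LE pairs
    (63,00,72,00,...); Find It writes one ANSI byte per character (63,72,79,...)."""
    if len(data) >= 2 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        return data.decode("utf-16-le").rstrip("\x00")
    return data.decode("latin-1").rstrip("\x00")


def decode_value(raw):
    """Decode one REGEDIT4 value: a quoted string, dword:xxxxxxxx or hex(N):aa,bb,..."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw, re.I)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        kind = int(m.group(1) or 3)       # bare "hex:" is REG_BINARY (type 3)
        return decode_sz(data) if kind in (1, 2) else data   # 1 REG_SZ, 2 REG_EXPAND_SZ
    return raw


def parse_regedit4(text):
    """Return {key path: {value name: decoded value}} for a .reg style dump."""
    keys, current, pending = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if pending is not None:           # continuation of a hex list split with "\"
            s, pending = pending + s, None
        if s.endswith("\\"):
            pending = s[:-1]
            continue
        if not s or s.startswith((";", "REGEDIT", "Windows Registry Editor")):
            continue
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in s:
            continue
        name, _, value = s.partition("=")
        name = name.strip().strip('"')
        keys[current]["" if name == "@" else name] = decode_value(value.strip())
    return keys


def notify_packages(keys):
    """Map each Winlogon Notify subkey to the DLL it loads (None if no DllName)."""
    prefix = NOTIFY_KEY.lower() + "\\"
    out = {}
    for key, values in keys.items():
        if key.lower().startswith(prefix):
            dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
            out[key[len(prefix):]] = dll
    return out


def flag_unknown(packages):
    """Subkeys whose DLL is absent or outside the baseline. Every package here is
    loaded into winlogon.exe at boot, so anything unexplained deserves a look."""
    return sorted(sub for sub, dll in packages.items()
                  if not dll or dll.lower().rsplit("\\", 1)[-1] not in BASELINE_DLLS)


# Constructed sample: entries from the dump posted above in both hex spellings,
# plus the "MS-DOS Emulation" package from the HijackThis log in #25.
SAMPLE_DUMP = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"DllName"="aza809fue.dll"
"Impersonate"=dword:00000000
"""

if __name__ == "__main__":
    packages = notify_packages(parse_regedit4(SAMPLE_DUMP))
    for sub, dll in sorted(packages.items()):
        print("%-18s %s" % (sub, dll))
    print("review:", flag_unknown(packages))
```

Why the Notify keys get this attention: a Winlogon notification package is loaded into winlogon.exe at boot and its event handlers run in winlogon's context; Impersonate=0 means they do not even drop to the logging-on user. That is why a stale entry still pointing at a deleted DLL such as aza809fue.dll is removed even though the file itself is already gone.
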

#30
markjohannsson
    Member
  • Topic Starter
I'm so excited!!! Computer's running sooooooooooooo much better!!!!

Here's the log from Find It:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Program Files\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3F5D-29DB

Directory of C:\WINDOWS\System32

09/09/2003 01:46 AM <DIR> Microsoft
09/09/2003 01:20 AM <DIR> dllcache
0 File(s) 0 bytes
2 Dir(s) 126,474,878,976 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3F5D-29DB

Directory of C:\WINDOWS\System32

01/22/2005 09:43 AM <DIR> vmss
09/09/2003 01:32 AM 488 logonui.exe.manifest
09/09/2003 01:32 AM 488 WindowsLogon.manifest
09/09/2003 01:32 AM 749 sapi.cpl.manifest
09/09/2003 01:32 AM 749 wuaucpl.cpl.manifest
09/09/2003 01:32 AM 749 cdplayer.exe.manifest
09/09/2003 01:32 AM 749 nwc.cpl.manifest
09/09/2003 01:32 AM 749 ncpa.cpl.manifest
09/09/2003 01:20 AM <DIR> dllcache
7 File(s) 4,721 bytes
2 Dir(s) 126,474,846,208 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 3F5D-29DB

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 3F5D-29DB

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

No matches found.

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"SoundMan"="SOUNDMAN.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"AceGain LiveUpdate"="C:\\Program Files\\AceGain\\LiveUpdate\\LiveUpdate.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"MPFExe"="C:\\PROGRA~1\\MCAFEE.COM\\PERSON~1\\MPFTRAY.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


