Welcome to Geeks to Go - Register now for FREE

multiple trojans, malware, viruses, etc.


  • This topic is locked

#1
anita1973

    Member

  • Member
  • 55 posts
I "rescued" a discarded Gateway E-4200 computer with win 2000 on it. It runs very slow. I ran adaware, spybot and Command antivirus. All found numerous viruses, trojans or malware. Some problems could not be disinfected by these programs. I tried to manually delete some of the viruses but the computer said they were in use and wouldn't let me delete them. I ran Command antivirus in Safe Mode and it still couldn't get rid of all the viruses, etc. I just ran Hijackthis and was hoping someone would interpret the results and tell me what to delete.

I'm not really a computer wiz but know a little. Please give instructions with simple me in mind. I've never seen a computer that had so much crud on it. So far, I think the only things wrong with this computer are the viruses, etc. It had an outdated antivirus program on it and no anti-spyware software. Thanks for any help. Here are the results of the Hijackthis scan:

Logfile of HijackThis v1.99.1
Scan saved at 2:02:19 AM, on 11/25/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\netdde.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\LTMSG.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\NZSearch\nzspc.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.como'p
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINNT\system32\ws_3s32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [mfckh32.exe] C:\WINNT\mfckh32.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Microsoft Windows System] wegmhaaa.exe
O4 - HKLM\..\Run: [rpfmdeek] C:\WINNT\system32\rpfmdeek.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] wegmhaaa.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [rpfmdeek] C:\WINNT\system32\rpfmdeek.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O20 - AppInit_DLLs: C:\WINNT\system32\dekusemk.dll
O20 - Winlogon Notify: biyvkfcn - C:\WINNT\SYSTEM32\biyvkfcn.dll
O20 - Winlogon Notify: bkkqnwut - C:\WINNT\SYSTEM32\bkkqnwut.dll
O20 - Winlogon Notify: elyutudy - C:\WINNT\SYSTEM32\elyutudy.dll
O20 - Winlogon Notify: gkargbkc - C:\WINNT\SYSTEM32\gkargbkc.dll
O20 - Winlogon Notify: iwukhwmn - C:\WINNT\SYSTEM32\iwukhwmn.dll
O20 - Winlogon Notify: kyjrhyoi - C:\WINNT\SYSTEM32\kyjrhyoi.dll
O20 - Winlogon Notify: lkcdmefe - C:\WINNT\SYSTEM32\lkcdmefe.dll
O20 - Winlogon Notify: mcetijni - C:\WINNT\SYSTEM32\mcetijni.dll
O20 - Winlogon Notify: mwssallj - C:\WINNT\SYSTEM32\mwssallj.dll
O20 - Winlogon Notify: njlrmjqn - C:\WINNT\SYSTEM32\njlrmjqn.dll
O20 - Winlogon Notify: skyctewh - C:\WINNT\SYSTEM32\skyctewh.dll
O20 - Winlogon Notify: slgkdcgc - C:\WINNT\SYSTEM32\slgkdcgc.dll
O20 - Winlogon Notify: uhhccwsc - C:\WINNT\SYSTEM32\uhhccwsc.dll
O20 - Winlogon Notify: wgabvwci - C:\WINNT\SYSTEM32\wgabvwci.dll
O20 - Winlogon Notify: wipixspg - C:\WINNT\SYSTEM32\wipixspg.dll
O20 - Winlogon Notify: ws_3s32 - C:\WINNT\SYSTEM32\ws_3s32.dll
O20 - Winlogon Notify: ygevlqqq - C:\WINNT\SYSTEM32\ygevlqqq.dll
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: BK Bossd - Unknown owner - C:\CS3000\PROGRAM\BKHBosSvc.exe (file missing)
O23 - Service: BK FMS - Unknown owner - C:\CS3000\PROGRAM\BKHFms.exe (file missing)
O23 - Service: BK Logd - Unknown owner - C:\CS3000\Program\BKCLogSvr.exe (file missing)
O23 - Service: BK OPKB - Unknown owner - C:\CS3000\PROGRAM\BKHOPKBService.exe (file missing)
O23 - Service: BK ROOT - Unknown owner - C:\CS3000\Program\BKCRoot.exe (file missing)
O23 - Service: BK SIMMGR - Unknown owner - C:\CS3000\program\BKESimmgr.exe"/s (file missing)
O23 - Service: BK SyncTime - Unknown owner - C:\CS3000\PROGRAM\BKNSyncTime.exe (file missing)
O23 - Service: BK Timerd - Unknown owner - C:\WINNT\system32\TimerNthmi.exe
O23 - Service: BK Vhfd - Unknown owner - C:\WINNT\system32\VhfNthmi.exe
O23 - Service: BK Vhfd_SM - Unknown owner - C:\WINNT\system32\VhfNthmiSM.exe
O23 - Service: BK VLmon - Unknown owner - C:\WINNT\system32\BKNVLmon.exe
O23 - Service: BK WDT - Unknown owner - C:\WINNT\system32\BKNWdt.exe
O23 - Service: BK Web Data Source Server - Unknown owner - C:\CS3000\Program\BKHDataServer.exe (file missing)
O23 - Service: BK Web Extended Data Souce Server - Unknown owner - C:\CS3000\Program\BKHExtendedDataServer.exe (file missing)
O23 - Service: BK Web Trend Data Source Server - Unknown owner - C:\CS3000\Program\BKHTrendDataServer.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: OPCEnum (OpcEnum) - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: PI-Ping Data Measurement Program (basic version) (piping_basic) - Unknown owner - C:\Program Files\pipc\Interfaces\PING_basic\piping_basic.exe (file missing)
O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing)
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
  • 0


#2
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Please download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HJT log.

  • 0

#3
anita1973

    Member

  • Topic Starter
  • Member
  • 55 posts
Thanks so much for your response! I ran the SuperAntiSpyware program and here is the log:

SUPERAntiSpyware Scan Log
Generated 11/25/2006 at 01:47 PM

Application Version : 3.3.1020

Core Rules Database Version : 3107
Trace Rules Database Version: 1133

Scan type : Complete Scan
Total Scan Time : 01:05:22

Memory items scanned : 328
Memory threats detected : 0
Registry items scanned : 6823
Registry threats detected : 17
File items scanned : 44564
File threats detected : 108

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@roiservice[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@superstats[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@admarketplace[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@dealtime[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@qnsr[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1070246910[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@nextag[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cj[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adorigin[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@indextools[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@belnk[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adknowledge[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@regalinteractive[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bizrate[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@42572515[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cedarstore[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@indexstats[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@41186290[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@spamblockerutility[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1066950392[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@46473808[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@70307935[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@92267575[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@clickability[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1069811017[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@7153726[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@49111037[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@partner2profit[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@21375168[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@55698692[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@keywordmax[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@88287119[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@c[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1070875379[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@straight3[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1072615367[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@belnk[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@burstnet[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@falkag[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@nextag[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tacoda[2].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt
C:\WINNT\Cookies\[email protected][2].txt
C:\WINNT\Cookies\administrator@atwola[1].txt
C:\WINNT\Cookies\[email protected][1].txt
C:\WINNT\Cookies\[email protected][1].txt
C:\WINNT\Cookies\administrator@nextag[2].txt
C:\WINNT\Cookies\[email protected][2].txt
C:\WINNT\Cookies\[email protected][1].txt
C:\WINNT\Cookies\[email protected][2].txt
C:\WINNT\Cookies\[email protected][1].txt
C:\WINNT\Cookies\[email protected][1].txt
C:\WINNT\Cookies\[email protected][1].txt

Unclassified.Unknown Origin
HKCR\CLSID\{F5FEE936-897D-3DD4-5340-AE9ECDA4010E}
HKCR\CLSID\{F5FEE936-897D-3DD4-5340-AE9ECDA4010E}\Data
C:\MS32.TMP

Parasite.CoolWebSearch Variant
HKCR\CLSID\{FA5F020A-4CB6-3D19-569C-35F571234778}
HKCR\CLSID\{FA5F020A-4CB6-3D19-569C-35F571234778}\Data

Adware.Vundo Variant
HKCR\CLSID\{F85E86D8-F796-4C97-AAA2-26664A98A42C}
HKCR\CLSID\{F85E86D8-F796-4C97-AAA2-26664A98A42C}#AppID
HKCR\CLSID\{F85E86D8-F796-4C97-AAA2-26664A98A42C}\InprocServer32
HKCR\CLSID\{F85E86D8-F796-4C97-AAA2-26664A98A42C}\InprocServer32#ThreadingModel
HKCR\CLSID\{F85E86D8-F796-4C97-AAA2-26664A98A42C}\ProgID
HKCR\CLSID\{F85E86D8-F796-4C97-AAA2-26664A98A42C}\Programmable
HKCR\CLSID\{F85E86D8-F796-4C97-AAA2-26664A98A42C}\TypeLib
HKCR\CLSID\{F85E86D8-F796-4C97-AAA2-26664A98A42C}\VersionIndependentProgID

Trojan.Vundo
HKCR\IEpl.IEpl
HKCR\IEpl.IEpl\CLSID
HKCR\IEpl.IEpl\CurVer
HKCR\IEpl.IEPl.1
HKCR\IEpl.IEPl.1\CLSID

Trojan.Command/Root
C:\COMMAND.EXE

Trojan.Downloader-Crew
C:\WINNT\SYSTEM32\HBTMMNUX.DLL
C:\WINNT\SYSTEM32\JPNQYNEQ.DLL
C:\WINNT\SYSTEM32\NRMTUWPG.DLL
C:\WINNT\SYSTEM32\PWLFMECU.DLL
  • 0

#4
anita1973

    Member

  • Topic Starter
  • Member
  • 55 posts
I forgot to give you the new HijackThis scan log, sorry:

Logfile of HijackThis v1.99.1
Scan saved at 2:27:21 PM, on 11/25/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\netdde.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\LTMSG.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle....bin/scraper.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.como'p
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINNT\system32\ws_3s32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [mfckh32.exe] C:\WINNT\mfckh32.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Microsoft Windows System] wegmhaaa.exe
O4 - HKLM\..\Run: [rpfmdeek] C:\WINNT\system32\rpfmdeek.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] wegmhaaa.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [rpfmdeek] C:\WINNT\system32\rpfmdeek.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O20 - AppInit_DLLs: C:\WINNT\system32\dekusemk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: biyvkfcn - C:\WINNT\SYSTEM32\biyvkfcn.dll
O20 - Winlogon Notify: bkkqnwut - C:\WINNT\SYSTEM32\bkkqnwut.dll
O20 - Winlogon Notify: elyutudy - C:\WINNT\SYSTEM32\elyutudy.dll
O20 - Winlogon Notify: gkargbkc - C:\WINNT\SYSTEM32\gkargbkc.dll
O20 - Winlogon Notify: iwukhwmn - C:\WINNT\SYSTEM32\iwukhwmn.dll
O20 - Winlogon Notify: kyjrhyoi - C:\WINNT\SYSTEM32\kyjrhyoi.dll
O20 - Winlogon Notify: lkcdmefe - C:\WINNT\SYSTEM32\lkcdmefe.dll
O20 - Winlogon Notify: mcetijni - C:\WINNT\SYSTEM32\mcetijni.dll
O20 - Winlogon Notify: mwssallj - C:\WINNT\SYSTEM32\mwssallj.dll
O20 - Winlogon Notify: njlrmjqn - C:\WINNT\SYSTEM32\njlrmjqn.dll
O20 - Winlogon Notify: skyctewh - C:\WINNT\SYSTEM32\skyctewh.dll
O20 - Winlogon Notify: slgkdcgc - C:\WINNT\SYSTEM32\slgkdcgc.dll
O20 - Winlogon Notify: uhhccwsc - C:\WINNT\SYSTEM32\uhhccwsc.dll
O20 - Winlogon Notify: wgabvwci - C:\WINNT\SYSTEM32\wgabvwci.dll
O20 - Winlogon Notify: wipixspg - C:\WINNT\SYSTEM32\wipixspg.dll
O20 - Winlogon Notify: ws_3s32 - C:\WINNT\SYSTEM32\ws_3s32.dll
O20 - Winlogon Notify: ygevlqqq - C:\WINNT\SYSTEM32\ygevlqqq.dll
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: BK Bossd - Unknown owner - C:\CS3000\PROGRAM\BKHBosSvc.exe (file missing)
O23 - Service: BK FMS - Unknown owner - C:\CS3000\PROGRAM\BKHFms.exe (file missing)
O23 - Service: BK Logd - Unknown owner - C:\CS3000\Program\BKCLogSvr.exe (file missing)
O23 - Service: BK OPKB - Unknown owner - C:\CS3000\PROGRAM\BKHOPKBService.exe (file missing)
O23 - Service: BK ROOT - Unknown owner - C:\CS3000\Program\BKCRoot.exe (file missing)
O23 - Service: BK SIMMGR - Unknown owner - C:\CS3000\program\BKESimmgr.exe"/s (file missing)
O23 - Service: BK SyncTime - Unknown owner - C:\CS3000\PROGRAM\BKNSyncTime.exe (file missing)
O23 - Service: BK Timerd - Unknown owner - C:\WINNT\system32\TimerNthmi.exe
O23 - Service: BK Vhfd - Unknown owner - C:\WINNT\system32\VhfNthmi.exe
O23 - Service: BK Vhfd_SM - Unknown owner - C:\WINNT\system32\VhfNthmiSM.exe
O23 - Service: BK VLmon - Unknown owner - C:\WINNT\system32\BKNVLmon.exe
O23 - Service: BK WDT - Unknown owner - C:\WINNT\system32\BKNWdt.exe
O23 - Service: BK Web Data Source Server - Unknown owner - C:\CS3000\Program\BKHDataServer.exe (file missing)
O23 - Service: BK Web Extended Data Souce Server - Unknown owner - C:\CS3000\Program\BKHExtendedDataServer.exe (file missing)
O23 - Service: BK Web Trend Data Source Server - Unknown owner - C:\CS3000\Program\BKHTrendDataServer.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: OPCEnum (OpcEnum) - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: PI-Ping Data Measurement Program (basic version) (piping_basic) - Unknown owner - C:\Program Files\pipc\Interfaces\PING_basic\piping_basic.exe (file missing)
O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing)
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
  • 0

#5
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINNT\system32\ws_3s32.dll
O4 - HKLM\..\Run: [mfckh32.exe] C:\WINNT\mfckh32.exe
O4 - HKLM\..\Run: [Microsoft Windows System] wegmhaaa.exe
O4 - HKLM\..\Run: [rpfmdeek] C:\WINNT\system32\rpfmdeek.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] wegmhaaa.exe
O4 - HKCU\..\Run: [rpfmdeek] C:\WINNT\system32\rpfmdeek.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O20 - AppInit_DLLs: C:\WINNT\system32\dekusemk.dll
O20 - Winlogon Notify: biyvkfcn - C:\WINNT\SYSTEM32\biyvkfcn.dll
O20 - Winlogon Notify: bkkqnwut - C:\WINNT\SYSTEM32\bkkqnwut.dll
O20 - Winlogon Notify: elyutudy - C:\WINNT\SYSTEM32\elyutudy.dll
O20 - Winlogon Notify: gkargbkc - C:\WINNT\SYSTEM32\gkargbkc.dll
O20 - Winlogon Notify: iwukhwmn - C:\WINNT\SYSTEM32\iwukhwmn.dll
O20 - Winlogon Notify: kyjrhyoi - C:\WINNT\SYSTEM32\kyjrhyoi.dll
O20 - Winlogon Notify: lkcdmefe - C:\WINNT\SYSTEM32\lkcdmefe.dll
O20 - Winlogon Notify: mcetijni - C:\WINNT\SYSTEM32\mcetijni.dll
O20 - Winlogon Notify: mwssallj - C:\WINNT\SYSTEM32\mwssallj.dll
O20 - Winlogon Notify: njlrmjqn - C:\WINNT\SYSTEM32\njlrmjqn.dll
O20 - Winlogon Notify: skyctewh - C:\WINNT\SYSTEM32\skyctewh.dll
O20 - Winlogon Notify: slgkdcgc - C:\WINNT\SYSTEM32\slgkdcgc.dll
O20 - Winlogon Notify: uhhccwsc - C:\WINNT\SYSTEM32\uhhccwsc.dll
O20 - Winlogon Notify: wgabvwci - C:\WINNT\SYSTEM32\wgabvwci.dll
O20 - Winlogon Notify: wipixspg - C:\WINNT\SYSTEM32\wipixspg.dll
O20 - Winlogon Notify: ws_3s32 - C:\WINNT\SYSTEM32\ws_3s32.dll
O20 - Winlogon Notify: ygevlqqq - C:\WINNT\SYSTEM32\ygevlqqq.dll


Exit HijackThis when done. Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\rpfmdeek.exe
    C:\WINNT\system32\dekusemk.dll
    C:\WINNT\SYSTEM32\biyvkfcn.dll
    C:\WINNT\SYSTEM32\bkkqnwut.dll
    C:\WINNT\SYSTEM32\elyutudy.dll
    C:\WINNT\SYSTEM32\gkargbkc.dll
    C:\WINNT\SYSTEM32\iwukhwmn.dll
    C:\WINNT\SYSTEM32\kyjrhyoi.dll
    C:\WINNT\SYSTEM32\lkcdmefe.dll
    C:\WINNT\SYSTEM32\mcetijni.dll
    C:\WINNT\SYSTEM32\mwssallj.dll
    C:\WINNT\SYSTEM32\njlrmjqn.dll
    C:\WINNT\SYSTEM32\skyctewh.dll
    C:\WINNT\SYSTEM32\slgkdcgc.dll
    C:\WINNT\SYSTEM32\uhhccwsc.dll
    C:\WINNT\SYSTEM32\wgabvwci.dll
    C:\WINNT\SYSTEM32\wipixspg.dll
    C:\WINNT\SYSTEM32\ws_3s32.dll
    C:\WINNT\SYSTEM32\ygevlqqq.dll

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt.
If, after a while, your computer does not restart automatically, please restart it manually.

Rescan with HijackThis and post a new log here.
  • 0

#6
anita1973
    Member
  • Topic Starter
  • Member
  • 55 posts
:whistling: I did all you said and here is the latest HijackThis scan log:

Logfile of HijackThis v1.99.1
Scan saved at 6:39:38 PM, on 11/25/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\netdde.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\LTMSG.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Documents and Settings\Administrator\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle....bin/scraper.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.como'p
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINNT\system32\ws_3s32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: aqdywclx - C:\WINNT\SYSTEM32\aqdywclx.dll
O20 - Winlogon Notify: biyvkfcn - C:\WINNT\SYSTEM32\biyvkfcn.dll
O20 - Winlogon Notify: bkkqnwut - C:\WINNT\SYSTEM32\bkkqnwut.dll
O20 - Winlogon Notify: elyutudy - C:\WINNT\SYSTEM32\elyutudy.dll
O20 - Winlogon Notify: gkargbkc - C:\WINNT\SYSTEM32\gkargbkc.dll
O20 - Winlogon Notify: iwukhwmn - C:\WINNT\SYSTEM32\iwukhwmn.dll
O20 - Winlogon Notify: kyjrhyoi - C:\WINNT\SYSTEM32\kyjrhyoi.dll
O20 - Winlogon Notify: lkcdmefe - C:\WINNT\SYSTEM32\lkcdmefe.dll
O20 - Winlogon Notify: mcetijni - C:\WINNT\SYSTEM32\mcetijni.dll
O20 - Winlogon Notify: mwssallj - C:\WINNT\SYSTEM32\mwssallj.dll
O20 - Winlogon Notify: njlrmjqn - C:\WINNT\SYSTEM32\njlrmjqn.dll
O20 - Winlogon Notify: skyctewh - C:\WINNT\SYSTEM32\skyctewh.dll
O20 - Winlogon Notify: slgkdcgc - C:\WINNT\SYSTEM32\slgkdcgc.dll
O20 - Winlogon Notify: uhhccwsc - C:\WINNT\SYSTEM32\uhhccwsc.dll
O20 - Winlogon Notify: wgabvwci - C:\WINNT\SYSTEM32\wgabvwci.dll
O20 - Winlogon Notify: wipixspg - C:\WINNT\SYSTEM32\wipixspg.dll
O20 - Winlogon Notify: ws_3s32 - C:\WINNT\SYSTEM32\ws_3s32.dll
O20 - Winlogon Notify: ygevlqqq - C:\WINNT\SYSTEM32\ygevlqqq.dll
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: BK Bossd - Unknown owner - C:\CS3000\PROGRAM\BKHBosSvc.exe (file missing)
O23 - Service: BK FMS - Unknown owner - C:\CS3000\PROGRAM\BKHFms.exe (file missing)
O23 - Service: BK Logd - Unknown owner - C:\CS3000\Program\BKCLogSvr.exe (file missing)
O23 - Service: BK OPKB - Unknown owner - C:\CS3000\PROGRAM\BKHOPKBService.exe (file missing)
O23 - Service: BK ROOT - Unknown owner - C:\CS3000\Program\BKCRoot.exe (file missing)
O23 - Service: BK SIMMGR - Unknown owner - C:\CS3000\program\BKESimmgr.exe"/s (file missing)
O23 - Service: BK SyncTime - Unknown owner - C:\CS3000\PROGRAM\BKNSyncTime.exe (file missing)
O23 - Service: BK Timerd - Unknown owner - C:\WINNT\system32\TimerNthmi.exe
O23 - Service: BK Vhfd - Unknown owner - C:\WINNT\system32\VhfNthmi.exe
O23 - Service: BK Vhfd_SM - Unknown owner - C:\WINNT\system32\VhfNthmiSM.exe
O23 - Service: BK VLmon - Unknown owner - C:\WINNT\system32\BKNVLmon.exe
O23 - Service: BK WDT - Unknown owner - C:\WINNT\system32\BKNWdt.exe
O23 - Service: BK Web Data Source Server - Unknown owner - C:\CS3000\Program\BKHDataServer.exe (file missing)
O23 - Service: BK Web Extended Data Souce Server - Unknown owner - C:\CS3000\Program\BKHExtendedDataServer.exe (file missing)
O23 - Service: BK Web Trend Data Source Server - Unknown owner - C:\CS3000\Program\BKHTrendDataServer.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: OPCEnum (OpcEnum) - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: PI-Ping Data Measurement Program (basic version) (piping_basic) - Unknown owner - C:\Program Files\pipc\Interfaces\PING_basic\piping_basic.exe (file missing)
O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing)
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
  • 0

#7
Daemon
    Security Expert
  • Retired Staff
  • 4,356 posts
  • MVP
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
  • 0

#8
anita1973
    Member
  • Topic Starter
  • Member
  • 55 posts
Boy, I'm having browser problems or something. It took me forever to get anywhere with IE. All of the things on this webpage aren't there either. I had trouble getting to the vundofix download but I finally did. I ran it and it said it didn't find anything. I re-ran HijackThis and here is its scan log:


Logfile of HijackThis v1.99.1
Scan saved at 8:05:51 PM, on 11/25/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\netdde.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\LTMSG.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Documents and Settings\Administrator\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle....bin/scraper.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.como'p
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINNT\system32\ws_3s32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: aqdywclx - C:\WINNT\SYSTEM32\aqdywclx.dll
O20 - Winlogon Notify: biyvkfcn - C:\WINNT\SYSTEM32\biyvkfcn.dll
O20 - Winlogon Notify: bkkqnwut - C:\WINNT\SYSTEM32\bkkqnwut.dll
O20 - Winlogon Notify: elyutudy - C:\WINNT\SYSTEM32\elyutudy.dll
O20 - Winlogon Notify: gkargbkc - C:\WINNT\SYSTEM32\gkargbkc.dll
O20 - Winlogon Notify: iwukhwmn - C:\WINNT\SYSTEM32\iwukhwmn.dll
O20 - Winlogon Notify: kyjrhyoi - C:\WINNT\SYSTEM32\kyjrhyoi.dll
O20 - Winlogon Notify: lkcdmefe - C:\WINNT\SYSTEM32\lkcdmefe.dll
O20 - Winlogon Notify: mcetijni - C:\WINNT\SYSTEM32\mcetijni.dll
O20 - Winlogon Notify: mwssallj - C:\WINNT\SYSTEM32\mwssallj.dll
O20 - Winlogon Notify: njlrmjqn - C:\WINNT\SYSTEM32\njlrmjqn.dll
O20 - Winlogon Notify: skyctewh - C:\WINNT\SYSTEM32\skyctewh.dll
O20 - Winlogon Notify: slgkdcgc - C:\WINNT\SYSTEM32\slgkdcgc.dll
O20 - Winlogon Notify: uhhccwsc - C:\WINNT\SYSTEM32\uhhccwsc.dll
O20 - Winlogon Notify: wgabvwci - C:\WINNT\SYSTEM32\wgabvwci.dll
O20 - Winlogon Notify: wipixspg - C:\WINNT\SYSTEM32\wipixspg.dll
O20 - Winlogon Notify: ws_3s32 - C:\WINNT\SYSTEM32\ws_3s32.dll
O20 - Winlogon Notify: ygevlqqq - C:\WINNT\SYSTEM32\ygevlqqq.dll
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: BK Bossd - Unknown owner - C:\CS3000\PROGRAM\BKHBosSvc.exe (file missing)
O23 - Service: BK FMS - Unknown owner - C:\CS3000\PROGRAM\BKHFms.exe (file missing)
O23 - Service: BK Logd - Unknown owner - C:\CS3000\Program\BKCLogSvr.exe (file missing)
O23 - Service: BK OPKB - Unknown owner - C:\CS3000\PROGRAM\BKHOPKBService.exe (file missing)
O23 - Service: BK ROOT - Unknown owner - C:\CS3000\Program\BKCRoot.exe (file missing)
O23 - Service: BK SIMMGR - Unknown owner - C:\CS3000\program\BKESimmgr.exe"/s (file missing)
O23 - Service: BK SyncTime - Unknown owner - C:\CS3000\PROGRAM\BKNSyncTime.exe (file missing)
O23 - Service: BK Timerd - Unknown owner - C:\WINNT\system32\TimerNthmi.exe
O23 - Service: BK Vhfd - Unknown owner - C:\WINNT\system32\VhfNthmi.exe
O23 - Service: BK Vhfd_SM - Unknown owner - C:\WINNT\system32\VhfNthmiSM.exe
O23 - Service: BK VLmon - Unknown owner - C:\WINNT\system32\BKNVLmon.exe
O23 - Service: BK WDT - Unknown owner - C:\WINNT\system32\BKNWdt.exe
O23 - Service: BK Web Data Source Server - Unknown owner - C:\CS3000\Program\BKHDataServer.exe (file missing)
O23 - Service: BK Web Extended Data Souce Server - Unknown owner - C:\CS3000\Program\BKHExtendedDataServer.exe (file missing)
O23 - Service: BK Web Trend Data Source Server - Unknown owner - C:\CS3000\Program\BKHTrendDataServer.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: OPCEnum (OpcEnum) - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: PI-Ping Data Measurement Program (basic version) (piping_basic) - Unknown owner - C:\Program Files\pipc\Interfaces\PING_basic\piping_basic.exe (file missing)
O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing)
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
  • 0

#9
Daemon
    Security Expert
  • Retired Staff
  • 4,356 posts
  • MVP
Hmmm... there are still signs of an infection in your log - the O2 and O20 entries that I asked you to remove earlier are still there. Do this for me. Download and run Silent Runners.vbs from HERE.

It generates a log; please post the information back in this thread.
  • 0
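The check Daemon makes above (the O2 BHO and the O20 Winlogon Notify entries surviving the HijackThis fix) can be scripted; the following Python is an added example written for this page, not a tool from the thread. It parses HijackThis-style lines (constructed samples modelled on the logs above, not a complete log), flags generated-looking DLL names and a DLL that is registered both as a BHO and as a Winlogon Notify hook, and reports which flagged entries reappear in a second log taken after a fix attempt.

```python
import re

# Constructed sample lines in HijackThis v1.99.1 format, modelled on the
# logs in this thread; not a complete log.
LOG_BEFORE = r"""
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINNT\system32\ws_3s32.dll
O4 - HKLM\..\Run: [rpfmdeek] C:\WINNT\system32\rpfmdeek.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - AppInit_DLLs: C:\WINNT\system32\dekusemk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: biyvkfcn - C:\WINNT\SYSTEM32\biyvkfcn.dll
O20 - Winlogon Notify: ws_3s32 - C:\WINNT\SYSTEM32\ws_3s32.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
"""

# Constructed "after the fix" log: the O4 and AppInit_DLLs lines are gone,
# but the BHO and the Winlogon Notify hooks came back (plus a new one).
LOG_AFTER = r"""
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINNT\system32\ws_3s32.dll
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: aqdywclx - C:\WINNT\SYSTEM32\aqdywclx.dll
O20 - Winlogon Notify: biyvkfcn - C:\WINNT\SYSTEM32\biyvkfcn.dll
O20 - Winlogon Notify: ws_3s32 - C:\WINNT\SYSTEM32\ws_3s32.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
"""

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# First Windows path on the line that ends in .dll or .exe.
PATH_RE = re.compile(r'([A-Za-z]:\\[^\r\n"]*?\.(?:dll|exe))', re.IGNORECASE)
# Eight lowercase letters and nothing else: the shape of the generated
# names in this thread (biyvkfcn, rpfmdeek, dekusemk, ...). Heuristic only.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")


def parse_hjt(text):
    """Turn HijackThis lines into dicts with section, body, path and file stem.
    Lines without a file path (e.g. '(no file)' entries) get path None."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else None
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0] if path else None
        entries.append({"section": section, "body": body, "path": path, "stem": stem})
    return entries


def looks_generated(stem):
    """True for names shaped like the random DLL/EXE names in this thread."""
    return bool(stem) and RANDOM_STEM_RE.match(stem) is not None


def triage(entries):
    """Return (reason, line) findings. A generated-looking name is a reason
    to look closer, not proof of infection: verify before deleting."""
    findings = []
    bho_paths = {e["path"].lower() for e in entries if e["section"] == "O2" and e["path"]}
    for e in entries:
        section, body, path, stem = e["section"], e["body"], e["path"], e["stem"]
        if section == "O20" and body.startswith("Winlogon Notify") and looks_generated(stem):
            findings.append(("Winlogon Notify hook with generated-looking name", body))
        if section == "O20" and body.startswith("AppInit_DLLs") and looks_generated(stem):
            findings.append(("AppInit_DLLs loads generated-looking DLL", body))
        if section == "O4" and looks_generated(stem):
            findings.append(("Run key with generated-looking name", body))
        # The ws_3s32 pattern: one DLL hooked both into IE and into winlogon,
        # so it is loaded before the desktop appears and reinstalls itself.
        if section == "O20" and path and path.lower() in bho_paths:
            findings.append(("same DLL registered as BHO and Winlogon Notify", body))
    return findings


def persisted(before_text, after_text):
    """Flagged lines from the first log that are still present in the second:
    what survived the fix and needs a different removal route."""
    before = {line for _, line in triage(parse_hjt(before_text))}
    after = {e["body"] for e in parse_hjt(after_text)}
    return sorted(before & after)


if __name__ == "__main__":
    for reason, line in triage(parse_hjt(LOG_BEFORE)):
        print(f"[{reason}] {line}")
    print("survived the fix:")
    for line in persisted(LOG_BEFORE, LOG_AFTER):
        print("  " + line)
```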

#10
anita1973
    Member
  • Topic Starter
  • Member
  • 55 posts
Here's the silentrunners scan log:

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"spc_w" = ""C:\Program Files\NZSearch\nzspc.exe" -w" ["United Online, Inc."]
"NetZero_uoltray" = "C:\Program Files\NetZero\exec.exe regrun" ["NetZero"]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"untd_recovery" = ""C:\Program Files\NetZero\qsacc\x1exec.exe"" ["NetZero, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"HP CD-Writer" = "C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe" [file not found]
"CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"CountrySelection" = "pctptt.exe" ["PCtel, Inc."]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"iexplore.exe" = "C:\Program Files\Internet Explorer\iexplore.exe" [MS]
"LTMSG" = "LTMSG.exe 7" ["Agere Systems"]
"untray" = "C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe" ["Authentium, Inc."]
"CSAV_CheckViruses" = "C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe" ["Authentium, Inc."]
"dvprpt" = "C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe" ["Authentium, Inc."]
"avtray" = "C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe" ["Authentium, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{F85E86D8-F796-4C97-AAA2-26664A98A42C}\(Default) = (no title provided)
-> {HKLM...CLSID} = "CIEPl Object"
\InProcServer32\(Default) = "C:\WINNT\system32\ws_3s32.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{e0d79300-84be-11ce-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" ["Nico Mak Computing, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> aqdywclx\DLLName = "aqdywclx.dll" [null data]
<<!>> biyvkfcn\DLLName = "biyvkfcn.dll" [null data]
<<!>> bkkqnwut\DLLName = "bkkqnwut.dll" [null data]
<<!>> elyutudy\DLLName = "elyutudy.dll" [null data]
<<!>> gkargbkc\DLLName = "gkargbkc.dll" [null data]
<<!>> iwukhwmn\DLLName = "iwukhwmn.dll" [null data]
<<!>> kyjrhyoi\DLLName = "kyjrhyoi.dll" [null data]
<<!>> lkcdmefe\DLLName = "lkcdmefe.dll" [null data]
<<!>> mcetijni\DLLName = "mcetijni.dll" [null data]
<<!>> mwssallj\DLLName = "mwssallj.dll" [null data]
<<!>> njlrmjqn\DLLName = "njlrmjqn.dll" [null data]
<<!>> skyctewh\DLLName = "skyctewh.dll" [null data]
<<!>> slgkdcgc\DLLName = "slgkdcgc.dll" [null data]
<<!>> uhhccwsc\DLLName = "uhhccwsc.dll" [null data]
<<!>> wgabvwci\DLLName = "wgabvwci.dll" [null data]
<<!>> wipixspg\DLLName = "wipixspg.dll" [null data]
<<!>> ws_3s32\DLLName = "ws_3s32.dll" [null data]
<<!>> ygevlqqq\DLLName = "ygevlqqq.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
FProtMenu\(Default) = "{4a479be0-3333-11d0-b519-00400519153f}"
-> {HKLM...CLSID} = "TxtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Authentium\Command AntiVirus\avshext.dll" ["Authentium, Inc."]
WinZip\(Default) = "{e0d79300-84be-11ce-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" ["Nico Mak Computing, Inc."]
  • 0

#11
Daemon
    Security Expert
  • Retired Staff
  • 4,356 posts
  • MVP
Download The Avenger by Swandog46, and save it to your Desktop. Extract avenger.exe from the Zip file and save it to your desktop.

Run avenger.exe by double-clicking on it.
Check the 'Input script manually' box.
Click on the magnifying glass icon.
Copy everything in the code box below (don't copy the word "CODE" in the box header, just the box contents starting at "Files to delete") and paste it in the box that opens:

WARNING: This script is not a general fix. If you are not this user, running this script could damage your system.

Files to delete:
C:\WINNT\SYSTEM32\aqdywclx.dll
C:\WINNT\SYSTEM32\biyvkfcn.dll
C:\WINNT\SYSTEM32\elyutudy.dll
C:\WINNT\SYSTEM32\gkargbkc.dll
C:\WINNT\SYSTEM32\iwukhwmn.dll
C:\WINNT\SYSTEM32\kyjrhyoi.dll
C:\WINNT\SYSTEM32\lkcdmefe.dll
C:\WINNT\SYSTEM32\mcetijni.dll
C:\WINNT\SYSTEM32\mwssallj.dll
C:\WINNT\SYSTEM32\njlrmjqn.dll
C:\WINNT\SYSTEM32\skyctewh.dll
C:\WINNT\SYSTEM32\slgkdcgc.dll
C:\WINNT\SYSTEM32\uhhccwsc.dll
C:\WINNT\SYSTEM32\wgabvwci.dll
C:\WINNT\SYSTEM32\wipixspg.dll
C:\WINNT\SYSTEM32\ws_3s32.dll
C:\WINNT\SYSTEM32\ygevlqqq.dll

Now click the 'Done' button.
Click on the traffic light icon and OK the prompt.
You will be prompted to restart; OK the prompt and your PC should reboot. If it does not, reboot it manually.

Please post a new HijackThis log and the log file from Avenger at C:\avenger.txt
  • 0

#12
anita1973
    Member
  • Topic Starter
  • Member
  • 55 posts
Here's the avenger scan log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cvglsmhs

*******************

Script file located at: \??\C:\WINNT\system32\bbmualwn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\SYSTEM32\aqdywclx.dll deleted successfully.
File C:\WINNT\SYSTEM32\biyvkfcn.dll deleted successfully.
File C:\WINNT\SYSTEM32\elyutudy.dll deleted successfully.
File C:\WINNT\SYSTEM32\gkargbkc.dll deleted successfully.
File C:\WINNT\SYSTEM32\iwukhwmn.dll deleted successfully.
File C:\WINNT\SYSTEM32\kyjrhyoi.dll deleted successfully.
File C:\WINNT\SYSTEM32\lkcdmefe.dll deleted successfully.
File C:\WINNT\SYSTEM32\mcetijni.dll deleted successfully.
File C:\WINNT\SYSTEM32\mwssallj.dll deleted successfully.
File C:\WINNT\SYSTEM32\njlrmjqn.dll deleted successfully.
File C:\WINNT\SYSTEM32\skyctewh.dll deleted successfully.
File C:\WINNT\SYSTEM32\slgkdcgc.dll deleted successfully.
File C:\WINNT\SYSTEM32\uhhccwsc.dll deleted successfully.
File C:\WINNT\SYSTEM32\wgabvwci.dll deleted successfully.
File C:\WINNT\SYSTEM32\wipixspg.dll deleted successfully.
File C:\WINNT\SYSTEM32\ws_3s32.dll deleted successfully.
File C:\WINNT\SYSTEM32\ygevlqqq.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Here's the new hijackthis scan log:

Logfile of HijackThis v1.99.1
Scan saved at 7:33:52 PM, on 11/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\netdde.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\LTMSG.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Documents and Settings\Administrator\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle....bin/scraper.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.como'p
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: aqdywclx - C:\WINNT\SYSTEM32\aqdywclx.dll
O20 - Winlogon Notify: biyvkfcn - C:\WINNT\SYSTEM32\biyvkfcn.dll
O20 - Winlogon Notify: bkkqnwut - C:\WINNT\SYSTEM32\bkkqnwut.dll
O20 - Winlogon Notify: elyutudy - C:\WINNT\SYSTEM32\elyutudy.dll
O20 - Winlogon Notify: gkargbkc - C:\WINNT\SYSTEM32\gkargbkc.dll
O20 - Winlogon Notify: iwukhwmn - C:\WINNT\SYSTEM32\iwukhwmn.dll
O20 - Winlogon Notify: kyjrhyoi - C:\WINNT\SYSTEM32\kyjrhyoi.dll
O20 - Winlogon Notify: lkcdmefe - C:\WINNT\SYSTEM32\lkcdmefe.dll
O20 - Winlogon Notify: mcetijni - C:\WINNT\SYSTEM32\mcetijni.dll
O20 - Winlogon Notify: mwssallj - C:\WINNT\SYSTEM32\mwssallj.dll
O20 - Winlogon Notify: njlrmjqn - C:\WINNT\SYSTEM32\njlrmjqn.dll
O20 - Winlogon Notify: skyctewh - C:\WINNT\SYSTEM32\skyctewh.dll
O20 - Winlogon Notify: slgkdcgc - C:\WINNT\SYSTEM32\slgkdcgc.dll
O20 - Winlogon Notify: uhhccwsc - C:\WINNT\SYSTEM32\uhhccwsc.dll
O20 - Winlogon Notify: wgabvwci - C:\WINNT\SYSTEM32\wgabvwci.dll
O20 - Winlogon Notify: wipixspg - C:\WINNT\SYSTEM32\wipixspg.dll
O20 - Winlogon Notify: ws_3s32 - ws_3s32.dll (file missing)
O20 - Winlogon Notify: ygevlqqq - C:\WINNT\SYSTEM32\ygevlqqq.dll
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: BK Bossd - Unknown owner - C:\CS3000\PROGRAM\BKHBosSvc.exe (file missing)
O23 - Service: BK FMS - Unknown owner - C:\CS3000\PROGRAM\BKHFms.exe (file missing)
O23 - Service: BK Logd - Unknown owner - C:\CS3000\Program\BKCLogSvr.exe (file missing)
O23 - Service: BK OPKB - Unknown owner - C:\CS3000\PROGRAM\BKHOPKBService.exe (file missing)
O23 - Service: BK ROOT - Unknown owner - C:\CS3000\Program\BKCRoot.exe (file missing)
O23 - Service: BK SIMMGR - Unknown owner - C:\CS3000\program\BKESimmgr.exe"/s (file missing)
O23 - Service: BK SyncTime - Unknown owner - C:\CS3000\PROGRAM\BKNSyncTime.exe (file missing)
O23 - Service: BK Timerd - Unknown owner - C:\WINNT\system32\TimerNthmi.exe
O23 - Service: BK Vhfd - Unknown owner - C:\WINNT\system32\VhfNthmi.exe
O23 - Service: BK Vhfd_SM - Unknown owner - C:\WINNT\system32\VhfNthmiSM.exe
O23 - Service: BK VLmon - Unknown owner - C:\WINNT\system32\BKNVLmon.exe
O23 - Service: BK WDT - Unknown owner - C:\WINNT\system32\BKNWdt.exe
O23 - Service: BK Web Data Source Server - Unknown owner - C:\CS3000\Program\BKHDataServer.exe (file missing)
O23 - Service: BK Web Extended Data Souce Server - Unknown owner - C:\CS3000\Program\BKHExtendedDataServer.exe (file missing)
O23 - Service: BK Web Trend Data Source Server - Unknown owner - C:\CS3000\Program\BKHTrendDataServer.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: OPCEnum (OpcEnum) - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: PI-Ping Data Measurement Program (basic version) (piping_basic) - Unknown owner - C:\Program Files\pipc\Interfaces\PING_basic\piping_basic.exe (file missing)
O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing)
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
  • 0

#13 Daemon (Security Expert, Retired Staff, 4,356 posts, MVP)
Let's see how we get on this time. Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.como'p
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: aqdywclx - C:\WINNT\SYSTEM32\aqdywclx.dll
O20 - Winlogon Notify: biyvkfcn - C:\WINNT\SYSTEM32\biyvkfcn.dll
O20 - Winlogon Notify: bkkqnwut - C:\WINNT\SYSTEM32\bkkqnwut.dll
O20 - Winlogon Notify: elyutudy - C:\WINNT\SYSTEM32\elyutudy.dll
O20 - Winlogon Notify: gkargbkc - C:\WINNT\SYSTEM32\gkargbkc.dll
O20 - Winlogon Notify: iwukhwmn - C:\WINNT\SYSTEM32\iwukhwmn.dll
O20 - Winlogon Notify: kyjrhyoi - C:\WINNT\SYSTEM32\kyjrhyoi.dll
O20 - Winlogon Notify: lkcdmefe - C:\WINNT\SYSTEM32\lkcdmefe.dll
O20 - Winlogon Notify: mcetijni - C:\WINNT\SYSTEM32\mcetijni.dll
O20 - Winlogon Notify: mwssallj - C:\WINNT\SYSTEM32\mwssallj.dll
O20 - Winlogon Notify: njlrmjqn - C:\WINNT\SYSTEM32\njlrmjqn.dll
O20 - Winlogon Notify: skyctewh - C:\WINNT\SYSTEM32\skyctewh.dll
O20 - Winlogon Notify: slgkdcgc - C:\WINNT\SYSTEM32\slgkdcgc.dll
O20 - Winlogon Notify: uhhccwsc - C:\WINNT\SYSTEM32\uhhccwsc.dll
O20 - Winlogon Notify: wgabvwci - C:\WINNT\SYSTEM32\wgabvwci.dll
O20 - Winlogon Notify: wipixspg - C:\WINNT\SYSTEM32\wipixspg.dll
O20 - Winlogon Notify: ws_3s32 - ws_3s32.dll (file missing)
O20 - Winlogon Notify: ygevlqqq - C:\WINNT\SYSTEM32\ygevlqqq.dll


Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here.

Do you know what all those services starting with BK are?
  • 0
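The triage in the reply above, as an added example that is not part of the thread: a script that applies the same rules to a HijackThis log, flagging O20 Winlogon Notify DLLs with random-looking eight-letter names in SYSTEM32 or with a missing file, O2/O3 entries with no backing file, and a ProxyOverride list containing a junk token. The KNOWN_NOTIFY allow-list and the sample lines are constructed assumptions, not output of any tool.

```python
import re

# Assumed allow-list: Winlogon Notify handlers that belong to security tools
# actually installed on the machine (SUPERAntiSpyware in this thread).
KNOWN_NOTIFY = {"!SASWinLogon"}
# Exactly eight lowercase letters: the random DLL naming seen in the log.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")
# A valid ProxyOverride token is a host name, address or wildcard pattern.
PROXY_TOKEN = re.compile(r"^[A-Za-z0-9.*_-]+$")


def triage_line(line: str):
    """Return a reason string if this HijackThis line should be fixed, else None."""
    line = line.strip()
    m = re.match(r"^O20 - Winlogon Notify: (\S+) - (.*)$", line)
    if m:
        name, target = m.groups()
        if name in KNOWN_NOTIFY:
            return None
        if "(file missing)" in target:
            return "orphaned Winlogon Notify entry"
        if RANDOM_NAME.match(name) and "SYSTEM32" in target.upper():
            return "random-named Winlogon Notify DLL in SYSTEM32"
        return None
    if re.match(r"^O[23] - ", line) and line.endswith("(no file)"):
        return "BHO/toolbar entry with no backing file"
    m = re.match(r"^R1 - .*ProxyOverride = (.*)$", line)
    if m:
        bad = [t for t in m.group(1).split(";") if not PROXY_TOKEN.match(t)]
        if bad:
            return "ProxyOverride contains junk token(s): " + ", ".join(bad)
    return None


def triage_log(text: str):
    """Return (line, reason) pairs for every entry that should be fixed."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


# Constructed sample: a handful of lines copied from the log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;localhost;*microsoft.com;*.networkassociates.como'p
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: aqdywclx - C:\WINNT\SYSTEM32\aqdywclx.dll
O20 - Winlogon Notify: ws_3s32 - ws_3s32.dll (file missing)
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(f"{why}: {entry}")
```

Known-good Winlogon Notify handlers vary by machine, so the allow-list should be built from what is actually installed before trusting the output.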

#14 anita1973 (Topic Starter, Member, 55 posts)
I have no idea what the BK service files are. The person who owned this computer had all kinds of games and [bleep] on it. I deleted a few things but know there's more. If you want to have me try and delete them, I will. If all else fails, I could re-format or wipe the drive...

Looks like some files are still there? :whistling:
Here's the new HijackThis scan log:

Logfile of HijackThis v1.99.1
Scan saved at 8:23:01 PM, on 11/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\netdde.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\LTMSG.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Documents and Settings\Administrator\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle....bin/scraper.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: aqdywclx - C:\WINNT\SYSTEM32\aqdywclx.dll
O20 - Winlogon Notify: biyvkfcn - C:\WINNT\SYSTEM32\biyvkfcn.dll
O20 - Winlogon Notify: bkkqnwut - C:\WINNT\SYSTEM32\bkkqnwut.dll
O20 - Winlogon Notify: elyutudy - C:\WINNT\SYSTEM32\elyutudy.dll
O20 - Winlogon Notify: gkargbkc - C:\WINNT\SYSTEM32\gkargbkc.dll
O20 - Winlogon Notify: iwukhwmn - C:\WINNT\SYSTEM32\iwukhwmn.dll
O20 - Winlogon Notify: kyjrhyoi - C:\WINNT\SYSTEM32\kyjrhyoi.dll
O20 - Winlogon Notify: lkcdmefe - C:\WINNT\SYSTEM32\lkcdmefe.dll
O20 - Winlogon Notify: mcetijni - C:\WINNT\SYSTEM32\mcetijni.dll
O20 - Winlogon Notify: mwssallj - C:\WINNT\SYSTEM32\mwssallj.dll
O20 - Winlogon Notify: njlrmjqn - C:\WINNT\SYSTEM32\njlrmjqn.dll
O20 - Winlogon Notify: skyctewh - C:\WINNT\SYSTEM32\skyctewh.dll
O20 - Winlogon Notify: slgkdcgc - C:\WINNT\SYSTEM32\slgkdcgc.dll
O20 - Winlogon Notify: uhhccwsc - C:\WINNT\SYSTEM32\uhhccwsc.dll
O20 - Winlogon Notify: wgabvwci - C:\WINNT\SYSTEM32\wgabvwci.dll
O20 - Winlogon Notify: wipixspg - C:\WINNT\SYSTEM32\wipixspg.dll
O20 - Winlogon Notify: ygevlqqq - C:\WINNT\SYSTEM32\ygevlqqq.dll
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: BK Bossd - Unknown owner - C:\CS3000\PROGRAM\BKHBosSvc.exe (file missing)
O23 - Service: BK FMS - Unknown owner - C:\CS3000\PROGRAM\BKHFms.exe (file missing)
O23 - Service: BK Logd - Unknown owner - C:\CS3000\Program\BKCLogSvr.exe (file missing)
O23 - Service: BK OPKB - Unknown owner - C:\CS3000\PROGRAM\BKHOPKBService.exe (file missing)
O23 - Service: BK ROOT - Unknown owner - C:\CS3000\Program\BKCRoot.exe (file missing)
O23 - Service: BK SIMMGR - Unknown owner - C:\CS3000\program\BKESimmgr.exe"/s (file missing)
O23 - Service: BK SyncTime - Unknown owner - C:\CS3000\PROGRAM\BKNSyncTime.exe (file missing)
O23 - Service: BK Timerd - Unknown owner - C:\WINNT\system32\TimerNthmi.exe
O23 - Service: BK Vhfd - Unknown owner - C:\WINNT\system32\VhfNthmi.exe
O23 - Service: BK Vhfd_SM - Unknown owner - C:\WINNT\system32\VhfNthmiSM.exe
O23 - Service: BK VLmon - Unknown owner - C:\WINNT\system32\BKNVLmon.exe
O23 - Service: BK WDT - Unknown owner - C:\WINNT\system32\BKNWdt.exe
O23 - Service: BK Web Data Source Server - Unknown owner - C:\CS3000\Program\BKHDataServer.exe (file missing)
O23 - Service: BK Web Extended Data Souce Server - Unknown owner - C:\CS3000\Program\BKHExtendedDataServer.exe (file missing)
O23 - Service: BK Web Trend Data Source Server - Unknown owner - C:\CS3000\Program\BKHTrendDataServer.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: OPCEnum (OpcEnum) - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: PI-Ping Data Measurement Program (basic version) (piping_basic) - Unknown owner - C:\Program Files\pipc\Interfaces\PING_basic\piping_basic.exe (file missing)
O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing)
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
  • 0

#15 anita1973 (Topic Starter, Member, 55 posts)
I may be totally "barking up the wrong tree" but I tried to find info on the BK service files with a Scroogle search and kept coming up with a couple of pages in Chinese (or something). I tried running parts of the pages through an online translator. Didn't help me much but I did find reference to Card Buskie. From what I can tell, it has something to do with Kaspersky antivirus, a Russian program. Could the BK service files be viruses that are deleted with this Card Buskie/Kaspersky program? I'm REALLY making a wild guess!! :whistling:

I'll be surprised if I'm ANYWHERE close to being right!! :blink:
  • 0