
Need help (resolved)


This topic is locked.

#1 beargk (Member, 15 posts)

Logfile of HijackThis v1.99.1
Scan saved at 1:23:07 PM, on 5/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Ad-Ware Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vxteg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxteg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxteg.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxteg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/e-center-p
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {5AEC2E5B-19DD-07E2-6172-3EEC429FF547} - C:\WINDOWS\ntqg32.dll
O2 - BHO: Class - {ECC0DCA3-B90A-458E-0B4B-C57DB59004F7} - C:\WINDOWS\netwd32.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [appbv32.exe] C:\WINDOWS\system32\appbv32.exe
O4 - HKLM\..\RunOnce: [winaw32.exe] C:\WINDOWS\winaw32.exe
O4 - HKLM\..\RunOnce: [ipqh.exe] C:\WINDOWS\system32\ipqh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {AC8B6F52-8AC7-4954-9887-6A26E7E6F172} (MADirectVideo Control) - http://messenger.sil...DirectVideo.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\Software\..\Telephony: DomainName = domain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{887798EB-0A07-41C1-9890-C885891BBA3F}: NameServer = 192.168.1.251
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\winaw32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#2 Guest_usetobe_* (Guest)

Hi bear,

Welcome to Geeks 2 Go. Sorry about the delay in getting to your post, we have been very busy.

Do you still require help, or are your problems resolved?

Please let me know and if you still require assistance, please post a fresh HJT log.

Regards,

Usetobe

#3 beargk (Topic Starter, Member, 15 posts)

Yes I do.

Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 9:28:13 AM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Ad-Ware Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vxteg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxteg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxteg.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxteg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/e-center-p
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1044D226-ABD5-722D-DD77-9D9C9402539A} - C:\WINDOWS\sdkqz32.dll
O2 - BHO: Class - {5AEC2E5B-19DD-07E2-6172-3EEC429FF547} - C:\WINDOWS\ntqg32.dll
O2 - BHO: Class - {7C061B06-4572-3DED-BEE5-45419ADBBEFC} - C:\WINDOWS\winfm32.dll
O2 - BHO: Class - {ECC0DCA3-B90A-458E-0B4B-C57DB59004F7} - C:\WINDOWS\netwd32.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [appbv32.exe] C:\WINDOWS\system32\appbv32.exe
O4 - HKLM\..\RunOnce: [winaw32.exe] C:\WINDOWS\winaw32.exe
O4 - HKLM\..\RunOnce: [ipqh.exe] C:\WINDOWS\system32\ipqh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {AC8B6F52-8AC7-4954-9887-6A26E7E6F172} (MADirectVideo Control) - http://messenger.sil...DirectVideo.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\Software\..\Telephony: DomainName = domain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{887798EB-0A07-41C1-9890-C885891BBA3F}: NameServer = 192.168.1.251
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\winaw32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#4 Guest_usetobe_* (Guest)

Hi Bear,

It's showtime.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Download a free 14-day trial of ewido from the link below. Install it and start it up. Follow the prompts to upgrade it, then close it down.

ewido

Set your PC to show hidden files (click the link if you do not know how): LINK

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix).

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Click Start > Run > and type in:

services.msc

Click OK.

In the Services window, find Service: Workstation NetLogon Service ( 11F#`I).
Right-click it and choose "Properties". On the "General" tab, under "Service Status", click the "Stop" button to stop the service. Beside "Startup Type", in the dropdown menu, select "Disabled". Click Apply, then OK. Exit the Services utility.


Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now scan with HJT and check the following entries if they are there. Some may have been removed by earlier procedures.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vxteg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxteg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxteg.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxteg.dll/sp.html#37049
O2 - BHO: Class - {1044D226-ABD5-722D-DD77-9D9C9402539A} - C:\WINDOWS\sdkqz32.dll
O2 - BHO: Class - {5AEC2E5B-19DD-07E2-6172-3EEC429FF547} - C:\WINDOWS\ntqg32.dll
O2 - BHO: Class - {7C061B06-4572-3DED-BEE5-45419ADBBEFC} - C:\WINDOWS\winfm32.dll
O2 - BHO: Class - {ECC0DCA3-B90A-458E-0B4B-C57DB59004F7} - C:\WINDOWS\netwd32.dll
O4 - HKLM\..\Run: [appbv32.exe] C:\WINDOWS\system32\appbv32.exe
O4 - HKLM\..\RunOnce: [winaw32.exe] C:\WINDOWS\winaw32.exe
O4 - HKLM\..\RunOnce: [ipqh.exe] C:\WINDOWS\system32\ipqh.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\winaw32.exe


Ensure no windows open except HJT and click FIX CHECKED.

Now, using Windows Explorer, locate the following files/folders and delete them if found.

C:\WINDOWS\vxteg.dll/sp.html#37049
C:\WINDOWS\sdkqz32.dll
C:\WINDOWS\ntqg32.dll
C:\WINDOWS\winfm32.dll
C:\WINDOWS\netwd32.dll
C:\WINDOWS\system32\appbv32.exe
C:\WINDOWS\winaw32.exe
C:\WINDOWS\system32\ipqh.exe


Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Open up HJT again and click on Misc Tools, then click on Delete an NT Service.
In the popup box, cut and paste the following. IT IS IMPORTANT THAT THERE IS A SPACE BEFORE THE FIRST NUMBER 1 OR IT WON'T WORK:

 11F#`I

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

Now run ewido. Click on the Scanner button, select drives if you have more than one, and then start.

Grab a cup of coffee, sandwiches, or a book, as this may take some time. Once the first problem is detected, ensure you tick the box for all (bottom left) and allow it to continue.

At the end of the scan, it may ask if you would like to delete anything found in archive or zipped files, OK that request, then click on save report. SAVE to the default location, it will then generate a text file. Copy that to post in this thread.

Carry out another HJT scan and post the log back here, so we can sort out any remnants.
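
The removal steps above boil down to a handful of checks a helper applies by eye to the HJT log: IE start/search values served out of a res:// resource inside a local DLL, BHOs registered under the bare name "Class", RunOnce entries that re-drop the infection, a service with no publisher and a garbage short name, and binaries with random names sitting in C:\WINDOWS or system32. Here is that triage written out as a small Python script. It is an added example, not code from the original post or from HijackThis: the sample lines are copied from the logs posted in this thread, the prefix list in CWS_NAME is derived from the file names in the Kaspersky scan output further down the thread, and the KNOWN_GOOD allowlist is my own addition (a few legitimate Windows files that happen to fit the same shape).

```python
"""Triage a HijackThis (HJT) log for CoolWebSearch-style hijack indicators.

Added example for this thread, not part of HijackThis or of the original post.
Sample lines are copied from the HJT logs quoted above; the rules encode the
checks a helper applies by eye when reading such a log.
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the HJT log posted in this thread.
SAMPLE_LOG = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxteg.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {5AEC2E5B-19DD-07E2-6172-3EEC429FF547} - C:\WINDOWS\ntqg32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [appbv32.exe] C:\WINDOWS\system32\appbv32.exe
O4 - HKLM\..\RunOnce: [winaw32.exe] C:\WINDOWS\winaw32.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\winaw32.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# HJT line shape: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Windows paths ending in .exe/.dll. For res:// values this yields the DLL that
# is actually on disk; the "/sp.html#37049" after it is a resource inside the
# DLL, not part of the file name.
PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)(?![\w.])', re.IGNORECASE)

# CWS drops files named <system-looking prefix><two random letters>[32].exe|dll
# into the Windows directory or system32: ntqg32.dll, appbv32.exe, winaw32.exe,
# ipqh.exe, and the add*/api*/atl*/cr*/d3*/ie*/ip*/java*/mfc*/ms*/net*/nt*/sdk*/sys*
# files the Kaspersky scan later in the thread lists.
CWS_NAME = re.compile(
    r"^(?:add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(?:32)?\.(?:exe|dll)$",
    re.IGNORECASE,
)
# Legitimate files that happen to share that shape (my own short allowlist):
# the name test alone is a hint, never grounds for deletion.
KNOWN_GOOD = {"netsh.exe", "netid.dll", "winmm.dll", "ieui.dll", "javaws.exe"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


def looks_like_cws_name(path: str) -> bool:
    """True if the file name has the CWS random shape and is not a known system file."""
    name = path.rsplit("\\", 1)[-1]
    return bool(CWS_NAME.match(name)) and name.lower() not in KNOWN_GOOD


def in_windows_dir(path: str) -> bool:
    """True if the file sits directly in the Windows directory or in system32."""
    return path.rsplit("\\", 1)[0].lower() in WINDOWS_DIRS


def triage_line(line: str) -> List[str]:
    """Return the reasons one HJT line looks suspicious; an empty list means nothing noted."""
    m = LINE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons: List[str] = []
    # R0/R1: start/search values served from a resource inside a local DLL are
    # the classic CWS about:blank hijack.
    if kind in ("R0", "R1") and "res://" in body.lower():
        reasons.append("IE start/search value points at a res:// resource in a local DLL")
    # O2: a BHO registered under the placeholder name "Class" has no vendor behind it.
    if kind == "O2" and body.startswith("BHO: Class -"):
        reasons.append("BHO registered with the placeholder name 'Class'")
    # O4: a RunOnce entry still present after a normal boot is unusual; CWS uses it to re-drop itself.
    if kind == "O4" and "RunOnce" in body:
        reasons.append("RunOnce autostart still present (re-infection vector)")
    # O23: a service whose binary has no publisher, here also with a junk short name.
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service binary has no known publisher")
        short = re.search(r"\((.*?)\)", body)
        if short and not re.fullmatch(r"[\w .-]+", short.group(1)):
            reasons.append(f"service short name {short.group(1)!r} contains junk characters")
    for p in PATH.findall(body):
        if in_windows_dir(p) and looks_like_cws_name(p):
            reasons.append(f"{p} has a CWS-style random file name")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map every suspicious HJT line to its reasons; clean lines are left out."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run it as-is to see the five flagged lines from the sample, or feed it a saved log with triage_log(open(path).read()). The repr of the service short name in the output keeps the leading space, which is the same space the instructions above insist on for the "Delete an NT Service" step. The file-name rule is for prioritising, not a deletion list: netsh.exe and winmm.dll fit the pattern and are legitimate, which is why the allowlist exists and why a scanner hit or a publisher check should confirm a file before it is deleted.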

#5 beargk (Topic Starter, Member, 15 posts)

Here is what Kaspersky Found. What should I do?

C:\WINDOWS\addax32.exe
Trojan....2.Agent.bi
C:\WINDOWS\addfd32.exe
Trojan....2.Agent.bi
C:\WINDOWS\addis32.exe
Trojan....2.Agent.bi
C:\WINDOWS\addky32.exe
Trojan....2.Agent.bi
C:\WINDOWS\addob.exe
Trojan....2.Agent.bi
C:\WINDOWS\addot.exe
Trojan....2.Agent.bi
C:\WINDOWS\addtu.exe
Trojan....2.Agent.bi
C:\WINDOWS\addyg32.exe
Trojan....2.Agent.bi
C:\WINDOWS\addzr32.exe
Trojan....2.Agent.bi
C:\WINDOWS\apiag.dll
Trojan-...2.Agent.bc
C:\WINDOWS\apian.exe
Trojan....2.Agent.bi
C:\WINDOWS\apibv.exe
Trojan....2.Agent.bi
C:\WINDOWS\apica.exe
Trojan....2.Agent.bi
C:\WINDOWS\apicg32.exe
Trojan....2.Agent.bi
C:\WINDOWS\apidy.exe
Trojan....2.Agent.bi
C:\WINDOWS\apihq.exe
Trojan....2.Agent.bi
C:\WINDOWS\apijd.exe
Trojan....2.Agent.bi
C:\WINDOWS\apimk32.exe
Trojan....2.Agent.bi
C:\WINDOWS\apior.exe
Trojan....2.Agent.bi
C:\WINDOWS\apiun.exe
Trojan....2.Agent.bi
C:\WINDOWS\appdh32.exe
Trojan....2.Agent.bi
C:\WINDOWS\appib.exe
Trojan....2.Agent.bi
C:\WINDOWS\appjf32.exe
Trojan....2.Agent.bi
C:\WINDOWS\appkc32.exe
Trojan....2.Agent.bi
C:\WINDOWS\appkr32.exe
Trojan....2.Agent.bi
C:\WINDOWS\appmu32.exe
Trojan....2.Agent.bi
C:\WINDOWS\appno.dll
Trojan-...2.Agent.bc
C:\WINDOWS\appqb32.exe
Trojan....2.Agent.bi
C:\WINDOWS\appqg32.exe
Trojan....2.Agent.bi
C:\WINDOWS\apprw32.exe
Trojan....2.Agent.bi
C:\WINDOWS\apptj.exe
Trojan....2.Agent.bi
C:\WINDOWS\apptr32.exe
Trojan....2.Agent.bi
C:\WINDOWS\atlad.exe
Trojan....2.Agent.bi
C:\WINDOWS\atlbt32.exe
Trojan....2.Agent.bi
C:\WINDOWS\atlcr.exe
Trojan....2.Agent.bi
C:\WINDOWS\atlfd32.exe
Trojan....2.Agent.bi
C:\WINDOWS\atlff.dll
Trojan-...2.Agent.bc
C:\WINDOWS\atlgi.exe
Trojan....2.Agent.bi
C:\WINDOWS\atlib.dll
Trojan-...2.Agent.bc
C:\WINDOWS\atlkq32.exe
Trojan....2.Agent.bi
C:\WINDOWS\atlni32.exe
Trojan....2.Agent.bi
C:\WINDOWS\atlox32.exe
Trojan....2.Agent.bi
C:\WINDOWS\atlrh.dll
Trojan-...2.Agent.bc
C:\WINDOWS\atlsz.exe
Trojan....2.Agent.bi
C:\WINDOWS\atlvc32.exe
Trojan....2.Agent.bi
C:\WINDOWS\atlvu.exe
Trojan....2.Agent.bi
C:\WINDOWS\atlxn32.exe
Trojan....2.Agent.bi
C:\WINDOWS\crct.exe
Trojan....2.Agent.bi
C:\WINDOWS\creg32.exe
Trojan....2.Agent.bi
C:\WINDOWS\crew32.exe
Trojan....2.Agent.bi
C:\WINDOWS\crgk.exe
Trojan....2.Agent.bi
C:\WINDOWS\crhk32.exe
Trojan....2.Agent.bi
C:\WINDOWS\crjl.exe
Trojan....2.Agent.bi
C:\WINDOWS\crok.exe
Trojan....2.Agent.bi
C:\WINDOWS\crrg.dll
Trojan-...2.Agent.bc
C:\WINDOWS\crrg.exe
Trojan....2.Agent.bi
C:\WINDOWS\crvc32.exe
Trojan....2.Agent.bi
C:\WINDOWS\crxw32.exe
Trojan....2.Agent.bi
C:\WINDOWS\crzo32.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3bh32.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3bo32.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3dy.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3er32.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3gh.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3hn.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3je32.exe
Trojan-...2.Agent.bq
C:\WINDOWS\d3ku32.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3qh32.dll
Trojan-...2.Agent.bc
C:\WINDOWS\d3vs.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3wa.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3wm.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3xd32.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3xh32.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3xi32.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3yi.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3ys32.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3yv.exe
Trojan....2.Agent.bi
C:\WINDOWS\d3zl32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ieag.dll
Trojan-...2.Agent.bc
C:\WINDOWS\ieag.exe
Trojan-...2.Agent.bq
C:\WINDOWS\iebf.exe
Trojan....2.Agent.bi
C:\WINDOWS\iecc32.exe
Trojan....2.Agent.bi
C:\WINDOWS\iecq32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ieey.exe
Trojan....2.Agent.bi
C:\WINDOWS\iefz32.exe
Trojan....2.Agent.bi
C:\WINDOWS\iehc.exe
Trojan....2.Agent.bi
C:\WINDOWS\ieig32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ieim.dll
Trojan-...2.Agent.bc
C:\WINDOWS\ieji32.exe
Trojan....2.Agent.bi
C:\WINDOWS\iemj32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ienp32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ieox32.exe
Trojan....2.Agent.bi
C:\WINDOWS\iepw32.exe
Trojan....2.Agent.bi
C:\WINDOWS\iesm.exe
Trojan....2.Agent.bi
C:\WINDOWS\iewb.exe
Trojan....2.Agent.bi
C:\WINDOWS\iexm32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ieyg32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ieyp.exe
Trojan....2.Agent.bi
C:\WINDOWS\ipdx.exe
Trojan-...2.Agent.bq
C:\WINDOWS\ipfv32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ipha.exe
Trojan....2.Agent.bi
C:\WINDOWS\ipid32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ipjh.dll
Trojan-...2.Agent.bc
C:\WINDOWS\ipjt32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ipln.exe
Trojan....2.Agent.bi
C:\WINDOWS\ipns.exe
Trojan....2.Agent.bi
C:\WINDOWS\ippf32.exe
Trojan....2.Agent.bi
C:\WINDOWS\iptu.exe
Trojan....2.Agent.bi
C:\WINDOWS\ipuf.exe
Trojan....2.Agent.bi
C:\WINDOWS\ipvj.dll
Trojan-...2.Agent.bc
C:\WINDOWS\javaca32.exe
Trojan....2.Agent.bi
C:\WINDOWS\javacf32.exe
Trojan....2.Agent.bi
C:\WINDOWS\javaec.exe
Trojan....2.Agent.bi
C:\WINDOWS\javagj.exe
Trojan....2.Agent.bi
C:\WINDOWS\javagq.exe
Trojan....2.Agent.bi
C:\WINDOWS\javahs.exe
Trojan-...2.Agent.bq
C:\WINDOWS\javakd32.exe
Trojan....2.Agent.bi
C:\WINDOWS\javakp32.exe
Trojan....2.Agent.bi
C:\WINDOWS\javany32.exe
Trojan....2.Agent.bi
C:\WINDOWS\javaox.dll
Trojan-...2.Agent.bc
C:\WINDOWS\javapi32.exe
Trojan....2.Agent.bi
C:\WINDOWS\javaum32.dll
Trojan-...2.Agent.bc
C:\WINDOWS\javauw32.dll
Trojan-...2.Agent.bc
C:\WINDOWS\javawj.exe
Trojan....2.Agent.bi
C:\WINDOWS\javaww.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfcbz32.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfcef32.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfcfy32.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfcgg32.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfcgo32.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfcgz.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfchg32.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfcmn32.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfcnx32.dll
Trojan-...2.Agent.bc
C:\WINDOWS\mfcps32.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfcsn32.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfcue.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfcum.exe
Trojan-...2.Agent.bq
C:\WINDOWS\mfcvq.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfcwz.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfczj32.exe
Trojan....2.Agent.bi
C:\WINDOWS\mfczn.exe
Trojan....2.Agent.bi
C:\WINDOWS\msaw32.exe
Trojan....2.Agent.bi
C:\WINDOWS\msay.exe
Trojan....2.Agent.bi
C:\WINDOWS\msbb.exe
Trojan....2.Agent.bi
C:\WINDOWS\msbi.exe
Trojan....2.Agent.bi
C:\WINDOWS\mscu32.exe
Trojan....2.Agent.bi
C:\WINDOWS\msdn.exe
Trojan....2.Agent.bi
C:\WINDOWS\mseq.exe
Trojan....2.Agent.bi
C:\WINDOWS\msgq.exe
Trojan....2.Agent.bi
C:\WINDOWS\msgq32.exe
Trojan....2.Agent.bi
C:\WINDOWS\mshd32.exe
Trojan-...2.Agent.bq
C:\WINDOWS\mshn32.exe
Trojan....2.Agent.bi
C:\WINDOWS\msiq32.exe
Trojan....2.Agent.bi
C:\WINDOWS\msiy32.dll
Trojan-...2.Agent.bc
C:\WINDOWS\mswf.dll
Trojan-...2.Agent.bc
C:\WINDOWS\netbd.exe
Trojan....2.Agent.bi
C:\WINDOWS\netbh32.exe
Trojan....2.Agent.bi
C:\WINDOWS\netei.exe
Trojan....2.Agent.bi
C:\WINDOWS\netih32.exe
Trojan....2.Agent.bi
C:\WINDOWS\netix.exe
Trojan....2.Agent.bi
C:\WINDOWS\netjh.exe
Trojan....2.Agent.bi
C:\WINDOWS\netkv.exe
Trojan....2.Agent.bi
C:\WINDOWS\netla.exe
Trojan....2.Agent.bi
C:\WINDOWS\netla32.exe
Trojan....2.Agent.bi
C:\WINDOWS\netmx32.exe
Trojan....2.Agent.bi
C:\WINDOWS\netpa32.exe
Trojan....2.Agent.bi
C:\WINDOWS\netqw32.exe
Trojan....2.Agent.bi
C:\WINDOWS\netrn.exe
Trojan....2.Agent.bi
C:\WINDOWS\netsq32.exe
Trojan....2.Agent.bi
C:\WINDOWS\nettj.exe
Trojan....2.Agent.bi
C:\WINDOWS\nettq32.exe
Trojan....2.Agent.bi
C:\WINDOWS\netui32.exe
Trojan....2.Agent.bi
C:\WINDOWS\netun32.exe
Trojan....2.Agent.bi
C:\WINDOWS\netvm32.exe
Trojan....2.Agent.bi
C:\WINDOWS\netxv32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntcd32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntdm.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntdn32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntfd32.exe
Trojan....2.Agent.bi
C:\WINDOWS\nthy32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntjd.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntmk.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntnc.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntns.dll
Trojan-...2.Agent.bc
C:\WINDOWS\ntog32.exe
Trojan-...2.Agent.bq
C:\WINDOWS\ntpl.exe
Trojan-...2.Agent.bq
C:\WINDOWS\ntrd32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntrj32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntsr32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntuh.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntum32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntvf.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntvj32.exe
Trojan....2.Agent.bi
C:\WINDOWS\ntxh.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdkbe32.exe
Trojan-...2.Agent.bq
C:\WINDOWS\sdkbn32.dll
Trojan-...2.Agent.bc
C:\WINDOWS\sdkbv32.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdkcj32.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdkct.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdkdz32.exe
Trojan-...2.Agent.bq
C:\WINDOWS\sdkfk.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdkfo32.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdkju.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdkkn32.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdknh.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdkqf32.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdkrh.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdkrr32.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdksj32.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdktf.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdkwg32.exe
Trojan....2.Agent.bi
C:\WINDOWS\sdkwm.exe
Trojan....2.Agent.bi
C:\WINDOWS\sysak32.exe
Trojan....2.Agent.bi
C:\WINDOWS\sysdz32.dll
Trojan-...2.Agent.bc
C:\WINDOWS\sysgm.exe
Trojan....2.Agent.bi
C:\WINDOWS\sysif.exe
Trojan....2.Agent.bi
C:\WINDOWS\sysij32.exe
Trojan....2.Agent.bi
C:\WINDOWS\sysko.exe
Trojan....2.Agent.bi
C:\WINDOWS\syslx.exe
Trojan....2.Agent.bi
C:\WINDOWS\sysmz.dll
Trojan-...2.Agent.bc
C:\WINDOWS\sysod32.exe
Trojan....2.Agent.bi
C:\WINDOWS\sysog.exe
Trojan....2.Agent.bi
C:\WINDOWS\syspk.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\addam.dll
Trojan-...2.Agent.bc
C:\WINDOWS\system32\addam.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\addao.dll
Trojan-...2.Agent.bc
C:\WINDOWS\system32\addbl.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\addgd32.dll
Trojan-...2.Agent.bc
C:\WINDOWS\system32\addgj.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\addhf.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\addle32.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\addoh.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\addos32.dll
Trojan-...2.Agent.bc
C:\WINDOWS\system32\addqd32.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\addqr32.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\addsg32.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\addxm32.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\addyd.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\addym.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\apigf.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\apihn32.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\apijc32.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\apijm32.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\apinb.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\apira.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\apisx.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\apiyc.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\apiyc32.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\apiyl32.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\apizv32.exe
Trojan-...2.Agent.bq
C:\WINDOWS\system32\appad32.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\appby32.exe
Trojan-...2.Agent.bq
C:\WINDOWS\system32\appbz.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\apphq.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\appjd32.dll
Trojan-...2.Agent.bc
C:\WINDOWS\system32\appld.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\appnn.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\appob32.dll
Trojan-...2.Agent.bc
C:\WINDOWS\system32\appoh.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\appoi32.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\appqg.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\apprw.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\appsz.exe
Trojan-...2.Agent.bq
C:\WINDOWS\system32\appvq32.dll
Trojan-...2.Agent.bc
C:\WINDOWS\system32\appwx.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\appzl.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\atlcf32.exe
Trojan....2.Agent.bi
C:\WINDOWS\system32\atlek.exe
Trojan-...2.Agent.bq
C:\WINDOWS\system32\atlhh.dll
Trojan-...2.Agent.bc
C:\WINDOWS\system32\atlig.exe

Also, here is the latest HJT:

Logfile of HijackThis v1.99.1
Scan saved at 7:33:34 AM, on 5/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\apizv32.exe
C:\WINDOWS\system32\ipaj32.exe
C:\WINDOWS\addvy.exe
C:\WINDOWS\msxs32.exe
C:\WINDOWS\system32\sysfw32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\sysjc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Ad-Ware Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gxghs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gxghs.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gxghs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gxghs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gxghs.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gxghs.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gxghs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...dir.asp?Ext=xlr
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {63B9E35B-C805-521D-8C71-33AC43B7813A} - C:\WINDOWS\javauw32.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [apizv32.exe] C:\WINDOWS\system32\apizv32.exe
O4 - HKLM\..\RunOnce: [syslx.exe] C:\WINDOWS\syslx.exe
O4 - HKLM\..\RunOnce: [javarr32.exe] C:\WINDOWS\system32\javarr32.exe
O4 - HKLM\..\RunOnce: [appqb32.exe] C:\WINDOWS\appqb32.exe
O4 - HKLM\..\RunOnce: [netwj.exe] C:\WINDOWS\system32\netwj.exe
O4 - HKLM\..\RunOnce: [addbl.exe] C:\WINDOWS\system32\addbl.exe
O4 - HKLM\..\RunOnce: [sysjc.exe] C:\WINDOWS\sysjc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {AC8B6F52-8AC7-4954-9887-6A26E7E6F172} (MADirectVideo Control) - http://messenger.sil...DirectVideo.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\Software\..\Telephony: DomainName = domain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{887798EB-0A07-41C1-9890-C885891BBA3F}: NameServer = 192.168.1.251
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\apizb.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

I have yet to run Ewido.

Thanks for your help :tazz:

#6
Guest_usetobe_*
Did you allow Kaspersky to repair/fix/delete what it found, or was it unable to repair?

Please carry out the ewido scan.

#7
beargk (Topic Starter)
It only asks me to delete the files, and since they were all in the Windows folder, I was unsure about deleting them.

#8
Guest_usetobe_*
Go ahead and delete them, then rescan with HJT and post that log back.

#9
beargk (Topic Starter)
I have run everything, and here are the logs you requested:

Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:14:28 AM, 5/18/2005
+ Report-Checksum: 33D98C9E

+ Date of database: 5/17/2005
+ Version of scan engine: v3.0

+ Duration: 26 min
+ Scanned Files: 55596
+ Speed: 34.93 Files/Second
+ Infected files: 16
+ Removed files: 16
+ Files put in quarantine: 16
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\addvy.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\dthuv.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\kglsj.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\msxs32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\nsike.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\ohipc.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\oiiuj.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\oydml.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\sysjc.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\apiwg32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\system32\bioon.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\dhrdk.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\gxghs.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\mdmpo.dll -> Spyware.SearchPage -> Cleaned with backup
C:\WINDOWS\system32\sysfw32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\system32\vyyln.dll -> Spyware.SearchPage -> Cleaned with backup


::Report End

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:17:25 AM, on 5/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\atlgk.exe
C:\Ad-Ware Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...dir.asp?Ext=xlr
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {63B9E35B-C805-521D-8C71-33AC43B7813A} - C:\WINDOWS\javauw32.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [atlgk.exe] C:\WINDOWS\atlgk.exe
O4 - HKLM\..\RunOnce: [syslx.exe] C:\WINDOWS\syslx.exe
O4 - HKLM\..\RunOnce: [javarr32.exe] C:\WINDOWS\system32\javarr32.exe
O4 - HKLM\..\RunOnce: [appqb32.exe] C:\WINDOWS\appqb32.exe
O4 - HKLM\..\RunOnce: [netwj.exe] C:\WINDOWS\system32\netwj.exe
O4 - HKLM\..\RunOnce: [addbl.exe] C:\WINDOWS\system32\addbl.exe
O4 - HKLM\..\RunOnce: [ntbi32.exe] C:\WINDOWS\ntbi32.exe
O4 - HKLM\..\RunOnce: [ntpx.exe] C:\WINDOWS\ntpx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {AC8B6F52-8AC7-4954-9887-6A26E7E6F172} (MADirectVideo Control) - http://messenger.sil...DirectVideo.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\Software\..\Telephony: DomainName = domain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{887798EB-0A07-41C1-9890-C885891BBA3F}: NameServer = 192.168.1.251
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\apizb.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

SpSeHjfix:


(5/17/05 11:00:16 AM) SPSeHjFix started v1.1.2
(5/17/05 11:00:16 AM) OS: WinXP Service Pack 2 (5.1.2600)
(5/17/05 11:00:16 AM) Language: english
(5/17/05 11:00:16 AM) Win-Path: C:\WINDOWS
(5/17/05 11:00:16 AM) System-Path: C:\WINDOWS\system32
(5/17/05 11:00:16 AM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/17/05 11:00:23 AM) Disinfection started
(5/17/05 11:00:23 AM) Bad-Dll(IEP): (not found)
(5/17/05 11:00:23 AM) Bad-Dll(IEP) in BHO: (not found)
(5/17/05 11:00:23 AM) UBF: 8 - UBB: 0 - UBR: 14
(5/17/05 11:00:23 AM) UBF: 8 - UBB: 0 - UBR: 14
(5/17/05 11:00:23 AM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
(5/17/05 11:00:23 AM) Stealth-String not found
(5/17/05 11:00:23 AM) Not infected->END

aboutbuster:

Scanned at: 10:53:26 AM on: 5/17/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 2 Random Key Entries
Removed! : C:\WINDOWS\jbxjd.dat
Removed! : C:\WINDOWS\system32\iyvtu.dat
Removed! : C:\WINDOWS\system32\jlsua.dat
Removed! : C:\WINDOWS\system32\khrhz.dat
Removed! : C:\WINDOWS\system32\mlkhu.dat
Removed! : C:\WINDOWS\system32\owxua.dat
Removed! : C:\WINDOWS\system32\xnvsq.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Thanks for your help so far!
:tazz:

#10
Guest_usetobe_*
Thanks for the scan reports.

I need you to copy all of the file paths below and paste them into Notepad.

C:\WINDOWS\system32\zkmec.dll/sp.html#28129
C:\WINDOWS\atlgk.exe
C:\WINDOWS\syslx.exe
C:\WINDOWS\system32\javarr32.exe
C:\WINDOWS\appqb32.exe
C:\WINDOWS\system32\netwj.exe
C:\WINDOWS\system32\addbl.exe
C:\WINDOWS\ntbi32.exe
C:\WINDOWS\ntpx.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
C:\WINDOWS\apizb.exe" /s

Save the Notepad file where you can remember it, like the desktop.

* Please download the Killbox by Option^Explicit. In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

Click Start > Run > and type in:

services.msc

Click OK.

In the Services window, find Service: Network Security Service ( 11F#`I).
Right-click it and choose "Properties". On the "General" tab, under "Service Status", click the "Stop" button to stop the service. Beside "Startup Type", in the dropdown menu, select "Disabled". Click Apply, then OK. Exit the Services utility.

Now reboot your PC into safe mode by tapping the F8 key while your PC starts up.

Re-run About:Buster. Click Start and then OK to allow About:Buster to scan for Alternate Data Streams.
Click Yes to allow it to shut down explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.

Reboot into SAFE MODE again

Run About:Buster again, following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix, then Next, and let it fix everything it asks about.

Rescan with HJT and check the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...dir.asp?Ext=xlr
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {63B9E35B-C805-521D-8C71-33AC43B7813A} - C:\WINDOWS\javauw32.dll
O4 - HKLM\..\Run: [atlgk.exe] C:\WINDOWS\atlgk.exe
O4 - HKLM\..\RunOnce: [syslx.exe] C:\WINDOWS\syslx.exe
O4 - HKLM\..\RunOnce: [javarr32.exe] C:\WINDOWS\system32\javarr32.exe
O4 - HKLM\..\RunOnce: [appqb32.exe] C:\WINDOWS\appqb32.exe
O4 - HKLM\..\RunOnce: [netwj.exe] C:\WINDOWS\system32\netwj.exe
O4 - HKLM\..\RunOnce: [addbl.exe] C:\WINDOWS\system32\addbl.exe
O4 - HKLM\..\RunOnce: [ntbi32.exe] C:\WINDOWS\ntbi32.exe
O4 - HKLM\..\RunOnce: [ntpx.exe] C:\WINDOWS\ntpx.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O16 - DPF: {AC8B6F52-8AC7-4954-9887-6A26E7E6F172} (MADirectVideo Control) - http://messenger.sil...DirectVideo.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\Software\..\Telephony: DomainName = domain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\apizb.exe" /s (file missing)


Ensure no windows are open except HJT, then click FIX CHECKED.

Reopen HJT.

Click on Misc Tools, then click on Delete an NT Service.

In the popup box, cut and paste the following. IT IS IMPORTANT THAT THERE IS 1 SPACE BEFORE THE FIRST NUMBER 1 OR IT WON'T WORK. ONCE YOU HAVE PASTED IT IN, USE THE MOUSE CURSOR TO GO TO THE BEGINNING AND MAKE SURE, USING THE SPACEBAR, THAT THERE IS A SPACE.

11F#`I

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Rescan with HJT and post the log back in this thread.

Edited by usetobe, 18 May 2005 - 10:20 AM.


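Post #10 above picks the hijack entries out of the HJT log by eye. As an added example (not code from this thread, from HijackThis or from any of the tools named in it), the Python below encodes the same picks as rules and runs them over a constructed excerpt of the log from post #9: the res://...sp.html search pages, the BHO registered only as "Class", Run/RunOnce entries launching short random-named files from the Windows folders, and the unknown-owner O23 service, whose short name is kept with the leading space the helper's instructions insist on. The prefix list and the allow-list of colliding Windows binaries are my heuristics, not anything the thread states.

```python
"""Added example (not from the thread or from HijackThis): rule-based triage
of a HijackThis v1.99 log for the sp.html search-page hijack in this thread."""
import re

# Constructed excerpt: lines copied from the HJT log in post #9, plus one
# benign line of each section type so the filters have something to ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zkmec.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...dir.asp?Ext=xlr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {63B9E35B-C805-521D-8C71-33AC43B7813A} - C:\WINDOWS\javauw32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [atlgk.exe] C:\WINDOWS\atlgk.exe
O4 - HKLM\..\RunOnce: [javarr32.exe] C:\WINDOWS\system32\javarr32.exe
O4 - HKLM\..\RunOnce: [ntpx.exe] C:\WINDOWS\ntpx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\apizb.exe" /s (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every hijacked R0/R1 value in the thread points at res://<dll>/sp.html#<n>;
# the DLL serving that page is what has to go, not the URL.
SP_HTML = re.compile(r"res://(?P<dll>[^/]+\.dll)/sp\.html#\d+", re.I)
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4 = re.compile(r"^O4 - HK\w+\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O23 = re.compile(r"^O23 - Service: (?P<display>[^(]*?)(?: \((?P<short>[^)]*)\))? - "
                 r"(?P<owner>.*?) - (?P<path>.*)$")
# Heuristic of mine, not the page's: this family drops files named
# <familiar prefix><2-3 random letters>[32].exe|dll straight into C:\WINDOWS
# or system32.  The prefixes are the ones seen in this thread's HJT logs.
FAMILY_NAME = re.compile(
    r"^(api|app|add|atl|cr|ip|java|ms|net|nt|sys)[a-z]{2,3}(32)?\.(exe|dll)$", re.I)
WIN_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Genuine Windows binaries whose names happen to fit the pattern; never flag.
LEGIT_COLLISIONS = {"msdtc.exe", "mstsc.exe", "ntvdm.exe", "netsh.exe",
                    "netdde.exe", "syskey.exe"}


def first_file(cmd):
    """Executable/DLL path at the start of a command line, without the
    surrounding quotes, arguments or HJT's trailing '(file missing)' note."""
    m = re.match(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll))', cmd, re.I)
    return m.group("path") if m else None


def looks_like_family_dropper(path):
    directory, _, name = path.rpartition("\\")
    return (directory.lower() in WIN_DIRS
            and FAMILY_NAME.match(name) is not None
            and name.lower() not in LEGIT_COLLISIONS)


def triage(log_text):
    """Return the suspicious entries of an HJT log, grouped by section."""
    found = {"hijack_dlls": [], "bhos": [], "autoruns": [], "services": []}
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith(("R0 ", "R1 ")):
            m = SP_HTML.search(line)
            if m and m.group("dll") not in found["hijack_dlls"]:
                found["hijack_dlls"].append(m.group("dll"))
        elif line.startswith("O2 "):
            m = BHO.match(line)
            # A BHO registered with no real name ("Class"), or loading a
            # family-style DLL from the Windows folder, is not legitimate.
            if m and (m.group("name") == "Class"
                      or looks_like_family_dropper(m.group("path"))):
                found["bhos"].append(m.group("path"))
        elif line.startswith("O4 "):
            m = O4.match(line)
            path = first_file(m.group("cmd")) if m else None
            if path and looks_like_family_dropper(path):
                found["autoruns"].append(path)
        elif line.startswith("O23 "):
            m = O23.match(line)
            if not m or m.group("owner") != "Unknown owner":
                continue
            path = first_file(m.group("path"))
            if "(file missing)" in m.group("path") or (
                    path and looks_like_family_dropper(path)):
                # Keep the short name byte for byte: here it starts with a
                # space, which is why the helper insists on typing one.
                found["services"].append({"short_name": m.group("short"),
                                          "path": path})
    return found


def deletion_list(found):
    """De-duplicated file paths for a delete-on-reboot tool: the list the
    helper assembled by hand in Notepad."""
    paths = found["hijack_dlls"] + found["bhos"] + found["autoruns"]
    paths += [s["path"] for s in found["services"] if s["path"]]
    return sorted(set(paths), key=str.lower)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("service short names: %r" % [s["short_name"] for s in result["services"]])
    print("\n".join(deletion_list(result)))
```

Running the file prints the service short name with repr() so the leading space is visible, then the de-duplicated path list ready for a delete-on-reboot tool.
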
#11
beargk (Topic Starter)
Here is the latest HJT.

Every time I go and try to delete the 11F#`I in HJT, it always says it is not found in the registry. I do make sure that there are no extra spaces and that everything is correct.

Logfile of HijackThis v1.99.1
Scan saved at 1:23:00 PM, on 5/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\crsu.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\LVComS.exe
C:\Ad-Ware Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...dir.asp?Ext=xlr
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {197C0785-84C0-9284-C09C-6D2AC5B81796} - C:\WINDOWS\system32\winat.dll
O2 - BHO: Class - {F27D0254-6319-8D10-7E3C-489DB55957F0} - C:\WINDOWS\ntak32.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [crsu.exe] C:\WINDOWS\system32\crsu.exe
O4 - HKLM\..\RunOnce: [atlxi.exe] C:\WINDOWS\atlxi.exe
O4 - HKLM\..\RunOnce: [winat.exe] C:\WINDOWS\system32\winat.exe
O4 - HKLM\..\RunOnce: [appfh.exe] C:\WINDOWS\appfh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\Software\..\Telephony: DomainName = domain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{887798EB-0A07-41C1-9890-C885891BBA3F}: NameServer = 192.168.1.251
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\atlxi.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks.
#12
Guest_usetobe_*
Hi Bear,

This one sure is persistent; I'm getting annoyed with it now.
I don't doubt you when it says not found.

One of the files is morphing each time we hit it.

Similar procedure to last time.

I need you to copy all of the file paths below and paste them into Notepad.

C:\WINDOWS\system32\qesqh.dll/sp.html#28129
C:\WINDOWS\system32\winat.dll
C:\WINDOWS\ntak32.dll
C:\WINDOWS\system32\crsu.exe
C:\WINDOWS\atlxi.exe
C:\WINDOWS\system32\winat.exe
C:\WINDOWS\appfh.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

Save the Notepad file somewhere you can remember, like the desktop.

Click Start > Run > and type in:

services.msc

Click OK.

In the Services window, find the service Remote Procedure Call (RPC) Helper ( 11F#`I).
Right-click it and choose "Properties". On the "General" tab, under "Service Status", click the "Stop" button to stop the service. Beside "Startup Type", in the dropdown menu, select "Disabled". Click Apply, then OK. Exit the Services utility.

Now reboot your PC into Safe Mode by tapping the F8 key while your PC starts up.

Re-run AboutBuster. Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.

Reboot into SAFE MODE again

Run AboutBuster again, following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Rescan with HJT and check the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...dir.asp?Ext=xlr
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {197C0785-84C0-9284-C09C-6D2AC5B81796} - C:\WINDOWS\system32\winat.dll
O2 - BHO: Class - {F27D0254-6319-8D10-7E3C-489DB55957F0} - C:\WINDOWS\ntak32.dll
O4 - HKLM\..\Run: [crsu.exe] C:\WINDOWS\system32\crsu.exe
O4 - HKLM\..\RunOnce: [atlxi.exe] C:\WINDOWS\atlxi.exe
O4 - HKLM\..\RunOnce: [winat.exe] C:\WINDOWS\system32\winat.exe
O4 - HKLM\..\RunOnce: [appfh.exe] C:\WINDOWS\appfh.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\Software\..\Telephony: DomainName = domain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\atlxi.exe" /s (file missing)


Ensure no windows open except HJT and click FIX CHECKED

Reopen HJT.

Click on Misc Tools, then click on Delete an NT Service.

In the popup box, cut and paste the following. IT IS IMPORTANT THAT THERE IS ONE SPACE BEFORE THE FIRST "1" OR IT WON'T WORK. Once you have pasted it in, use the mouse cursor to go to the beginning and make sure, using the spacebar, that there is a space.

11F#`I

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

Now using windows explorer, locate the following files/folders and delete them

C:\WINDOWS\system32\winat.dll
C:\WINDOWS\ntak32.dll
C:\WINDOWS\system32\crsu.exe
C:\WINDOWS\atlxi.exe
C:\WINDOWS\system32\winat.exe
C:\WINDOWS\appfh.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe


* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Rescan with HJT and post the log back in this thread.
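As an added example that is not part of the thread (and not code from Geeks to Go or from HijackThis): a small Python script that parses the R0/R1, O2, O4 and O23 lines of a HijackThis 1.99 log and flags the patterns the helper is hunting above, namely IE search settings served from a local res:// DLL, a BHO with no class name, an HKLM RunOnce loader sitting bare in the Windows directory, and a service with an unknown owner, a missing file or a short name that starts with whitespace. It reads the service short name exactly as printed between the parentheses, whitespace included, which is why " 11F#`I" has to be pasted with its leading space. The detection heuristics, the assumed C:\WINDOWS locations and the sample input (lines copied from the logs in this thread, with two legitimate entries kept for contrast) are this example's own assumptions, not HijackThis rules.

```python
"""HijackThis 1.99.x log triage.

Added example: not code from the thread, from Geeks to Go or from HijackThis.
It parses the R0/R1, O2, O4 and O23 lines of a pasted log and flags the
patterns the thread is chasing. The heuristics below are assumptions of this
example, not rules taken from HijackThis.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the logs posted in this thread, plus
# two legitimate entries (the Adobe BHO and the Symantec service) for contrast.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qesqh.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {197C0785-84C0-9284-C09C-6D2AC5B81796} - C:\WINDOWS\system32\winat.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\RunOnce: [atlxi.exe] C:\WINDOWS\atlxi.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\atlxi.exe" /s (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
# HJT prints "Display (short)" and drops the parenthesis when both names are equal.
SVC_LINE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")
SHORT_NAME_OK = re.compile(r"[A-Za-z0-9 _.\-]+")
WINDOWS_DIRS = ("c:\\windows", "c:\\windows\\system32")   # assumed %WINDIR% layout


@dataclass(frozen=True)
class Service:
    display: str
    short: str        # exact service key name, whitespace included
    owner: str
    path: str
    file_missing: bool


@dataclass(frozen=True)
class Finding:
    kind: str         # "R", "O2", "O4" or "O23"
    reason: str
    line: str


def parse_service(line):
    m = SVC_LINE.match(line)
    if not m:
        return None
    short = m.group("short")
    return Service(m.group("display"), short if short is not None else m.group("display"),
                   m.group("owner"), m.group("path"), m.group("path").endswith("(file missing)"))


def parse_services(text):
    return [s for s in map(parse_service, text.splitlines()) if s]


def in_windows_dir(path):
    # True when the file sits directly in C:\WINDOWS or C:\WINDOWS\system32.
    parent = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    return parent in WINDOWS_DIRS


def executable_of(cmd):
    # First token of a Run/RunOnce command, honouring a quoted path.
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]


def check_service(svc):
    reasons = []
    if svc.owner == "Unknown owner":
        reasons.append("no company name in the file's version info")
    if svc.file_missing:
        reasons.append("ImagePath binary not on disk at scan time")
    if svc.short != svc.short.strip():
        reasons.append("short name begins or ends with whitespace: %r" % svc.short)
    if not SHORT_NAME_OK.fullmatch(svc.short.strip()):
        reasons.append("short name has unusual characters: %r" % svc.short)
    return reasons


def triage(text):
    findings = []
    for line in text.splitlines():
        if (m := R_LINE.match(line)) and m.group("value").lower().startswith("res://"):
            findings.append(Finding("R", "IE search setting served from a local DLL resource", line))
        elif (m := BHO_LINE.match(line)) and (m.group("name") in ("Class", "(no name)", "")
                                              or in_windows_dir(m.group("path"))):
            findings.append(Finding("O2", "BHO with no class name or living in the Windows directory", line))
        elif (m := RUN_LINE.match(line)) and m.group("hive") == "HKLM" \
                and m.group("key") == "RunOnce" and in_windows_dir(executable_of(m.group("cmd"))):
            findings.append(Finding("O4", "HKLM RunOnce loader sitting bare in the Windows directory", line))
        elif (svc := parse_service(line)) and (reasons := check_service(svc)):
            findings.append(Finding("O23", "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Paste a whole log into SAMPLE_LOG (or read it from a file) and run the script; the O23 finding prints the short name with repr(), so a leading space shows up as `' 11F#`I'` instead of disappearing into the margin.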
#13
beargk
I think we are making progress!!!!

When I ran HJT in Safe Mode, it came up with about 400+ extra files that I fixed. They were all in the O4 - HKLM RunOnce area.

Here is the latest HJT:

Logfile of HijackThis v1.99.1
Scan saved at 8:21:47 AM, on 5/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\LVComS.exe
C:\Ad-Ware Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gqtpl.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gqtpl.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gqtpl.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...dir.asp?Ext=xlr
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\Software\..\Telephony: DomainName = domain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{887798EB-0A07-41C1-9890-C885891BBA3F}: NameServer = 192.168.1.251
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks for your help!
#14
Guest_usetobe_*
Well we are making slow progress, but it is in the right direction.

We have got rid of the NT service. Now we just need to sort out CWS.

Next please download the following two programs. Install them and update them both. Then run each one and have them fix anything that they may find.

Spybot Search and Destroy 1.3

Ad-aware S E 1.5

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
If your antivirus gives an alert, do not block it; allow the script.
Copy and paste the content of the txtfile you get afterwards in your next reply.

Reboot into Safe Mode, disconnect from the internet and disable Norton.

Re-run the AboutBuster procedure.

Re-run CWShredder.

Rescan with HJT and check the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gqtpl.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gqtpl.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...dir.asp?Ext=xlr
R3 - Default URLSearchHook is missing
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe


Rescan with Ewido and save the report.

Reboot normally, re-enable Norton, rescan with HJT and post the log back.
#15
beargk
Here is the HJT:

Logfile of HijackThis v1.99.1
Scan saved at 2:17:13 PM, on 5/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\LVComS.exe
C:\Ad-Ware Removal Tools\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gqtpl.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...dir.asp?Ext=xlr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\Software\..\Telephony: DomainName = domain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{887798EB-0A07-41C1-9890-C885891BBA3F}: NameServer = 192.168.1.251
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Here is the Silent Runner:
"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"PreloadApp" = "c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d" [null data]
"Display Settings" = "C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s" ["Hewlett-Packard"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"CARPService" = "carpserv.exe" ["Conexant Systems, Inc."]
"LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe" ["Logitech Inc."]
"LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Logitech Inc."]
"vptray" = "C:\PROGRA~1\SYMANT~2\VPTray.exe" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\System32\NavLogon.dll" ["Symantec Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "kate" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Logitech Desktop Messenger" -> shortcut to: "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Thanks