Assistance required removing Bloodhound.W32.EP [RESOLVED]



#16 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
You've got a dialer we need to get out. Run HiJackThis. Place a check next to the following item and click FIX CHECKED:

O16 - DPF: {54C75FB0-6B8B-4278-BF7B-77036F15A69E} - http://akamai.downlo..._1041_EN_XP.cab

Close HiJackThis.

Then we have to replace the infected system file (wininet.dll) with a clean copy :tazz: We can do that today/tonight or I can wait until you get back, your choice ;)

#17 Lord Morbius (Topic Starter, Member, 18 posts)
Hi again, thanks for the prompt reply. Unfortunately I just got it today after getting back from my trip. I have removed the item you advised and I also spotted this entry in the log which I thought was a little suspicious, although I haven't tampered with it...

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://morwillsearch.com/mwsearch.cab

I'm getting a lot of popups about anti-virus software, casinos etc.

#18 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Yes, actually, I was going to ask you about that morwillsearch because it appears to be set as your search assistant and in the trusted zone as well. We'll take care of that little problem! I need you to post a new HiJackThis log for me, please.

#19 Lord Morbius (Topic Starter, Member, 18 posts)
Logfile of HijackThis v1.99.1
Scan saved at 17:36:35, on 22/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\LEXBCES.EXE
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\system32\LEXPPS.EXE
I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\ewido\security suite\ewidoctrl.exe
I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
I:\Program Files\Norton AntiVirus\navapsvc.exe
I:\WINDOWS\System32\nvsvc32.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\ZoneLabs\vsmon.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\WINDOWS\SOUNDMAN.EXE
I:\WINDOWS\ALCWZRD.EXE
I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
I:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
I:\Program Files\Lexmark X5100 Series\lxbabmon.exe
I:\Program Files\ABIT\ABIT uGuru\uGuru.exe
I:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
I:\WINDOWS\System32\RUNDLL32.EXE
I:\Program Files\Messenger\msmsgs.exe
I:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
I:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\QuickTime\qttask.exe
I:\WINDOWS\System32\ctfmon.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\WINDOWS\System32\wuauclt.exe
I:\Documents and Settings\Lord Morbius\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morwillsearch...id=fish&sub_id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morwillsearch...id=fish&sub_id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morwillsearch...id=fish&sub_id=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - I:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - I:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "I:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "I:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [ABIT uGuru] I:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] I:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] I:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] I:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] I:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120388988000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://morwillsearch.com/mwsearch.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - I:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - I:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - I:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - I:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - I:\WINDOWS\system32\ZoneLabs\vsmon.exe

#20 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
It's important all steps be done exactly otherwise you may lose Internet access.

If you do not understand something, please let me know before continuing!

*Important* Set your system to SHOW HIDDEN FILES

Then, using Windows Explorer (you can get to Windows Explorer by going to Start > All Programs > Accessories > Windows Explorer), locate this file:

I:\WINDOWS\System32\wininet.dll

Right-click on it and select "Rename" and rename it to wininet.old

After renaming the file, Right-click an open space inside the system32 folder and choose "Refresh" - if another wininet.dll shows up in the system32 folder, just skip the rest of the instructions and reboot your computer. You must make sure there is a wininet.dll inside the system32 folder before you reboot otherwise you will lose Internet Access, function of programs, and possible loss of Explorer!

If another wininet.dll does not show up in system32 after refreshing, then go into this folder (it will be hidden so make sure hidden files are showing!):

I:\WINDOWS\System32\dllcache

Inside this folder, locate wininet.dll. Right-click on it and choose "Copy" (NOT cut!).

Then go back into I:\WINDOWS\System32
Right-click an open space and choose "Paste".

Reboot your computer.

After reboot, delete the following files, if found:

I:\WINDOWS\system32\wininet.old
I:\WINDOWS\System32\oleadm.dll

Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morwillsearch...id=fish&sub_id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morwillsearch...id=fish&sub_id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morwillsearch...id=fish&sub_id=

O15 - Trusted Zone: *.morwillsearch.com

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://morwillsearch.com/mwsearch.cab


Rescan with HiJackThis and post a new HiJackThis log.
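The entries singled out in the reply above (the R0/R1 search pages, the O15 Trusted Zone line and the morwillsearch O16 DPF control) can be picked out of a HijackThis log mechanically. The script below is an added example, not code from this thread or from HijackThis: it parses the R/O entries, flags those whose URL or zone pattern names a host outside a small allow-list or an O16 control with no registered class name, and diffs two logs to list what a FIX CHECKED pass removed. The allow-list is an assumption, and the sample logs are constructed from the entries posted above with the URLs the forum display truncated replaced by constructed full URLs.

```python
"""Triage HijackThis (v1.99) log entries and diff two scans.

Added example, not code from the thread or from HijackThis. The rules
encode the calls made in the thread: R0/R1 search/start pages, O15
Trusted Zone entries and O16 DPF ActiveX downloads that point at a host
outside a small allow-list, plus O16 entries with no class name.
"""
import re
from urllib.parse import urlsplit

# Hosts expected on this machine (an assumption, not from the thread).
ALLOWED_HOSTS = {"www.google.co.uk", "update.microsoft.com", "www.pandasoftware.com"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")
WILDCARD_RE = re.compile(r"\*\.([A-Za-z0-9.-]+)")       # O15 "*.example.com"
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?P<name> \([^)]*\))? - ")

# Constructed sample: entries from the log posted above; the URLs the forum
# display truncated are replaced by constructed full URLs.
SAMPLE_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
I:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morwillsearch.com/search?id=constructed
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morwillsearch.com/search?id=constructed
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morwillsearch.com/search?id=constructed
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - I:\Program Files\Norton AntiVirus\NavShExt.dll
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/constructed/wuweb.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://morwillsearch.com/mwsearch.cab
"""

# Constructed sample of the same log after FIX CHECKED: hijack entries gone.
SAMPLE_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - I:\Program Files\Norton AntiVirus\NavShExt.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/constructed/wuweb.cab
"""


def parse_entries(log_text):
    """Yield (code, body, raw_line) for each R*/O* entry; header and process lines are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body"), raw.strip()


def host_of(body):
    """Host an entry points at: taken from its URL, or from an O15 wildcard zone pattern."""
    m = URL_RE.search(body)
    if m:
        return (urlsplit(m.group(0)).hostname or "").lower()
    m = WILDCARD_RE.search(body)
    return m.group(1).lower() if m else None


def triage(log_text, allowed=ALLOWED_HOSTS):
    """Return [(raw_line, reason)] for the entries that deserve a look."""
    findings = []
    for code, body, raw in parse_entries(log_text):
        host = host_of(body)
        unexpected = host is not None and host not in allowed
        if code in ("R0", "R1") and unexpected:
            findings.append((raw, f"IE search/start page redirected to {host}"))
        elif code == "O15" and unexpected:
            findings.append((raw, f"{host} placed in the Trusted Zone (relaxed IE security for that site)"))
        elif code == "O16":
            reasons = []
            if unexpected:
                reasons.append(f"ActiveX control downloaded from {host}")
            dpf = DPF_RE.match(body)
            if dpf and not dpf.group("name"):
                reasons.append("no class name registered for the control")
            if reasons:
                findings.append((raw, "; ".join(reasons)))
    return findings


def removed_entries(before_text, after_text):
    """Entries in the first log that are absent from the second: what FIX CHECKED removed."""
    after = {raw for _, _, raw in parse_entries(after_text)}
    return [raw for _, _, raw in parse_entries(before_text) if raw not in after]


if __name__ == "__main__":
    for raw, why in triage(SAMPLE_BEFORE):
        print(f"{why}\n    {raw}")
    print("Entries removed by the fix:", len(removed_entries(SAMPLE_BEFORE, SAMPLE_AFTER)))
```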

#21 Lord Morbius (Topic Starter, Member, 18 posts)
Access to wininet.dll was denied, so I rebooted and went in via safe mode, and this method allowed me to rename it to wininet.old. On refreshing there was no new instance of wininet.dll present! I thought this might be a result of being in safe mode, so I rebooted back into normal mode and received the expected errors and warnings about being unable to find that file, so that didn't work either. Despite a Windows file/folder search and looking manually I was unable to locate a dllcache folder anywhere (I do have folder options set to display hidden files).

I had no choice but to rename wininet back to .dll and reboot, which brings me back to square one, I'm afraid.

I ran HijackThis and rectified the items you advised, although I'm unsure if it was of any use as the previous steps had failed... anyway, here is the resulting HijackThis log. I hope you are not getting fed up with this. I know it's dragging out a bit but I'm real keen to get rid of this bug. Thanks again - M.Pritchard.

Logfile of HijackThis v1.99.1
Scan saved at 10:44:18, on 24/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\LEXBCES.EXE
I:\WINDOWS\system32\LEXPPS.EXE
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\WINDOWS\SOUNDMAN.EXE
I:\WINDOWS\ALCWZRD.EXE
I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
I:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
I:\Program Files\ABIT\ABIT uGuru\uGuru.exe
I:\WINDOWS\System32\RUNDLL32.EXE
I:\Program Files\Lexmark X5100 Series\lxbabmon.exe
I:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
I:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\QuickTime\qttask.exe
I:\Program Files\ewido\security suite\ewidoctrl.exe
I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
I:\WINDOWS\System32\ctfmon.exe
I:\Program Files\Messenger\msmsgs.exe
I:\Program Files\Norton AntiVirus\navapsvc.exe
I:\WINDOWS\System32\nvsvc32.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\ZoneLabs\vsmon.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Documents and Settings\Lord Morbius\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - I:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - I:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "I:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "I:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [ABIT uGuru] I:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] I:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] I:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] I:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] I:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120388988000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - I:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - I:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - I:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - I:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - I:\WINDOWS\system32\ZoneLabs\vsmon.exe

#22 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
You do, in fact, have a dllcache folder inside your system32 folder otherwise it would not have shown up in the batch I had you make previously.

So we'll use command prompt to do it:

Please copy these instructions and paste them into Notepad for use while in safe mode.

Please reboot your computer into safe mode.

Once in Safe Mode, go to Start > Run and type:

cmd

Click OK.

Please copy the following line and paste it into the black window:

CD I:\Windows\system32

Hit enter.

It will go to the next line, then copy this line and paste it in:

rename wininet.dll wininet.old

Hit enter.

Copy this line and paste it in:

CD I:\WINDOWS\system32\dllcache

Hit enter.

Copy this line and paste it in:

copy wininet.dll I:\windows\system32

Hit enter.

Finally, type exit and hit enter.

Then please go into your I:\Windows\system32 directory and make sure there is a wininet.old and a wininet.dll BOTH in there. Please let me know if you run into any problems. You MUST make sure there is a wininet.dll in the system32 directory before you reboot.

Reboot your computer.
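The four command-prompt steps above, carried out with the safeguard the reply insists on: if the dllcache copy is missing, nothing is renamed, and if the copy fails, the rename is undone, so system32 still holds a wininet.dll before any reboot. This is an added Python example, not code from the thread; it works on any directory pair (the demo builds a constructed system32/dllcache tree in a temp folder) and returns the MD5 of the old and new copies so you can tell whether the replacement actually changed the file. On a live machine the rename still has to happen from Safe Mode, as the earlier reply found.

```python
"""Replace a system DLL from its dllcache copy without ever leaving system32
without it. Added example, not from the thread; mirrors the cmd steps:
rename wininet.dll wininet.old, then copy wininet.dll from dllcache."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def md5_of(path):
    """MD5 of a file, the digest an online scanner such as Jotti reports."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()


def replace_from_dllcache(system32, dllcache, name="wininet.dll"):
    """Swap system32/name for the dllcache copy, keeping the old one as .old.

    Returns a status dict. Whatever happens, system32 still contains `name`
    on return, so a reboot cannot land on a machine without the DLL.
    """
    system32, dllcache = Path(system32), Path(dllcache)
    target = system32 / name
    backup = target.with_suffix(".old")        # wininet.dll -> wininet.old
    source = dllcache / name

    if not target.is_file():
        raise FileNotFoundError(f"{target} is missing; nothing to replace")
    old_md5 = md5_of(target)

    if not source.is_file():
        # The dead end hit in the earlier reply: no cache copy to fall back on.
        # Leave the original untouched and let the operator find another source.
        return {"status": "no-cache-copy", "old_md5": old_md5, "new_md5": None}

    if backup.exists():
        backup.unlink()                        # stale .old from an earlier attempt
    target.rename(backup)                      # rename wininet.dll wininet.old
    try:
        shutil.copy2(source, target)           # copy wininet.dll <system32>
    except OSError:
        backup.rename(target)                  # roll back: DLL is back in place
        raise
    if not target.is_file():                   # the "make sure there is a wininet.dll" check
        backup.rename(target)
        return {"status": "copy-failed", "old_md5": old_md5, "new_md5": None}

    new_md5 = md5_of(target)
    return {"status": "replaced", "old_md5": old_md5, "new_md5": new_md5,
            "backup": str(backup), "unchanged": old_md5 == new_md5}


def demo():
    """Run both cases on constructed directory trees; returns (ok, missing)."""
    root = Path(tempfile.mkdtemp())
    s32, cache = root / "system32", root / "system32" / "dllcache"
    cache.mkdir(parents=True)
    (s32 / "wininet.dll").write_bytes(b"constructed: suspect copy")
    (cache / "wininet.dll").write_bytes(b"constructed: clean cache copy")
    ok = replace_from_dllcache(s32, cache)
    ok["system32_now"] = (s32 / "wininet.dll").read_bytes()
    ok["old_now"] = (s32 / "wininet.old").read_bytes()

    # Second tree with an empty dllcache: the original must survive untouched.
    root2 = Path(tempfile.mkdtemp())
    s32b, cache_b = root2 / "system32", root2 / "system32" / "dllcache"
    cache_b.mkdir(parents=True)
    (s32b / "wininet.dll").write_bytes(b"constructed: suspect copy")
    missing = replace_from_dllcache(s32b, cache_b)
    missing["system32_now"] = (s32b / "wininet.dll").read_bytes()
    missing["old_exists"] = (s32b / "wininet.old").exists()

    shutil.rmtree(root)
    shutil.rmtree(root2)
    return ok, missing


if __name__ == "__main__":
    for result in demo():
        print(result["status"], result["old_md5"], result["new_md5"])
```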

#23 Lord Morbius (Topic Starter, Member, 18 posts)
Well, that approach seems to have worked a treat. Job done.

Reminded me of back in the good ole' days when we had to control everything through the CLI.

No more norton popups!

I assume you would like me to delete the old wininet file?

P.S. I still seem to be suffering from popups.

Edited by Lord Morbius, 24 July 2005 - 06:25 AM.


#24 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Yes, please delete wininet.old :tazz:

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

#25 Lord Morbius (Topic Starter, Member, 18 posts)
I installed Spy Sweeper and it removed quite a few things.

I had already run Spybot and Ad-Aware, which removed a lot of stuff as well, but when I rebooted and ran them again Spybot found and removed the same items and Ad-Aware also found a few more things... on the third reboot Ad-Aware was clean but Spybot found the same items again; I assume they must be respawning.

Spy Sweeper removed the PSguard thing... which I think was responsible for the popups.

When I right-clicked on wininet.old to delete it, I got the Norton Bloodhound statement again, so I rebooted again into safe mode, repeated the steps for renaming it and replacing it using the DOS CLI box, then removed the renamed instances and restarted my machine...

Everything seems ok up until now.

Here is the spysweeper log you requested...

********
11:11: |··· Start of Session, 25 July 2005 ···|
11:11: Spy Sweeper started
11:11: Sweep initiated using definitions version 505
11:11: Starting Memory Sweep
11:12: Memory Sweep Complete, Elapsed Time: 00:01:14
11:12: Starting Registry Sweep
11:12: Found Adware: azsearch toolbar
11:12: HKCR\interface\{dcfab192-4a0e-4720-8e24-70d5f0cb8c39}\ (8 subtraces) (ID = 4364714)
11:12: HKLM\software\classes\interface\{dcfab192-4a0e-4720-8e24-70d5f0cb8c39}\ (8 subtraces) (ID = 4364743)
11:12: HKU\S-1-5-21-1417001333-1303643608-839522115-1003\software\microsoft\internet explorer\new windows\allow\ || *.morwillsearch.com (ID = 4364766)
11:12: HKLM\software\mwsearchco\ (8 subtraces) (ID = 4364776)
11:12: Found Adware: cws_analyzeie
11:12: HKCR\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 4377830)
11:12: HKLM\software\classes\clsid\{60d75c7f-d119-4a89-b3b3-d8aa07ef3300}\ (ID = 4377852)
11:12: Found Trojan Horse: fastvideoplayer
11:12: HKCR\clsid\{b5dd9a64-5c4b-4a48-be56-97c1a8f85708}\ (21 subtraces) (ID = 4387398)
11:12: HKCR\fastvideoplayerlite.fastvideoplayerlitectrl.1\ (4 subtraces) (ID = 4387401)
11:12: HKCR\fastvideoplayerlite.fastvideoplayerlitectrl\ (5 subtraces) (ID = 4387402)
11:12: HKCR\interface\{9ff86c1b-7e6f-4a7f-932a-244fe7296dae}\ (8 subtraces) (ID = 4387403)
11:12: HKCR\interface\{ee7e970d-3d17-4645-8660-d7f40b917092}\ (8 subtraces) (ID = 4387404)
11:12: HKLM\software\classes\clsid\{b5dd9a64-5c4b-4a48-be56-97c1a8f85708}\ (21 subtraces) (ID = 4387405)
11:12: HKLM\software\classes\fastvideoplayerlite.fastvideoplayerlitectrl.1\ (4 subtraces) (ID = 4387408)
11:12: HKLM\software\classes\fastvideoplayerlite.fastvideoplayerlitectrl\ (5 subtraces) (ID = 4387409)
11:12: HKLM\software\classes\interface\{9ff86c1b-7e6f-4a7f-932a-244fe7296dae}\ (8 subtraces) (ID = 4387410)
11:12: HKLM\software\classes\interface\{ee7e970d-3d17-4645-8660-d7f40b917092}\ (8 subtraces) (ID = 4387411)
11:12: HKLM\software\classes\typelib\{022850cb-74fd-486d-8b1c-573ecfd599ad}\ (9 subtraces) (ID = 4387412)
11:12: HKCR\typelib\{022850cb-74fd-486d-8b1c-573ecfd599ad}\ (9 subtraces) (ID = 4387413)
11:12: Found Adware: instant access
11:12: HKU\S-1-5-21-1417001333-1303643608-839522115-1003\software\microsoft\windows\currentversion\wintrust\trust providers\software publishing\trust database\0\ || goicfboogidikkejccmclpieicihhlpo bgdjdn (ID = 4389920)
11:12: HKU\S-1-5-21-1417001333-1303643608-839522115-1003\software\p2eclient\ (1 subtraces) (ID = 4389921)
11:12: Found Adware: one2one viewer
11:12: HKU\S-1-5-21-1417001333-1303643608-839522115-1003\software\livesvc\ (ID = 4397582)
11:12: Found Adware: psguard desktop hijacker
11:12: HKLM\software\microsoft\windows\currentversion\uninstall\internet update\ (3 subtraces) (ID = 4398274)
11:12: HKLM\software\psguard.com\ (21 subtraces) (ID = 4398275)
11:12: Found Adware: psguard
11:12: HKLM\software\pguard.com\ (ID = 4398286)
11:12: Registry Sweep Complete, Elapsed Time:00:00:07
11:12: Starting Cookie Sweep
11:12: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:12: Starting File Sweep
11:14: tmlpcert2005 (ID = 4106095)
11:14: mwsearch.bmp (ID = 4090939)
11:15: fvp.inf (ID = 4102593)
11:15: fvp.inf (ID = 4102593)
11:15: backup-20050722-145019-963.inf (ID = 4105858)
11:15: File Sweep Complete, Elapsed Time: 00:02:25
11:15: Full Sweep has completed. Elapsed time 00:03:48
11:15: Traces Found: 188
11:15: Removal process initiated
11:15: Quarantining All Traces: azsearch toolbar
11:15: Quarantining All Traces: cws_analyzeie
11:15: Quarantining All Traces: fastvideoplayer
11:15: Quarantining All Traces: instant access
11:15: Quarantining All Traces: one2one viewer
11:15: Quarantining All Traces: psguard desktop hijacker
11:15: Quarantining All Traces: psguard
11:15: Removal process completed. Elapsed time 00:00:02
********
11:10: |··· Start of Session, 25 July 2005 ···|
11:10: Spy Sweeper started
11:10: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 77F94213 in module 'ntdll.dll'. Read of address 00000058
11:11: |··· End of Session, 25 July 2005 ···|

#26 Lord Morbius (Topic Starter, Member, 18 posts)
Oops, maybe I spoke too soon...

Just got another popup for online casinos :-(

#27 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Please go here: Jotti Virus Scan

Click the "browse" button and locate this file:

I:\WINDOWS\System32\wininet.dll

Click "Open", then click the "Submit" button. Copy the results and paste them here.

I need you to open Ewido, update it, reboot into Safe Mode and run it just as you did previously and post the log.

#28 Lord Morbius (Topic Starter, Member, 18 posts)
Hello again, sorry about the delay...

I submitted the wininet file to Jotti and they didn't seem to find anything wrong with it. I wasn't sure how to copy the scan results they provided, so I hope what I have posted below is satisfactory...

File: WININET.DLL
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 01893ed35886aff539b58a025736f7ed
Packers detected: -

Scanner results:
AntiVir                 Found nothing
ArcaVir                 Found nothing
Avast                   Found nothing
AVG Antivirus           Found nothing
BitDefender             Found nothing
ClamAV                  Found nothing
Dr.Web                  Found nothing
F-Prot Antivirus        Found nothing
Fortinet                Found nothing
Kaspersky Anti-Virus    Found nothing
NOD32                   Found nothing
Norman Virus Control    Found nothing
UNA                     Found nothing
VBA32                   Found nothing

I updated ewido as advised and rebooted into safe mode, but when I tried to run the scan I received a "no disk in drive" statement. I clicked on continue a few times and the scan appeared to run normally, reporting quite a few infections; the saved report is pasted below...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:04:03, 27/07/2005
+ Report-Checksum: E07E8031

+ Scan result:

I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@casinotropez[1].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@cz11.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@cz4.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@cz9.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfk4agcpidq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfk4amcjcho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfk4ujcpofp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfkigpdjeko.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfkikgdpmeq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfkikmdjakp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfkikodjafp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfkoukdpmaq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfl4ahc5odp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfl4ojazsho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfl4ond5khp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfl4wpdjgao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wflichdzoep.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfliolcjeco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wfliwlazgao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wgkiqlczecq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjk4sjczicq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjk4wldzabp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjk4wpdpmlq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjkocmcpkkp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjl4slazalo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjlisjczaeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjloqhdpkfq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjlosjcziao.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjlosjczwaq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjlyalcjgfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjlyamd5iap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjlyuidzido.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjmioncpiho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjmywicpmgp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjnygkdpeko.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@e-2dj6wjnyunczkep.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@hypertracker[2].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@www.casinotropez[1].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@xxxcounter[1].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
I:\WINDOWS\system32\msclock32.dll -> Dialer.Generic : Cleaned with backup


::Report End

When I rebooted into normal mode to make this reply, I started Internet Explorer and immediately got another popup window advertising anti-spy software... spynuker. I have no idea what that was about but there is obviously something still lurking in there.
  • 0

#29
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Let's see about locating the problem files:
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.

  • 0

#30
Lord Morbius

Lord Morbius

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hi there once again, I downloaded and extracted the utility and it produced the following output report...

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: I:\Documents and Settings\Lord Morbius\Desktop\anit virus folder\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive I has no label.
Volume Serial Number is 70D5-0997

Directory of I:\WINDOWS\System32

29/07/2005 10:23 <DIR> dllcache
17/02/2005 19:02 56 8BF5B1B8C1.sys
17/02/2005 19:02 1,682 KGyGaAvL.sys
28/01/2005 13:39 <DIR> Microsoft
28/01/2005 13:28 32 {6C6EADEF-A85F-4B12-9666-D7173E380815}.dat
3 File(s) 1,770 bytes
2 Dir(s) 199,261,519,872 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive I has no label.
Volume Serial Number is 70D5-0997

Directory of I:\WINDOWS\System32

29/07/2005 12:07 890 vsconfig.xml
29/07/2005 10:23 <DIR> dllcache
17/02/2005 19:02 56 8BF5B1B8C1.sys
17/02/2005 19:02 1,682 KGyGaAvL.sys
28/01/2005 14:27 4,212 zllictbl.dat
28/01/2005 13:28 32 {6C6EADEF-A85F-4B12-9666-D7173E380815}.dat
28/01/2005 13:20 488 logonui.exe.manifest
28/01/2005 13:20 488 WindowsLogon.manifest
28/01/2005 13:20 749 sapi.cpl.manifest
28/01/2005 13:20 749 wuaucpl.cpl.manifest
28/01/2005 13:20 749 cdplayer.exe.manifest
28/01/2005 13:20 749 nwc.cpl.manifest
28/01/2005 13:20 749 ncpa.cpl.manifest
12 File(s) 11,593 bytes
1 Dir(s) 199,261,515,776 bytes free

------------ Files Named "Guard" ---------------

Volume in drive I has no label.
Volume Serial Number is 70D5-0997

Directory of I:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive I has no label.
Volume Serial Number is 70D5-0997

Directory of I:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

I:\WINDOWS\SYSTEM32\
vsconfig.xml Fri 29 Jul 2005 12:07:48 A..H. 890 0.87 K

1 item found: 1 file, 0 directories.
Total of file sizes: 890 bytes 0.87 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"I:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"I:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe"
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"Alcmtr"="ALCMTR.EXE"
"Zone Labs Client"="\"I:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Lexmark X5100 Series"="\"I:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"ABIT uGuru"="I:\\Program Files\\ABIT\\ABIT uGuru\\uGuru.exe"
"NvCplDaemon"="RUNDLL32.EXE I:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE I:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"MMTray"="I:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"Symantec NetDriver Monitor"="I:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SSC_UserPrompt"="I:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"iTunesHelper"="\"I:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"I:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"gwxpuzrt"="i:\\windows\\system32\\gwxpuzrt.exe -start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


Bloodhound now seems to be a thing of the past - Thanks ever so much.
  • 0
