Help Please, Hijack This Log [RESOLVED]


This topic is locked

#106 andyy (Member, Topic Starter, 77 posts)
OK,

I've got SP2 on my computer. I'm not sure what I did wrong the first time.

Also... I've got these files in SYSTEM32:

C:\WINDOWS\System32\zolker003.dll
C:\WINDOWS\System32\zolker001.dll

I know these are malicious. In fact I think these are the ones I fixed in HJT before you responded to this thread. So I'm guessing I didn't really get them cleared off the computer. Do I just delete them from the System32 folder or is there something else I should do? I also wonder if these are the ones causing the hijack when I go to my friend's blog.

here's a current HJT:

Logfile of HijackThis v1.99.1
Scan saved at 3:34:35 PM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\PROGRA~1\NORTON~1\NORTON~4\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\npssvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\NORTON~1\NORTON~4\alertsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Andy's Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~4\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~4\defalert.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\navapw32.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\System32\oline.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94DA7127-4609-4910-A5C0-09F2371F7E95}: NameServer = 69.50.188.180 85.255.112.5
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\npssvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
#107 Excal (Retired Staff, Malware Slayer Extraordinaire!, 12,739 posts)
Yes please delete them :tazz:


Let me know if it changes

Tom
#108 andyy (Member, Topic Starter, 77 posts)
I've updated everything I can think of including Norton antivirus. The updated Norton deleted those zolker.dll's.

I also see this file:
C:\WINDOWS\System32\ztoolb003.dll

The name, the date it was created, and a quick google search are making me think it also shouldn't be there. Any thoughts?
#109 Excal (Retired Staff, Malware Slayer Extraordinaire!, 12,739 posts)
Yes, that's bad; get rid of that. Have you done an ActiveScan lately? If not, see if that comes up with anything.


Tom
#110 andyy (Member, Topic Starter, 77 posts)
I've run Norton Anti-virus a couple times now. Once in normal and once in safe mode.

These were found:

Aphex.exe
Backup-20050706...
lopremover
mediaticketsinstaller

and possibly some others (this was yesterday)

Most were removed, but there were some it was unable to remove. I didn't note which ones those were. But I will run another scan later today.

I'm still getting graphic pop-ups. They seem to occur randomly when surfing the net, only with blog sites, none remotely related to the pop-up content. Once the pop-up occurs, I cannot go back to the site that triggered it without the pop-up occurring.

Also, I deleted the ztoolb003 yesterday. Somehow it was back today. I just deleted it again. Perhaps it is recreated when those pop-ups occur.

I don't know what I'm asking for at this point, perhaps just sympathy (lol)

arggh.
#111 Excal (Retired Staff, Malware Slayer Extraordinaire!, 12,739 posts)
Andyy,

Go ahead and post a fresh set of logs all the way around and we will see. I will try to get more people to look at it also, you never know ;)

LopRemover is the program we deleted in post 100, and you can delete it ;)

:tazz:

Tom

Edited by Excal, 21 July 2005 - 08:47 AM.

#112 andyy (Member, Topic Starter, 77 posts)
Here's the Silent Runners log and the HJT log. This is a naive guess on my part, but I think there's something in SYSTEM32 that's not being detected by the logs.

Thanks, -Andy



"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"AcctMgr" = "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "CNavExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\upnpui.dll" [MS]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{450D8FBA-AD25-11D0-98A8-0800361B1103}" = "MyDocs Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SmartFTP\smarthook.dll" ["SmartFTP"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
PowerDesk Menu\(Default) = "{26E7F081-EB97-11d3-9239-006008D2D00F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ontrack\PowerDesk\pdshext.dll" ["Ontrack Data International, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]
VersionsMenu\(Default) = "{03170921-4754-11cf-AB9A-00C0F00683EB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Suite8\Versions\CVersion.dll" ["Corel Corporation Limited"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
PowerDesk Menu\(Default) = "{26E7F081-EB97-11d3-9239-006008D2D00F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ontrack\PowerDesk\pdshext.dll" ["Ontrack Data International, Inc."]
QuickFinderMenu\(Default) = "{C0E10002-0028-0001-C0E1-C0E1C0E1C0E1}"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Suite8\Programs\PFSE80.DLL" ["Novell, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{C0E10002-0028-0001-C0E1-C0E1C0E1C0E1}"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Suite8\Programs\PFSE80.DLL" ["Novell, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]
VersionsMenu\(Default) = "{03170921-4754-11cf-AB9A-00C0F00683EB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Suite8\Versions\CVersion.dll" ["Corel Corporation Limited"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [file not found]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [file not found]
"Registration reminder 2" -> launches: "C:\WINDOWS\SYSTEM\OOBE\MSOOBE.EXE /r /2" [file not found]
"Registration reminder 3" -> launches: "C:\WINDOWS\SYSTEM\OOBE\MSOOBE.EXE /r /3" [file not found]
"Video Reminder" -> launches: "C:\WINDOWS\TUNEUP.EXE /COOL" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe"" ["Kerio Technologies"]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE" ["Symantec Corporation"]
SAVScan, SAVScan, ""C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe"" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe" ["Symantec Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 99 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 74 seconds.
---------- (total run time: 284 seconds)



Logfile of HijackThis v1.99.1
Scan saved at 10:26:54 AM, on 7/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Adobe\After Effects 5.5\AfterFX.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Andy's Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\System32\oline.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94DA7127-4609-4910-A5C0-09F2371F7E95}: NameServer = 69.50.188.180 85.255.112.5
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
#113 Excal (Retired Staff, Malware Slayer Extraordinaire!, 12,739 posts)
Go to Start > Run and copy and paste this in:

regedit /e C:\search.txt "HKEY_CURRENT_USER\RemoteAccess\Profile"

Paste the results in your next post (the file will be C:\search.txt).

Do the same for this one:

regedit /e C:\search1.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters"

Paste the results in your next post (the file will be C:\search1.txt).
  • Click Start, and then click Search.
  • Click All files and folders.
  • In the "All or part of the file name" box, type:

    rasphone.pbk

  • Verify that "Look in" is set to "Local Hard Drives" or to (C:).
  • Click "More advanced options."
  • Check "Search system folders."
  • Check "Search subfolders."
  • Click Search.
  • Click Find Now or Search Now.
  • If you find rasphone.pbk file, right-click the file, and then click "Open With."
  • Deselect the "Always use this program to open this program" check box.
  • Scroll through the list of programs and double-click Notepad.
  • Copy all that in the notepad and paste here

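The three artefacts Tom asks for above (the two regedit exports and rasphone.pbk) all come down to one question: which DNS resolvers is this machine configured to use, and do they match what the ISP is supposed to hand out? Both HJT logs in this thread carry the same O17 NameServer line, and the rasphone.pbk posted below names the same two addresses, so the resolver setting survived every cleanup step taken in between. The script below is an example added by the editor, not code from the thread or from HijackThis: it pulls the resolver addresses out of HJT O17 lines, a rasphone.pbk entry and a regedit /e export, then reports any resolver that is neither private nor on an expected list. EXPECTED_DNS is a placeholder (assumption) for the resolvers you actually expect on the machine, and the sample inputs are constructed excerpts of the logs posted in this thread.

```python
"""Collect DNS resolver settings from HijackThis O17 lines, rasphone.pbk and a
regedit /e export, and flag resolvers outside the expected set.  Editor-added
example; EXPECTED_DNS is a placeholder assumption, sample inputs are constructed."""
import ipaddress
import re

# Placeholder (assumption): the resolvers this machine is supposed to use.
EXPECTED_DNS = {"198.51.100.53"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_NS_RE = re.compile(r'^"NameServer"="(?P<servers>[^"]*)"$')
PBK_DNS_KEYS = ("IpDnsAddress", "IpDns2Address")


def _split_servers(text):
    """HJT and the registry separate multiple resolvers by space or comma."""
    return [s for s in re.split(r"[ ,]+", text.strip()) if s and s != "0.0.0.0"]


def parse_hjt_o17(log_text):
    """{registry key: [servers]} for every O17 NameServer line in an HJT log."""
    found = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            found[m.group("key")] = _split_servers(m.group("servers"))
    return found


def parse_rasphone_pbk(pbk_text):
    """{connection name: [servers]} from the IpDns*Address keys of rasphone.pbk."""
    found, entry = {}, None
    for raw in pbk_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            entry = line[1:-1]
            found[entry] = []
        elif entry and "=" in line:
            key, value = line.split("=", 1)
            if key in PBK_DNS_KEYS:
                found[entry].extend(_split_servers(value))
    return found


def parse_reg_export(reg_text):
    """{registry key: [servers]} for non-empty "NameServer" values in a .reg export.
    regedit /e writes UTF-16; decode the file before passing its text here."""
    found, key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        nm = REG_NS_RE.match(line)
        if nm and key:
            servers = _split_servers(nm.group("servers"))
            if servers:
                found[key] = servers
    return found


def unexpected_servers(servers, expected=EXPECTED_DNS):
    """Resolvers that are neither expected nor private/loopback addresses."""
    flagged = set()
    for s in servers:
        if s in expected:
            continue
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            flagged.add(s)  # not even an IP address: worth a look
            continue
        if not (ip.is_private or ip.is_loopback):
            flagged.add(s)
    return flagged


def audit(hjt_logs, pbk_text, reg_text, expected=EXPECTED_DNS):
    """Per artefact, the unexpected resolvers it names.  A resolver present in
    every HJT scan survived whatever cleanup happened between the scans."""
    per_scan = [set(sum(parse_hjt_o17(t).values(), [])) for t in hjt_logs]
    in_every_scan = set.intersection(*per_scan) if per_scan else set()
    pbk = set(sum(parse_rasphone_pbk(pbk_text).values(), []))
    reg = set(sum(parse_reg_export(reg_text).values(), []))
    return {
        "persisted_across_scans": sorted(unexpected_servers(in_every_scan, expected)),
        "rasphone_pbk": sorted(unexpected_servers(pbk, expected)),
        "registry_export": sorted(unexpected_servers(reg, expected)),
    }


# Constructed excerpts of the artefacts posted in this thread.
HJT_0719 = """O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{94DA7127-4609-4910-A5C0-09F2371F7E95}: NameServer = 69.50.188.180 85.255.112.5
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\\Program Files\\Kerio\\Personal Firewall 4\\kpf4ss.exe"""
HJT_0721 = """O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{94DA7127-4609-4910-A5C0-09F2371F7E95}: NameServer = 69.50.188.180 85.255.112.5"""
PBK = """[DSL Connection]
Type=5
IpAddress=0.0.0.0
IpDnsAddress=69.50.188.180
IpDns2Address=85.255.112.5
IpWinsAddress=0.0.0.0
"""
REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]
"NV Hostname"="oemcomputer"
"NameServer"=""
"""

if __name__ == "__main__":
    for artefact, servers in audit([HJT_0719, HJT_0721], PBK, REG).items():
        print(f"{artefact}: {servers or 'nothing unexpected'}")
```

The global Tcpip\Parameters "NameServer" in the export posted below is empty, which is why the registry branch reports nothing here; the O17 line points at a per-interface key under Tcpip\Parameters\Interfaces, so that is the key to export (regedit /e) and feed to parse_reg_export if you want the registry view to match HJT.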
#114 andyy (Member, Topic Starter, 77 posts)
***Here's the rasphone:***

[DSL Connection]
Encoding=1
Type=5
AutoLogon=0
UseRasCredentials=1
DialParamsUID=538764
Guid=48C9BB9CBAAC57489A427191ECA473FB
BaseProtocol=1
VpnStrategy=0
ExcludedProtocols=3
LcpExtensions=1
DataEncryption=8
SwCompression=0
NegotiateMultilinkAlways=0
SkipNwcWarning=0
SkipDownLevelDialog=0
SkipDoubleDialDialog=0
DialMode=0
DialPercent=0
DialSeconds=0
HangUpPercent=0
HangUpSeconds=0
OverridePref=15
RedialAttempts=0
RedialSeconds=0
IdleDisconnectSeconds=0
RedialOnLinkFailure=0
CallbackMode=0
CustomDialDll=
CustomDialFunc=
CustomRasDialDll=
AuthenticateServer=0
ShareMsFilePrint=0
BindMsNetClient=1
SharedPhoneNumbers=0
GlobalDeviceSettings=0
PrerequisiteEntry=
PrerequisitePbk=
PreferredPort=PPPoE5-0
PreferredDevice=WAN Miniport (PPPOE)
PreferredBps=0
PreferredHwFlow=0
PreferredProtocol=0
PreferredCompression=0
PreferredSpeaker=0
PreferredMdmProtocol=0
PreviewUserPw=1
PreviewDomain=0
PreviewPhoneNumber=0
ShowDialingProgress=1
ShowMonitorIconInTaskBar=1
CustomAuthKey=-1
AuthRestrictions=264
TypicalAuth=1
IpPrioritizeRemote=1
IpHeaderCompression=0
IpAddress=0.0.0.0
IpDnsAddress=69.50.188.180
IpDns2Address=85.255.112.5
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
IpNameAssign=2
IpFrameSize=1006
IpDnsFlags=0
IpNBTFlags=1
TcpWindowSize=0
UseFlags=0
IpSecFlags=0
IpDnsSuffix=

NETCOMPONENTS=
ms_msclient=1
ms_server=0

MEDIA=rastapi
Port=PPPoE5-0
Device=WAN Miniport (PPPOE)

DEVICE=PPPoE
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1


***HERE'S SEARCH.TXT:***

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\RemoteAccess\Profile]

[HKEY_CURRENT_USER\RemoteAccess\Profile\DSL Connection]
"EnableAutodisconnect"=dword:00000000
"DisconnectIdleTime"=dword:00000014
"EnableExitDisconnect"=dword:00000000
"RedialAttempts"=dword:0000000a
"RedialWait"=dword:00000005
"AutoConnect"=dword:00000000


***HERE'S SEARCH1.TXT:***

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000003
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,74,00,63,00,70,00,69,00,70,00,2e,\
00,73,00,79,00,73,00,00,00
"DisplayName"="TCP/IP Protocol Driver"
"Group"="PNP_TDI"
"DependOnService"=hex(7):49,00,50,00,53,00,65,00,63,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"Description"="TCP/IP Protocol Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage]
"Bind"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,7b,00,36,00,35,\
00,36,00,42,00,46,00,31,00,38,00,38,00,2d,00,42,00,39,00,43,00,33,00,2d,00,\
34,00,46,00,30,00,33,00,2d,00,39,00,38,00,46,00,36,00,2d,00,36,00,39,00,46,\
00,31,00,37,00,35,00,31,00,39,00,30,00,42,00,44,00,31,00,7d,00,00,00,5c,00,\
44,00,65,00,76,00,69,00,63,00,65,00,5c,00,7b,00,34,00,41,00,43,00,43,00,44,\
00,42,00,30,00,33,00,2d,00,42,00,39,00,33,00,30,00,2d,00,34,00,30,00,31,00,\
43,00,2d,00,42,00,37,00,41,00,45,00,2d,00,32,00,46,00,30,00,43,00,34,00,38,\
00,38,00,46,00,35,00,30,00,34,00,35,00,7d,00,00,00,5c,00,44,00,65,00,76,00,\
69,00,63,00,65,00,5c,00,7b,00,42,00,39,00,41,00,42,00,30,00,38,00,46,00,32,\
00,2d,00,42,00,31,00,34,00,31,00,2d,00,34,00,43,00,30,00,46,00,2d,00,39,00,\
41,00,41,00,32,00,2d,00,32,00,46,00,35,00,43,00,31,00,38,00,31,00,44,00,39,\
00,41,00,41,00,44,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,\
5c,00,4e,00,64,00,69,00,73,00,57,00,61,00,6e,00,49,00,70,00,00,00,00,00
"Route"=hex(7):22,00,7b,00,36,00,35,00,36,00,42,00,46,00,31,00,38,00,38,00,2d,\
00,42,00,39,00,43,00,33,00,2d,00,34,00,46,00,30,00,33,00,2d,00,39,00,38,00,\
46,00,36,00,2d,00,36,00,39,00,46,00,31,00,37,00,35,00,31,00,39,00,30,00,42,\
00,44,00,31,00,7d,00,22,00,00,00,22,00,7b,00,34,00,41,00,43,00,43,00,44,00,\
42,00,30,00,33,00,2d,00,42,00,39,00,33,00,30,00,2d,00,34,00,30,00,31,00,43,\
00,2d,00,42,00,37,00,41,00,45,00,2d,00,32,00,46,00,30,00,43,00,34,00,38,00,\
38,00,46,00,35,00,30,00,34,00,35,00,7d,00,22,00,00,00,22,00,7b,00,42,00,39,\
00,41,00,42,00,30,00,38,00,46,00,32,00,2d,00,42,00,31,00,34,00,31,00,2d,00,\
34,00,43,00,30,00,46,00,2d,00,39,00,41,00,41,00,32,00,2d,00,32,00,46,00,35,\
00,43,00,31,00,38,00,31,00,44,00,39,00,41,00,41,00,44,00,7d,00,22,00,00,00,\
22,00,4e,00,64,00,69,00,73,00,57,00,61,00,6e,00,49,00,70,00,22,00,00,00,00,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NV Hostname"="oemcomputer"
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00
"NameServer"=""
"ForwardBroadcasts"=dword:00000000
"IPEnableRouter"=dword:00000000
"Domain"=""
"Hostname"="oemcomputer"
"SearchList"=""
"UseDomainNameDevolution"=dword:00000001
"EnableICMPRedirect"=dword:00000001
"DeadGWDetectDefault"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"EnableSecurityFilters"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\NdisWanIp]
"LLInterface"="WANARP"
"NumInterfaces"=dword:00000004
"IpInterfaces"=hex:64,05,c5,84,85,f2,33,40,b8,bd,9a,9b,49,e9,82,64,0a,88,87,5e,\
a1,76,73,4d,a3,1f,f2,74,b9,32,07,d0,55,b2,35,ba,2b,a1,ab,46,a9,fb,ce,b0,5d,\
28,27,ae,27,71,da,94,09,46,10,49,a5,c0,09,f2,37,1f,7e,95

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{4ACCDB03-B930-401C-B7AE-2F0C488F5045}]
"LLInterface"="ARP1394"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{656BF188-B9C3-4F03-98F6-69F175190BD1}]
"LLInterface"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{B9AB08F2-B141-4C0F-9AA2-2F5C181D9AAD}]
"LLInterface"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4ACCDB03-B930-401C-B7AE-2F0C488F5045}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5E87880A-76A1-4D73-A31F-F274B93207D0}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):00,00
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="0.0.0.0"
"Domain"=""
"NameServer"=""
"DhcpClassIdBin"=hex:
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{656BF188-B9C3-4F03-98F6-69F175190BD1}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
33,00,00,00,00,00
"DhcpClassIdBin"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84C50564-F285-4033-B8BD-9A9B49E98264}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{94DA7127-4609-4910-A5C0-09F2371F7E95}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
33,00,00,00,00,00
"DhcpIPAddress"="69.217.205.192"
"DhcpSubnetMask"="255.255.255.255"
"DhcpClassIdBin"=hex:
"Domain"=""
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
"NameServer"="69.50.188.180 85.255.112.5"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B9AB08F2-B141-4C0F-9AA2-2F5C181D9AAD}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DefaultGatewayMetric"=hex(7):00,00
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
32,00,00,00,00,00
"DhcpClassIdBin"=hex:
"DhcpServer"="255.255.255.255"
"Lease"=dword:00000000
"LeaseObtainedTime"=dword:42dfa82c
"T1"=dword:42dfa82c
"T2"=dword:42dfa82c
"LeaseTerminatesTime"=dword:7fffffff
"IPAutoconfigurationAddress"="169.254.173.117"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"AddressType"=dword:00000001
"DhcpIPAddress"="169.254.173.117"
"DhcpSubnetMask"="255.255.0.0"
"DhcpRetryTime"=dword:0000013a
"DhcpRetryStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BA35B255-A12B-46AB-A9FB-CEB05D2827AE}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock]
"UseDelayedAcceptance"=dword:00000000
"HelperDllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,77,00,73,00,68,00,74,00,63,00,70,00,69,00,70,00,2e,00,64,00,6c,00,6c,00,\
00,00
"MaxSockAddrLength"=dword:00000010
"MinSockAddrLength"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Performance]
"Close"="CloseTcpIpPerformanceData"
"Collect"="CollectTcpIpPerformanceData"
"Library"="Perfctrs.dll"
"Open"="OpenTcpIpPerformanceData"
"Object List"="502 510 546 582 638 658"
"WbemAdapFileSignature"=hex:97,2e,ff,c8,0d,9e,80,65,39,48,98,83,d3,70,32,f5
"WbemAdapFileTime"=hex:60,61,fb,31,3a,e4,c3,01
"WbemAdapFileSize"=dword:00009200
"WbemAdapStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:000007d0
"HostsPriority"=dword:000001f4
"LocalPriority"=dword:000001f3
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
77,00,73,00,6f,00,63,00,6b,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"NetbtPriority"=dword:000007d1
"Name"="TCP/IP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Enum]
"0"="Root\\LEGACY_TCPIP\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
  • 0

#115
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
I am just shooting at the stars here...lol. But we have nothing to lose...lol

Go ahead and back your registry up :tazz: just in case.

Go to Start > Run - type:

regedit

Click OK.

When you get into the registry, on the left side, click to highlight My Computer at the top. Then go up to "File > Export". Make sure in that window there is a tick next to "All" under Export Branch. Leave the "Save As Type" as "Registration Files", then save it as backup to a convenient location. Remember where you put it (I don't recommend putting it on the desktop). This is so the registry can be restored to this point should anything be deleted by accident or something else happens. It may take a minute. Just let it go until it's done.

------------------------------------------------------------------------------------------

Go to Start > Run and copy and paste this in.

regedit /e C:\search2.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters"

Paste the results in your next post (the file will be C:\search2.txt).
  • 0
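The export posted above, and the search2.txt that the `regedit /e` step just given will write, are the same format: string lists (REG_MULTI_SZ) appear as `hex(7)` UTF-16LE byte lists wrapped with a trailing backslash, and the per-interface NameServer values are exactly what HijackThis shows as O17 lines. The following Python is an added example, not from the thread or from HijackThis, that joins the wrapped lines, decodes the values and reports each interface's DNS servers; the embedded sample export is constructed from values visible in the dump above.

```python
# Added example for this thread (not HijackThis's own code): parse a regedit /e
# export and report each interface's DNS servers, the data behind an O17 line.
import re
from typing import Dict, List

TCPIP_PARAMETERS = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
INTERFACES_PREFIX = TCPIP_PARAMETERS + "\\Interfaces\\"

# Constructed sample in the format regedit /e writes, using values from the dump
# above: hex(7) is REG_MULTI_SZ as UTF-16LE bytes, long values wrap with a "\".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"=""
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,65,00,74,00,63,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{656BF188-B9C3-4F03-98F6-69F175190BD1}]
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{94DA7127-4609-4910-A5C0-09F2371F7E95}]
"EnableDHCP"=dword:00000000
"DhcpIPAddress"="69.217.205.192"
"NameServer"="69.50.188.180 85.255.112.5"
'''


def _logical_lines(text: str) -> List[str]:
    """Glue wrapped hex values (lines ending in a backslash) back together."""
    out: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()          # forum paste or regedit's two-space indent
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        out.append(pending + line)
        pending = ""
    if pending:
        out.append(pending)
    return out


def decode_value(raw: str):
    """Decode the right-hand side of a "name"=value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])     # undo \\ and \" escapes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        raise ValueError(f"unrecognised value syntax: {raw!r}")
    kind = int(m.group(1) or 3)                          # bare hex: is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind == 7:                                        # REG_MULTI_SZ, NUL-separated
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if kind in (1, 2):                                   # REG_SZ / REG_EXPAND_SZ
        return data.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg(text: str) -> Dict[str, dict]:
    """Return {key path: {value name: decoded value}} for a .reg export."""
    keys: Dict[str, dict] = {}
    current = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            continue                                     # header, blank or junk line
        name = m.group(1) if m.group(1) is not None else "@"
        keys[current][name] = decode_value(m.group(2))
    return keys


def dns_report(keys: Dict[str, dict]) -> Dict[str, dict]:
    """Per interface GUID: is it DHCP, and which resolvers does NameServer list.
    A resolver the owner never configured, especially on a static adapter, is
    the sign of redirected DNS that an O17 line points at."""
    report: Dict[str, dict] = {}
    for path, values in keys.items():
        if not path.upper().startswith(INTERFACES_PREFIX.upper()):
            continue
        ns = values.get("NameServer", "")
        servers = re.split(r"[ ,]+", ns.strip()) if isinstance(ns, str) and ns.strip() else []
        report[path[len(INTERFACES_PREFIX):]] = {
            "dhcp": values.get("EnableDHCP") == 1,
            "nameservers": servers,
        }
    return report


def suspicious_interfaces(keys: Dict[str, dict], trusted=()) -> List[str]:
    """GUIDs whose NameServer names a resolver that is not on the allow-list."""
    return [guid for guid, r in dns_report(keys).items()
            if any(s not in trusted for s in r["nameservers"])]
```

Run it on a real search2.txt by passing the file's text to `parse_reg` and an allow-list of the resolvers your ISP or router actually hands out to `suspicious_interfaces`.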

#116
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
One more thing :tazz:

Please download RootKitRevealer from here:

http://www.sysintern...kitrevealer.zip

Unzip it to your desktop, run it, and click Scan.
This will generate a log file. Please post the entire contents of the log file to your next post.
  • 0

#117
andyy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Busy weekend... here's the search2.log, then the rootkitrevealer log:


Search2log:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\NdisWanIp]
"LLInterface"="WANARP"
"NumInterfaces"=dword:00000004
"IpInterfaces"=hex:64,05,c5,84,85,f2,33,40,b8,bd,9a,9b,49,e9,82,64,0a,88,87,5e,\
a1,76,73,4d,a3,1f,f2,74,b9,32,07,d0,55,b2,35,ba,2b,a1,ab,46,a9,fb,ce,b0,5d,\
28,27,ae,27,71,da,94,09,46,10,49,a5,c0,09,f2,37,1f,7e,95

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{4ACCDB03-B930-401C-B7AE-2F0C488F5045}]
"LLInterface"="ARP1394"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{656BF188-B9C3-4F03-98F6-69F175190BD1}]
"LLInterface"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{B9AB08F2-B141-4C0F-9AA2-2F5C181D9AAD}]
"LLInterface"=""



Rootkitrevealer:

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050720.017\VSCANMSX.DAT 7/24/2005 5:43 PM 2.02 KB Hidden from Windows API.
C:\Recycled\NPROTECT 7/19/2005 3:55 PM 0 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000000.DAT 7/23/2005 10:17 AM 14 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000001.DAT 7/23/2005 10:17 AM 14 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000024.EDB 7/23/2005 10:18 AM 64.00 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000085.DIC 7/23/2005 12:20 PM 162 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000118.LNK 6/28/2005 9:26 AM 567 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000119.LNK 7/23/2005 1:25 PM 215 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000120.LNK 7/23/2005 1:25 PM 215 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000121.LNK 7/13/2005 5:51 PM 616 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000184.EDB 7/23/2005 3:20 PM 64.00 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000268.LNK 7/22/2005 5:14 PM 179 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000269.LNK 7/23/2005 6:14 PM 179 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000270.LNK 7/23/2005 6:14 PM 179 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000271.LNK 7/23/2005 1:25 PM 344 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000272.DOT 7/23/2005 12:10 PM 162 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000273.DAT 7/23/2005 10:39 PM 14 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000274.DAT 7/23/2005 10:39 PM 14 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000296.CAB 7/23/2005 7:00 AM 15.45 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000312.MOZ 7/23/2005 7:15 AM 8.11 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000314.EDB 7/23/2005 10:39 PM 64.00 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000318.MOZ 7/23/2005 7:18 AM 55.10 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000320.MOZ 7/23/2005 10:52 PM 55.10 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000321.MOZ 7/23/2005 7:18 AM 1.23 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000332.MOZ 7/23/2005 10:46 PM 8.11 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000333.MOZ 7/23/2005 11:02 PM 8.47 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000337.MOZ 7/23/2005 10:52 PM 55.10 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000339.MOZ 7/23/2005 11:07 PM 55.10 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000340.MOZ 7/23/2005 10:52 PM 1.23 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000342.DAT 7/24/2005 9:28 AM 14 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000343.DAT 7/24/2005 9:28 AM 14 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000365.EDB 7/24/2005 9:29 AM 64.00 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000367.DIC 7/24/2005 9:34 AM 162 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000372.DIC 7/24/2005 9:44 AM 162 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000397.LNK 7/22/2005 6:24 PM 340 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000398.LNK 7/24/2005 10:33 AM 340 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000399.LNK 7/24/2005 10:33 AM 340 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000400.LNK 7/13/2005 5:51 PM 621 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000476.LNK 7/23/2005 6:14 PM 179 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000477.LNK 7/24/2005 1:08 PM 179 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000478.LNK 7/24/2005 1:08 PM 179 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000479.LNK 7/24/2005 10:33 AM 465 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000489.DAT 7/24/2005 5:09 PM 14 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000490.DAT 7/24/2005 5:09 PM 14 bytes Hidden from Windows API.
C:\Recycled\NPROTECT\00000500.MOZ 7/23/2005 11:04 PM 8.47 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000501.MOZ 7/24/2005 5:12 PM 8.40 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000506.EDB 7/24/2005 5:10 PM 64.00 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000515.MOZ 7/23/2005 11:07 PM 55.10 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000517.MOZ 7/24/2005 5:19 PM 55.10 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000518.MOZ 7/23/2005 11:07 PM 1.23 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000519.SYS 7/24/2005 5:19 PM 7.49 KB Hidden from Windows API.
C:\Recycled\NPROTECT\00000521 7/24/2005 5:22 PM 18.46 MB Hidden from Windows API.
C:\Recycled\NPROTECT\00000523 7/24/2005 5:22 PM 4.27 MB Hidden from Windows API.
C:\Recycled\NPROTECT\00000525 7/24/2005 5:23 PM 4.30 MB Hidden from Windows API.
C:\Recycled\NPROTECT\NPROTECT.LOG 7/24/2005 1:12 PM 631.38 KB Hidden from Windows API.
D:\RECYCLER\NPROTECT 7/24/2005 5:08 PM 0 bytes Hidden from Windows API.
D:\RECYCLER\NPROTECT\NPROTECT.LOG 7/24/2005 1:12 PM 631.38 KB Hidden from Windows API.
  • 0

#119
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Ok here we go. The last battle! ....lol

Step 1

Download Ewido Security Suite from here
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files:
  • On the left hand side of the main screen click Update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can manually update Ewido.

Step 2

Download remv3.zip from here and unzip it to its own folder. It must be unzipped to its own folder to work.

Reboot into Safe Mode and then configure Windows to Show All Hidden Files and Folders - this must be done while in Safe Mode so copy and paste the instructions in the link to notepad and save to the desktop.

Now open the folder where you saved the remv3.zip files and double click the rem.bat file and let it run.
Wait for the Dos window to close.
It will delete the files, remove the infection and then make a log of the files it finds.

The log file will be located at C:\log.txt

Step 3

Enter your Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise, double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically. Make sure the radio dial has the Green Dot in it!!

Step 4

Open HijackThis and place a checkmark beside these entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{94DA7127-4609-4910-A5C0-09F2371F7E95}: NameServer = 69.50.188.180 85.255.112.5

Make sure ALL WINDOWS and BROWSERS are CLOSED and click Fix Checked

Step 5

Click Start | Search.
Click 'All files and folders'.
In the "All or part of the file name" box, type rasphone.pbk

Verify that "Look in" is set to "Local Hard Drives" or to ( C: ).
  • Click "More advanced options".
  • Check "Search System Folders".
  • Check "Search Subfolders".
  • Click "Search".
  • Click "Find Now" or "Search Now".
If you find the rasphone.pbk file, right-click it and then click "Open With."
Deselect the "Always use this program to open this program" check box.
Scroll through the list of programs and double-click Notepad.
When the file opens, delete the entries below:
  • IpDnsAddress=69.50.188.180
  • IpDns2Address=85.255.112.5
  • IpNameAssign = 2
Close Notepad and be sure to Save your changes when prompted!

Step 6

Now open Ewido Security Suite:
Click on Scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • Do NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
Once the scan has completed, click the Save Report button at the bottom.
Save the report .txt file to your desktop.
Then close Ewido Security Suite and reboot back to normal Windows mode.

Step 7

Once back in normal mode, click Start | Run and type CMD and click OK.

At the Dos Prompt Screen, type in cd\ and hit enter.

Now type in ipconfig /flushdns and click enter! (notice the space in the middle)

Then close the command prompt.

Restart the machine and post a fresh HijackThis log along with the logs from Ewido and Remv3
  • 0
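The checks in Steps 4 and 5 above, as an added example that is not part of the thread: a small script that pulls hard-coded DNS servers out of a HijackThis O17 line and out of rasphone.pbk, so a defender can spot a DNS hijack without reading the whole log by hand. The sample log and phonebook below are constructed for the example; the O17 key and the two DNS addresses are the ones quoted in the thread.

```python
import re
from typing import Dict, List

# Constructed sample: one unrelated line plus the O17 line quoted in the thread.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [Example] C:\\example.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{94DA7127-4609-4910-A5C0-09F2371F7E95}: NameServer = 69.50.188.180 85.255.112.5
"""

# Constructed sample rasphone.pbk (INI-style phonebook) carrying the entries Step 5 says to delete.
SAMPLE_RASPHONE_PBK = """\
[My Connection]
Type=1
IpDnsAddress=69.50.188.180
IpDns2Address=85.255.112.5
IpNameAssign=2
"""

# An O17 entry names the Tcpip interface key and the NameServer value it sets.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


def hjt_nameservers(log_text: str) -> Dict[str, List[str]]:
    """Map each O17 registry key in a HijackThis log to the DNS servers it hard-codes."""
    found: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            found[m.group("key")] = m.group("servers").split()
    return found


def pbk_dns_entries(pbk_text: str) -> Dict[str, Dict[str, str]]:
    """Per phonebook section, return the IpDns*/IpNameAssign settings that are present."""
    entries: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in pbk_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            # Step 5 lists IpDnsAddress, IpDns2Address and IpNameAssign = 2 as the entries to remove.
            if key.startswith("IpDns") or key == "IpNameAssign":
                entries.setdefault(section, {})[key] = value
    return entries


def suspicious_dns(log_text: str, pbk_text: str) -> List[str]:
    """Report every hard-coded DNS setting; Step 3 expects DNS to be obtained automatically."""
    hits = [f"O17 {key}: {' '.join(servers)}" for key, servers in hjt_nameservers(log_text).items()]
    hits += [f"rasphone.pbk [{name}]: {kv}" for name, kv in pbk_dns_entries(pbk_text).items()]
    return hits
```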

#120
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Andyy,

Check for any firewall exceptions:

Start-> Control Panel-> Security Center-> Windows Firewall-> Exceptions

In the Exceptions-> look for any entry labeled rk.exe
under the Advanced tab

Let me know the addresses listed in there.


Thanks,


Excal
  • 0
