Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

HIJACK THIS log fighting http://ads1.revenue.net

Started by pezgandhi , Nov 21 2004 04:35 PM

Please log in to reply

#1
pezgandhi

Posted 21 November 2004 - 04:35 PM

New Member

Member
7 posts

I have tried and tried again to get rid of a bunch of pop ups and other stuff on my wifes desktop. She swears she hasn't gone anywhere off mainstream and still I can't get rid of this stuff.

If you can help at all, I would greatly appreciate the guidance. I have attempted to do as instructed. In addition, I have run Pest patrol that seems to find even more than adaware

Thank you
Brian

Logfile of HijackThis v1.98.2
Scan saved at 4:30:45 PM, on 11/21/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mary\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mgochal.pledgepage.org/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezStub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

#2
ditto

Posted 22 November 2004 - 10:23 PM

- i pwn n00bs -

Member
1,260 posts

Please run a free online virus scan here:
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

#3
pezgandhi

Posted 23 November 2004 - 09:15 PM

New Member

Topic Starter
Member
7 posts

Please run a free online virus scan here:
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

I ran the trojan scan and it found nothing. Same result with the online virus scanner.

here is today's highjack log
Logfile of HijackThis v1.98.2
Scan saved at 9:14:34 PM, on 11/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mary\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mgochal.pledgepage.org/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezStub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

AGain, any help getting rid of this crap would be greatly appreciated.

#4
Smokey

Posted 24 November 2004 - 10:32 AM

Member 1K

Retired Staff
1,423 posts

Your computer has a number of spyware programs that we need to remove. For more info on spyware see the Spyware FAQ link in my signature.

Let's start with a couple free programs.

Ad-aware. Open Ad-Aware and use the Check for updates now link. Download and accept the latest reference file. When finished click the Start button. When done scanning, the Abort button will change to Next. Click the Next button. Right-click in the Scanning Results window and click "Select all objects". Then click the "Next" button and confirm that you want to delete the selected entries.

Spybot Search & Destroy Download and install. Start Spybot S&D using the "Spybot-S&D (easy mode)" link from your Start menu . Click the Search for updates button, if any are found then click the Download Updates button. After all updates are downloaded, click the Check for problems button. When the scan is complete, place a check next to anything marked in red, then click the Fix selected problems button. You may need to run Spybot S&D multiple times to remove all infections.

When finished, Reboot your computer. Finally, reply to this post with a new HiJackThis log so we can look for any nasties that may have been missed. <_<

CLICK HERE to download Ad-aware
CLICK HERE to download Spybot S&D

#5
pezgandhi

Posted 26 November 2004 - 11:24 PM

New Member

Topic Starter
Member
7 posts

tried using ADaware and it keeps getting stuck at this point:

C:\WINDOWS\$NtServicePackUninstall$\msrdp.cab..

is this something that I can delete or is this something I should keep. Either way, without getting past this file, the program will continue to get hung up.

I really appreciate the help!!!

Sincerely,
Brian

#6
admin

Posted 26 November 2004 - 11:53 PM

Founder Geek

Community Leader
24,639 posts

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezStub.exe

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINDOWS\system32\ezStub.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. <_<

#7
pezgandhi

Posted 28 November 2004 - 10:36 AM

New Member

Topic Starter
Member
7 posts

This has become pure maddness.

I did as instructed and all of those files mentioned for me to delete couldn't be found

Again, I am unable to run adaware fully because the program hangs up scanning this file and it tries to scan it even if I uncheck the file in files to be scanned:

C:\WINDOWS\$NtServicePackUninstall$\msrdp.cab..

I can do a smart system scan. at this point I find some disturbing files. I have attemted to delete them and my system just won't let me. I have started in safe mode and it makes no difference.

This is the browser window that continues to open without any prompting from my wife and with no other windows open. Kapersky continues to stop whatever content is trying to load in the window. It says it contains malicious code

http://69.20.56.3/normal/yyy12.html

This is also opening up
http://69.20.61.245/.../ad-armorie.htm

and this IE window

http://z1.adserver.c...ac=29;c=48;nc=1

I have searched the Registry and found nothing titled Adserver

In the temp folders I find index.dat and desktop.ini. These two files, I can’t delete!
In adaware, this seems to be the nasty that I can’t delete
Vendor:VX2
Category:Malware
Object Type:Process
Size:-
Location:C:\WINDOWS\system32\aecups.dll
Last Activity:11-28-2004 7:43:29 AM
Risk Level:High
TAC index:10
Comment:
Description:Malware. Causes Popups and may install unsolicited software.

I checked the file aecups.dll and it appears to have been created on 7/2/04. My wife doesn't have to much on the system. I have taken her off of the network and I am getting so frustrated that I am on the verge of wiping the [bleep] thing.
It would appear as though the F@#$Ker's have been able to get in and I can't get them out. What confuses me is that I don't understand what they hope to accomplish. I have no intention of buying something from them and in fact, if I could attack them with bats (maybe even the flying kind:)), I might consider it:) <_<

below is the latest Hijack this report.
I must once again say that I appreciate all the time and efforts you are all providing to help rid the planet of this crap

Sincerely,
Brian

Logfile of HijackThis v1.98.2
Scan saved at 10:35:19 AM, on 11/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mary\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mgochal.pledgepage.org/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#8
pezgandhi

Posted 10 December 2004 - 10:15 AM

New Member

Topic Starter
Member
7 posts

it would appear as though everyone is now fully stumped and I don't know what else to do...I'm thinking I'm going to just wipe the system. I just wish I knew how to keep this crap off the system other than not allowing the wifes computer to surf the internet.

Brian

#9
admin

Posted 10 December 2004 - 10:55 AM

Founder Geek

Community Leader
24,639 posts

1. Download VX2Finder here: http://www.geekstogo...=download&id=37
Run Vx2Finder and click on the Click to find VX2.BetterInternet button.

Click the Make Log button.

Save the log some place convenient like My Documents. Include the contents of the log in your next reply here.

2. Download this ZIP file: http://www.geekstogo...=download&id=36
and unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.

3. Please download DllCompare from here: http://www.geekstogo...=download&id=38

When it has downloaded, run the program and click on the Run Locate.com button. When that has completed, click on the Compare button. When that completed click on the Make Log of What Was Found button. Then post the contents of that log as a reply to this post.

Only if you get an error after pressing Run Locate.com:
copy autoexec.nt from c:\windows\repair\ folder to c:\windows\system32\ folder.

4. Please also open the c:\Windows\System32 folder and see if there's a file there called Guard.tmp visible and report that here as well.

#10
ELP44

Posted 10 December 2004 - 01:48 PM

New Member

Member
5 posts

Upgrade to Win XP SP2 Should work

#11
pezgandhi

Posted 10 December 2004 - 07:22 PM

New Member

Topic Starter
Member
7 posts

ok, did exactly as you said and found some items

HERE ARE THE RESULTS TO TO THE VX2 LOG
Log for VX2.BetterInternet File Finder (msg126)

Files Found---
C:\WINDOWS\system32\abledit.dll
C:\WINDOWS\system32\ajd.dll

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
WPAEvents

Guardian Key--- is called: WPAEvents
Asynchronous 000
DllName C:\WINDOWS\system32\abledit.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 126
ID {0647DFE8-F70E-4DC4-8F52-188AFC159FFA}
IDex DS3

User Agent String---
{0647DFE8-F70E-4DC4-8F52-188AFC159FFA}
%%%%%%%%%%%%%%

HERE ARE THE RESULTS TO THE FIND BAT OUTPUT LOG

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is C868-22C1

Directory of C:\WINDOWS\System32

10/05/2004 06:58 PM <DIR> dllcache
07/12/2004 08:27 AM 5 AuxDrv32_g.dlx
06/29/2003 04:36 PM <DIR> Microsoft
1 File(s) 5 bytes
2 Dir(s) 35,745,498,112 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is C868-22C1

Directory of C:\WINDOWS\System32

12/10/2004 07:00 PM 1,060 vsconfig.xml
12/10/2004 06:49 PM 4,212 zllictbl.dat
10/05/2004 06:58 PM <DIR> dllcache
07/12/2004 08:27 AM 5 AuxDrv32_g.dlx
06/29/2003 05:28 PM 24,200 PROSetp.GID
06/29/2003 03:01 PM 488 logonui.exe.manifest
06/29/2003 03:01 PM 488 WindowsLogon.manifest
06/29/2003 03:01 PM 749 cdplayer.exe.manifest
06/29/2003 03:01 PM 749 sapi.cpl.manifest
06/29/2003 03:01 PM 749 wuaucpl.cpl.manifest
06/29/2003 03:01 PM 749 nwc.cpl.manifest
06/29/2003 03:01 PM 749 ncpa.cpl.manifest
11 File(s) 34,198 bytes
1 Dir(s) 35,745,497,088 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is C868-22C1

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is C868-22C1

Directory of C:\WINDOWS\System32

08/11/2004 12:45 AM 5,550,080 setb6.tmp
03/29/2004 07:48 PM 439,808 SET770.tmp
03/29/2004 07:48 PM 306,176 SET77A.tmp
03/29/2004 07:48 PM 253,440 SET76B.tmp
08/30/2001 04:30 AM 2,577 CONFIG.TMP
5 File(s) 6,552,081 bytes
0 Dir(s) 35,745,497,088 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0647DFE8-F70E-4DC4-8F52-188AFC159FFA}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Time Zones]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\abledit.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Version"="126"
"ID"="{0647DFE8-F70E-4DC4-8F52-188AFC159FFA}"
"IDex"="DS3"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

'Xfind' is not recognized as an internal or external command,
operable program or batch file.

-------------- Locate.com Results ---------------

%%%%%%%%%%%%%%%%%%%

HERE ARE THE RESULTS FOR THE DLL COMPARE LOG
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found

"
________________________________________________

1,270 items found: 1,270 files, 0 directories.
Total of file sizes: 257,254,253 bytes 245.34 M

Administrator Account = True

--------------------End log---------------------

The file Guard.tmp was not located in the system32 folder

I ran highjack this one more time below is the output log

Logfile of HijackThis v1.98.2
Scan saved at 7:16:23 PM, on 12/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\SahAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mary\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mgochal.pledgepage.org/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Mary\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\system32\SahAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

As always, I want to sincerely thank every single one that helps me in my quest to rid my wife's computer of this crap.

#12
admin

Posted 11 December 2004 - 03:45 PM

Founder Geek

Community Leader
24,639 posts

Follow these instructions to run Ad-ware and the VX2 plugin.

Run Ad-Aware with the latest update.

Download the latest version of Ad-Aware (Ad-Aware SE Build 1.05) from here.
If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
Once the definitions have been updated:
Reconfigure Ad-Aware for Full Scan as per the following instructions:
- Launch the program, and click on the Gear at the top of the start screen.
- Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
  - "Automatically save logfile"
  - Automatically quarantine objects prior to removal"
  - Safe Mode (always request confirmation)
  - Prompt to update outdated confirmation) - Change to 7 days.
- Click the "Scanning" button (On the left side).
- Under Drives & Folders, select "Scan within Archives"
- Click "Click here to select Drives + folders" and select your installed hard drives.
- Under Memory & Registry, select all options.
- Click the "Advanced" button (On the left hand side).
- Under "Shell Integration", select "Move deleted files to Recycle Bin".
- Under "Log-file detail", select all options.
- Click on the "Defaults" button on the left.
- Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
- Click the "Tweak" button (Again, on the left hand side).
- Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
  - "Unload recognized processes during scanning."
  - "Obtain command line of scanned processes"
  - "Scan registry for all users instead of current user only"
- Under "Cleaning Engine", select the following:
  - "Automatically try to unregister objects prior to deletion."
  - "During removal, unload explorer and IE if necessary"
  - "Let Windows remove files in use at next reboot."
  - "Delete quarrantined objects after restoring"
- Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
- Click on "Proceed" to save these Preferences.
- Click on the "Scan Now" button on the left.
- Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
Close all programs except ad-aware.
Click on "Next" in the bottom right corner to start the scan.
Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

Plug-Ins for Ad-Aware (VX2 Cleaner)
Download the free VX2 Cleaner here

Close Ad-Aware SE build 1.05 and Ad-Watch (if running)
Install the VX2 Cleaner
Start Ad-Aware SE build 1.05
Go to “Plug-ins”
Select the VX2 Cleaner plug-in and click “Run Plugin”
If your computer isn't infected, click "close"

If your computer is infected:

Select “Clean System”
Reboot your computer
Scan your computer with Ad-Aware
Remove any VX2 objects detected
Reboot your computer again
Run a second scan to make sure the files have been removed from your computer

#13
pezgandhi

Posted 11 December 2004 - 05:09 PM

New Member

Topic Starter
Member
7 posts

I am unable to successfully run Adaware. Many, many folders within the Windows folder cause adaware to hang up. I'm talking 20 minutes later and no movement. It never goes to "not responding", it just stops playing. After about 6 folders of me unchecking them in the customization, I just unchecked windows and it went through.

I ran the VX add on tool in adaware and it found nothng.

here is the latest highjack this log.

and because I can't say it enough, thank you very, very much
Brian

Logfile of HijackThis v1.98.2
Scan saved at 5:09:16 PM, on 12/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mary\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mgochal.pledgepage.org/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL