aurora abi network popup [RESOLVED]



#16
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello Julie

I expected to see you sooner. Looks like a Qoologic infection this time.

Install Ewido Security Suite.
  • Install Ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update Ewido:
Ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Launch Ewido, there should be an icon on your desktop, double-click it.
  • The programme will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
Now that the updates have been installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with Ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If Ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop and include it in your reply.
Now close Ewido security suite.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgssss.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete this file (if present) using Windows Explorer:

C:\WINDOWS\system32\kgssss.exe

Close Windows Explorer and Reboot normally

Now we must hide the files we revealed earlier by reversing the process; this is an important safeguard to stop important system files being deleted by accident.

Please download and run Silent Runners

* Please right-click this link and choose "save (link) as" to download: Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Post back a fresh HijackThis log and I will take another look.


#17
juliembrunelle
    Member
  • Topic Starter
  • Member
  • 15 posts
OK, here is the ewido report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:49:26 AM, 8/19/2005
+ Report-Checksum: C0AB547C

+ Scan result:

C:\Documents and Settings\Julie M Cullum\Cookies\julie m cullum@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Julie M Cullum\Cookies\julie m cullum@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\SYSTEM32\nѕlookup.exe -> Spyware.PurityScan : Cleaned with backup
C:\_RESTORE\TEMP\A0077311.CPY -> Spyware.BargainBuddy : Cleaned with backup
C:\_RESTORE\TEMP\A0077312.CPY -> Adware.BrilliantDigital : Cleaned with backup
C:\_RESTORE\TEMP\A0077427.CPY -> Adware.SaveNow : Cleaned with backup
C:\_RESTORE\TEMP\A0077428.CPY -> Adware.SaveNow : Cleaned with backup
C:\_RESTORE\TEMP\A0099039.CPY -> Adware.SaveNow : Cleaned with backup
C:\_RESTORE\TEMP\A0099040.CPY -> Adware.SaveNow : Cleaned with backup
C:\_RESTORE\TEMP\UNINST~1.0 -> Spyware.NewDotNet : Cleaned with backup


::Report End



Here is the silent runners log:
"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"qxnilb.exe" = "C:\WINDOWS\system\qxnilb.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."]
"HPAIO_PrintFolderMgr" = "C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe" [null data]
"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"MSN Video Enhanced" = ""C:\Program Files\MSN Video Enhanced\MSNVE.exe"" ["Microsoft"]
"winsync" = "C:\WINDOWS\system32\kgssss.exe reg_run" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ahead\Nero\neroshx.dll" ["ahead software gmbh im stoeckmaedle 6 76307 karlsbad, germany Fax: ++49-7248-911-888 e-mail: info@ahead.de"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\DOWNLOADED PROGRAM FILES\YMMAPI.DLL" ["Yahoo! Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office\1033\UNBIND.DLL" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~2\DirectCD\Shellex.dll" ["Roxio"]
"{9864B135-1BDC-4E01-B6C6-FFCCCD7526DC}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\NETAudioFile2.dll" [file not found]
"{25A10A31-C8FA-48F0-9FC8-B4E56CAF2FC3}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dcuiext.dll" [file not found]
"{09F7051C-CB93-4981-8712-C7DC0E668F4C}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\mjdart.dll" [file not found]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{D98A13B5-C4D6-49CD-A297-5A9F92023F34}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\rTsmans.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
gnmmmxnf\(Default) = "{0ca2a44d-6f62-4b43-8aa2-39440eb1581e}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dneee.dll" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\DOWNLOADED PROGRAM FILES\YMMAPI.DLL" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\My Documents\My Pictures\ryjullimo.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssstars.scr" [MS]


Startup items in "Julie M Cullum" & "All Users" startup folders:
----------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Exif Launcher" -> shortcut to: "C:\Program Files\FinePixViewer\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]
"HPAiODevice" -> shortcut to: "C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe -DeviceID 1079396355" ["Hewlett-Packard Co."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"SysTray" -> shortcut to: "C:\WINDOWS\Installer\{8F156C85-23F2-4F13-89A6-B0B286D1B4CD}\NewShortcut1_5221CCAB553E4E63B6FD56674A376D04_1.exe /startup" ["InstallShield Software Corp."]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Julie M Cullum" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.EXE /task:"C:\WINDOWS\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\WINDOWS\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [file not found]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{79406F24-8E95-4AF8-9FEF-2EA2B504E707}\ = "BottomFrame Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\ttext.dll" [file not found]

HKLM\Software\Classes\CLSID\{8F7D96AA-489A-4194-AB34-21EF42507932}\ = "LeftFrame Class"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\ttext.dll" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
SAVScan, SAVScan, "C:\Program Files\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
WMP54GSVC, WMP54GSVC, ""C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe" "WMP54G.exe"" ["GEMTEKS"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 27 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 17 seconds.
---------- (total run time: 80 seconds)



And here is a fresh HJT log. FYI, when I was in safe mode and tried to delete kgssss.exe through Explorer, I was not able to. The system said it was in use. I see it again in the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 2:29:42 PM, on 8/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SNET Internet
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSN Video Enhanced] "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgssss.exe reg_run
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SysTray.lnk = C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.char...oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://dar.armstrong...timage30717.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://biomerieux.w...bex/ieatgpc.cab
O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - http://www.fando.com/jobs/jdocprtm.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe" "WMP54G.exe (file missing)

Thanks again Phil!
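Phil's next reply works from the two logs together: the HijackThis O4 entry whose launch target Silent Runners reports with [null data] (no vendor or version information in the file), and a context-menu handler DLL carrying the same marker that a Run-key-only view never shows. The script below is an added example, not code from this thread, from HijackThis or from Silent Runners, that automates that cross-reference. The two log excerpts inside it are constructed samples modelled on the lines posted above, and the rule it applies (flag launch points marked [null data] or [file not found]) is this example's own triage heuristic.

```python
import re

# Constructed sample, modelled on the HijackThis O4 lines posted in this thread
HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgssss.exe reg_run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# Constructed sample, modelled on the Silent Runners sections posted in this thread
SR_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."]
"winsync" = "C:\WINDOWS\system32\kgssss.exe reg_run" [null data]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
gnmmmxnf\(Default) = "{0ca2a44d-6f62-4b43-8aa2-39440eb1581e}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dneee.dll" [null data]
"""

# A Silent Runners value line: ... = "<value>" [<marker>]
VALUE_RE = re.compile(r'=\s*"(?P<value>.*)"\s*\[(?P<marker>[^\]]*)\]\s*$')
# A value line that starts with its own quoted entry name: "winsync" = ...
NAME_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=')
# First drive-letter path ending in an executable extension inside a command line
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|scr|cpl)', re.IGNORECASE)
# HijackThis O4 line: O4 - <hive>: [<name>] <command>
HJT_O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')


def launch_target(command):
    """Return the file a command line launches, lower-cased so the two logs compare
    equal.  Entries without a drive-letter path (e.g. SysTray.Exe) fall back to the
    first token of the command."""
    m = PATH_RE.search(command)
    if m:
        return m.group(0).lower()
    tokens = command.strip().strip('"').split()
    return tokens[0].lower() if tokens else ''


def parse_silent_runners(text):
    """Map each launch target Silent Runners reports to (entry name, marker).
    The marker is the bracketed note after the value: MS, a company name,
    'null data' (no version info in the file) or 'file not found'."""
    targets = {}
    last_name = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m_name = NAME_RE.match(line)
        if m_name:
            last_name = m_name.group('name')
        elif not line.startswith('->'):
            # e.g. 'gnmmmxnf\(Default) = "{clsid}"': the handler name precedes the backslash,
            # and its real DLL path follows on the next '->' line
            last_name = line.split('\\', 1)[0]
        m_val = VALUE_RE.search(line)
        if not m_val:
            continue
        marker = m_val.group('marker').strip().strip('"')
        targets[launch_target(m_val.group('value'))] = (last_name, marker)
    return targets


def triage_o4(hjt_text, sr_targets):
    """Cross-reference every HijackThis O4 entry with the Silent Runners marker for
    the same launch target.  Targets with no vendor information, a missing file, or
    no Silent Runners entry at all are flagged for a closer look."""
    findings = []
    for line in hjt_text.splitlines():
        m = HJT_O4_RE.match(line.strip())
        if not m:
            continue
        target = launch_target(m.group('cmd'))
        _, marker = sr_targets.get(target, (None, 'not listed by Silent Runners'))
        suspect = marker in ('null data', 'file not found', 'not listed by Silent Runners')
        findings.append({'name': m.group('name'), 'target': target,
                         'marker': marker, 'suspect': suspect})
    return findings


def unverified_targets(sr_targets):
    """Every Silent Runners launch point (Run keys, shell extensions, ...) whose file
    carries no vendor information, sorted by path: the 'hiding away' entries that a
    Run-key-only view such as HijackThis O4 would not show."""
    return sorted((path, name) for path, (name, marker) in sr_targets.items()
                  if marker == 'null data')


if __name__ == '__main__':
    sr = parse_silent_runners(SR_LOG)
    for f in triage_o4(HJT_LOG, sr):
        print(('CHECK' if f['suspect'] else 'ok   ') + f" O4 [{f['name']}] -> {f['target']} ({f['marker']})")
    for path, name in unverified_targets(sr):
        print(f"no vendor info: {path} (launched via '{name}')")
```

On the constructed sample the only O4 entry flagged is winsync (kgssss.exe, [null data]), and the unverified-target list adds dneee.dll behind the gnmmmxnf context-menu handler, which is exactly the pair the next reply targets. Vendor markers are a triage aid, not proof: a missing company name is common in small legitimate tools, so a flagged entry still needs a look at the file itself before anything is removed.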

#18
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello again Julie

Yes, I see the Qoologic infection again in your log and in Silent Runners, together with another hiding away. Let’s see if we can zap them both together.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgssss.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.

* Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
* In the Killbox programme, select the Delete on Reboot option.
* Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\kgssss.exe
C:\WINDOWS\system32\dneee.dll


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.
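The file could not be deleted from Explorer because it was in use, which is why the reply above switches to Killbox's Delete on Reboot. Windows provides this through the MoveFileEx API with the MOVEFILE_DELAY_UNTIL_REBOOT flag, which records the request under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations as a REG_MULTI_SZ of source/destination pairs, where an empty destination means delete and a destination starting with "!" means replace an existing file. The thread does not say how Killbox is implemented, so treating it as this mechanism is an assumption. The Python below is an added example, not Killbox code or anything from the thread, that encodes and decodes such a value so a defender can audit what is queued to happen at the next reboot before rebooting; the queued entries are a constructed sample (the two paths named above plus a made-up rename pair), not captured from a real machine.

```python
NT_PREFIX = "\\??\\"   # NT object-manager form in which the value stores Win32 paths

# Constructed sample of a delete-on-reboot queue: the two files named in the reply above,
# each followed by an empty destination (= delete), plus one replace-on-reboot rename so
# both record shapes are covered.  Not captured from a real machine.
PENDING = [
    NT_PREFIX + r"C:\WINDOWS\system32\kgssss.exe", "",
    NT_PREFIX + r"C:\WINDOWS\system32\dneee.dll", "",
    NT_PREFIX + r"C:\WINDOWS\TEMP\update.tmp", "!" + NT_PREFIX + r"C:\WINDOWS\system32\driver.dll",
]


def encode_multi_sz(strings):
    """Serialise a list of strings the way REG_MULTI_SZ stores it: UTF-16LE, each string
    NUL-terminated, and one more NUL closing the list.  Empty strings are allowed because
    PendingFileRenameOperations relies on them."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def decode_multi_sz(raw):
    """Inverse of encode_multi_sz.  Keeps empty strings inside the list, since an empty
    destination is what marks a pending deletion."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ data must end with a double NUL")
    body = text[:-2]
    return body.split("\0") if body else []


def strip_nt_prefix(path):
    """Turn \\??\\C:\\dir\\file back into the familiar C:\\dir\\file."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pending_operations(strings):
    """Interpret a decoded PendingFileRenameOperations list as (operation, source,
    destination) triples: entries come in source/destination pairs, an empty destination
    means delete, and a leading '!' on the destination means replace an existing file."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        src = strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, strip_nt_prefix(dst[1:])))
        else:
            ops.append(("move", src, strip_nt_prefix(dst)))
    return ops


def queued_deletions(raw):
    """Paths that will be removed at the next reboot, straight from the raw value data."""
    return [src for op, src, _ in pending_operations(decode_multi_sz(raw)) if op == "delete"]


if __name__ == "__main__":
    raw = encode_multi_sz(PENDING)
    for op, src, dst in pending_operations(decode_multi_sz(raw)):
        print(f"{op:8} {src}" + (f" -> {dst}" if dst else ""))
```

Reading the live value on a Windows machine means fetching that registry data (for example with `reg query` or `winreg`) and passing the raw bytes to `queued_deletions`; the same queue is also worth checking after cleanup, because anything else already sitting in it will run at the same reboot.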

#19
juliembrunelle
    Member
  • Topic Starter
  • Member
  • 15 posts
OK, here is the infected list from MWav:

File C:\Documents and Settings\Julie M Cullum\Desktop\PC protection\nailfix\Process.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.
Object "mybar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "SurfSideKick Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Xolox Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Xolox Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BigTrafficNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BigTrafficNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BigTrafficNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BigTrafficNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BigTrafficNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BigTrafficNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BigTrafficNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "DelFin Media Viewer Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "DownloadWare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "istbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "my way speedbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "SurfSideKick Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "SearchSeekFind Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CasinoClient Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Win32.Passma Virus" found in File System! Action Taken: No Action Taken.
Object "ABetterInternet.Aurora Adware" found in File System! Action Taken: No Action Taken.
Object "altnet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.smartsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.smartsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ImIServer IEPlugin Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "RedV Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "aurora Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall4_34.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\U infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Julie M Cullum\Desktop\PC protection\nailfix\Process.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\00474287 tagged as "not-a-virus:AdWare.ToolBar.EliteBar.am". Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0C61727C tagged as "not-a-virus:AdWare.ToolBar.EliteBar.am". Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\138320A3 infected by "Trojan-Downloader.Win32.Qoologic.aa" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\16C3730E tagged as "not-a-virus:AdWare.BetterInternet.l". Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1A2D0D61 tagged as "not-a-virus:AdWare.PurityScan.w". Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1F7E7187 tagged as "not-a-virus:AdWare.ToolBar.ImiBar.g". Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2FDC7CF2 tagged as "not-a-virus:AdWare.ToolBar.EliteBar.ap". Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\324C5043 tagged as "not-a-virus:AdWare.ToolBar.EliteBar.am". Action Taken: No Action Taken.
File C:\WINDOWS\FONTS\VNCHooks.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.1540. No Action Taken.
File C:\WINDOWS\NDNuninstall4_34.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\U infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\winnt\system32\drivers\etc\mirc.ini infected by "Backdoor.IRC.Zapchast" Virus! Action Taken: No Action Taken.
File C:\winnt\system32\drivers\etc\psexec.exe tagged as not-a-virus:RiskTool.Win32.PsExec.131. No Action Taken.
File C:\winnt\system32\psexec.exe tagged as not-a-virus:RiskTool.Win32.PsExec.131. No Action Taken.
File C:\winnt\system32\rmtcfg\files\bk.txt infected by "Trojan-Downloader.BAT.Ftp.ay" Virus! Action Taken: No Action Taken.
File C:\winnt\system32\ServUDaemon.ini infected by "Backdoor.Win32.ServU-based" Virus! Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0077431.CPY tagged as "not-a-virus:AdWare.Cydoor". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0084963.CPY tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\UNINST~2.0 tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\Documents and Settings\Julie M Cullum\Desktop\PC protection\nailfix\Process.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\00474287 tagged as "not-a-virus:AdWare.ToolBar.EliteBar.am". Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0C61727C tagged as "not-a-virus:AdWare.ToolBar.EliteBar.am". Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\138320A3 infected by "Trojan-Downloader.Win32.Qoologic.aa" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\16C3730E tagged as "not-a-virus:AdWare.BetterInternet.l". Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1A2D0D61 tagged as "not-a-virus:AdWare.PurityScan.w". Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1F7E7187 tagged as "not-a-virus:AdWare.ToolBar.ImiBar.g". Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2FDC7CF2 tagged as "not-a-virus:AdWare.ToolBar.EliteBar.ap". Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\324C5043 tagged as "not-a-virus:AdWare.ToolBar.EliteBar.am". Action Taken: No Action Taken.
File C:\WINDOWS\FONTS\VNCHooks.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.1540. No Action Taken.
File C:\WINDOWS\NDNuninstall4_34.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\U infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\winnt\system32\drivers\etc\mirc.ini infected by "Backdoor.IRC.Zapchast" Virus! Action Taken: No Action Taken.
File C:\winnt\system32\drivers\etc\psexec.exe tagged as not-a-virus:RiskTool.Win32.PsExec.131. No Action Taken.
File C:\winnt\system32\psexec.exe tagged as not-a-virus:RiskTool.Win32.PsExec.131. No Action Taken.
File C:\winnt\system32\rmtcfg\files\bk.txt infected by "Trojan-Downloader.BAT.Ftp.ay" Virus! Action Taken: No Action Taken.
File C:\winnt\system32\ServUDaemon.ini infected by "Backdoor.Win32.ServU-based" Virus! Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0077431.CPY tagged as "not-a-virus:AdWare.Cydoor". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0084963.CPY tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\UNINST~2.0 tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.


Thank you so very much!

Julie
  • 0

#20
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Julie

Three bad guys appear in the log, let's zap them and then look again.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\winnt\system32\drivers\etc\mirc.ini
C:\winnt\system32\rmtcfg\files\bk.txt
C:\winnt\system32\ServUDaemon.ini


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Post a fresh HJT log please and give me an indication of how the PC is running.
  • 0
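Picking the live hits out of a scanner report like the one Julie posted is the step Phil does by eye above. As an added example (not the helper's code and not part of Ewido), here is a small Python triage that parses that report format, drops repeated entries, and separates files sitting in the Norton quarantine folder or in System Restore copies (already contained) from live infections and from "not-a-virus" riskware tags. The sample lines and the two contained-location prefixes are taken from the log above; the bucketing rule itself is this example's own.

```python
import re

# A handful of lines in the Ewido report format quoted above (copied from the
# thread, including one duplicate, so the de-duplication is exercised).
SAMPLE_REPORT = r"""
Object "aurora Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall4_34.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\U infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\138320A3 infected by "Trojan-Downloader.Win32.Qoologic.aa" Virus! Action Taken: No Action Taken.
File C:\winnt\system32\drivers\etc\mirc.ini infected by "Backdoor.IRC.Zapchast" Virus! Action Taken: No Action Taken.
File C:\winnt\system32\psexec.exe tagged as not-a-virus:RiskTool.Win32.PsExec.131. No Action Taken.
File C:\winnt\system32\rmtcfg\files\bk.txt infected by "Trojan-Downloader.BAT.Ftp.ay" Virus! Action Taken: No Action Taken.
File C:\winnt\system32\ServUDaemon.ini infected by "Backdoor.Win32.ServU-based" Virus! Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0077431.CPY tagged as "not-a-virus:AdWare.Cydoor". Action Taken: No Action Taken.
File C:\winnt\system32\ServUDaemon.ini infected by "Backdoor.Win32.ServU-based" Virus! Action Taken: No Action Taken.
"""

# Two line shapes: 'File <path> infected by "<name>" Virus! ...' and
# 'File <path> tagged as "<name>". ...' (the quotes are optional in the riskware form).
FILE_RE = re.compile(
    r'^File (?P<path>.+?) (?P<verb>infected by|tagged as) '
    r'"?(?P<name>[^"]+?)"?(?: Virus!)?\.? (?:Action Taken: )?No Action Taken\.$'
)
OBJECT_RE = re.compile(
    r'^Object "(?P<name>[^"]+)" found in (?P<where>.+?)! Action Taken: No Action Taken\.$'
)

# Locations whose hits are already contained (the AV quarantine store and
# System Restore copies): they should be purged, but nothing there is running.
CONTAINED_PREFIXES = (
    "c:\\program files\\norton antivirus\\quarantine\\",
    "c:\\_restore\\",
)


def parse_line(line):
    """Return a dict describing one report line, or None for lines not handled."""
    m = FILE_RE.match(line)
    if m:
        return {"kind": "file", "path": m["path"], "name": m["name"],
                "infected": m["verb"] == "infected by"}
    m = OBJECT_RE.match(line)
    if m:
        return {"kind": "object", "name": m["name"], "where": m["where"]}
    return None


def triage(report):
    """Split a report into live infections, live riskware, contained hits and
    generic object detections; each path and each object is listed once."""
    result = {"live_infected": [], "live_riskware": [], "contained": [], "objects": []}
    seen_paths, seen_objects = set(), set()
    for raw in report.splitlines():
        hit = parse_line(raw.strip())
        if hit is None:
            continue
        if hit["kind"] == "object":
            if hit["name"] not in seen_objects:
                seen_objects.add(hit["name"])
                result["objects"].append(hit["name"])
            continue
        key = hit["path"].lower()
        if key in seen_paths:
            continue
        seen_paths.add(key)
        entry = (hit["path"], hit["name"])
        if key.startswith(CONTAINED_PREFIXES):
            result["contained"].append(entry)
        elif hit["infected"]:
            result["live_infected"].append(entry)
        else:
            result["live_riskware"].append(entry)
    return result


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        print(f"== {bucket} ({len(entries)})")
        for e in entries:
            print("  ", e)
```

Run it and the "live_infected" bucket is the list to act on first; "contained" entries are safe to clear through the quarantine manager or by purging the restore points, and "live_riskware" (admin tools such as PsExec and VNC hooks) needs a human decision rather than a blanket delete.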

#21
juliembrunelle

juliembrunelle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi Phil,

Alright, still some popups showing up. Here is a fresh HJT log. That kgsss.exe just will not go away, I see it every time in the log, but cannot locate it through Explorer.

Logfile of HijackThis v1.99.1
Scan saved at 8:20:21 AM, on 8/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SNET Internet
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSN Video Enhanced] "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgssss.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SysTray.lnk = C:\Program Files\Kinko's\FPFK\Kinkos.Jupiter.GUI.SysTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.char...oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://dar.armstrong...timage30717.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://biomerieux.w...bex/ieatgpc.cab
O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - http://www.fando.com/jobs/jdocprtm.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup144.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe" "WMP54G.exe (file missing)


Thanks again!
Julie
  • 0
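The O4 lines in an HJT log are where autostart persistence shows up, and the kgssss.exe entry under HKLM\..\Run is the one that keeps coming back in this thread. As an added example (not HijackThis code and not from the helper), the Python below parses O4 lines, pulls the program path out of quoted and unquoted Run commands and out of Startup-folder .lnk entries, and flags any entry whose executable is not on a reviewer's allow-list or is a bare file name that Windows resolves through PATH at logon. The allow-list and the sample log excerpt are constructed for the example; a real allow-list should come from a known-clean baseline, not from the suspect machine's own log.

```python
import re
import ntpath

# O4 lines copied from the HijackThis log above, plus one O8 line to show that
# other sections are ignored. Two shapes occur: registry Run values
# ("[name] command") and Startup-folder shortcuts ("file.lnk = target").
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kgssss.exe reg_run
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
"""

# Reviewer allow-list of executable base names. This is an assumption for the
# example, not a vetted list.
KNOWN_GOOD = {"systray.exe", "createcd50.exe", "ccapp.exe", "regshave.exe",
              "avgcc.exe", "quickdcf.exe"}

O4_RE = re.compile(
    r'^O4 - (?P<location>[^:]+): '
    r'(?:\[(?P<name>[^\]]+)\]|(?P<lnk>[^=]+?\.lnk) =) '
    r'(?P<command>.+)$'
)
EXE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def executable_of(command):
    """Extract the program path from a Run command: honour a quoted path,
    otherwise join tokens up to the first one ending in an executable extension
    (handles unquoted paths with spaces such as C:\Program Files\...)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = []
    for tok in command.split():
        parts.append(tok)
        if tok.lower().endswith(EXE_EXT):
            break
    return " ".join(parts)


def parse_o4(line):
    """Parse one O4 line into location, value name, raw command and program path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return {"location": m["location"], "name": m["name"] or m["lnk"],
            "command": m["command"], "exe": executable_of(m["command"])}


def review(log, known_good):
    """Return (name, exe, reasons) for every O4 entry a reviewer should look at."""
    flagged = []
    for line in log.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        base = ntpath.basename(entry["exe"]).lower()
        reasons = []
        if base not in known_good:
            reasons.append("not in allow-list")
        if not ntpath.dirname(entry["exe"]):
            # A bare name is looked up through PATH at logon, so a same-named
            # file earlier in the search order would be the one that runs.
            reasons.append("bare file name, resolved through PATH at logon")
        if reasons:
            flagged.append((entry["name"], entry["exe"], reasons))
    return flagged


if __name__ == "__main__":
    for name, exe, reasons in review(SAMPLE_HJT, KNOWN_GOOD):
        print(f"[{name}] {exe}: {'; '.join(reasons)}")
```

On the excerpt above this flags the winsync entry (kgssss.exe is not on the allow-list) and the SystemTray entry only for being a bare name, which is normal for that value and is left in to show why the two reasons are reported separately.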

#22
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Julie

It's a stubborn beggar isn't it?

Let's hit it with this and find out where it is being supported.

Download Find Q.zip to your desktop

Find Q.zip

Extract the files inside to C:\ (that will create a folder called Find Q), open it and run the batch file find q.bat

It must be extracted to C:\ or it might not function correctly

This will generate a log file; please post the entire contents of the log file here for me to see.
  • 0

#23
juliembrunelle

juliembrunelle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Phil-
I got the following message after running the .bat file:

The system file is not suitable for running MS-DOS and Microsoft Windows Applications. Choose 'Close' to terminate the application.

After clicking Close 32 times, I got the log file, and this is it:

»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL is a windows file...

»»»»»2K XP 9X and ME Misc check's...


»»»»» 9X and ME check's...

Again, I apologize for not getting this to you sooner.

Julie
  • 0

#24
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
I think that log is spurious. Try this:

To fix the missing XP files, download this programme to your desktop

XP Home:

Missing Files XP Home

XP Professional:

Missing Files XP Pro.

Double-click the programme on your desktop to install the missing files.

Reboot and try FindQ again.
  • 0

#25
juliembrunelle

juliembrunelle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi Phil. The new log is as follows:

»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL is a windows file...


»»»»»2K XP 9X and ME Misc check's...


»»»»» 9X and ME check's...


Looks the same as the last, but no errors this time after downloading the missing files.
Thanks!

Julie
  • 0

#26
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Julie

I think one of the problems we have here is the time between fixes and scans, so I am thinking along the lines of one final in-depth scan, followed by a fix and a follow-up HJT scan to see if all is clear.

I would like that to happen within a 24 hour period for it to be successful and valid. So here is the first part, the scan. Only run this when you know that you will be around to complete the whole operation within 24 hours of starting it. I will make myself available.

Download:WinPFind

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

From the WinPFind folder-> Double-click WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder.

Restart normally and post the contents of WinPFind.txt
  • 0

#27
juliembrunelle

juliembrunelle

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Yes, today really is the first day that I can guarantee that I will be around tomorrow to perform the second task. I do apologize again for the length of time it took me to respond, but I feel awful for wasting so much of your time already. Here is the log file:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX! 1/27/2004 9:47:12 PM 26084439 C:\Program Files\NAV10ESD.exe

Checking %WinDir% folder...
web-nex 8/3/2005 7:15:44 PM 3971 C:\WINDOWS\aommm.dll

Checking %System% folder...
UPX! 2/6/2003 1:49:32 PM 726016 C:\WINDOWS\SYSTEM32\beegd10.ocx
UPX! 7/14/2003 3:25:22 PM 335360 C:\WINDOWS\SYSTEM32\GnucDNA.dll
Umonitor 6/19/2003 3:05:04 PM 529168 C:\WINDOWS\SYSTEM32\RASDLG.DLL
winsync 12/7/1999 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 8/27/2005 8:09:18 AM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 8/27/2005 8:09:18 AM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 8/27/2005 8:09:18 AM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 8/27/2005 8:09:18 AM 726016 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/23/2005 10:25:08 PM H 54156 C:\WINDOWS\QTFont.qfn
9/14/2005 7:41:38 PM H 922788 C:\WINDOWS\ShellIconCache
7/26/2005 1:51:50 PM S 47 C:\WINDOWS\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_3814bd14-b2b8-4c98-9a71-b44f2835c68b
9/5/2005 7:00:14 PM H 16384 C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat
9/5/2005 7:00:14 PM H 1024 C:\WINDOWS\Application Data\Microsoft\Windows\UsrClass.dat.LOG
9/14/2005 7:41:54 PM S 64 C:\WINDOWS\CSC\00000001
8/18/2005 5:38:56 PM S 64 C:\WINDOWS\CSC\00000002
8/5/2005 7:19:38 AM S 64 C:\WINDOWS\CSC\csc1.tmp
9/14/2005 4:48:12 PM H 1024 C:\WINDOWS\SYSTEM32\config\default.LOG
9/14/2005 7:45:16 PM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
9/14/2005 7:43:14 PM H 1024 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
9/14/2005 7:47:50 PM H 1024 C:\WINDOWS\SYSTEM32\config\software.LOG
7/26/2005 1:51:50 PM HS 336 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\b26c5401-9ee0-44a0-9fe8-6fd4c4e5719a
7/26/2005 1:51:50 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
9/14/2005 4:55:14 PM HS 192 C:\WINDOWS\TASKS\RUTASK.job
9/14/2005 7:41:54 PM H 6 C:\WINDOWS\TASKS\SA.DAT

Checking for CPL files...
Microsoft Corporation 12/7/1999 8:00:00 AM 67344 C:\WINDOWS\SYSTEM32\access.cpl
Acer Laboratories Inc. 12/6/2000 8:00:56 PM 61440 C:\WINDOWS\SYSTEM32\alipanel.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 301328 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 237328 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 12/7/1999 8:00:00 AM 31504 C:\WINDOWS\SYSTEM32\fax.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 128272 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 8:14:40 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 118032 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 36112 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 10/30/2001 9:10:00 AM 326144 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 122128 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/25/1997 8:00:00 PM 53520 C:\WINDOWS\SYSTEM32\mlcfg32.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 303888 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 17168 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 41232 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 41232 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 90896 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 5/6/2002 3:38:28 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 83216 C:\WINDOWS\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 125712 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 12/7/1999 8:00:00 AM 5904 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 61200 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 54272 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 8:14:40 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation 9/23/1999 7:44:36 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 41232 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/2/2004 9:22:04 AM 599 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
3/15/2004 8:27:22 PM 761 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice.lnk
3/28/2003 9:41:02 PM 1572 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
9/14/2005 4:55:28 PM 2318 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SysTray.lnk
3/7/2003 2:04:18 PM 1397 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/23/2005 10:25:56 PM 1755 C:\WINDOWS\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
7/22/2005 5:51:18 PM 70 C:\Documents and Settings\Julie M Cullum\Application Data\Sskcwrd.dll
7/22/2005 5:06:26 PM 406386 C:\Documents and Settings\Julie M Cullum\Application Data\Sskknwrd.dll
7/22/2005 5:52:44 PM 33 C:\Documents and Settings\Julie M Cullum\Application Data\Sskuknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
iebar =
acc=marketingsector =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = C:\WINDOWS\system32\SHELL32.DLL
{53C74826-AB99-4d33-ACA4-3117F51D3788} = C:\WINDOWS\system32\SHELL32.DLL
{9864B135-1BDC-4E01-B6C6-FFCCCD7526DC} = C:\WINDOWS\system32\NETAudioFile2.dll
{25A10A31-C8FA-48F0-9FC8-B4E56CAF2FC3} = C:\WINDOWS\system32\dcuiext.dll
{09F7051C-CB93-4981-8712-C7DC0E668F4C} = C:\WINDOWS\system32\mjdart.dll
{D98A13B5-C4D6-49CD-A297-5A9F92023F34} = C:\WINDOWS\system32\rTsmans.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gnmmmxnf
{0ca2a44d-6f62-4b43-8aa2-39440eb1581e} = C:\WINDOWS\system32\dneee.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YMMAPI.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINDOWS\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}
= C:\WINDOWS\system32\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWS\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINDOWS\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{014DA6C9-189F-421A-88CD-07CFE51CFF10} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SystemTray SysTray.Exe
Synchronization Manager mobsync.exe /logon
CreateCD50 "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
AdaptecDirectCD "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SMSERIAL sm56hlpr.exe
HPAIO_PrintFolderMgr C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
REGSHAVE C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
MSN Video Enhanced "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
NoRealMode 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
qxnilb.exe C:\WINDOWS\system\qxnilb.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINDOWS\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/14/2005 7:56:40 PM


Thank you again, you are fantastic!

Julie
  • 0
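The WinPFind dump above is long, and the one line that matters is easy to miss: an executable registered under HKCU\...\policies\Explorer\Run, living in C:\WINDOWS\system rather than system32, with a value name identical to its file name. Below is an added triage script for this kind of autorun dump; it is not part of WinPFind, HijackThis or this thread. SAMPLE_LOG is a constructed excerpt copied from the log above, and the checks, their scoring and their wording are mine. The Winlogon defaults (userinit.exe, explorer.exe) and the XP placeholder key under Image File Execution Options are as Windows XP ships them; a hit is an indicator worth a second look, not proof of infection.

```python
"""Triage the autorun sections of a WinPFind-style registry dump.

Added example, not part of WinPFind or of the thread.  SAMPLE_LOG is a
constructed excerpt copied from the log above; the checks and their wording
are mine.  A hit is an indicator to review, not proof of infection.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SystemTray SysTray.Exe
Synchronization Manager mobsync.exe /logon
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
qxnilb.exe C:\WINDOWS\system\qxnilb.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
"""

KEY_LINE = re.compile(r"^\[?(HKEY_[^\]]+?)\]?$")
RUN_KEY = re.compile(r"\\(Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce|load|run)$")
# "<value name> <command line>": the command line begins at the first quoted
# string, drive-letter path or bare .exe/.dll token; the value name may contain spaces.
RUN_ENTRY = re.compile(
    r'^(?P<name>.+?)\s+(?P<cmd>"[^"]*".*|[A-Za-z]:\\.*|\S+\.(?:exe|dll)\b.*)$', re.I)
IFEO_DEFAULT = "Your Image File Name Here without a path"   # placeholder key XP ships with
WINLOGON_DEFAULTS = {"userinit": "userinit.exe", "shell": "explorer.exe"}


def image_path(cmd):
    """Executable named by a command line, with surrounding quotes removed."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text):
    """Return (key, entry line, reasons) for every entry that trips a check."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:                      # new key header; entries follow until the next header
            key = m.group(1)
            continue
        reasons = []
        if RUN_KEY.search(key):
            m = RUN_ENTRY.match(line)
            if not m:
                continue
            name, path = m.group("name"), image_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1]
            if "\\policies\\Explorer\\Run" in key:
                reasons.append("Explorer policy Run key: rarely used by legitimate installers")
            if re.search(r"\\WINDOWS\\system\\", path, re.I):
                reasons.append("binary lives in %SystemRoot%\\system, not system32")
            if name.lower() == base.lower():
                reasons.append("value name is just the file name")
        elif key.endswith("\\Winlogon"):
            name, _, val = line.partition("=")
            want = WINLOGON_DEFAULTS.get(name.strip().lower())
            progs = [p.strip() for p in val.split(",") if p.strip()]
            if want and (len(progs) != 1 or progs[0].rsplit("\\", 1)[-1].lower() != want):
                reasons.append(f"Winlogon {name.strip()} changed from default {want}")
        elif "\\Image File Execution Options\\" in key and line.startswith("Debugger"):
            if not key.endswith(IFEO_DEFAULT):
                reasons.append("IFEO Debugger set: program is hijacked at launch")
        elif key.endswith("\\CurrentVersion\\Windows") and line.startswith("AppInit_DLLs"):
            val = line[len("AppInit_DLLs"):].strip(" =")
            if val:
                reasons.append(f"AppInit_DLLs loads {val} into every GUI process")
        if reasons:
            findings.append((key, line, reasons))
    return findings


if __name__ == "__main__":
    for key, entry, reasons in triage(SAMPLE_LOG):
        print(f"{key}\n  {entry}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the excerpt it reports exactly one entry, qxnilb.exe, with all three Run-key reasons, and stays quiet on the Winlogon, IFEO and AppInit_DLLs sections because they hold their stock values. Treat the heuristics as a first pass: a value name that equals the file name is common for small utilities too, so confirm with the file's location, timestamps and a scan before deleting anything.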

#28
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello again Julie

I think I got all the bad guys and pasted them into KillBox.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\aommm.dll
C:\WINDOWS\SYSTEM32\beegd10.ocx
C:\WINDOWS\SYSTEM32\GnucDNA.dll
C:\WINDOWS\TASKS\RUTASK.job
C:\Documents and Settings\Julie M Cullum\Application Data\Sskcwrd.dll
C:\Documents and Settings\Julie M Cullum\Application Data\Sskknwrd.dll
C:\Documents and Settings\Julie M Cullum\Application Data\Sskuknwrd.dll
C:\WINDOWS\system32\dcuiext.dll
C:\WINDOWS\system32\rTsmans.dll
C:\WINDOWS\system32\mjdart.dll
C:\WINDOWS\system32\dneee.dll


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Please reply with a fresh HJT log and a few words on how the system is running.
  • 0
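The reason the files above are queued with "Delete on Reboot" rather than deleted directly is that the malware keeps them open while Windows is running. Below is an added example of the mechanism behind that option; it is not Killbox's code and not from this thread. It assumes (not verified here) that Killbox relies on the standard Windows facility for this, MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends the request to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations so that the Session Manager deletes the file early in boot, before any user-mode program can hold it open. The value format is standard Windows; SAMPLE_OPS is constructed from the first three files in the Killbox list plus one invented rename. Only schedule_delete_on_reboot touches Windows, and it needs administrator rights.

```python
"""Queue locked files for deletion at the next boot, and read back what is queued.

Added example; not Killbox's code and not from this thread.  Assumed: Killbox's
"Delete on Reboot" uses MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT),
which records the request in the REG_MULTI_SZ value
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
for the Session Manager to carry out early in boot.  Malware can use the same
value to re-plant itself, so decode and read it before you reboot.
"""
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
NT_PREFIX = "\\??\\"   # entries are stored as NT object paths, e.g. \??\C:\WINDOWS\aommm.dll


def encode_pending_ops(ops):
    """Build PendingFileRenameOperations data from (source, destination) pairs.

    An empty destination means delete.  Every string is NUL-terminated and the
    list ends with one more NUL, so a delete appears as three consecutive NULs,
    which ordinary REG_MULTI_SZ editors cannot express.  Returned as UTF-16-LE
    bytes, the registry's on-disk form.
    """
    flat = []
    for src, dst in ops:
        flat.append(NT_PREFIX + src)
        flat.append(NT_PREFIX + dst if dst else "")
    return ("".join(s + "\0" for s in flat) + "\0").encode("utf-16-le")


def decode_pending_ops(data):
    """Inverse of encode_pending_ops: (source, destination) pairs, NT prefix stripped."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("not a NUL-terminated REG_MULTI_SZ")
    parts = text.split("\0")[:-2]        # drop the last string terminator and the list terminator
    if len(parts) % 2:
        raise ValueError("odd number of strings; value is corrupt or truncated")
    strip = lambda s: s[len(NT_PREFIX):] if s.startswith(NT_PREFIX) else s
    return [(strip(parts[i]), strip(parts[i + 1])) for i in range(0, len(parts), 2)]


def schedule_delete_on_reboot(path):
    """Ask Windows to delete `path` at next boot.  Windows only; needs administrator rights."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is a Win32 API")
    import ctypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint]
    kernel32.MoveFileExW.restype = ctypes.c_int
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())
    return True


# Constructed sample: the first three files from the Killbox list above (deletes)
# plus one invented rename, the kind an installer queues for an in-use file.
SAMPLE_OPS = [
    (r"C:\WINDOWS\aommm.dll", ""),
    (r"C:\WINDOWS\SYSTEM32\beegd10.ocx", ""),
    (r"C:\WINDOWS\TASKS\RUTASK.job", ""),
    (r"C:\WINDOWS\system32\drivers\example.sys.new", r"C:\WINDOWS\system32\drivers\example.sys"),
]

if __name__ == "__main__":
    blob = encode_pending_ops(SAMPLE_OPS)
    for src, dst in decode_pending_ops(blob):
        print("delete " if not dst else f"rename -> {dst}  ", src)
```

Two practical notes. First, the queued operations run as SYSTEM before any logon, so the caveat about administrator rights applies only to writing the value; nothing can cancel the delete short of editing the value before the reboot. Second, because a dropper can queue its own renames in the same value, dump and decode it (for example with reg.exe export) after a cleanup tool has populated it and confirm that only the paths you expect are present.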

#29
juliembrunelle
    Member
  • Topic Starter
  • Member
  • 15 posts
OK Phil, it's done. Do you need to see a scan of any sort?

Thanks-

Julie
  • 0

#30
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello Julie

Just the HJT log as requested please.
  • 0