Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

infected computer [CLOSED]

Started by russell146 , Aug 24 2005 08:52 AM

  • This topic is locked This topic is locked

#1
russell146
Posted 24 August 2005 - 08:52 AM

russell146

    Member

  • Member
  • PipPip
  • 28 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:50:09 AM, on 8/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\System32\nod32cc.exe
C:\WINDOWS\System32\nod32m2.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\explorer6s4.exe
C:\WINDOWS\System32\icasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\winstall.exe
C:\WINDOWS\System32\vxh8jkdq6.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\clntrust.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ChriRuss\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearch.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.4:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;www.hpsvikings.org;10.162.1.1;10.162.1.2;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\s4gddk.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\System32\icasServ.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: CLNTRUST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.chart...oad/tgctlcm.cab
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia...ll/pcs_0006.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124219545770
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara....301470OneCC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124282877768
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.si...cherControl.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O21 - SSODL: OofwVxEfUTE - {D4B1D7FF-7E1B-7D55-23FD-2D2EB3EEEED1} - C:\WINDOWS\System32\bu.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NOD32 Control Center Service (NOD32ControlCenter) - Unknown owner - C:\WINDOWS\System32\nod32cc.exe" -service (file missing)
O23 - Service: NOD32 Service (NOD32Service) - Unknown owner - C:\WINDOWS\System32\nod32m2.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Novell ZFD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZFD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe
  • 0

Advertisements

#2
tampabelle
Posted 24 August 2005 - 12:34 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
You have a bunch of infections on your PC. It will take a few iterations to clean up the PC.


Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp

DelDomains.inf

2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearch.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\System32\icasServ.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia...ll/pcs_0006.exe
O21 - SSODL: OofwVxEfUTE - {D4B1D7FF-7E1B-7D55-23FD-2D2EB3EEEED1} - C:\WINDOWS\System32\bu.dll

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Run CleanUp and delete all temp files including temporary internet files

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\kernels32.exe (donot delete the file kernel32.exe)
C:\WINDOWS\System32\explorer6s4.exe
C:\WINDOWS\System32\icasServ.exe
C:\WINDOWS\System32\symcsvc.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\bu.dll
C:\winstall.exe


Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch. It will open the folder Prefetch. Delete all the files in that folder. Dont delete the folder, only the files in it !!!!!!!!

Right click on DelDomains.inf and then click on Install.

Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.

Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.
  • 0

#3
russell146
Posted 24 August 2005 - 01:24 PM

russell146

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
1.) I was unable to download the programs to run (cleanup, etc...) because I can no longer open the internet on my computer. When I tried to open the computer, the computer went to a screen that said this:

"A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this sopt error screen, restart your computer. If this screen appears again, follow these steps:

Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changeing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:

*** STOP: 0x000008E (0XC0000005, 0XF9490465, 0xF1DDEB50, 0X00000000)

*** vdmt16.sys - Address F9490465 base at F9490000, DataStamp 427a2a44

Beginning dump of physical memory."


2.) Also, I went to dump the files in the Prefetch, but it was already empty.

3.) I was able to run hijack this, check, and fix what you suggested to get rid of there.

New Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 3:22:20 PM, on 8/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\System32\nod32cc.exe
C:\WINDOWS\System32\nod32m2.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\system32\mdms.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\tool2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\tibs.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\System32\tibs.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\clntrust.exe
C:\WINDOWS\System32\locallpr.exe
C:\Documents and Settings\ChriRuss\Desktop\HijackThis.exe
C:\WINDOWS\System32\msvdtc.exe
C:\WINDOWS\System32\msievc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.4:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;www.hpsvikings.org;10.162.1.1;10.162.1.2;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,c:\windows\dx32cxlp.exe,
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2[bleep]ed.biz
O1 - Hosts: 127.0.0.3 sp2[bleep]ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 topsearch10.com
O1 - Hosts: 127.0.0.3 www.topsearch10.com
O1 - Hosts: 127.0.0.3 statscash.biz
O1 - Hosts: 127.0.0.3 www.statscash.biz
O1 - Hosts: 127.0.0.3 vxiframe.biz
O1 - Hosts: 127.0.0.3 www.vxiframe.biz
O1 - Hosts: 127.0.0.3 crazy-toolbar.com
O1 - Hosts: 127.0.0.3 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.3 topcash.biz
O1 - Hosts: 127.0.0.3 www.topcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 txiframe.biz
O1 - Hosts: 127.0.0.3 www.txiframe.biz
O1 - Hosts: 127.0.0.3 procounter.biz
O1 - Hosts: 127.0.0.3 www.procounter.biz
O1 - Hosts: 127.0.0.3 advadmin.biz
O1 - Hosts: 127.0.0.3 www.advadmin.biz
O1 - Hosts: 127.0.0.3 trafficbest.net
O1 - Hosts: 127.0.0.3 www.trafficbest.net
O1 - Hosts: 127.0.0.3 besthvac.com
O1 - Hosts: 127.0.0.3 www.besthvac.com
O1 - Hosts: 127.0.0.3 traff4.com
O1 - Hosts: 127.0.0.3 www.traff4.com
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\s4gddk.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [polo.exe] polo.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [win32xvs] C:\WINDOWS\tool4.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\tool3.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Tiny Firewall] C:\WINDOWS\System32\msvcrtid.exe
O4 - HKLM\..\RunServices: [dx32serv] dx32cxlp.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - Global Startup: CLNTRUST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.chart...oad/tgctlcm.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124219545770
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara....301470OneCC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124282877768
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.si...cherControl.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: OofwVxEfUTE - {D4B1D7FF-7E1B-7D55-23FD-2D2EB3EEEED1} - C:\WINDOWS\System32\bu.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NOD32 Control Center Service (NOD32ControlCenter) - Unknown owner - C:\WINDOWS\System32\nod32cc.exe" -service (file missing)
O23 - Service: NOD32 Service (NOD32Service) - Unknown owner - C:\WINDOWS\System32\nod32m2.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Novell ZFD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZFD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe
  • 0

#4
tampabelle
Posted 24 August 2005 - 01:41 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

You have a bunch of infections and it will take a few iterations to clean up everything.

Also we need to download a number of tools to tackle the infections. If you are not able to connect to the internet, how do we proceed ????
  • 0

#5
russell146
Posted 24 August 2005 - 02:15 PM

russell146

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I don't really know, since I don't know much about computers. I do have another computer I can use to help us out. I have no idea if this is possible - Can I download the install software onto my flash drive and then open it and install it on my infected computer?

Thanks
  • 0

#6
tampabelle
Posted 24 August 2005 - 04:00 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Thats great news !!!! So you need to download and transfer a few programs / files to the infected PC and run them. I will get a whole host of tools which we will be using subsequently. DONOT use the tools unless I tell you to !!!!!!!

In case you get stuck at any stage. Proceed to the next step and try and complete the entire fix. Let me know about any hiccups you had after you complete the fix.

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
HSFix.zip
Create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

DelDomains.inf
WinPFind
Killbox.exe
Track qoo
Hoster.zip
Extract the files and save them on your desktop.

smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.


2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,c:\windows\dx32cxlp.exe
O4 - HKLM\..\Run: [polo.exe] polo.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [win32xvs] C:\WINDOWS\tool4.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\tool3.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Tiny Firewall] C:\WINDOWS\System32\msvcrtid.exe
O4 - HKLM\..\RunServices: [dx32serv] dx32cxlp.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - Global Startup: CLNTRUST.EXE
O21 - SSODL: OofwVxEfUTE - {D4B1D7FF-7E1B-7D55-23FD-2D2EB3EEEED1} - C:\WINDOWS\System32\bu.dll

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat". A log will be produced which you can close out of.

Then run HijackThis again, close any open windows and browsers and fix these:

O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll


Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following files -

Files
c:\windows\dx32cxlp.exe
c:\windows\system32\mdms.exe
C:\WINDOWS\tool4.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\msvcrtid.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\explorer6s4.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\bu.dll

CLNTRUST.EXE
polo.exe

(Search for these files using the Windows Search function)


Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch. It will open the folder Prefetch. Delete all the files in that folder. Dont delete the folder, only the files in it !!!!!!!!

Run Hoster.exe and click on "Restore Original Hosts".

Right click on DelDomains.inf and then click on Install.

Reboot the PC in Normal Mode.


Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.

Edited by tampabelle, 24 August 2005 - 04:02 PM.

  • 0

#7
russell146
Posted 24 August 2005 - 07:17 PM

russell146

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Things went fairly well. I am able to get online again without the computer going to the screen that I mentioned before!!! That's great progress! My computer continues to run slow and have pop-ups. Here's how things went:

1.)I was able to download, extract, etc... all files you suggested and put them on my computer.

2.) When I ran the Hijack This program: I fixed everything except: I could not find "O20-winlogon"

3.) Deleting files - Deleted all except "mdms.exe" file. It said access denied when I tried to delete it.

4.)The Prefetch file continues to be empty so I am unable to delete anything from it.

5.) I followed all other steps exactly how you said to complete them.

Here are my updated logs:

Logfile of HijackThis v1.99.1
Scan saved at 8:44:00 PM, on 8/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\System32\nod32cc.exe
C:\WINDOWS\System32\nod32m2.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ChriRuss\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wmich.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.4:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;www.hpsvikings.org;10.162.1.1;10.162.1.2;<local>
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\s4gddk.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.chart...oad/tgctlcm.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124219545770
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara....301470OneCC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124282877768
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.si...cherControl.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NOD32 Control Center Service (NOD32ControlCenter) - Unknown owner - C:\WINDOWS\System32\nod32cc.exe" -service (file missing)
O23 - Service: NOD32 Service (NOD32Service) - Unknown owner - C:\WINDOWS\System32\nod32m2.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Novell ZFD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZFD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe






Incident Status Location

Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rpkc.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM32\S4GDDK.EXE
Virus:Trj/Zhenya.A Disinfected Operating system
Adware:adware/adsmart No disinfected C:\DOCUMENTS AND SETTINGS\CHRIRUSS\LOCAL SETTINGS\TEMP\pi.sys
Adware:adware/azesearch No disinfected C:\DOCUMENTS AND SETTINGS\CHRIRUSS\FAVORITES\SPORTS\Auto racing.url
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM32\AUNPS2.dll
Adware:adware/clkoptimizer No disinfected C:\WINDOWS\SYSTEM32\datadx.dll
Adware:adware/alwaysupdatednewsNo disinfected C:\WINDOWS\SYSTEM32\Free Cell Phone.ico
Dialer:dialer.bew No disinfected C:\WINDOWS\SYSTEM32\maxd1.exe
Dialer:dialer.bdf No disinfected C:\WINDOWS\SYSTEM32\newdial.exe
Adware:adware/addestroyer No disinfected C:\WINDOWS\SYSTEM32\SWLAD1.dll
Dialer:dialer.bb No disinfected C:\WINDOWS\SYSTEM32\tibs.exe
Adware:adware/sqwire No disinfected C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:adware/mirar No disinfected C:\WINDOWS\SYSTEM32\WinNB57.dll
Adware:adware/ipinsight No disinfected C:\WINDOWS\LASTGOOD\INF\farmmext.inf
Spyware:spyware/betterinet No disinfected C:\WINDOWS\LASTGOOD\INF\payload2.inf
Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\CHRIRUSS\APPLICATION DATA\Sskcwrd.dll
Adware:adware/popuper No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\FAVORITES\Cheap Viagra.url
Adware:adware/comet No disinfected C:\WINDOWS\INF\dm.inf
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\kl.exe
Adware:adware/spywad No disinfected C:\WINDOWS\ms2.exe
Adware:adware/isearch No disinfected C:\WINDOWS\tool2.exe
Adware:adware/spysheriff No disinfected C:\PROGRAM FILES\SpySheriff
Adware:adware/topconvert No disinfected C:\PROGRAM FILES\TopConverting
Adware:adware/virtualbouncer No disinfected C:\PROGRAM FILES\VBouncer
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/dealhelper No disinfected C:\WINDOWS\SYSTEM32\Newmsrdk
Adware:adware/delfinmedia No disinfected C:\WINDOWS\SYSTEM32\nsvsvc
Adware:adware/ilookup No disinfected C:\DOCUMENTS AND SETTINGS\CHRIRUSS\FAVORITES\Gambling
Adware:adware/savenow No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\nsv
Adware:adware/consumeralertsystemNo disinfected Windows Registry
Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT
Adware:adware/bigtrafficnet No disinfected Windows Registry
Dialer:dialer.bqw No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CONC
Adware:adware/mediatickets No disinfected Windows Registry
Adware:Adware/SearchTheWeb No disinfected C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rpkc.exe
Virus:Trj/Zhenya.A Disinfected C:\Documents and Settings\ChriRuss\Local Settings\Temp\F7.tmp
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\qikz\qikzd\qikzc.dll
  • 0

#8
tampabelle
Posted 25 August 2005 - 06:07 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!
  • 0

#9
russell146
Posted 25 August 2005 - 08:20 AM

russell146

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
New logs:

Trackqoo:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDPS"="C:\\WINDOWS\\System32\\dpmw32.exe"
"NWTRAY"="NWTRAY.EXE"
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"ZENRC Tray Icon"="C:\\WINDOWS\\System32\\zentray.exe"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"winsync"="C:\\WINDOWS\\System32\\s4gddk.exe reg_run"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- mtnkqgqs
{f98c1bbe-3f19-47c0-8b6d-007ce18f785c}
C:\WINDOWS\System32\eonkb.dll

Subkey --- NetWareMenuItems
{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4}
novnpnt.dll

Subkey --- NOD32 Context Menu Shell Extension
{B089FE88-FB52-11d3-BDF1-0050DA34150D}
C:\Program Files\Eset\nodshex.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- sysacpildap
{5E2121EE-0300-11D4-8D3B-444553540000}
C:\WINDOWS\System32\winacpi.dll

Subkey --- {5020DB8E-1FFD-4A4A-8D72-7615ECDA4D46}
{5020DB8E-1FFD-4A4A-8D72-7615ECDA4D46}
C:\WINDOWS\System32\sfsshell.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
rpkc.exe
==============================
C:\Documents and Settings\ChriRuss\Start Menu\Programs\Startup

desktop.ini
rpkc.exe
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
conres.cpl
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nCredps.cpl Novell, Inc.
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
yacxgc.cpl YAMAHA CORPORATION



WINP:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PEC2 9/27/2004 7:50:24 PM 200923 C:\WINDOWS\Bpwzcvwazju.gpo
PTech 9/27/2004 7:50:20 PM 1626626 C:\WINDOWS\Brhzmkhbm.jag
UPX! 12/12/1989 10:10:10 AM 12288 C:\WINDOWS\CFindUninst.exe
PTech 9/27/2004 7:50:10 PM 483851 C:\WINDOWS\Ctxyhsjoyq.efb
PEC2 9/27/2004 7:49:56 PM 192875 C:\WINDOWS\Dulroovb.rro
UPX! 6/9/2004 2:31:42 PM 236032 C:\WINDOWS\dwbreader.exe
FSG! 8/24/2005 11:04:36 AM 39517 C:\WINDOWS\hammer.exe

Items found in C:\WINDOWS\hosts

aspack 9/27/2004 7:50:08 PM 1343999 C:\WINDOWS\Ivukipqckb.ysz
PTech 9/27/2004 7:50:08 PM 1343999 C:\WINDOWS\Ivukipqckb.ysz
PECompact2 1/29/2005 2:25:46 PM 12333557 C:\WINDOWS\LPT$VPN.381
qoologic 1/29/2005 2:25:46 PM 12333557 C:\WINDOWS\LPT$VPN.381
SAHAgent 1/29/2005 2:25:46 PM 12333557 C:\WINDOWS\LPT$VPN.381
PECompact2 4/2/2005 1:47:56 PM 14238171 C:\WINDOWS\lpt$vpn.532
qoologic 4/2/2005 1:47:56 PM 14238171 C:\WINDOWS\lpt$vpn.532
SAHAgent 4/2/2005 1:47:56 PM 14238171 C:\WINDOWS\lpt$vpn.532
UPX! 8/24/2005 11:04:56 AM 8704 C:\WINDOWS\ms1.exe
PEC2 9/26/2004 1:05:56 PM 184535 C:\WINDOWS\Qblciowin.vfs
PEC2 9/27/2004 7:49:58 PM 193869 C:\WINDOWS\Rdomccq.atw
UPX! 8/16/2005 10:20:24 AM RHS 82432 C:\WINDOWS\ru.exe
UPX! 12/12/1989 10:10:10 AM RHS 18944 C:\WINDOWS\SNDQDLL.EXE
UPX! 1/29/2005 2:25:50 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 1/29/2005 2:25:46 PM 12333557 C:\WINDOWS\VPTNFILE.381
qoologic 1/29/2005 2:25:46 PM 12333557 C:\WINDOWS\VPTNFILE.381
SAHAgent 1/29/2005 2:25:46 PM 12333557 C:\WINDOWS\VPTNFILE.381
PECompact2 4/2/2005 1:47:56 PM 14238171 C:\WINDOWS\VPTNFILE.532
qoologic 4/2/2005 1:47:56 PM 14238171 C:\WINDOWS\VPTNFILE.532
SAHAgent 4/2/2005 1:47:56 PM 14238171 C:\WINDOWS\VPTNFILE.532
UPX! 2/18/2005 7:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 7:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 4/11/2005 3:17:10 PM 60928 C:\WINDOWS\SYSTEM32\1800414.dll
UPX! 8/16/2005 7:55:26 PM 67072 C:\WINDOWS\SYSTEM32\atidia.exe
UPX! 8/16/2005 10:50:14 AM 24576 C:\WINDOWS\SYSTEM32\AUNPS2.dll
UPX! 5/4/2005 1:00:44 PM 98816 C:\WINDOWS\SYSTEM32\better0503.dll
UPX! 4/18/2005 9:11:20 AM 168960 C:\WINDOWS\SYSTEM32\blizzard.dll
Umonitor 8/16/2005 3:29:58 PM R S 417792 C:\WINDOWS\SYSTEM32\csmrepl.dll
WinShutDown 8/16/2005 3:29:58 PM R S 417792 C:\WINDOWS\SYSTEM32\csmrepl.dll
69.59.186.63 8/16/2005 8:07:30 PM 30208 C:\WINDOWS\SYSTEM32\datadx.dll
209.66.67.134 8/16/2005 8:07:30 PM 30208 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.97 8/16/2005 8:07:30 PM 30208 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.77 8/16/2005 8:07:30 PM 30208 C:\WINDOWS\SYSTEM32\datadx.dll
web-nex 8/16/2005 8:07:30 PM 30208 C:\WINDOWS\SYSTEM32\datadx.dll
winsync 8/16/2005 8:07:30 PM 30208 C:\WINDOWS\SYSTEM32\datadx.dll
rec2_run 8/16/2005 8:07:30 PM 30208 C:\WINDOWS\SYSTEM32\datadx.dll
UPX! 4/6/2005 12:23:56 PM 51712 C:\WINDOWS\SYSTEM32\delfin0414.dll
PEC2 8/29/2002 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 8/24/2005 11:04:46 AM 117248 C:\WINDOWS\SYSTEM32\dx32cxujy.exe
UPX! 1/15/2005 10:06:28 PM 110592 C:\WINDOWS\SYSTEM32\explore1.exe
69.59.186.63 8/25/2005 9:57:08 AM 46080 C:\WINDOWS\SYSTEM32\fkjdgdg.dll
209.66.67.134 8/25/2005 9:57:08 AM 46080 C:\WINDOWS\SYSTEM32\fkjdgdg.dll
web-nex 8/25/2005 9:57:08 AM 46080 C:\WINDOWS\SYSTEM32\fkjdgdg.dll
winsync 8/25/2005 9:57:08 AM 46080 C:\WINDOWS\SYSTEM32\fkjdgdg.dll
UPX! 8/24/2005 10:54:18 AM 3616 C:\WINDOWS\SYSTEM32\init32m.exe
Umonitor 8/15/2005 11:11:24 AM R S 417792 C:\WINDOWS\SYSTEM32\kydsl1.dll
WinShutDown 8/15/2005 11:11:24 AM R S 417792 C:\WINDOWS\SYSTEM32\kydsl1.dll
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
FSG! 8/24/2005 7:35:28 PM 39517 C:\WINDOWS\SYSTEM32\mdms.exe
Umonitor 8/29/2002 8:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 8/24/2005 11:05:04 AM 108032 C:\WINDOWS\SYSTEM32\SWsBwsls.exe
FSG! 8/24/2005 11:04:42 AM 13373 C:\WINDOWS\SYSTEM32\tibs.exe
FSG! 8/24/2005 10:54:18 AM 11120 C:\WINDOWS\SYSTEM32\vxgame1.exe
UPX! 8/24/2005 10:54:18 AM 3616 C:\WINDOWS\SYSTEM32\vxgame3.exe
FSG! 8/24/2005 10:54:18 AM 2064 C:\WINDOWS\SYSTEM32\vxgame4.exe
FSG! 8/24/2005 10:54:18 AM 1632 C:\WINDOWS\SYSTEM32\vxgame6.exe
UPX! 8/24/2005 10:54:18 AM 7168 C:\WINDOWS\SYSTEM32\vxgamet1.exe
FSG! 8/24/2005 10:54:18 AM 1632 C:\WINDOWS\SYSTEM32\vxgamet2.exe
FSG! 8/24/2005 8:52:58 AM 1665 C:\WINDOWS\SYSTEM32\vxh8jkdq1.exe
FSG! 8/24/2005 8:53:00 AM 3488 C:\WINDOWS\SYSTEM32\vxh8jkdq5.exe
FSG! 8/24/2005 8:53:00 AM 3120 C:\WINDOWS\SYSTEM32\vxh8jkdq6.exe
FSG! 8/24/2005 8:53:00 AM 3520 C:\WINDOWS\SYSTEM32\vxh8jkdq7.exe
FSG! 8/24/2005 8:52:58 AM 1665 C:\WINDOWS\SYSTEM32\vxh8jkdq8.exe
winsync 8/29/2002 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/25/2005 9:58:46 AM S 2048 C:\WINDOWS\bootstat.dat
8/25/2005 9:57:10 AM H 54156 C:\WINDOWS\QTFont.qfn
8/16/2005 10:20:24 AM RHS 82432 C:\WINDOWS\ru.exe
8/16/2005 3:14:14 PM H 0 C:\WINDOWS\inf\oem20.inf
8/16/2005 3:20:20 PM H 0 C:\WINDOWS\LastGood\INF\oem21.inf
8/16/2005 3:20:20 PM H 0 C:\WINDOWS\LastGood\INF\oem21.PNF
8/16/2005 3:29:58 PM R S 417792 C:\WINDOWS\system32\csmrepl.dll
8/8/2005 9:22:10 AM RHS 401408 C:\WINDOWS\system32\d?xplore.exe
8/15/2005 11:11:24 AM R S 417792 C:\WINDOWS\system32\kydsl1.dll
8/25/2005 9:58:34 AM H 8192 C:\WINDOWS\system32\config\default.LOG
8/25/2005 9:59:26 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
8/25/2005 9:58:48 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
8/25/2005 10:00:00 AM H 110592 C:\WINDOWS\system32\config\software.LOG
8/25/2005 10:00:40 AM H 978944 C:\WINDOWS\system32\config\system.LOG
8/17/2005 8:49:56 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
8/17/2005 8:49:56 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\494VN39S\desktop.ini
8/17/2005 8:49:56 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4D2IR8U9\desktop.ini
8/17/2005 8:49:56 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S2MR04HT\desktop.ini
8/17/2005 8:49:56 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZD1J3240\desktop.ini
7/16/2005 1:08:20 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\abd4462e-da75-4a34-9d00-f089308c9e73
7/16/2005 1:08:20 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/16/2005 3:14:36 PM RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
8/16/2005 1:15:12 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/29/2002 8:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
8/16/2005 8:07:30 PM 31232 C:\WINDOWS\SYSTEM32\conres.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Novell, Inc. 8/1/2002 5:40:18 PM 94208 C:\WINDOWS\SYSTEM32\nCredps.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 5/27/2003 12:42:58 PM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
YAMAHA CORPORATION 9/18/2002 2:54:26 PM 249856 C:\WINDOWS\SYSTEM32\yacxgc.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/26/2003 12:11:56 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/25/2005 9:31:52 AM 92160 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rpkc.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...
6/26/2003 7:53:10 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
8/19/2005 12:14:34 PM 8 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
2/1/2005 8:33:14 PM 188 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
6/26/2003 12:11:56 PM HS 84 C:\Documents and Settings\ChriRuss\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
6/26/2003 7:53:10 AM HS 62 C:\Documents and Settings\ChriRuss\Application Data\desktop.ini
12/2/2004 9:15:36 PM 65048 C:\Documents and Settings\ChriRuss\Application Data\GDIPFONTCACHEV1.DAT
8/24/2005 11:05:30 AM 2060027 C:\Documents and Settings\ChriRuss\Application Data\Install.dat
8/16/2005 10:20:52 PM 27 C:\Documents and Settings\ChriRuss\Application Data\Sskcwrd.dll
8/16/2005 5:31:18 PM 444246 C:\Documents and Settings\ChriRuss\Application Data\Sskknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{5020DB8E-1FFD-4A4A-8D72-7615ECDA4D46} = C:\WINDOWS\System32\sfsshell.dll

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mtnkqgqs
{f98c1bbe-3f19-47c0-8b6d-007ce18f785c} = C:\WINDOWS\System32\eonkb.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NetWareMenuItems
{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4} = novnpnt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Program Files\Eset\nodshex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\sysacpildap
{5E2121EE-0300-11D4-8D3B-444553540000} = C:\WINDOWS\System32\winacpi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{5020DB8E-1FFD-4A4A-8D72-7615ECDA4D46}
{5020DB8E-1FFD-4A4A-8D72-7615ECDA4D46} = C:\WINDOWS\System32\sfsshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NetWareMenuItems
{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4} = novnpnt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NetWareServerMenu
{9b173360-732b-11ce-aa22-00805f9834b0} = novnpnt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Program Files\Eset\nodshex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{5020DB8E-1FFD-4A4A-8D72-7615ECDA4D46}
{5020DB8E-1FFD-4A4A-8D72-7615ECDA4D46} = C:\WINDOWS\System32\sfsshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\DateBar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{4E7BD74F-2B8D-469E-8AA5-A930F887B531} = inExplorer Search : C:\PROGRA~1\INEXPL~1\INEXPL~1.DLL
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{A833AB67-7368-457E-B8BF-249CCD8DDD14} = Date Bar : C:\DOCUME~1\ChriRuss\LOCALS~1\Temp\dbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NDPS C:\WINDOWS\System32\dpmw32.exe
NWTRAY NWTRAY.EXE
ATIModeChange Ati2mdxx.exe
AtiPTA atiptaxx.exe
ZENRC Tray Icon C:\WINDOWS\System32\zentray.exe
RoxioEngineUtility "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioDragToDisc "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
RoxioAudioCentral "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
winsync C:\WINDOWS\System32\s4gddk.exe reg_run
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
CompatibleRUPSecurity 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0
NoComponents 0
NoAddingComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoHTMLWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0
ForceActiveDesktopOn 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
olejte C:\WINDOWS\System32\olejte.exe
rhgr.exe C:\WINDOWS\system\rhgr.exe
tkaadbnq.exe C:\WINDOWS\system\tkaadbnq.exe
tqdua.exe C:\WINDOWS\system\tqdua.exe
blcci.exe C:\WINDOWS\system\blcci.exe
wsogeu.exe C:\WINDOWS\system\wsogeu.exe
lsdfg.exe C:\WINDOWS\system\lsdfg.exe
qnrgbqxu.exe C:\WINDOWS\system\qnrgbqxu.exe
coetunn.exe C:\WINDOWS\system\coetunn.exe
obsgsds.exe C:\WINDOWS\system\obsgsds.exe
aohwt.exe C:\WINDOWS\system\aohwt.exe
xjbrqkg.exe C:\WINDOWS\system\xjbrqkg.exe
teenph.exe C:\WINDOWS\system\teenph.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 1
NoDispAppearancePage 0
NoColorChoice 0
NoSizeChoice 0
NoDispBackgroundPage 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0
Wallpaper C:\WINDOWS\desktop.html


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = explorer.exe
System = ziswin.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/25/2005 10:10:20 AM
  • 0

#10
tampabelle
Posted 25 August 2005 - 09:24 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
I have doubts about a few files / programs !!! The rest of the fix is ready. If these files are not known to you / not required we can include them in the fix.

Can you tell me whether you are aware of them ??

C:\WINDOWS\dwbreader.exe <----- May be related to some Web Reader program
C:\WINDOWS\hammer.exe <----- Maybe related to some music software
C:\WINDOWS\SYSTEM32\explore1.exe <----- Can you check if you have the file C:\Windows\explorer.exe ?? Did you create this file for some tinkering / backup purposes ??

Edited by tampabelle, 25 August 2005 - 09:25 AM.

  • 0

Advertisements

#11
russell146
Posted 25 August 2005 - 09:36 AM

russell146

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
All of the files are unrequired and not needed. Let's include them in the fix. I do have the "explore1" file. It's in C:\WINDOWS\system32. It says the type is an Application. Date modified - 1/15/2005.

Thanks
  • 0

#12
tampabelle
Posted 25 August 2005 - 09:45 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Can you confirm that your C:\Widnows\explorer.exe file is intact ??

Can you give me the file size of it ??
  • 0

#13
russell146
Posted 25 August 2005 - 09:50 AM

russell146

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
108KB
  • 0

#14
russell146
Posted 25 August 2005 - 09:55 AM

russell146

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
You know what, I think maybe I answered the last question wrong.

explore1 = 108 KB.

I think explorer = 981 KB

Does that make sense?
  • 0

#15
tampabelle
Posted 25 August 2005 - 10:04 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

The C:\Windows\explorer.exe file on my pc in 0.98 MB big !!!!!!!!!!


Can you upload both the files -

C:\Windows\explorer.exe and
C:\windows\system32\explore1.exe

at http://virusscan.jotti.org/ for scanning.

Post back the scan report. Also let me know the size of the file C:\windows\system32\explore1.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP