Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan. Wareout, ntfsnlpa.exe, rdsndin.exe [CLOSED]

Started by Waffleman640 , Aug 31 2005 08:50 PM

  • This topic is locked This topic is locked

#1
Waffleman640
Posted 31 August 2005 - 08:50 PM

Waffleman640

    New Member

  • Member
  • Pip
  • 9 posts
I managed to pick up this nasty thing. I looked on another forum and I figured that much out. It's redirecting me to other links when I click on them... really really annoying. Ad-Aware and Spybot can't get rid of this on their own and I'm having issues! Windows notifications keep popping up saying that my computer is "at risk". Help would be greatly appreciated. :tazz:

Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 7:49:26 PM, on 8/31/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\OFFICE51\SOINTGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RDSNDIN.EXE
C:\WINDOWS\SYSTEM\NTFSNLPA.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n....1&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/My%20Documents/web/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {B40A6610-1D16-11D3-80B2-005004994DA2} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [HCLEAN32.EXE] C:\WINDOWS\SYSTEM\HCLEAN32.EXE
O4 - HKLM\..\Run: [dmgrf.exe] C:\WINDOWS\SYSTEM\dmgrf.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 195.95.218.3,85.255.112.5
  • 0

Advertisements

#2
Buckeye_Sam
Posted 03 September 2005 - 07:31 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I see you are running Hijackthis from your desktop. Please create a directory on your c: drive called c:\hijackthis and move hijackthis into that directory. Run the program from that directory from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.

Once you have Hijackthis running from a within a folder please reboot and post a new hijackthis log.
  • 0

#3
Waffleman640
Posted 03 September 2005 - 08:22 AM

Waffleman640

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I've been trying to do this, but right now it's a fight just to keep my computer from freezing... any second now it may, i can't do anything online from safe mode because my comp doesn't have the option when I press F8 at start up to run safe mode with network connections (my internet!) i'll try to post a log next... it's in a folder and i've rebooted 30,000 times...
  • 0

#4
Waffleman640
Posted 03 September 2005 - 08:24 AM

Waffleman640

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Sorry about my hurried response, I was just afraid that it was going to freeze on me and show me the blue screen of death before I could add a reply! Well anyway, it seems to be taking it's time to do this now, so I'll post the log. I put it in it's own HiJackThis folder on C: and took a scan and log file.

I've noticed there are quite a few topics on this particular trojan around the board that sound almost exactly like mine. hclean32.exe with the fake balloons that pop up and tell me that my computer is having issues with security risks (despite the fact I'm using Me and Me almost NEVER has balloons like this unlike XP). I also had Wareout. I managed to delete that entire folder but I bet the damage is still done. I'm getting loads of other spyware when I run Spybot as well. Stuff I normally don't get. It just comes back... jeez...

Logfile of HijackThis v1.99.1
Scan saved at 7:22:49 AM, on 9/3/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\OFFICE51\SOINTGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n....1&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/My%20Documents/web/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {B40A6610-1D16-11D3-80B2-005004994DA2} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\YTCMB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\YTCMB.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [HCLEAN32.EXE] C:\WINDOWS\SYSTEM\HCLEAN32.EXE
O4 - HKLM\..\Run: [dmopa.exe] C:\WINDOWS\SYSTEM\dmopa.exe
O4 - HKLM\..\Run: [dmnrp.exe] C:\WINDOWS\SYSTEM\dmnrp.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 195.95.218.3,85.255.112.5

Edited by Waffleman640, 03 September 2005 - 08:34 AM.

  • 0

#5
Buckeye_Sam
Posted 04 September 2005 - 05:35 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Let's see if we can get you stabilized a bit and then we'll have to see some more logs to show some hidden malware.


You will need to disable Spybot's Teatimer function before you proceed with this fix.
http://russelltexas....re/teatimer.htm



Please make sure that you can VIEW ALL HIDDEN FILES.
* Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.


Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B40A6610-1D16-11D3-80B2-005004994DA2} - (no file)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\YTCMB.DLL
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\YTCMB.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HCLEAN32.EXE] C:\WINDOWS\SYSTEM\HCLEAN32.EXE
O4 - HKLM\..\Run: [dmopa.exe] C:\WINDOWS\SYSTEM\dmopa.exe
O4 - HKLM\..\Run: [dmnrp.exe] C:\WINDOWS\SYSTEM\dmnrp.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -



Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.




Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):

C:\WINDOWS\SYSTEM\YTCMB.DLL
C:\WINDOWS\SYSTEM\HCLEAN32.EXE
C:\WINDOWS\SYSTEM\dmopa.exe
C:\WINDOWS\SYSTEM\dmnrp.exe


Reboot your computer to go back to normal mode.



Hopefully that will help a little and allow you to more easily follow this next step.

Please RIGHT-CLICK HERE to download Silent Runner's.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#6
Waffleman640
Posted 04 September 2005 - 08:50 AM

Waffleman640

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hey, I just wanted to thank you for the time and effort that you spend on people just like me who really oughtta be more educated on this subject anyway! Thanks!

Fixed all checked in HiJackThis with no problems. Rebooted in Safe Mode, and found that ytcmb.dll was there, I deleted it. I also deleted Hclean32.exe. I noticed neither of the other two applications you listed were there. However I noted another suspicious file (I didn't do anything to it, just bringing it to your attention) named dmele.exe, I noticed it also in HiJackThis. It might be nothing, but it just made me a wee bit curious.

I then rebooted and ran Silent Runners, it asked me as to whether I wanted to Skip supplementary searches (default), so I said yes... I'm not sure as to whether that was a smart idea. Anyway, here is the log...

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "c:\windows\scanregw.exe /autorun" [MS]
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"ATIGART" = "c:\ati\gart\atigart.exe" ["ATI Technologies Inc."]
"SO5 Integrator Pass Two" = "C:\OFFICE51\SOINTGR.EXE" [null data]
"PCHealth" = "c:\windows\PCHealth\Support\PCHSchd.exe -s" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"InCD" = "C:\Program Files\ahead\InCD\InCD.exe" ["Copyright © ahead software gmbh and its licensors"]
"Motive SmartBridge" = "C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."]
"THGuard" = ""C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"" ["Mischel Internet Security"]
"dmraa.exe" = "C:\WINDOWS\SYSTEM\dmraa.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SO5 Integrator Pass One" = "C:\OFFICE51\SOINTGR.EXE" [null data]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"KB891711" = "c:\windows\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 c:\windows\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\ahead\Nero\neroshx.dll" ["ahead software gmbh im stoeckmaedle 6 76307 karlsbad, germany Fax: ++49-7248-911-888 e-mail: [email protected]"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SMARTFTP\SMARTHOOK.DLL" ["SmartFTP"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]


System Policies [Description]:
------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\My Documents\My Pictures\dvd_gimli_1024.bmp"


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Verizon Online Support Center" -> shortcut to: "C:\Program Files\Verizon Online\bin\matcli.exe -boot" ["Motive Communications, Inc."]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1
c:\windows\SYSTEM\msafd.dll [MS], 2 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" [MS]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\PROGRAM FILES\AIM\AIM.EXE" ["America Online, Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
[Strings]: MS_START_PAGE_URL="http://www.microsoft...5.5&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 96 seconds, including 82 seconds for message boxes)
  • 0

#7
Buckeye_Sam
Posted 04 September 2005 - 01:43 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
I have a sneaky suspicion that there's a few bad files hiding out that we need to find.

Let's try this.

Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.

Reboot your computer into Safe Mode


Doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply.



===========


Also...


Download PFind.zip and unzip the contents to its own permanent folder.

Reboot your computer into Safe Mode

Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\pfind.txt along with the rkfiles log.
  • 0

#8
Waffleman640
Posted 05 September 2005 - 10:28 AM

Waffleman640

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Alright, I ran both scans in safe mode and here are the logs. First the log for RKFiles.bat.

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM\rdsndin.exe: UPX!
C:\WINDOWS\SYSTEM\xwfqvx.exe: UPX!
C:\WINDOWS\SYSTEM\HyperLinker.exe: UPX!
C:\WINDOWS\SYSTEM\ntfsnlpa.exe: UPX!
C:\WINDOWS\SYSTEM\gpsresl32.exe: FSG!
C:\WINDOWS\SYSTEM\dgprpsetup.exe: FSG!
C:\WINDOWS\SYSTEM\DivX.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\del.tmp: UPX!
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye



And now the log for WinPFind.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows Millennium Edition Version: 4.90.3000
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 9/5/2005 9:00:12 AM 152 c:\win.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
SAHAgent 9/5/2005 9:01:22 AM RH 1417248 c:\windows\USER.DAT
PECompact2 8/30/2005 7:46:40 AM 15707121 c:\windows\VPTNFILE.809
qoologic 8/30/2005 7:46:40 AM 15707121 c:\windows\VPTNFILE.809
SAHAgent 8/30/2005 7:46:40 AM 15707121 c:\windows\VPTNFILE.809
UPX! 1/10/2005 5:21:32 PM 597204 c:\windows\del.tmp
UPX! 5/3/2005 11:44:44 AM 25157 c:\windows\RMAgentOutput.dll
PECompact2 8/30/2005 7:46:40 AM 15707121 c:\windows\lpt$vpn.809
qoologic 8/30/2005 7:46:40 AM 15707121 c:\windows\lpt$vpn.809
SAHAgent 8/30/2005 7:46:40 AM 15707121 c:\windows\lpt$vpn.809
UPX! 8/30/2005 7:46:42 AM 170053 c:\windows\tsc.exe
UPX! 8/30/2005 7:46:42 AM 1044560 c:\windows\vsapi32.dll
aspack 8/30/2005 7:46:42 AM 1044560 c:\windows\vsapi32.dll

Checking %System% folder...
PTech 1/31/2005 6:20:14 AM HS 10856 c:\windows\SYSTEM\KGyGaAvL.sys
PTech 9/2/1999 3:31:08 PM 376184 c:\windows\SYSTEM\3DFX16V3.DRV
UPX! 9/5/2005 8:50:54 AM 4608 c:\windows\SYSTEM\rdsndin.exe
UPX! 1/10/2005 5:20:44 PM 38400 c:\windows\SYSTEM\xwfqvx.exe
PTech 1/10/2005 5:20:48 PM 614456 c:\windows\SYSTEM\saie_kyf.dat
PTech 1/10/2005 5:21:38 PM 3686585 c:\windows\SYSTEM\saie_kyf_update.dat
UPX! 12/30/2004 11:56:10 AM 887987 c:\windows\SYSTEM\HyperLinker.exe
PEC2 10/26/2004 2:38:24 PM 716800 c:\windows\SYSTEM\DivX.dll
PECompact2 10/26/2004 2:38:24 PM 716800 c:\windows\SYSTEM\DivX.dll
UPX! 9/5/2005 8:50:54 AM 45568 c:\windows\SYSTEM\ntfsnlpa.exe
FSG! 8/29/2005 6:48:06 AM 705 c:\windows\SYSTEM\gpsresl32.exe
FSG! 9/2/2005 5:57:02 AM 705 c:\windows\SYSTEM\dgprpsetup.exe

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/5/2005 9:02:22 AM RH 3407904 c:\windows\CLASSES.DAT
9/5/2005 8:57:28 AM RH 1683488 c:\windows\SYSTEM.DAT
9/5/2005 9:07:44 AM RH 1417248 c:\windows\USER.DAT
9/4/2005 7:43:02 AM H 8809 c:\windows\ttfCache
9/5/2005 8:55:26 AM H 553938 c:\windows\ShellIconCache
9/4/2005 8:50:56 AM H 6 c:\windows\TASKS\SA.DAT
8/24/2005 6:19:40 AM HS 118 c:\windows\Recent\Desktop.ini
9/5/2005 8:56:48 AM HS 2368 c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
8/24/2005 6:10:08 AM H 159 c:\windows\Desktop\My Briefcase\Briefcase Database
9/5/2005 8:57:10 AM H 2216 c:\windows\PCHEALTH\HELPCTR\Database\HelpSessionHistory.stream
9/3/2005 7:11:58 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\desktop.ini
9/3/2005 7:14:18 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\8T4R030V\desktop.ini
9/3/2005 7:14:20 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\3J9JVXKK\desktop.ini
9/3/2005 7:14:46 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\27Y7E1I3\desktop.ini
9/3/2005 7:14:46 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\IHH2ZIXS\desktop.ini
9/4/2005 1:09:44 PM HS 92 c:\windows\NetHood\dashboard.serveftp.com\Desktop.ini

Checking for CPL files...
Microsoft Corporation 6/8/2000 5:00:00 PM 221280 c:\windows\SYSTEM\DESK.CPL
Microsoft Corporation 8/29/2002 7:07:38 AM 292352 c:\windows\SYSTEM\INETCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 62464 c:\windows\SYSTEM\INTL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 408576 c:\windows\SYSTEM\MMSYS.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 104368 c:\windows\SYSTEM\MODEM.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 14448 c:\windows\SYSTEM\NETCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 41232 c:\windows\SYSTEM\ODBCCP32.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 47104 c:\windows\SYSTEM\PASSWORD.CPL
Microsoft Corporation 9/16/2002 9:37:16 AM 28672 c:\windows\SYSTEM\WUAUCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 79872 c:\windows\SYSTEM\APPWIZ.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 111616 c:\windows\SYSTEM\MAIN.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 389872 c:\windows\SYSTEM\SYSDM.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 36864 c:\windows\SYSTEM\TIMEDATE.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 61200 c:\windows\SYSTEM\POWERCFG.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 15360 c:\windows\SYSTEM\THEMES.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 66560 c:\windows\SYSTEM\ACCESS.CPL
Sun Microsystems, Inc. 12/6/2004 9:31:48 PM 49265 c:\windows\SYSTEM\jpicpl32.cpl
Microsoft Corporation 6/8/2000 5:00:00 PM 15360 c:\windows\SYSTEM\TELEPHON.CPL
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 c:\windows\SYSTEM\QuickTime.cpl
Microsoft Corporation 10/30/2001 8:10:00 AM 442368 c:\windows\SYSTEM\JOY.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
3/10/2004 6:01:36 AM 45056 C:\WINDOWS\Start Menu\Programs\StartUp\strings.exe
4/4/2005 6:25:20 AM 519 C:\WINDOWS\Start Menu\Programs\StartUp\Verizon Online Support Center.lnk

Checking files in %USERPROFILE%\Application Data folder...
1/25/2005 9:11:46 AM 4608 C:\WINDOWS\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
9/4/2005 1:30:56 PM 1313 C:\WINDOWS\Application Data\dw.log
7/11/2005 2:25:24 AM 18816 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT
10/28/1999 3:25:44 PM 42 C:\WINDOWS\Application Data\sversion.ini
10/28/1999 3:32:06 PM 4096 C:\WINDOWS\Application Data\user.rdb
12/22/2004 7:43:14 PM 4713 C:\WINDOWS\Application Data\wo.tmp

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
VZ_IE6 = IEAK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{53C74826-AB99-4d33-ACA4-3117F51D3788} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{BD472F60-27FA-11cf-B8B4-444553540000} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll

<<< WARNING! - NOT A VALID WIN98 KEY! (ME is Ok) >>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWS\SYSTEM\DOCPROP2.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRAM FILES\AIM\AIM.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINDOWS\SYSTEM\SHELL32.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ScanRegistry c:\windows\scanregw.exe /autorun
TaskMonitor c:\windows\taskmon.exe
SystemTray SysTray.Exe
ATIGART c:\ati\gart\atigart.exe
SO5 Integrator Pass Two C:\OFFICE51\SOINTGR.EXE
PCHealth c:\windows\PCHealth\Support\PCHSchd.exe -s
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
InCD C:\Program Files\ahead\InCD\InCD.exe
Motive SmartBridge C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
THGuard "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
dmnyu.exe C:\WINDOWS\SYSTEM\dmnyu.exe
cstei.exe cstei.exe
HCLEAN32.EXE C:\WINDOWS\SYSTEM\HCLEAN32.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
SO5 Integrator Pass One C:\OFFICE51\SOINTGR.EXE
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent mstask.exe
*StateMgr C:\WINDOWS\System\Restore\StateMgr.exe
KB891711 c:\windows\SYSTEM\KB891711\KB891711.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
NoRealMode 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{0CB2BD5A-7A80-4BA9-B49A-02DC51144BDF}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{10003000-1000-0000-1000-000000000000}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{11111111-1111-1111-1111-111111111157}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{11111111-1111-1111-1111-111111113457}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{11111111-1111-1111-1111-111191113457}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{11111111-1111-1111-1111-511111113457}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{11111111-1111-1111-1111-511111113458}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{11111111-1111-1111-1111-511111193457}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{11111111-1111-1111-1111-511111193458}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{11212111-2121-1311-1141-115611111222}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{11311111-1111-1111-1111-111111111157}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{11F1D260-129E-4EB7-B37E-57E3D97A3DF1}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{12398DD6-40AA-4C40-A4EC-A42CFC0DE797}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{15589FA1-C456-11CE-BF01-000000000000}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{16CBFD08-1D2E-4641-A3AE-5231633DE0D9}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{1D0D9077-3798-49BB-9058-393499174D5D}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{22222222-2222-2222-2222-222222222222}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{23232323-2323-2323-2323-232323291122}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{2456741B-1567-7682-A355-939856783603}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{26D73573-F1B3-48C9-A989-E6CE071957A1}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{288C5F13-7E52-4ADA-A32E-F5BF9D125F98}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{2AEBF56B-88C4-7EC4-3B3F-24F1B5AD40FF}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{2E3C3651-B19C-4DD9-A979-901EC3E930AF}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{2ED9207B-BC4E-2F4A-B885-07E8685767EE}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{34805D32-AD89-469E-8503-A5666AEE4333}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{386A771C-E96A-421F-8BA7-32F1B706892F}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{495290C2-F899-3F27-7DCD-F0A53C127EF2}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{4F5E4276-C120-11D6-A1FD-00508B9D48EA}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{511F9316-771B-4953-A268-1C36DA667FE9}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{54C75FB0-6B8B-4278-BF7B-77036F15A69E}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{5C3A9EA6-4068-46B8-8B5A-692FB10607B1}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{73F0FD85-BD47-4A95-86D1-DE38860462C1}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{771A1334-6B08-4A6B-AEDC-CF994BA2CEBE}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{79849612-A98F-45B8-95E9-4D13C7B6B35C}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{7C559105-9ECF-42B8-B3F7-832E75EDD959}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{99410CDE-6F16-42ce-9D49-3807F78F0287}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{AEFD32B6-4815-11D2-98E4-00C04FCEFE77}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{AF9104F7-D6E9-46CC-8FBF-BBE2FB05E3CF}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{B942A249-D1E7-4C11-98AE-FCB76B08747F}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{B94B4225-E02E-4D3F-BADB-026F1E2F3AD7}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{C6760A07-A574-4705-B113-7856315922C3}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{CC110316-5BE7-4AAA-AEDD-1A5B147BE34C}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{D909E944-3A96-4280-9983-9D00001973A4}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{EF86873F-04C2-4A95-A373-5703C08EFC7B}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{FA83E942-B796-46DE-9155-1632ECC5473B}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\v3cab
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{08BEC6AA-49FC-4379-3587-4B21E286C19E}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{BB936323-19FA-4521-BA29-ECA6A121BC78}
Compatibility Flags 1024


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\BitBucket

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\BitBucket\C

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\{2318C2B1-4965-11d4-9B18-009027A5CD4F}
Compatibility Flags 1024


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 0
CDRAutoRun
NoBandCustomize 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL
AUHook {BCBCD383-3E06-11D3-91A9-00C04F68105C} = C:\WINDOWS\SYSTEM\AUHOOK.DLL


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/5/2005 9:09:49 AM
  • 0

#9
Buckeye_Sam
Posted 05 September 2005 - 04:43 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

    • C:\WINDOWS\SYSTEM\rdsndin.exe
      C:\WINDOWS\SYSTEM\xwfqvx.exe
      C:\WINDOWS\SYSTEM\HyperLinker.exe
      C:\WINDOWS\SYSTEM\ntfsnlpa.exe
      C:\WINDOWS\SYSTEM\gpsresl32.exe
      C:\WINDOWS\SYSTEM\dgprpsetup.exe
      C:\WINDOWS\del.tmp
      c:\windows\SYSTEM\saie_kyf.dat
      c:\windows\SYSTEM\saie_kyf_update.dat
      C:\WINDOWS\SYSTEM\dmnyu.exe
      C:\WINDOWS\SYSTEM\HCLEAN32.EXE

  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now.



Please post a new hijackthis log and a new log from rkfiles.
  • 0

#10
Buckeye_Sam
Posted 21 September 2005 - 04:21 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP