Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help with spyware removal ....please [resolved]

Started by douglasreno , Dec 18 2004 06:55 AM

  • Please log in to reply

#1
douglasreno
Posted 18 December 2004 - 06:55 AM

douglasreno

    Member

  • Member
  • PipPip
  • 15 posts
Here is my HiJack This log file:


Logfile of HijackThis v1.97.7
Scan saved at 7:58:41 AM, on 12/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\PROGRA~1\HEWLET~2\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\MsiExec.exe
C:\My Documents\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.c...ODQ6NTo5&Terms=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [owkqrdmfmodf] C:\WINDOWS\system32\bzmzjp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C:\WINDOWS\qgbdvio.exe] C:\WINDOWS\qgbdvio.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab

Please help me someone??????

Doug
  • 0

Advertisements

#2
douglasreno
Posted 18 December 2004 - 06:59 AM

douglasreno

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
yes i am also on a cable modem if that iformation is needed......
  • 0

#3
coachwife6
Posted 18 December 2004 - 07:53 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Hi douglasreno. Welcome to GTG. :tazz:

Click Here download the latest version of Hijack This (1.98.2). It's better able to catch the latest threats.
  • 0

#4
douglasreno
Posted 18 December 2004 - 12:26 PM

douglasreno

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
coach wife 6 ihave done the following:

run ad-adware se
run cw sherdder
run spybot search and destroy
run mcafee virus scan
i am still having problems

here is the hijack this log file run with new version, you reccomended.

Logfile of HijackThis v1.99.0
Scan saved at 1:27:47 PM, on 12/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Documents\My Downloads\HijackThis-1.exe

O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

YOur help is appreciated.

Doug
  • 0

#5
coachwife6
Posted 18 December 2004 - 01:49 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Good job DR. Telling me what you did helps me out very much. :tazz:
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.

  • 0

#6
douglasreno
Posted 18 December 2004 - 02:18 PM

douglasreno

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Here you go cw6:


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/18/2004 08:14a 223,100 enlol1331.dll
12/18/2004 07:45a <DIR> dllcache
12/18/2004 07:43a 225,015 irjul5191.dll
12/18/2004 07:40a 225,050 q0nula591d.dll
12/15/2004 10:39p 224,723 f6l00g3me6.dll
12/15/2004 09:55p 225,336 lv4609hse.dll
12/15/2004 09:53p 225,992 ir0ol5d31.dll
12/15/2004 08:34p 223,703 mkhcp.dll
12/14/2004 10:05p 225,640 ktlul7391.dll
12/14/2004 08:07p 223,816 fNxmapi.dll
12/14/2004 05:18p 224,513 i0lola331d.dll
12/14/2004 06:01a 224,890 rem.dll
12/11/2004 06:20p 223,304 e802lido180c.dll
12/08/2004 06:21p 223,123 gpj8l31u1.dll
12/07/2004 06:27p 223,123 r6r60g9se6.dll
12/07/2004 06:18p 226,129 j00s0ad7ed0.dll
12/06/2004 04:21p 226,129 ITMFILTER.DLL
16 File(s) 3,593,586 bytes
1 Dir(s) 6,973,149,696 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/18/2004 07:45a <DIR> dllcache
08/13/2004 09:50p <DIR> GroupPolicy
08/13/2004 09:31p 21,692 folder.htt
08/13/2004 09:31p 271 desktop.ini
2 File(s) 21,963 bytes
2 Dir(s) 6,973,153,280 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/18/2004 01:23p 225,015 guard.tmp
1 File(s) 225,015 bytes
0 Dir(s) 6,973,153,280 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/18/2004 01:23p 225,015 guard.tmp
12/07/1999 07:00a 2,577 CONFIG.TMP
2 File(s) 227,592 bytes
0 Dir(s) 6,973,153,280 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B050EB16-A35D-4FE1-98F4-A172E7A572BA}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fontsize]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irjul5191.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


---------------- Xfind Results -----------------


  • 0

#7
coachwife6
Posted 18 December 2004 - 03:10 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
is that the entire log?
  • 0

#8
douglasreno
Posted 18 December 2004 - 03:22 PM

douglasreno

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
yes that is the entire file.... i will post again i ran it again for you....


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/18/2004 08:14a 223,100 enlol1331.dll
12/18/2004 07:45a <DIR> dllcache
12/18/2004 07:43a 225,015 irjul5191.dll
12/18/2004 07:40a 225,050 q0nula591d.dll
12/15/2004 10:39p 224,723 f6l00g3me6.dll
12/15/2004 09:55p 225,336 lv4609hse.dll
12/15/2004 09:53p 225,992 ir0ol5d31.dll
12/15/2004 08:34p 223,703 mkhcp.dll
12/14/2004 10:05p 225,640 ktlul7391.dll
12/14/2004 08:07p 223,816 fNxmapi.dll
12/14/2004 05:18p 224,513 i0lola331d.dll
12/14/2004 06:01a 224,890 rem.dll
12/11/2004 06:20p 223,304 e802lido180c.dll
12/08/2004 06:21p 223,123 gpj8l31u1.dll
12/07/2004 06:27p 223,123 r6r60g9se6.dll
12/07/2004 06:18p 226,129 j00s0ad7ed0.dll
12/06/2004 04:21p 226,129 ITMFILTER.DLL
16 File(s) 3,593,586 bytes
1 Dir(s) 6,974,029,312 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/18/2004 07:45a <DIR> dllcache
08/13/2004 09:50p <DIR> GroupPolicy
08/13/2004 09:31p 21,692 folder.htt
08/13/2004 09:31p 271 desktop.ini
2 File(s) 21,963 bytes
2 Dir(s) 6,974,036,992 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/18/2004 01:23p 225,015 guard.tmp
1 File(s) 225,015 bytes
0 Dir(s) 6,974,036,992 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is HP_PAVILION
Volume Serial Number is E0C6-2FAB

Directory of C:\WINDOWS\System32

12/18/2004 01:23p 225,015 guard.tmp
12/07/1999 07:00a 2,577 CONFIG.TMP
2 File(s) 227,592 bytes
0 Dir(s) 6,974,036,992 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B050EB16-A35D-4FE1-98F4-A172E7A572BA}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fontsize]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irjul5191.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


---------------- Xfind Results -----------------


  • 0

#9
douglasreno
Posted 18 December 2004 - 07:51 PM

douglasreno

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
i hope the above gives you something to go on cw6, i am headed to bed ill chk back in the morning hopefully youll have something for me. Doug
  • 0

#10
coachwife6
Posted 18 December 2004 - 09:43 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please Download LSPFix from http://www.cexx.org/lspfix.htm and Run the Program. Disconnect from the Internet and close all Internet Explorer Windows. Check the "I know what I'm doing" Button and remove all traces of calsp.dll. Reboot.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.


O1 - Hosts: 69.20.16.183 search.netscape.com

01 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 ieautosearch

O1 - Hosts: 69.20.16.183 ieautosearch

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)

O9 - Extra \'Tools\' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

Reboot and post a fresh log.
  • 0

Advertisements

#11
douglasreno
Posted 19 December 2004 - 02:02 PM

douglasreno

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
cw6 thanks i did exactly as you requested, howerver encountered some problems when i went to delete files with disk clean up.... it would nt run, well it would but it would seem to hang up never completed. ... so i went and tried to delete all the files in my tem internet got all of them.... deleted all but these file from my temp folder:
site=mons&affiliate=mon&app=2fjobsearch%2Easp&lid=635&lid=637&cy=US&st=&ci=&cid=8&cid=12&cid=46&cid=10&cid=597&lv=&key=&zip=&ct=[1].htm
this is in three seperate folders and
1895129202@HeaderSpon,PageSpon,PageSpon2,LoalAd,WXSpon,Explore1,Explore2,Explore3,Explore4,Explore5,Explore6,LocalSite1,......LocalSite5,Loca[1]
this appears in one folder and
grp=build_a_site&country=uk&affiliate=uktripod&svc=hosting&adpos=18&ch=hobby&sch=hobbies&kw=benjamine&kw=eggelston&kw=benjamine+eggelston&ee=1&params[1].htm
this is in another folder and
in antoher folder ti appears again twice ending in [1].htm and [2].htm

also jsut to throw this on top of it all the recycle bin continuously shows 7 items even after you empty it and even after you delete more than seven items..... witht hat said here is the log and it would appear all the thnigs i delelted from it the first time are back in the log.

Logfile of HijackThis v1.97.7
Scan saved at 2:48:07 PM, on 12/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\My Documents\My Downloads\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

thanks for all the help so far i am willing to do anything you wanna try.

Doug
  • 0

#12
coachwife6
Posted 19 December 2004 - 02:04 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
you rescanned with the old version of Hijack This. Please use the new version. Unfortunately, you have an infection that I really have not been able to figure out how to clean. There's a fix, but I'm still unsure how to proceed. I will get back to you, but it may be a day or two. We are very, very understaffed and it seems like overloaded with problems the past few days. Just be patient, and we'll get back with you. :tazz:
  • 0

#13
douglasreno
Posted 19 December 2004 - 02:08 PM

douglasreno

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Logfile of HijackThis v1.99.0
Scan saved at 3:12:09 PM, on 12/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Documents\My Downloads\HijackThis-1.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
  • 0

#14
douglasreno
Posted 19 December 2004 - 07:06 PM

douglasreno

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
cw6
i hope i havent worn you out on this one... ill chk back later tonight....

Doug
  • 0

#15
admin
Posted 20 December 2004 - 12:50 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP