Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

rundll error: xnhelp.dll, Umonitor

Started by neo_fightr , Dec 18 2004 10:05 PM

  • Please log in to reply

#1
neo_fightr
Posted 18 December 2004 - 10:05 PM

neo_fightr

    Member

  • Member
  • PipPip
  • 11 posts
Hi-
I've been following the postings for PyromanicElf in this forum and I believe I have the Umonitor and/or VX2 Trojan on my system.

I don't know how to read my log files so I thank you for your help.

I have Windows XP SP1. My system crashed twice today and upon re-boot, this error message appeared the first time:

RUNDLL
an exception occured while trying to run "C:WINDOWS\system32\guard.tmp", Umonitor

And the second time:
... "C:\WINDOWS\system32\xnhelp.dll", Umonitor

To remedy this, I have done the following:
1. Installed and run Adaware SE (log file attached)

2. Installed and run Spy-bot Search and Destroy (list of found spies attached)

3. Installed CWS shredder and removed the following: CWS.bootconfig and CWS.svchost32.

4. Installed Mozilla Firefox for browsing. Though I no longer use IE to browse, I sometimes get an IE pop up ad window while I'm online with Mozilla!

5. Installed HiJack This and scanned (log attached)

I'd like to eventually install Windows SP2 but would like to rid my sytem of this malware first.
  • 0

Advertisements

#2
neo_fightr
Posted 18 December 2004 - 10:12 PM

neo_fightr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Ad-aware Logfile


Ad-Aware SE Build 1.05
Logfile Created on:Saturday, December 18, 2004 6:47:24 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R23 16.12.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):9 total references
Redirected hostfile entry(TAC index:4):6 total references
VX2(TAC index:10):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R23 16.12.2004
Internal build : 28
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 418765 Bytes
Total size : 1325342 Bytes
Signature data size : 1295582 Bytes
Reference data size : 29248 Bytes
Signatures total : 36831
Fingerprints total : 624
Fingerprints size : 23478 Bytes
Target categories : 15
Target families : 634


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:42 %
Total physical memory:523804 kb
Available physical memory:217732 kb
Total page file size:1280484 kb
Available on page file:1024404 kb
Total virtual memory:2097024 kb
Available virtual memory:2048952 kb
OS:Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


12-18-2004 6:47:24 PM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 444
ThreadCreationTime : 12-18-2004 11:51:15 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 524
ThreadCreationTime : 12-18-2004 11:51:19 PM
BasePriority : High


VX2 Object Recognized!
Type : Process
Data : e4020edoeh0c0.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\e4020edoeh0c0.dll)


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 572
ThreadCreationTime : 12-18-2004 11:51:20 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 588
ThreadCreationTime : 12-18-2004 11:51:20 PM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 760
ThreadCreationTime : 12-18-2004 11:51:21 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 832
ThreadCreationTime : 12-18-2004 11:51:21 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1132
ThreadCreationTime : 12-18-2004 11:51:24 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:8 [blackd.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ProcessID : 1232
ThreadCreationTime : 12-18-2004 11:51:25 PM
BasePriority : Normal
FileVersion : 3.6.319
ProductVersion : 3.6
ProductName : Network ICE Corporation blackd
CompanyName : Internet Security Systems, Inc.
FileDescription : blackd
InternalName : BlackICE Daemon
LegalCopyright : Copyright ¨ 1999-200, Internet Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security Systems, Inc.
OriginalFilename : blackd.exe
Comments : Reverse engineering prohibited by license agreement

#:9 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1248
ThreadCreationTime : 12-18-2004 11:51:25 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cisvc.exe

#:10 [mcvsrte.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ProcessID : 1284
ThreadCreationTime : 12-18-2004 11:51:26 PM
BasePriority : Normal
FileVersion : 9, 0, 0, 10
ProductVersion : 9, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan Real-time Engine
InternalName : mcvsrte
LegalCopyright : Copyright © 1998-2003 Networks Associates Technology, Inc
OriginalFilename : mcvsrte.exe
Comments : McAfee VirusScan Real-time Engine

#:11 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1304
ThreadCreationTime : 12-18-2004 11:51:26 PM
BasePriority : Normal
FileVersion : 6.13.10.4106
ProductVersion : 6.13.10.4106
ProductName : NVIDIA Driver Helper Service, Version 41.06
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 41.06
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1340
ThreadCreationTime : 12-18-2004 11:51:26 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:13 [sssvr.exe]
FilePath : C:\Program Files\Sony\VAIO Media Music Server\
ProcessID : 1360
ThreadCreationTime : 12-18-2004 11:51:26 PM
BasePriority : Normal
FileVersion : 2.0.02.11130
ProductVersion : 2.0.02
ProductName : VAIO Media Music Server
CompanyName : Sony Corporation
FileDescription : VAIO Media Music Server
InternalName : SSSvr
LegalCopyright : Copyright 2002 Sony Corp.
OriginalFilename : SSSvr.exe
Comments : VAIO Media Music Server

#:14 [picappsrv.exe]
FilePath : C:\Program Files\Sony\Photo Server 20\appsrv\
ProcessID : 1504
ThreadCreationTime : 12-18-2004 11:51:30 PM
BasePriority : Normal


#:15 [gpvsvr.exe]
FilePath : C:\Program Files\Sony\giga pocket\
ProcessID : 1580
ThreadCreationTime : 12-18-2004 11:51:31 PM
BasePriority : Normal
FileVersion : 2, 0, 00, 07181
ProductVersion : 2, 0, 0, 0
ProductName : Giga Pocket
CompanyName : Sony Corporation
FileDescription : Giga Pocket Venus Server
InternalName : GPVSvr
LegalCopyright : Copyright 2002 Sony Corp.
LegalTrademarks : Giga Pocket
OriginalFilename : GPVSvr.EXE
Comments : July 8, 2002

#:16 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1708
ThreadCreationTime : 12-18-2004 11:51:33 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:17 [sv_httpd.exe]
FilePath : C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\
ProcessID : 1768
ThreadCreationTime : 12-18-2004 11:51:34 PM
BasePriority : Normal
FileVersion : 2.0.00.07170
ProductVersion : 2.0.00.07170
ProductName : SV_Httpd.exe
CompanyName : Sony Corporation
FileDescription : Sony HTTP Server
InternalName : SV_Httpd
LegalCopyright : Copyright 2002 Sony Corp.
OriginalFilename : SV_Httpd.exe

#:18 [sv_httpd.exe]
FilePath : C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\
ProcessID : 1816
ThreadCreationTime : 12-18-2004 11:51:35 PM
BasePriority : Normal
FileVersion : 2.0.00.07170
ProductVersion : 2.0.00.07170
ProductName : SV_Httpd.exe
CompanyName : Sony Corporation
FileDescription : Sony HTTP Server
InternalName : SV_Httpd
LegalCopyright : Copyright 2002 Sony Corp.
OriginalFilename : SV_Httpd.exe

#:19 [upnpframework.exe]
FilePath : C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\
ProcessID : 1848
ThreadCreationTime : 12-18-2004 11:51:35 PM
BasePriority : Normal
FileVersion : 2.0.02.11060
ProductVersion : 2.0.02.11060
ProductName : UPnPFramework.exe
CompanyName : Sony Corporation
FileDescription : Sony UPnP Framework
InternalName : UPnPFramework
LegalCopyright : Copyright 2002 Sony Corp.
OriginalFilename : UPnPFramework.exe

#:20 [upnpframework.exe]
FilePath : C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\
ProcessID : 1876
ThreadCreationTime : 12-18-2004 11:51:35 PM
BasePriority : Normal
FileVersion : 2.0.02.11060
ProductVersion : 2.0.02.11060
ProductName : UPnPFramework.exe
CompanyName : Sony Corporation
FileDescription : Sony UPnP Framework
InternalName : UPnPFramework
LegalCopyright : Copyright 2002 Sony Corp.
OriginalFilename : UPnPFramework.exe

#:21 [sv_httpd.exe]
FilePath : C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\
ProcessID : 2044
ThreadCreationTime : 12-18-2004 11:51:36 PM
BasePriority : Normal
FileVersion : 2.0.00.07170
ProductVersion : 2.0.00.07170
ProductName : SV_Httpd.exe
CompanyName : Sony Corporation
FileDescription : Sony HTTP Server
InternalName : SV_Httpd
LegalCopyright : Copyright 2002 Sony Corp.
OriginalFilename : SV_Httpd.exe

#:22 [upnpframework.exe]
FilePath : C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\
ProcessID : 200
ThreadCreationTime : 12-18-2004 11:51:37 PM
BasePriority : Normal
FileVersion : 2.0.02.11060
ProductVersion : 2.0.02.11060
ProductName : UPnPFramework.exe
CompanyName : Sony Corporation
FileDescription : Sony UPnP Framework
InternalName : UPnPFramework
LegalCopyright : Copyright 2002 Sony Corp.
OriginalFilename : UPnPFramework.exe

#:23 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 332
ThreadCreationTime : 12-18-2004 11:51:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

VX2 Object Recognized!
Type : Process
Data : reched32.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\reched32.dll)


#:24 [mcshield.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ProcessID : 1240
ThreadCreationTime : 12-18-2004 11:51:40 PM
BasePriority : High


#:25 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1780
ThreadCreationTime : 12-18-2004 11:51:42 PM
BasePriority : Normal
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

VX2 Object Recognized!
Type : Process
Data : reched32.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\reched32.dll)


#:26 [htpatch.exe]
FilePath : C:\WINDOWS\
ProcessID : 640
ThreadCreationTime : 12-18-2004 11:51:52 PM
BasePriority : Normal


#:27 [agrsmmsg.exe]
FilePath : C:\WINDOWS\
ProcessID : 780
ThreadCreationTime : 12-18-2004 11:51:52 PM
BasePriority : Normal
FileVersion : 2.1.25 2.1.25 02/14/2003 11:58:58
ProductVersion : 2.1.25 2.1.25 02/14/2003 11:58:58
ProductName : Agere SoftModem Messaging Applet
CompanyName : Agere Systems
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Agere Systems 1998-2000
OriginalFilename : smdmstat.exe

#:28 [mcagent.exe]
FilePath : C:\PROGRA~1\mcafee.com\agent\
ProcessID : 996
ThreadCreationTime : 12-18-2004 11:51:54 PM
BasePriority : Normal
FileVersion : 5, 0, 0, 2
ProductVersion : 5, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
LegalCopyright : Copyright © 2004 Networks Associates Technology, Inc.
OriginalFilename : mcagent.exe

#:29 [mcvsshld.exe]
FilePath : C:\PROGRA~1\mcafee.com\vso\
ProcessID : 1076
ThreadCreationTime : 12-18-2004 11:51:54 PM
BasePriority : Normal
FileVersion : 9, 0, 0, 7
ProductVersion : 9, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan ActiveShield Resource
InternalName : msvcshld
LegalCopyright : Copyright © 1998-2003 Networks Associates Technology, Inc
OriginalFilename : mcvsshld.exe
Comments : McAfee VirusScan ActiveShield Resource

#:30 [digstream.exe]
FilePath : C:\Program Files\DIGStream\
ProcessID : 1324
ThreadCreationTime : 12-18-2004 11:51:56 PM
BasePriority : Normal
FileVersion : 2.1.9.0003
ProductVersion : 2.1.9.0003
ProductName : DIGStream
CompanyName : Walt Disney Internet Group
FileDescription : DIGStream Cache Manager
InternalName : DIGStream.exe
LegalCopyright : Copyright © Walt Disney Internet Group.
OriginalFilename : digstream.exe
Comments : none

#:31 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1328
ThreadCreationTime : 12-18-2004 11:51:57 PM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:32 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 1352
ThreadCreationTime : 12-18-2004 11:51:58 PM
BasePriority : Normal
FileVersion : 4.5.0.31
ProductVersion : 4.5.0.31
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:33 [motivesb.exe]
FilePath : C:\PROGRA~1\SBCSEL~1\SMARTB~1\
ProcessID : 1336
ThreadCreationTime : 12-18-2004 11:51:59 PM
BasePriority : Normal
FileVersion : 5.6.7.asst_classic.smartbridge.20031210_035000
ProductVersion : 5.6.7.asst_classic.smartbridge
ProductName : Motive System
CompanyName : Motive Communications, Inc.
FileDescription : SBC Self Support Tool Alerts
InternalName : version
LegalCopyright : Copyright 1998-2003
OriginalFilename : version

#:34 [mcvsescn.exe]
FilePath : c:\progra~1\mcafee.com\vso\
ProcessID : 1888
ThreadCreationTime : 12-18-2004 11:52:02 PM
BasePriority : Normal
FileVersion : 9, 0, 0, 7
ProductVersion : 9, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan E-mail Scan Module
InternalName : mcvsescn
LegalCopyright : Copyright © 1998-2003 Networks Associates Technology, Inc
OriginalFilename : mcvsescn.EXE
Comments : McAfee VirusScan E-mail Scan Module

#:35 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 2052
ThreadCreationTime : 12-18-2004 11:52:05 PM
BasePriority : Normal
FileVersion : 4.7.2009
ProductVersion : Version 4.7
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 1997-2003
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:36 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2060
ThreadCreationTime : 12-18-2004 11:52:05 PM
BasePriority : Normal
FileVersion : 4.5.0.31
ProductVersion : 4.5.0.31
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:37 [w?wexec.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2164
ThreadCreationTime : 12-18-2004 11:52:08 PM
BasePriority : Normal


#:38 [blackice.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ProcessID : 2416
ThreadCreationTime : 12-18-2004 11:52:17 PM
BasePriority : Normal
FileVersion : 3.6.319
ProductVersion : 3.6
ProductName : Internet Security Systems, Inc. BlackICE
CompanyName : Internet Security Systems, Inc.
FileDescription : BlackICE MFC Application
InternalName : BlackICE
LegalCopyright : Copyright ¨ 1999-2004, Internet Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security Systems, Inc.
OriginalFilename : blackice.exe
Comments : Reverse engineering prohibited by license agreement

#:39 [usbsircs.exe]
FilePath : C:\Program Files\sony\giga pocket\
ProcessID : 2504
ThreadCreationTime : 12-18-2004 11:52:18 PM
BasePriority : Normal


#:40 [hpotdd01.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 2528
ThreadCreationTime : 12-18-2004 11:52:18 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Hewlett-Packard hpotdd01
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
LegalCopyright : Copyright © 2002
OriginalFilename : hpotdd01.exe

#:41 [naturalcolorload.exe]
FilePath : C:\Program Files\SEC\Natural Color\
ProcessID : 2576
ThreadCreationTime : 12-18-2004 11:52:19 PM
BasePriority : Normal
FileVersion : 2, 0, 1, 1
ProductVersion : 2, 0, 1, 1
ProductName : NaturalColorLoad
FileDescription : NaturalColorLoad
InternalName : NaturalColorLoad
LegalCopyright : Copyright © 2000
OriginalFilename : NaturalColorLoad.EXE

#:42 [hposol08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 2668
ThreadCreationTime : 12-18-2004 11:52:21 PM
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOSOL08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOSOL08.EXE
Comments : HP OfficeJet <Solar> Series COM Device Objects

#:43 [reservemodule.exe]
FilePath : C:\Program Files\Sony\giga pocket\
ProcessID : 3196
ThreadCreationTime : 12-18-2004 11:52:33 PM
BasePriority : Normal
FileVersion : 5, 0, 01, 10301
ProductVersion : 5, 0, 01
ProductName : Giga Pocket
CompanyName : Sony Corporation
FileDescription : Timer Recording Manager
InternalName : Timer Recording Manager
LegalCopyright : Copyright 1999, 2000, 2001, 2002, 2003 Sony Corp.
OriginalFilename : ReserveModule.exe
Comments : October 30, 2002

#:44 [vaserv.exe]
FilePath : C:\Program Files\Sony\VAIO Action Setup\
ProcessID : 3212
ThreadCreationTime : 12-18-2004 11:52:34 PM
BasePriority : Normal


#:45 [mcvsftsn.exe]
FilePath : c:\progra~1\mcafee.com\vso\
ProcessID : 3360
ThreadCreationTime : 12-18-2004 11:52:42 PM
BasePriority : Normal
FileVersion : 9, 0, 0, 0
ProductVersion : 9, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan Instant Messenger Scan Module
InternalName : mcvsftsn
LegalCopyright : Copyright © 1998-2003 Networks Associates Technology, Inc
OriginalFilename : mcvsftsn.EXE
Comments : McAfee VirusScan Instant Messenger Scan Module

#:46 [gps.exe]
FilePath : C:\Program Files\sony\giga pocket\
ProcessID : 3392
ThreadCreationTime : 12-18-2004 11:52:45 PM
BasePriority : Normal
FileVersion : 5.0.00.10210
ProductVersion : 5.0.01
ProductName : Giga Pocket
CompanyName : Sony Corporation
FileDescription : Giga Pocket Server
InternalName : GPS.exe
LegalCopyright : Copyright 2000, 2001, 2002, 2003 Sony Corp.
OriginalFilename : GPS.EXE
Comments : Oct 21, 2002

#:47 [sgpcom.exe]
FilePath : C:\PROGRA~1\Sony\GIGAPO~1\
ProcessID : 3432
ThreadCreationTime : 12-18-2004 11:52:47 PM
BasePriority : Normal
FileVersion : 1, 0, 1, 11060
ProductVersion : 5, 0
ProductName : Giga Pocket
CompanyName : Sony Corporation
FileDescription : Sgpcom
InternalName : Sgpcom
LegalCopyright : Copyright 2002, 2003 Sony Corp.
OriginalFilename : Sgpcom.EXE
Comments : November 06, 2002

#:48 [mpbtn.exe]
FilePath : C:\Program Files\SBC Self Support Tool\bin\
ProcessID : 3456
ThreadCreationTime : 12-18-2004 11:52:51 PM
BasePriority : Normal


#:49 [hpoevm08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 3560
ThreadCreationTime : 12-18-2004 11:52:55 PM
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOEVM08.EXE
Comments : HP OfficeJet COM Event Manager

#:50 [hpzipm12.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3756
ThreadCreationTime : 12-18-2004 11:53:01 PM
BasePriority : Normal
FileVersion : 6, 0, 0, 0
ProductVersion : 6, 0, 0, 0
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:51 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3948
ThreadCreationTime : 12-18-2004 11:53:12 PM
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:52 [hposts08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\
ProcessID : 888
ThreadCreationTime : 12-18-2004 11:54:02 PM
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOSTS08.EXE
Comments : HP OfficeJet Status

#:53 [wksss.exe]
FilePath : C:\Program Files\Microsoft Works\
ProcessID : 2660
ThreadCreationTime : 12-18-2004 11:54:46 PM
BasePriority : Normal
FileVersion : 7.02.0628.0
ProductVersion : 7.02.0628.0
ProductName : Microsoft® Works 7.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Spreadsheet
InternalName : WksSS
LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.
OriginalFilename : WksSS.exe

#:54 [msworks.exe]
FilePath : C:\Program Files\Microsoft Works\
ProcessID : 2600
ThreadCreationTime : 12-18-2004 11:54:49 PM
BasePriority : Normal
FileVersion : 7.02.0620.0
ProductVersion : 7.02.0620.0
ProductName : Microsoft® Works 7.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Task Launcher
InternalName : MSWORKS
LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.
OriginalFilename : MSWorks.exe

#:55 [cidaemon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3788
ThreadCreationTime : 12-18-2004 11:59:11 PM
BasePriority : Idle
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cidaemon.exe

#:56 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3680
ThreadCreationTime : 12-19-2004 2:47:13 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Disk Scan Result for C:\WINDOWS\System32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Disk Scan Result for C:\DOCUME~1\ADAMST~1\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch
Warning!
Bad Hosts file entry:69.20.16.183:auto.search.msn.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:auto.search.msn.com
Warning!
Bad Hosts file entry:69.20.16.183:search.netscape.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:search.netscape.com
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
3609 entries scanned.
New critical objects:6
Objects found so far: 9



MRU List Object Recognized!
Location: : S-1-5-21-1653260272-2731057741-1425571382-1005\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-1653260272-2731057741-1425571382-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1653260272-2731057741-1425571382-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1653260272-2731057741-1425571382-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : S-1-5-21-1653260272-2731057741-1425571382-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Documents and Settings\Adam Stein\recent
Description : list of recently opened documents



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 19

6:51:56 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:04:32.906
Objects scanned:80854
Objects identified:7
Objects ignored:0
New critical objects:7



HiJackThis logfile:

Logfile of HijackThis v1.99.0
Scan saved at 7:36:46 PM, on 12/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\w?wexec.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Sony\giga pocket\ReserveModule.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vaio.net/everquest/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [McAgentexe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McUpdateexe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [B8IJ8IACN] C:\documents and settings\adam stein\local settings\temp\B8IJ8IACN.exe
O4 - HKLM\..\Run: [7] C:\documents and settings\adam stein\local settings\temp\7.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Noin] C:\WINDOWS\System32\w?wexec.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://ciscdb.sel.so...ct/VaioInfo.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,21/mcgdmgr.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72DC004C-1378-4165-8E19-FA25240067F5}: NameServer = 206.13.28.12 206.13.29.12
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) - Unknown - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (Application) - Sony Corporation - C:\Program Files\Sony\giga pocket\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
  • 0

#3
admin
Posted 19 December 2004 - 12:09 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.

  • 0

#4
neo_fightr
Posted 19 December 2004 - 07:32 PM

neo_fightr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I appreciate your help. The finditnt2000.zip output is below.

Still getting the RUNDLL error associated with Umonitor after I reboot and scan my computer with Ad-aware. I'm determined to beat this thing...

***********

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Adam Stein\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

12/18/2004 07:44 PM 224,047 p46slej71ho.dll
12/18/2004 06:47 PM 223,769 o284lclq1fqe.dll
12/17/2004 09:59 PM 224,700 en8ql1l51.dll
12/17/2004 08:36 PM 224,085 lvn6095se.dll
12/13/2004 11:50 PM 223,119 cmnfmsp.dll
12/13/2004 11:50 PM 224,626 kt0ql7d51.dll
12/13/2004 10:10 PM 223,052 dlvacm.dll
12/06/2004 01:53 PM 226,136 cQtsrv.dll
12/05/2004 03:50 PM 224,356 o4lule391h.dll
11/30/2004 12:42 AM 223,698 k462lejo1hoc.dll
11/28/2004 06:38 PM 223,579 n64s0gh7e64.dll
11/26/2004 12:59 PM 224,890 n8n6li5s18.dll
11/26/2004 03:50 AM 512 ZcnkQa8.6fx
11/24/2004 06:48 AM 389,120 w?wexec.exe
12/04/2002 06:34 PM <DIR> Microsoft
14 File(s) 3,079,689 bytes
1 Dir(s) 3,449,679,872 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

11/26/2004 03:50 AM 512 ZcnkQa8.6fx
11/24/2004 06:48 AM 389,120 w?wexec.exe
12/04/2002 06:22 PM 488 WindowsLogon.manifest
12/04/2002 06:22 PM 488 logonui.exe.manifest
12/04/2002 06:22 PM 749 sapi.cpl.manifest
12/04/2002 06:22 PM 749 wuaucpl.cpl.manifest
12/04/2002 06:22 PM 749 nwc.cpl.manifest
12/04/2002 06:22 PM 749 ncpa.cpl.manifest
12/04/2002 06:22 PM 749 cdplayer.exe.manifest
9 File(s) 394,353 bytes
0 Dir(s) 3,449,679,872 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

12/19/2004 05:01 PM 225,502 guard.tmp
1 File(s) 225,502 bytes
0 Dir(s) 3,449,675,776 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

12/19/2004 05:01 PM 225,502 guard.tmp
08/29/2002 04:00 AM 2,577 CONFIG.TMP
2 File(s) 228,079 bytes
0 Dir(s) 3,449,671,680 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{91FD0940-6FEB-4271-87D0-5AA1B250357E}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irn4l55q1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
cmnfmsp.dll Mon Dec 13 2004 11:50:44p ..S.R 223,119 217.89 K
cqtsrv.dll Mon Dec 6 2004 1:53:34p ..S.R 226,136 220.84 K
dlvacm.dll Mon Dec 13 2004 10:10:16p ..S.R 223,052 217.82 K
en8ql1~1.dll Fri Dec 17 2004 9:59:46p ..S.R 224,700 219.43 K
k462le~1.dll Tue Nov 30 2004 12:42:06a ..S.R 223,698 218.45 K
kt0ql7~1.dll Mon Dec 13 2004 11:50:44p ..S.R 224,626 219.36 K
lvn609~1.dll Fri Dec 17 2004 8:36:36p ..S.R 224,085 218.83 K
n64s0g~1.dll Sun Nov 28 2004 6:38:26p ..S.R 223,579 218.34 K
n8n6li~1.dll Fri Nov 26 2004 12:59:22p ..S.R 224,890 219.62 K
o284lc~1.dll Sat Dec 18 2004 6:47:46p ..S.R 223,769 218.52 K
o4lule~1.dll Sun Dec 5 2004 3:50:14p ..S.R 224,356 219.10 K
p46sle~1.dll Sat Dec 18 2004 7:44:18p ..S.R 224,047 218.79 K
wwexec~1.exe Wed Nov 24 2004 6:48:06a ..SHR 389,120 380.00 K
zcnkqa8.6fx Fri Nov 26 2004 3:50:20a ..SH. 512 0.50 K

14 items found: 14 files, 0 directories.
Total of file sizes: 3,079,689 bytes 2.93 M

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"SiS Tray"=""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"AGRSMMSG"="AGRSMMSG.exe"
"CTHelper"="CTHELPER.EXE"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"McAgentexe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe files\\mcafee.com\\agent\\mcagent.exe"
"McUpdateexe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
@=""
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"B8IJ8IACN"="C:\\documents and settings\\adam stein\\local settings\\temp\\B8IJ8IACN.exe"
"7"="C:\\documents and settings\\adam stein\\local settings\\temp\\7.exe"



  • 0

#5
admin
Posted 20 December 2004 - 12:55 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\p46slej71ho.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\o284lclq1fqe.dll
    • C:\WINDOWS\System32\en8ql1l51.dll
    • C:\WINDOWS\System32\lvn6095se.dll
    • C:\WINDOWS\System32\cmnfmsp.dll
    • C:\WINDOWS\System32\kt0ql7d51.dll
    • C:\WINDOWS\System32\dlvacm.dll
    • C:\WINDOWS\System32\cQtsrv.dll
    • C:\WINDOWS\System32\o4lule391h.dll
    • C:\WINDOWS\System32\k462lejo1hoc.dll
    • C:\WINDOWS\System32\n64s0gh7e64.dll
    • C:\WINDOWS\System32\n8n6li5s18.dll
    • C:\WINDOWS\System32\irn4l55q1.dll
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • Double-click on find.bat and post the new output.txt.

  • 0

#6
neo_fightr
Posted 20 December 2004 - 11:04 AM

neo_fightr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi again-
You don't know how much I *appreciate* your help!

The find.bat output is below. I will also include a HiJackThis logfile in a new post.

This thing morphs like crazy and should be called UMonster. Unfortunately, after running the killbox and doing all the step replacements, I still got a RUNDLL error on this reboot, with the exception due to

C:\WINDOWS\System32\IzkEd.dll, "UMonitor"

*********************

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Adam Stein\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

12/20/2004 08:37 AM 225,502 IzkEd.dll
12/20/2004 08:34 AM 56 fppo0373e.dll
12/19/2004 06:18 PM 225,502 irrql5951.dll
11/26/2004 03:50 AM 512 ZcnkQa8.6fx
11/24/2004 06:48 AM 389,120 w?wexec.exe
12/04/2002 06:34 PM <DIR> Microsoft
5 File(s) 840,692 bytes
1 Dir(s) 3,374,825,472 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

11/26/2004 03:50 AM 512 ZcnkQa8.6fx
11/24/2004 06:48 AM 389,120 w?wexec.exe
12/04/2002 06:22 PM 488 WindowsLogon.manifest
12/04/2002 06:22 PM 488 logonui.exe.manifest
12/04/2002 06:22 PM 749 sapi.cpl.manifest
12/04/2002 06:22 PM 749 wuaucpl.cpl.manifest
12/04/2002 06:22 PM 749 nwc.cpl.manifest
12/04/2002 06:22 PM 749 ncpa.cpl.manifest
12/04/2002 06:22 PM 749 cdplayer.exe.manifest
9 File(s) 394,353 bytes
0 Dir(s) 3,374,825,472 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

08/29/2002 04:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,374,817,280 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{91FD0940-6FEB-4271-87D0-5AA1B250357E}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irrql5951.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
fppo03~1.dll Mon Dec 20 2004 8:34:06a ..S.R 56 0.05 K
irrql5~1.dll Sun Dec 19 2004 6:18:10p ..S.R 225,502 220.21 K
izked.dll Mon Dec 20 2004 8:37:10a ..S.R 225,502 220.21 K
wwexec~1.exe Wed Nov 24 2004 6:48:06a ..SHR 389,120 380.00 K
zcnkqa8.6fx Fri Nov 26 2004 3:50:20a ..SH. 512 0.50 K

5 items found: 5 files, 0 directories.
Total of file sizes: 840,692 bytes 820.99 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"SiS Tray"=""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"AGRSMMSG"="AGRSMMSG.exe"
"CTHelper"="CTHELPER.EXE"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"McAgentexe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe files\\mcafee.com\\agent\\mcagent.exe"
"McUpdateexe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
@=""
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"B8IJ8IACN"="C:\\documents and settings\\adam stein\\local settings\\temp\\B8IJ8IACN.exe"
"7"="C:\\documents and settings\\adam stein\\local settings\\temp\\7.exe"



  • 0

#7
neo_fightr
Posted 20 December 2004 - 11:07 AM

neo_fightr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here's my HiJackThis logfile too:

Logfile of HijackThis v1.99.0
Scan saved at 9:06:19 AM, on 12/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\w?wexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Sony\giga pocket\ReserveModule.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vaio.net/everquest/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [McAgentexe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McUpdateexe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [B8IJ8IACN] C:\documents and settings\adam stein\local settings\temp\B8IJ8IACN.exe
O4 - HKLM\..\Run: [7] C:\documents and settings\adam stein\local settings\temp\7.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Noin] C:\WINDOWS\System32\w?wexec.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://ciscdb.sel.so...ct/VaioInfo.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,21/mcgdmgr.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72DC004C-1378-4165-8E19-FA25240067F5}: NameServer = 206.13.28.12 206.13.29.12
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) - Unknown - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (Application) - Sony Corporation - C:\Program Files\Sony\giga pocket\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
  • 0

#8
neo_fightr
Posted 20 December 2004 - 11:15 AM

neo_fightr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I like the snowflakes and reflective ice theme on the site - cool.

One other thing:

Ever since I got this UMonitor, it seems my computer's Recycle Bin is permanently "filled". When I try to Empty it, the message "Do you want to delete these 40 items?" appears every time.

This could be totally unrelated, so let me know if I should post this on a different forum.
  • 0

#9
admin
Posted 20 December 2004 - 03:29 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
This often takes a couple tries to remove, and the corrupt Recycle bin is another symptom... we'll ge to it.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [B8IJ8IACN] C:\documents and settings\adam stein\local settings\temp\B8IJ8IACN.exe
O4 - HKLM\..\Run: [7] C:\documents and settings\adam stein\local settings\temp\7.exe
O4 - HKCU\..\Run: [Noin] C:\WINDOWS\System32\w?wexec.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

C:\WINDOWS\System32\w?wexec.exe
C:\Program Files\UpromiseRemindU <- this folder
C:\Program Files\Ebates_MoeMoneyMaker <- this folder

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

Reboot your PC.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\IzkEd.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\fppo0373e.dll
    • C:\WINDOWS\System32\irrql5951.dll
    • C:\WINDOWS\System32\ZcnkQa8.6fx
    • C:\WINDOWS\System32\w?wexec.exe
    • C:\WINDOWS\System32\irrql5951.dll
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • Double-click on find.bat and post the new output.txt

  • 0

#10
neo_fightr
Posted 20 December 2004 - 11:50 PM

neo_fightr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
OK i followed the last post's steps (twice). Here's what I encountered:

The first time, while in HiJackThis, the following files did not come up (so I couldn't "x" them & fix them):

01 - Hosts: 69.20.16.183 ieautosearch
C:\WINDOWS\System32\w?wexec.exe
C:\Program Files\UpromiseRemindU
C:\Program Files\Ebates_MoeMoneyMaker

(I used windows explorer to search my computer for the above three C:\ files but couldn't find them that way either). After finishing all other instructions, I ran the find.bat & noticed the Guard.tmp file still in the log.

So I repeated the entire post instructions a second time. For the second attempt in HiJackThis, none of the original "x" items showed up. And my 2nd HiJackThis log still lists "Guard.tmp" on the C: drive.

am i missing something?

I will post each log in a separate reply (hope that's easier to read).

Thanks again for your help.
  • 0

#11
neo_fightr
Posted 20 December 2004 - 11:52 PM

neo_fightr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
My first HiJackThis log:


Logfile of HijackThis v1.99.0
Scan saved at 7:43:29 PM, on 12/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\w?wexec.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sony\giga pocket\ReserveModule.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vaio.net/everquest/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [McAgentexe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McUpdateexe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [B8IJ8IACN] C:\documents and settings\adam stein\local settings\temp\B8IJ8IACN.exe
O4 - HKLM\..\Run: [7] C:\documents and settings\adam stein\local settings\temp\7.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Noin] C:\WINDOWS\System32\w?wexec.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://ciscdb.sel.so...ct/VaioInfo.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,21/mcgdmgr.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) - Unknown - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (Application) - Sony Corporation - C:\Program Files\Sony\giga pocket\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
  • 0

#12
neo_fightr
Posted 20 December 2004 - 11:53 PM

neo_fightr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
my first findit output:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Adam Stein\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

11/24/2004 06:48 AM 389,120 w?wexec.exe
12/04/2002 06:34 PM <DIR> Microsoft
1 File(s) 389,120 bytes
1 Dir(s) 5,301,600,256 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

11/24/2004 06:48 AM 389,120 w?wexec.exe
12/04/2002 06:22 PM 488 WindowsLogon.manifest
12/04/2002 06:22 PM 488 logonui.exe.manifest
12/04/2002 06:22 PM 749 sapi.cpl.manifest
12/04/2002 06:22 PM 749 nwc.cpl.manifest
12/04/2002 06:22 PM 749 wuaucpl.cpl.manifest
12/04/2002 06:22 PM 749 ncpa.cpl.manifest
12/04/2002 06:22 PM 749 cdplayer.exe.manifest
8 File(s) 393,841 bytes
0 Dir(s) 5,301,600,256 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

12/20/2004 08:08 PM 56 Guard.tmp
1 File(s) 56 bytes
0 Dir(s) 5,301,596,160 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

12/20/2004 08:08 PM 56 Guard.tmp
08/29/2002 04:00 AM 2,577 CONFIG.TMP
2 File(s) 2,633 bytes
0 Dir(s) 5,301,592,064 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{91FD0940-6FEB-4271-87D0-5AA1B250357E}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fppo0373e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
wwexec~1.exe Wed Nov 24 2004 6:48:06a ..SHR 389,120 380.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 389,120 bytes 380.00 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"SiS Tray"=""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"AGRSMMSG"="AGRSMMSG.exe"
"CTHelper"="CTHELPER.EXE"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"McAgentexe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe files\\mcafee.com\\agent\\mcagent.exe"
"McUpdateexe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
@=""
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"



  • 0

#13
neo_fightr
Posted 20 December 2004 - 11:53 PM

neo_fightr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
my 2nd hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 8:26:20 PM, on 12/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\DIGStream\digstream.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Sony\giga pocket\ReserveModule.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vaio.net/everquest/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [McAgentexe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McUpdateexe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: strings.exe
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://ciscdb.sel.so...ct/VaioInfo.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,21/mcgdmgr.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) - Unknown - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (Application) - Sony Corporation - C:\Program Files\Sony\giga pocket\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
  • 0

#14
neo_fightr
Posted 20 December 2004 - 11:54 PM

neo_fightr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
my 2nd findit output

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Adam Stein\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

11/24/2004 06:48 AM 389,120 w?wexec.exe
12/04/2002 06:34 PM <DIR> Microsoft
1 File(s) 389,120 bytes
1 Dir(s) 5,300,699,136 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

11/24/2004 06:48 AM 389,120 w?wexec.exe
12/04/2002 06:22 PM 488 WindowsLogon.manifest
12/04/2002 06:22 PM 488 logonui.exe.manifest
12/04/2002 06:22 PM 749 sapi.cpl.manifest
12/04/2002 06:22 PM 749 nwc.cpl.manifest
12/04/2002 06:22 PM 749 wuaucpl.cpl.manifest
12/04/2002 06:22 PM 749 ncpa.cpl.manifest
12/04/2002 06:22 PM 749 cdplayer.exe.manifest
8 File(s) 393,841 bytes
0 Dir(s) 5,300,699,136 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

12/20/2004 08:43 PM 56 Guard.tmp
1 File(s) 56 bytes
0 Dir(s) 5,300,695,040 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is FC1B-D472

Directory of C:\WINDOWS\System32

12/20/2004 08:43 PM 56 Guard.tmp
08/29/2002 04:00 AM 2,577 CONFIG.TMP
2 File(s) 2,633 bytes
0 Dir(s) 5,300,690,944 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{91FD0940-6FEB-4271-87D0-5AA1B250357E}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fppo0373e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
wwexec~1.exe Wed Nov 24 2004 6:48:06a ..SHR 389,120 380.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 389,120 bytes 380.00 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"SiS Tray"=""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"AGRSMMSG"="AGRSMMSG.exe"
"CTHelper"="CTHELPER.EXE"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"McAgentexe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe files\\mcafee.com\\agent\\mcagent.exe"
"McUpdateexe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
@=""
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"



  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP