HijackLog



#1 pico90 (New Member, 4 posts)
I'm getting all kinds of popups on this computer. I've run lots of anti-spyware and adware software, I have the System Mechanic pop-up stopper running, I erased everything I found with Ad-Aware and I have Ad-Watch open, and I still get annoying popups coming up. I'm at a point where I find myself with no resources. Here's my HijackThis log and I hope someone could help me with this problem; I really appreciate it.

LOG:
Logfile of HijackThis v1.99.0
Scan saved at 9:12:16 PM, on 12/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cmtgtgdul...rd3xKfHDKJ.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jhdctglte...vqm5h9qIR8.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
O4 - HKLM\..\Run: [SpyBlocs3.0] C:\Program Files\SpyBlocsv3.0\SpyBlocs3.0.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvwor32.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exe"
O4 - HKCU\..\Run: [Thunk open] C:\DOCUME~1\User\APPLIC~1\EXTRAS~1\Pile Store Dart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ykunyn.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\system32\angelex.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#2 admin (Founder Geek, Administrator, 24,501 posts)
Welcome pico90 to Geeks to Go. This is a nasty new infection that seems to be spreading fast. An automated solution is being worked on, but until that is done it requires a rather complex multi-step process. We'll walk you through it.
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.


#3 pico90 (New Member, Topic Starter, 4 posts)
Thanks for the quick help. Here's the log that came out when I ran the program you told me to use...

LOG:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\My Downloads\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 8CEB-9231

Directory of C:\WINDOWS\System32

12/25/2004 04:08 AM 225,281 hkhipr09.dll
12/25/2004 04:08 AM 222,755 irr0l59m1.dll
12/24/2004 11:52 PM 225,281 aza0059me.dll
12/24/2004 11:45 PM 223,209 hp0023dmg.dll
12/24/2004 11:37 PM 225,247 jtpo0773e.dll
12/24/2004 03:08 PM 224,525 enn0l15m1.dll
12/24/2004 03:01 PM 225,087 gpj6l31s1.dll
12/24/2004 02:49 PM 224,446 s2pu0c79ef.dll
12/23/2004 09:52 PM 223,506 hrr0059me.dll
12/22/2004 01:14 PM <DIR> dllcache
12/22/2004 09:38 AM 225,337 p84u0ih9e84.dll
12/22/2004 09:32 AM 225,337 lvp4097qe.dll
12/21/2004 12:09 PM 225,337 dnr8019ue.dll
12/20/2004 10:04 PM 225,337 p4p6le7s1h.dll
12/20/2004 12:52 PM 225,337 ir02l5do1.dll
12/20/2004 01:10 AM 225,337 irrql5951.dll
12/19/2004 06:17 PM 224,680 lvr4099qe.dll
12/14/2004 11:12 AM 224,680 en46l1hs1.dll
12/08/2004 11:16 PM 224,680 h6l20g3oe6.dll
12/08/2004 06:14 PM 224,680 p8n80i5ue8.dll
12/08/2004 05:58 PM 224,680 j4n20e5oeh.dll
12/08/2004 11:15 AM 224,680 r08s0al7edq.dll
12/07/2004 12:17 AM 224,680 e0jm0a11ed.dll
12/05/2004 01:58 PM 223,250 lv0q09d5e.dll
11/06/2004 07:45 PM <DIR> Microsoft
08/04/2004 12:56 AM 11,776 regsvr32.exe
08/04/2004 12:56 AM 83,456 olepro32.dll
08/04/2004 12:56 AM 553,472 oleaut32.dll
08/04/2004 12:56 AM 1,028,096 mfc42.dll
08/04/2004 12:56 AM 54,784 msvcirt.dll
08/04/2004 12:56 AM 413,696 msvcp60.dll
08/04/2004 12:56 AM 343,040 msvcrt.dll
30 File(s) 7,655,689 bytes
2 Dir(s) 66,521,362,432 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 8CEB-9231

Directory of C:\WINDOWS\System32

12/22/2004 01:14 PM <DIR> dllcache
11/06/2004 07:39 PM 488 logonui.exe.manifest
11/06/2004 07:39 PM 488 WindowsLogon.manifest
11/06/2004 07:39 PM 749 cdplayer.exe.manifest
11/06/2004 07:39 PM 749 sapi.cpl.manifest
11/06/2004 07:39 PM 749 wuaucpl.cpl.manifest
11/06/2004 07:39 PM 749 nwc.cpl.manifest
11/06/2004 07:39 PM 749 ncpa.cpl.manifest
08/04/2004 12:56 AM 11,776 regsvr32.exe
08/04/2004 12:56 AM 553,472 oleaut32.dll
08/04/2004 12:56 AM 83,456 olepro32.dll
08/04/2004 12:56 AM 54,784 msvcirt.dll
08/04/2004 12:56 AM 1,028,096 mfc42.dll
08/04/2004 12:56 AM 343,040 msvcrt.dll
08/04/2004 12:56 AM 413,696 msvcp60.dll
14 File(s) 2,493,041 bytes
1 Dir(s) 66,521,358,336 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 8CEB-9231

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 8CEB-9231

Directory of C:\WINDOWS\System32


---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A5E4CA86-AF44-415E-BF1D-7C2F75CDB3E0}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\aza0059me.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
aza005~1.dll Fri Dec 24 2004 11:52:18p ..S.R 225,281 220.00 K
cdplay~1.man Sat Nov 6 2004 7:39:30p A..HR 749 0.73 K
dnr801~1.dll Tue Dec 21 2004 12:09:04p ..S.R 225,337 220.05 K
e0jm0a~1.dll Tue Dec 7 2004 12:17:04a ..S.R 224,680 219.41 K
en46l1~1.dll Tue Dec 14 2004 11:12:16a ..S.R 224,680 219.41 K
enn0l1~1.dll Fri Dec 24 2004 3:08:52p ..S.R 224,525 219.26 K
gpj6l3~1.dll Fri Dec 24 2004 3:01:04p ..S.R 225,087 219.81 K
h6l20g~1.dll Wed Dec 8 2004 11:16:46p ..S.R 224,680 219.41 K
hkhipr09.dll Sat Dec 25 2004 4:08:28a ..S.R 225,281 220.00 K
hp0023~1.dll Fri Dec 24 2004 11:45:24p ..S.R 223,209 217.98 K
hrr005~1.dll Thu Dec 23 2004 9:52:14p ..S.R 223,506 218.27 K
ir02l5~1.dll Mon Dec 20 2004 12:52:46p ..S.R 225,337 220.05 K
irr0l5~1.dll Sat Dec 25 2004 4:08:28a ..S.R 222,755 217.53 K
irrql5~1.dll Mon Dec 20 2004 1:10:50a ..S.R 225,337 220.05 K
j4n20e~1.dll Wed Dec 8 2004 5:58:30p ..S.R 224,680 219.41 K
jtpo07~1.dll Fri Dec 24 2004 11:37:30p ..S.R 225,247 219.96 K
logonu~1.man Sat Nov 6 2004 7:39:36p A..HR 488 0.48 K
lv0q09~1.dll Sun Dec 5 2004 1:58:46p ..S.R 223,250 218.02 K
lvp409~1.dll Wed Dec 22 2004 9:32:52a ..S.R 225,337 220.05 K
lvr409~1.dll Sun Dec 19 2004 6:17:44p ..S.R 224,680 219.41 K
ncpacp~1.man Sat Nov 6 2004 7:39:30p A..HR 749 0.73 K
nwccpl~1.man Sat Nov 6 2004 7:39:30p A..HR 749 0.73 K
p4p6le~1.dll Mon Dec 20 2004 10:04:02p ..S.R 225,337 220.05 K
p84u0i~1.dll Wed Dec 22 2004 9:38:02a ..S.R 225,337 220.05 K
p8n80i~1.dll Wed Dec 8 2004 6:14:48p ..S.R 224,680 219.41 K
r08s0a~1.dll Wed Dec 8 2004 11:15:24a ..S.R 224,680 219.41 K
s2pu0c~1.dll Fri Dec 24 2004 2:49:06p ..S.R 224,446 219.18 K
sapicp~1.man Sat Nov 6 2004 7:39:30p A..HR 749 0.73 K
window~1.man Sat Nov 6 2004 7:39:36p A..HR 488 0.48 K
wuaucp~1.man Sat Nov 6 2004 7:39:30p A..HR 749 0.73 K

30 items found: 30 files, 0 directories.
Total of file sizes: 5,172,090 bytes 4.93 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\glypgp.dll: updates.qoologic.com
C:\WINDOWS\system32\plzqpq.exe: updates.qoologic.com
C:\WINDOWS\system32\zioaza.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\Incinerator.dll: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\qwavqv.dat: .aspack
C:\WINDOWS\system32\yvikyk.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ykunyn.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SStb.exe"="SStb.exe"
"AWMON"="\"C:\\PROGRA~1\\Lavasoft\\AD-AWA~1\\Ad-Watch.exe\""
"kalvsys"="C:\\windows\\system32\\kalvwor32.exe"
"Narrator"="C:\\WINDOWS\\system32\\yvikyk.exe"
"SpyBlocs3.0"="C:\\Program Files\\SpyBlocsv3.0\\SpyBlocs3.0.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

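The "Keys Under Notify" dump above carries the tell-tale entry: every stock subkey names a Windows DLL by bare filename (the hex(2) values decode to crypt32.dll, cryptnet.dll, wlnotify.dll and so on), while Themes points at a full path to a randomly named DLL in system32. As an added example, not code from the thread or from the Find It tool, this script parses a REGEDIT4 dump of that shape, decodes the hex(2) values, and flags any Notify subkey whose DllName is a path or is not on an allow-list of stock XP notify DLLs (the allow-list and the sample dump are assumptions constructed for the example).

```python
import re

# Winlogon Notify DLLs shipped with Windows XP. This allow-list is an assumption
# made for the example; extend it for your own build before relying on it.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample: a cut-down copy of the Notify dump posted in this thread.
SAMPLE_DUMP = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\aza0059me.dll"
"Logon"="WinLogon"
"""


def decode_reg_value(raw):
    """Decode a REGEDIT4 value: a "quoted string" (\\\\ and \\" escapes) or a
    hex(2) REG_EXPAND_SZ byte list; dword: and other types are returned as-is."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\(2\):([0-9a-fA-F,\s]+)$", raw)
    if m:
        data = bytes(int(b, 16) for b in re.sub(r"\s", "", m.group(1)).split(",") if b)
        # REGEDIT4 (unlike "Version 5.00") exports strings as single-byte ANSI,
        # NUL-terminated; keep only the part before the terminator.
        return data.split(b"\x00")[0].decode("latin-1")
    return raw


def _logical_lines(text):
    """Yield lines with REGEDIT4 backslash continuations joined (long hex values wrap)."""
    buf = ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        yield buf + stripped
        buf = ""


def parse_notify_keys(text):
    """Return {subkey: {value_name_lower: decoded_value}} for every Notify\\<subkey>."""
    prefix = NOTIFY_KEY.lower() + "\\"
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = path[len(prefix):] if path.lower().startswith(prefix) else None
            if current:
                keys[current] = {}
        elif current and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"').lower()] = decode_reg_value(value)
    return keys


def suspicious_notify_entries(text):
    """Flag Notify subkeys whose DllName is a path or a DLL not on the allow-list."""
    findings = []
    for subkey, values in parse_notify_keys(text).items():
        dll = values.get("dllname")
        if dll and ("\\" in dll or dll.lower() not in KNOWN_NOTIFY_DLLS):
            findings.append((subkey, dll))
    return findings


if __name__ == "__main__":
    for subkey, dll in suspicious_notify_entries(SAMPLE_DUMP):
        print(f"suspicious Notify\\{subkey}: DllName = {dll}")
```

Run against the full dump above it flags only the Themes subkey; a stock XP export yields nothing.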

#4 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Download and unzip:
http://www.downloads...org/KillBox.zip
Run KillBox and paste each of these lines into the box, select "Delete on reboot", then press the red X button. When it says reboot now, say no and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.

C:\WINDOWS\System32\hkhipr09.dll
C:\WINDOWS\System32\irr0l59m1.dll
C:\WINDOWS\System32\hp0023dmg.dll
C:\WINDOWS\System32\jtpo0773e.dll
C:\WINDOWS\System32\enn0l15m1.dll
C:\WINDOWS\System32\gpj6l31s1.dll
C:\WINDOWS\System32\s2pu0c79ef.dll
C:\WINDOWS\System32\hrr0059me.dll
C:\WINDOWS\System32\p84u0ih9e84.dll
C:\WINDOWS\System32\lvp4097qe.dll
C:\WINDOWS\System32\dnr8019ue.dll
C:\WINDOWS\System32\p4p6le7s1h.dll
C:\WINDOWS\System32\ir02l5do1.dll
C:\WINDOWS\System32\irrql5951.dll
C:\WINDOWS\System32\lvr4099qe.dll
C:\WINDOWS\System32\en46l1hs1.dll
C:\WINDOWS\System32\h6l20g3oe6.dll
C:\WINDOWS\System32\p8n80i5ue8.dll
C:\WINDOWS\System32\j4n20e5oeh.dll
C:\WINDOWS\System32\r08s0al7edq.dll
C:\WINDOWS\System32\e0jm0a11ed.dll
C:\WINDOWS\System32\lv0q09d5e.dll
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\system32\aza0059me.dll <= save till last

After the reboot, copy the part in bold below into Notepad. Save the file as vx2uawn.reg (set file type to "All files").

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A5E4CA86-AF44-415E-BF1D-7C2F75CDB3E0}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]


Double-click that file and confirm you want to merge it with the registry.

Post a new log when you are done.

Regards,

Pieter

#5 pico90 (New Member, Topic Starter, 4 posts)
Thanks for the help. I already followed the instructions, but I still have some problems, like the browser suddenly changing to another website.
Here's my log right now:

Logfile of HijackThis v1.99.0
Scan saved at 12:21:55 PM, on 12/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\yvikyk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hjldnalwpzr.c...rd3xKfHDKJ.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jhdctglte...vqm5h9qIR8.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvwor32.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exe"
O4 - HKCU\..\Run: [Thunk open] C:\DOCUME~1\User\APPLIC~1\EXTRAS~1\Pile Store Dart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hjldnalwpzr.c...rd3xKfHDKJ.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jhdctglte...vqm5h9qIR8.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SStb.exe] SStb.exe

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvwor32.exe

O4 - HKCU\..\Run: [Thunk open] C:\DOCUME~1\User\APPLIC~1\EXTRAS~1\Pile Store Dart.exe

Download LSPfix here: http://www.cexx.org/lspfix.htm
Launch the application, and click the "I know what I'm doing" checkbox.
Check all instances of calsp.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish.

Reboot after doing so, preferably into safe mode and delete:
C:\DOCUMENTS AND SETTINGS\User\APPLICATION DATA\EXTRAS~1 <= the entire folder that holds Pile Store Dart.exe
C:\windows\system32\kalvwor32.exe

Then boot normally, surf to http://www.kaspersky.com/scanforvirus and have this file checked:
C:\WINDOWS\system32\yvikyk.exe

Then look in the Task Scheduler and look for files with names like:
A60D57949086CF90
AF8FF26590B06B8D

Let me know the properties for those tasks, so I can advise what else needs to be removed.
Also post a new FindIt and HijackThis log.

Regards,

Pieter