#1
Determined Dave (Member, 56 posts)
I got a Christmas present that I can't get rid of. My computer began running slower and then suddenly I was getting many pop-ups. I run Computer Associates Firewall and Antivirus. I also have their PestPatrol software. I tried Ad-Aware but found it didn't seem to remove all pests after a reboot and I got frustrated when they didn't return my inquiry via e-mail for 23 days. I have run and re-run thorough PestPatrol scans and followed some of their advice on getting rid of pests. I've emptied all cookies and temp files from safe mode and re-run PestPatrol afterward. I've still got pop-ups.

If you would help me find the HijackThis software I would be most grateful to run a log and submit it here for more help. Please walk me through what you might need to help me determine how to exterminate my pests.

Thanks
Dave


#2
thelostguru (Member, 44 posts)
HijackThis Log
Read this page. The link to download HijackThis is on this page too.

-=TheLostGuru=- :tazz:

#3
Determined Dave (Topic Starter, Member, 56 posts)
Thank you!
To follow is my first log. I have only run PestPatrol, have not downloaded any of the other programs mentioned on the page you recommended as yet. So here's the log as it exists now.
I appreciate your help.
Dave

Logfile of HijackThis v1.98.2
Scan saved at 12:05:17 PM, on 12/29/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\netconfg.exe
C:\WINDOWS\system32\nbnoraj.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\mmups.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\WINDOWS\TEMP\ICD1.tmp\svcmm32.exe
C:\Program Files\Bcpc\bcpc.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\winupdt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [rs3i34l] netconfg.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdtl.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bargain-b...er_ICMEDIAX.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - https://quicken.ehos...s/custappx3.CAB
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...99/sdcregie.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.co...file=stamps.cab
O16 - DPF: {CE185270-53A5-11D9-9669-0800200C9A66} - http://www.ouchvideo...mviewer_ic2.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-mo.../cabs/alien.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
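The log above is the kind of thing the helpers in this thread read by eye. As an added example (not code from the thread, from Geeks to Go, or from HijackThis itself), the script below parses HijackThis entry lines and applies a few defender-side heuristics for the indicator classes that this particular log shows: O1 hosts-file entries pointing search domains at a non-loopback address, O4 Run values that launch a bare file name or a file sitting directly in the Windows folder or a TEMP folder, O10 Winsock LSP files HijackThis could not identify, and O16 ActiveX downloads from a bare IP address. The sample lines are copied from the log in the thread; the heuristics and the `Finding` type are this example's own, not HijackThis rules, and a clean result does not mean a clean machine.

```python
"""HijackThis log triage (added example; not code from the thread, from
Geeks to Go, or from HijackThis itself).

HijackThis prints one entry per line: a section code (R0/R1, O1, O4, O10,
O16, ...), then " - ", then the entry body. This parser splits those lines
and applies heuristics drawn from the indicator classes visible in the
thread's log. The heuristics are this example's own, not HijackThis rules."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [rs3i34l] netconfg.exe
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdtl.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r".*?:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Hosts entries that sink a name to loopback are a common ad-blocking trick, not a hijack.
LOOPBACK = {"127.0.0.1", "0.0.0.0"}


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def parse_entries(text):
    """Yield (kind, body) for every HijackThis entry line in the log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def executable_of(cmd):
    """First token of a Run command: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def check_entry(kind, body):
    """Return a reason string if the entry trips a heuristic, else None."""
    if kind == "O1":
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        if m and m.group(1) not in LOOPBACK:
            return f"hosts file sends {m.group(2)} to {m.group(1)}"
    elif kind == "O4":
        m = RUN_RE.match(body)
        if m:
            exe = executable_of(m.group("cmd"))
            if "\\" not in exe:
                # A bare name is resolved by PATH search, which is how netconfg.exe hides.
                return f"Run value [{m.group('name')}] launches bare name {exe} (PATH search)"
            parent = exe.rsplit("\\", 1)[0].lower()
            if parent == "c:\\windows" or "\\temp\\" in exe.lower():
                return f"Run value [{m.group('name')}] launches from {parent}"
    elif kind == "O10":
        return "Winsock LSP file not recognised: " + body.split(":", 1)[1].strip()
    elif kind == "O16":
        m = re.search(r"https?://([^/\s]+)", body)
        if m and IPV4_RE.fullmatch(m.group(1)):
            return f"ActiveX control downloaded from bare IP {m.group(1)}"
    return None


def triage(text):
    """Run the heuristics over a log; return de-duplicated findings in log order."""
    findings, seen = [], set()
    for kind, body in parse_entries(text):
        reason = check_entry(kind, body)
        if reason and (kind, reason) not in seen:
            seen.add((kind, reason))
            findings.append(Finding(kind, reason, f"{kind} - {body}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. Note that the O4 rule deliberately does not flag files inside `system32`, because legitimate startup entries live there too; the winupdtl.exe entry in this log would need a file reputation check rather than a path rule.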

#4
-=jonnyrotten=- (Retired Staff, 2,678 posts)
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
-=jonnyrotten=- :tazz:

#5
Determined Dave (Topic Starter, Member, 56 posts)
Jonnyrotten, thank you for your interest. As requested, here is the output.txt log from FindIt.
Dave
~~~~~~~~~~~~
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Downloads\FindIt\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0

Directory of C:\WINDOWS\System32

12/28/2004 02:13 PM 225,871 guard.tmp
12/28/2004 01:41 PM 222,853 n0r2la9o1d.dll
12/28/2004 01:34 PM 222,607 lvrs0997e.dll
12/28/2004 01:26 PM 222,575 hrls0537e.dll
12/28/2004 01:03 PM 225,871 hrn8055ue.dll
12/28/2004 09:03 AM 225,016 oquninst.dll
12/28/2004 07:46 AM 225,811 p88q0il5e8q.dll
12/27/2004 08:59 AM <DIR> dllcache
03/10/2004 07:31 PM <DIR> Microsoft
7 File(s) 1,570,604 bytes
2 Dir(s) 126,830,657,536 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0

Directory of C:\WINDOWS\System32

12/28/2004 01:42 PM 238 vsconfig.xml
12/27/2004 09:35 AM <DIR> vmss
12/27/2004 08:59 AM <DIR> dllcache
04/12/2004 01:56 PM 4,212 zllictbl.dat
03/10/2004 04:42 PM 488 WindowsLogon.manifest
03/10/2004 04:42 PM 488 logonui.exe.manifest
03/10/2004 04:42 PM 749 ncpa.cpl.manifest
03/10/2004 04:42 PM 749 nwc.cpl.manifest
03/10/2004 04:42 PM 749 sapi.cpl.manifest
03/10/2004 04:42 PM 749 wuaucpl.cpl.manifest
03/10/2004 04:42 PM 749 cdplayer.exe.manifest
9 File(s) 9,171 bytes
2 Dir(s) 126,830,649,344 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0

Directory of C:\WINDOWS\System32

12/28/2004 02:13 PM 225,871 guard.tmp
1 File(s) 225,871 bytes
0 Dir(s) 126,830,649,344 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0

Directory of C:\WINDOWS\System32

12/28/2004 02:13 PM 225,871 guard.tmp
08/23/2001 06:00 AM 2,577 CONFIG.TMP
2 File(s) 228,448 bytes
0 Dir(s) 126,830,645,248 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8E211105-A36B-4135-ABBC-A9D4073AC330}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrn8055ue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
guard.tmp Tue Dec 28 2004 2:13:58p ..S.R 225,871 220.57 K
hrls05~1.dll Tue Dec 28 2004 1:26:46p ..S.R 222,575 217.36 K
hrn805~1.dll Tue Dec 28 2004 1:03:04p ..S.R 225,871 220.57 K
lvrs09~1.dll Tue Dec 28 2004 1:34:28p ..S.R 222,607 217.39 K
n0r2la~1.dll Tue Dec 28 2004 1:41:50p ..S.R 222,853 217.63 K
oquninst.dll Tue Dec 28 2004 9:03:44a ..S.R 225,016 219.74 K
p88q0i~1.dll Tue Dec 28 2004 7:46:56a ..S.R 225,811 220.52 K
vsconfig.xml Tue Dec 28 2004 1:42:30p A..H. 238 0.23 K

8 items found: 8 files, 0 directories.
Total of file sizes: 1,570,842 bytes 1.50 M

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\randreco.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VetTray"="C:\\PROGRA~1\\CA\\ETRUST~1\\ETRUST~1\\VetTray.exe"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"EPSON Stylus CX5200"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P19 \"EPSON Stylus CX5200\" /O6 \"USB001\" /M \"Stylus CX5200\""
"rs3i34l"="netconfg.exe"
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust PestPatrol\\PPActiveDetection.exe\""
"mediamotor.exe"="C:\\WINDOWS\\mmups.exe"
"winupdtl"="C:\\WINDOWS\\system32\\winupdtl.exe"
"CSV10P70"="C:\\Program Files\\CSBB\\CSv10P070.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#6
-=jonnyrotten=- (Retired Staff, 2,678 posts)
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\n0r2la9o1d.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\lvrs0997e.dll
    • C:\WINDOWS\System32\hrls0537e.dll
    • C:\WINDOWS\System32\hrn8055ue.dll
    • C:\WINDOWS\System32\oquninst.dll
    • C:\WINDOWS\System32\p88q0il5e8q.dll
    • C:\WINDOWS\System32\zllictbl.dat
    • C:\WINDOWS\System32\randreco.exe
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • You may get this message>>>"Pending File Rename Operations Registry Data has been Removed by External Process!" This is okay, you will just have to manually restart your pc.
  • Double-click on find.bat and post the new output.txt.
-=jonnyrotten=- :tazz:

#7
Determined Dave (Topic Starter, Member, 56 posts)
Johnny, thank you so much for your help... unfortunately there are new developments... things were looking really good until my 15-year-old daughter went on the computer and used AIM (AOL Instant Messenger). She says that's all she did. After I got back to the computer (she has her own username on Windows XP and I was still logged on <switch user> while she was also logged on) later I had tons of alerts from eTrust EZ Antivirus and PestPatrol with tons of new bugs found. She swears all she did was go and chat on AIM. So, I have run a new log from FindIt for you to scan. I'm going to go try to follow the instructions given above. Until then, please read this latest log and see if your instructions have changed. Also, the computer is practically unusable because every 10 seconds I get an alert from eTrust EZ Antivirus that says two viruses have been found... the alert reads as follows... "eTrust EZ Antivirus real-time protection has found that C:\windows\system32\kalvjwd32.exe is Win32.Startpage.KR trojan" and also the same message for C:\WINDOWS\system32\error32.dat. The odd thing is that when I browse to that location I do not see kalvjwd32 in that directory. error32.dat is there and supposedly the last scan found it and deleted it but it's still there. I thank you so much for your assistance. These two alerts come up every 10 seconds and are set to stay on top of all other pages. I ran a virus scan but it did not clear up these alert windows that pop up.
~~~~~~~~~~~~~~~~
Here is the latest log...

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Downloads\FindIt\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0

Directory of C:\WINDOWS\System32

12/30/2004 12:40 AM 222,853 hrn8055ue.dll
12/29/2004 11:59 PM 223,467 j4j60e1seh.dll
12/28/2004 02:13 PM 225,871 m6280gfue6280.dll
12/28/2004 01:34 PM 222,607 lvrs0997e.dll
12/28/2004 01:26 PM 222,575 hrls0537e.dll
12/28/2004 09:03 AM 225,016 oquninst.dll
12/28/2004 07:46 AM 225,811 p88q0il5e8q.dll
12/27/2004 08:59 AM <DIR> dllcache
03/10/2004 07:31 PM <DIR> Microsoft
7 File(s) 1,568,200 bytes
2 Dir(s) 126,777,729,024 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0

Directory of C:\WINDOWS\System32

12/30/2004 12:14 AM 238 vsconfig.xml
12/27/2004 09:35 AM <DIR> vmss
12/27/2004 08:59 AM <DIR> dllcache
04/12/2004 01:56 PM 4,212 zllictbl.dat
03/10/2004 04:42 PM 488 WindowsLogon.manifest
03/10/2004 04:42 PM 488 logonui.exe.manifest
03/10/2004 04:42 PM 749 ncpa.cpl.manifest
03/10/2004 04:42 PM 749 nwc.cpl.manifest
03/10/2004 04:42 PM 749 sapi.cpl.manifest
03/10/2004 04:42 PM 749 wuaucpl.cpl.manifest
03/10/2004 04:42 PM 749 cdplayer.exe.manifest
9 File(s) 9,171 bytes
2 Dir(s) 126,777,720,832 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0

Directory of C:\WINDOWS\System32

08/23/2001 06:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 126,777,716,736 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8E211105-A36B-4135-ABBC-A9D4073AC330}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j4j60e1seh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
hrls05~1.dll Tue Dec 28 2004 1:26:46p ..S.R 222,575 217.36 K
hrn805~1.dll Thu Dec 30 2004 12:40:54a ..S.R 222,853 217.63 K
j4j60e~1.dll Wed Dec 29 2004 11:59:52p ..S.R 223,467 218.23 K
lvrs09~1.dll Tue Dec 28 2004 1:34:28p ..S.R 222,607 217.39 K
m6280g~1.dll Tue Dec 28 2004 2:13:58p ..S.R 225,871 220.57 K
oquninst.dll Tue Dec 28 2004 9:03:44a ..S.R 225,016 219.74 K
p88q0i~1.dll Tue Dec 28 2004 7:46:56a ..S.R 225,811 220.52 K
vsconfig.xml Thu Dec 30 2004 12:14:30a A..H. 238 0.23 K

8 items found: 8 files, 0 directories.
Total of file sizes: 1,568,438 bytes 1.49 M

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\randreco.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VetTray"="C:\\PROGRA~1\\CA\\ETRUST~1\\ETRUST~1\\VetTray.exe"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"EPSON Stylus CX5200"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P19 \"EPSON Stylus CX5200\" /O6 \"USB001\" /M \"Stylus CX5200\""
"rs3i34l"="netconfg.exe"
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust PestPatrol\\PPActiveDetection.exe\""
"mediamotor.exe"="C:\\WINDOWS\\mmups.exe"
"winupdtl"="C:\\WINDOWS\\system32\\winupdtl.exe"
"CSV10P70"="C:\\Program Files\\CSBB\\CSv10P070.exe"
"kalvsys"="C:\\windows\\system32\\kalvjwd32.exe"
"Desktop Search"="C:\\WINDOWS\\isrvs\\desktop.exe"
"ffis"="C:\\WINDOWS\\isrvs\\ffisearch.exe"
"USB controller"="\"C:\\WINDOWS\\TEMP\\ICD1.tmp\\svcmm32.exe\" /startup"
"vmss"="C:\\WINDOWS\\system32\\vmss\\vmss.exe"
"satmat"="C:\\WINDOWS\\satmat.exe"
"hpmncc"="C:\\WINDOWS\\system32\\hpmncc.exe"
"fvkiyc"="C:\\WINDOWS\\system32\\fvkiyc.exe"
"Dvx"="C:\\WINDOWS\\system32\\wsxsvc\\wsxsvc.exe"
"BCPC"="\"C:\\Program Files\\Bcpc\\bcpc.exe\""
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Watch.exe\""
"aldoexxm"="C:\\WINDOWS\\system32\\nbnoraj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



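In both Find It logs in this thread (posts #5 and #7), the part that matters most is the "Keys Under Notify" section: every subkey under `HKLM\...\Winlogon\Notify` names a DLL that winlogon.exe loads at logon and calls on logon, logoff and shutdown events, so a DLL registered there runs before the user's shell and survives reboots. In the first log that was `hrn8055ue.dll` under `StillImage`; in the second it is `j4j60e1seh.dll` under `H323TSP`, and in both cases the malicious entries are the only ones whose `DllName` is a full path rather than a bare system DLL name. As an added example (not code from the thread, from Geeks to Go, or from the Find It tool), the script below parses the REGEDIT4 text Find It prints, decodes the `hex(2)` (REG_EXPAND_SZ) `DllName` values, and reports Notify packages that break the bare-name convention. `KNOWN_BARE` is this example's own allow-list built from the DLL names in the thread's logs, not an authoritative Windows list, and the sample is a shortened copy of the section in post #7.

```python
"""Winlogon Notify triage for the "Keys Under Notify" section of a Find It
output.txt (added example; not code from the thread, from Geeks to Go, or
from the Find It tool).

Reads a REGEDIT4 export, decodes hex(2) DllName values, and flags Notify
packages whose DllName is an explicit path or an unknown bare name.
KNOWN_BARE is an allow-list assembled from this thread's logs only."""
import re

# Constructed sample: four of the Notify subkeys from the thread's second Find It log.
SAMPLE = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j4j60e1seh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Logoff"="TSEventLogoff"
"""

HEADER_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')
NOTIFY_ROOT = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"
# Bare DLL names seen under Notify in the thread's logs (example allow-list, not authoritative).
KNOWN_BARE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}


def decode_value(raw):
    """Turn a REGEDIT4 value literal into a Python value."""
    if raw.startswith("hex(2):") or raw.startswith("hex:"):
        # REGEDIT4 exports are ANSI, so the bytes decode directly; drop the trailing NUL.
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b.strip())
        return data.decode("latin-1").rstrip("\x00")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_regedit4(text):
    """Return {key_path: {value_name: value}} for every [key] block in the export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key"), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group("name")] = decode_value(m.group("raw"))
    return keys


def suspicious_notify_packages(text):
    """List (subkey, dll, handlers) for Notify packages outside the bare-name convention."""
    out = []
    for key, values in parse_regedit4(text).items():
        if not key.startswith(NOTIFY_ROOT):
            continue
        subkey = key[len(NOTIFY_ROOT):]
        # The value name appears as both "DllName" and "DLLName" in real exports.
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            continue
        if "\\" not in dll and dll.lower() in KNOWN_BARE:
            continue
        handlers = {n: v for n, v in values.items()
                    if isinstance(v, str) and n.lower() != "dllname"}
        out.append((subkey, dll, handlers))
    return out


if __name__ == "__main__":
    for subkey, dll, handlers in suspicious_notify_packages(SAMPLE):
        print(f"{subkey}: {dll} -> {handlers}")
```

Feed it the whole output.txt (`suspicious_notify_packages(open("output.txt").read())`); sections other than the Notify export are ignored because their keys do not start with `NOTIFY_ROOT`. The subkey name itself (`StillImage`, `H323TSP`, `App Management`) is chosen to look like a Windows component, which is why the check keys on the DLL value rather than on the name.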

#8
-=jonnyrotten=- (Retired Staff, 2,678 posts)
Does your daughter have an Administrator account too? Or is it limited? If she has admin privileges you will need to post logs for all admin accounts or else everything will be infected from each one. You are infected with the same thing again.... by the way. I will have further instructions soon. Hang tight.

-=jonnyrotten=-

#9
Determined Dave (Topic Starter, Member, 56 posts)
Johnny,
None of the files you asked me to delete using killbox show up in C:\WINDOWS\system32 directory. Do I need to go in somewhere and tell windows to show hidden files and folders?
Thanks!
Dave

#10
Determined Dave (Topic Starter, Member, 56 posts)
I hesitate to admit, I don't know what kind of account she has. I just put her name in when I was installing Windows XP, it could be an administrator account.
:::looking down... kicking dust with the toe of my shoe:::
Dave


#11
-=jonnyrotten=- (Retired Staff, 2,678 posts)
It's ok, go to Control Panel, User Accounts. It will list all your accounts and the type next to them. Let me know what type she has. It is most likely administrator, so this means you will have to do this for your account and any other admin accounts. It would be a good idea to have only one admin account and the rest limited. Anyways, we'll talk about that later, let's just fix what's happening now. In the meantime don't change any of the accounts, also I wouldn't suggest letting anyone else on until this is clear. I'm helping as quick as I can, there's a lot of others with this same infection lately. I will have further instructions in my next post.

-=jonnyrotten=- :tazz:

Use the killbox to delete these files in the same manner as you did before:

C:\WINDOWS\system32\hrn8055ue.dll
j4j60e1seh.dll
m6280gfue6280.dll
lvrs0997e.dll
hrls0537e.dll
oquninst.dll
p88q0il5e8q.dll
zllictbl.dat
randreco.exe

They're all in the c:\windows\system32 directory. When finished post a new output.txt log.

#12
Determined Dave (Topic Starter, Member, 56 posts)
Here's the latest log.... THANKS!
Dave
~~~~~~~~~~~~
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Downloads\FindIt\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0

Directory of C:\WINDOWS\System32

12/27/2004 08:59 AM <DIR> dllcache
03/10/2004 07:31 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 126,789,238,784 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0

Directory of C:\WINDOWS\System32

12/30/2004 08:52 AM 238 vsconfig.xml
12/30/2004 08:52 AM 4,212 zllictbl.dat
12/27/2004 09:35 AM <DIR> vmss
12/27/2004 08:59 AM <DIR> dllcache
03/10/2004 04:42 PM 488 WindowsLogon.manifest
03/10/2004 04:42 PM 488 logonui.exe.manifest
03/10/2004 04:42 PM 749 ncpa.cpl.manifest
03/10/2004 04:42 PM 749 nwc.cpl.manifest
03/10/2004 04:42 PM 749 sapi.cpl.manifest
03/10/2004 04:42 PM 749 wuaucpl.cpl.manifest
03/10/2004 04:42 PM 749 cdplayer.exe.manifest
9 File(s) 9,171 bytes
2 Dir(s) 126,789,234,688 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0

Directory of C:\WINDOWS\System32

12/30/2004 02:02 AM 223,467 guard.tmp
1 File(s) 223,467 bytes
0 Dir(s) 126,789,234,688 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is DSK1_VOL1
Volume Serial Number is 2C5C-7AC0

Directory of C:\WINDOWS\System32

12/30/2004 02:02 AM 223,467 guard.tmp
08/23/2001 06:00 AM 2,577 CONFIG.TMP
2 File(s) 226,044 bytes
0 Dir(s) 126,789,230,592 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8E211105-A36B-4135-ABBC-A9D4073AC330}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrn8055ue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
vsconfig.xml Thu Dec 30 2004 8:52:26a A..H. 238 0.23 K
zllictbl.dat Thu Dec 30 2004 8:52:18a ...H. 4,212 4.11 K

2 items found: 2 files, 0 directories.
Total of file sizes: 4,450 bytes 4.34 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VetTray"="C:\\PROGRA~1\\CA\\ETRUST~1\\ETRUST~1\\VetTray.exe"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"EPSON Stylus CX5200"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P19 \"EPSON Stylus CX5200\" /O6 \"USB001\" /M \"Stylus CX5200\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust PestPatrol\\PPActiveDetection.exe\""
"mediamotor.exe"="C:\\WINDOWS\\mmups.exe"
"winupdtl"="C:\\WINDOWS\\system32\\winupdtl.exe"
"CSV10P70"="C:\\Program Files\\CSBB\\CSv10P070.exe"
"kalvsys"="C:\\windows\\system32\\kalvjwd32.exe"
"Desktop Search"="C:\\WINDOWS\\isrvs\\desktop.exe"
"ffis"="C:\\WINDOWS\\isrvs\\ffisearch.exe"
"USB controller"="\"C:\\WINDOWS\\TEMP\\ICD1.tmp\\svcmm32.exe\" /startup"
"vmss"="C:\\WINDOWS\\system32\\vmss\\vmss.exe"
"satmat"="C:\\WINDOWS\\satmat.exe"
"hpmncc"="C:\\WINDOWS\\system32\\hpmncc.exe"
"fvkiyc"="C:\\WINDOWS\\system32\\fvkiyc.exe"
"Dvx"="C:\\WINDOWS\\system32\\wsxsvc\\wsxsvc.exe"
"BCPC"="\"C:\\Program Files\\Bcpc\\bcpc.exe\""
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Watch.exe\""
"aldoexxm"="C:\\WINDOWS\\system32\\nbnoraj.exe"
"rs3i34l"="wmpip32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#13
Determined Dave
Oh... I have three other users of this computer besides me. And they are all currently set up as administrators. Two of the four don't chat or use it hardly at all. I have not changed any user settings as yet, as you suggest.
If I snooze eTrust EZ Antivirus Real-Time protection I can use my machine. If I have real-time protection running, those alert windows come up every 10 seconds causing me to interrupt anything I am doing.

I can't tell you how much this helps to have this assistance. I'd be lost without it. If you'd rather do this directly in e-mail let me know. I realize others can learn from the open posting but this is sounding like it is going to be more complicated with multiple users etc... anyway. Thanks a lot!

#14
admin
Email support defeats the purpose of a forum. All support will be provided here. Besides, we've done it many times, and trust me, it works better. :tazz:

#15
-=jonnyrotten=-
Please use the killbox to remove this file in the same way as usual.

c:\windows\system32\zllictbl.dat

Copy and paste the quoted text below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8E211105-A36B-4135-ABBC-A9D4073AC330}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


Reboot normally and post a new Hijack This log.

-=jonnyrotten=- :tazz:
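The entry the FixVX2.reg above deletes is the one Winlogon\Notify subkey in Dave's log whose DllName points at a random-looking DLL in system32 rather than a notification package Windows itself installs. As an added example (not from the thread or from any of the tools it uses), here is a small Python script that reads a REGEDIT4 export of those keys and flags such entries; the sample export and the known-good list are constructed here from the log and match Windows XP, so the list would need adjusting for other versions.

```python
import re

# Constructed sample modelled on the Winlogon\Notify dump in the log (REGEDIT4 format).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrn8055ue.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
'''

# Notification DLLs that ship with Windows XP (the legitimate entries seen in the log).
KNOWN_GOOD = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}


def decode_value(raw):
    """Decode a REGEDIT4 value: a quoted string (with \\ and \" escapes) or a
    hex(2): byte list, which is how REG_EXPAND_SZ values are exported."""
    if raw.startswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].replace("\\", "").split(",") if b.strip())
        return data.split(b"\x00", 1)[0].decode("latin-1")  # stop at the NUL terminator
    return raw


def parse_notify(text):
    """Return {subkey: dll} for every Winlogon\\Notify subkey in the export."""
    entries, key = {}, None
    for line in text.splitlines():
        m = re.match(r'^\[-?HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]$', line, re.I)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"DLLName"=(.*)$', line, re.I)  # key name case varies in the log
        if m and key:
            entries[key] = decode_value(m.group(1))
    return entries


def suspicious_notify(text):
    """Flag subkeys whose DLL (by file name) is not a known notification package."""
    return {k: v for k, v in parse_notify(text).items()
            if v.split("\\")[-1].lower() not in KNOWN_GOOD}
```

Multi-line hex(2) values (continued with a trailing backslash in some exports) are not joined here, so join those lines first if your export uses them.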