VX2, I need some help very badly!



#1
bcpettit

    New Member

  • Member
  • Pip
  • 9 posts
I've got this hellacious malware stuff. I would appreciate any help you guys could give me. Thanks.

Ben

Here's what it looks like right now.


Logfile of HijackThis v1.99.0
Scan saved at 11:07:48 AM, on 12/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
C:\Program Files\NCR\TDAT\TGTW\05.00.00.00\bin\GtwRsrvTdmst.exe
D:\Program Files\NCR\BYNET Software\blmsvc.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
D:\Program Files\NCR\Teradata Warehouse Builder\bin\portmap.exe
D:\WINDOWS\Explorer.EXE
C:\Program Files\NCR\TDAT\PDE\05.00.00.11\bin\pdeinetd.exe
D:\Program Files\NCR\Teradata Warehouse Builder\bin\pipcd.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\System32\wkogqu.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\cmd.exe
D:\WINDOWS\system32\ntvdm.exe
D:\WINDOWS\system32\strings.exe
D:\WINDOWS\system32\find.exe
D:\Documents and Settings\Benjamin Pettit\Desktop\Trouble\hijackthis199.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\system32\uxpgw.dll/sp.html#32526
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\uxpgw.dll/sp.html#32526
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: strings.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\calsp.dll
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O23 - Service: BYNET - NCR - D:\Program Files\NCR\BYNET Software\blmsvc.exe
O23 - Service: Teradata GTW Reserve Port - NCR - C:\Program Files\NCR\TDAT\TGTW\05.00.00.00\bin\GtwRsrvTdmst.exe
O23 - Service: McAfee.com McShield - Unknown - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ONC RPC Portmapper - Unknown - D:\Program Files\NCR\Teradata Warehouse Builder\bin\portmap.exe
O23 - Service: Teradata inetd Service - Unknown - C:\Program Files\NCR\TDAT\PDE\05.00.00.11\bin\pdeinetd.exe
O23 - Service: PIPC Daemon - Unknown - D:\Program Files\NCR\Teradata Warehouse Builder\bin\pipcd.exe
O23 - Service: Teradata Database Initiator (recond) - Unknown - C:\Program Files\NCR\TDAT\PDE\05.00.00.11\bin\recond.exe
O23 - Service: TDQM Server - NCR - D:\Program Files\NCR\Teradata DQM\server\tdqmserv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - D:\WINDOWS\system32\ZoneLabs\vsmon.exe








Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
Applets
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{E9BE5817-6E11-4654-AF4F-6158E5A9E22F}







Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: D:\Documents and Settings\Benjamin Pettit\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive D is Windows
Volume Serial Number is 68BB-B90E

Directory of D:\WINDOWS\System32

12/29/2004 10:46 AM 223,026 j44oleh31h4.dll
12/29/2004 10:41 AM 222,745 ir24l5fq1.dll
12/24/2004 09:36 PM 225,554 hr0o05d3e.dll
12/24/2004 08:41 PM <DIR> dllcache
12/24/2004 08:38 PM 222,985 p26s0cj7efo.dll
12/23/2004 01:35 PM 224,860 hrj4051qe.dll
12/11/2004 10:48 AM 223,438 cousapi.dll
10/28/2004 08:44 PM <DIR> Microsoft
6 File(s) 1,342,608 bytes
2 Dir(s) 2,192,547,840 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D is Windows
Volume Serial Number is 68BB-B90E

Directory of D:\WINDOWS\System32

12/29/2004 10:56 AM 890 vsconfig.xml
12/27/2004 05:15 PM 4,212 zllictbl.dat
12/24/2004 08:41 PM <DIR> dllcache
2 File(s) 5,102 bytes
1 Dir(s) 2,192,547,840 bytes free

---------- Files Named "Guard" -------------

Volume in drive D is Windows
Volume Serial Number is 68BB-B90E

Directory of D:\WINDOWS\System32

12/29/2004 10:56 AM 222,745 guard.tmp
1 File(s) 222,745 bytes
0 Dir(s) 2,192,547,840 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive D is Windows
Volume Serial Number is 68BB-B90E

Directory of D:\WINDOWS\System32

12/29/2004 10:56 AM 222,745 guard.tmp
12/11/2004 01:01 AM 0 ~GLH0014.TMP
09/22/2004 06:46 PM 2,362,104 SET7A.tmp
09/22/2004 06:46 PM 1,027,072 SET77.tmp
09/22/2004 06:46 PM 229,376 SET6A.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH0019.TMP
03/31/2003 07:00 AM 2,577 CONFIG.TMP
03/13/2001 02:50 PM 2,494 ~GLH0009.TMP
8 File(s) 5,082,848 bytes
0 Dir(s) 2,192,543,744 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E9BE5817-6E11-4654-AF4F-6158E5A9E22F}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\ir24l5fq1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

D:\WINDOWS\SYSTEM32\
cousapi.dll Sat Dec 11 2004 10:49:00a ..S.R 223,438 218.20 K
hr0o05~1.dll Fri Dec 24 2004 9:36:08p ..S.R 225,554 220.27 K
hrj405~1.dll Thu Dec 23 2004 1:35:26p ..S.R 224,860 219.59 K
ir24l5~1.dll Wed Dec 29 2004 10:41:40a ..S.R 222,745 217.52 K
j44ole~1.dll Wed Dec 29 2004 10:46:08a ..S.R 223,026 217.80 K
p26s0c~1.dll Fri Dec 24 2004 8:38:40p ..S.R 222,985 217.76 K
vsconfig.xml Wed Dec 29 2004 10:56:06a A..H. 890 0.87 K
zllictbl.dat Mon Dec 27 2004 5:15:04p ...H. 4,212 4.11 K

8 items found: 8 files, 0 directories.
Total of file sizes: 1,347,710 bytes 1.29 M

------------ Strings.exe Qoologic Results ------------

D:\WINDOWS\system32\cpzqiu.dll: updates.qoologic.com
D:\WINDOWS\system32\eaunsp.dll: updates.qoologic.com
D:\WINDOWS\system32\hqmaxu.exe: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

D:\WINDOWS\system32\installer.exe: .aspack
D:\WINDOWS\system32\pvykgu.dat: .aspack
D:\WINDOWS\system32\wkogqu.exe: .aspack
D:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hnpifg.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="\"d:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"d:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="d:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="D:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Narrator"="D:\\WINDOWS\\System32\\wkogqu.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



PLEASE HELP!
  • 0



#2
-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
  1. Download the Pocket Killbox.
  2. Unzip the contents of KillBox.zip to a convenient location.
  3. Double-click on KillBox.exe.
  4. Click "Replace on Reboot" and check the "Use Dummy" box.
  5. Paste this file into the top "Full Path of File to Delete" box.
    • D:\WINDOWS\System32\j44oleh31h4.dll
  6. Click the "Delete File" button which looks like a stop sign.
  7. Click "Yes" at the Replace on Reboot prompt.
  8. Click "No" at the Pending Operations prompt.
  9. Repeat steps 4-8 above for these files:
    • D:\WINDOWS\System32\ir24l5fq1.dll
    • D:\WINDOWS\System32\hr0o05d3e.dll
    • D:\WINDOWS\System32\p26s0cj7efo.dll
    • D:\WINDOWS\System32\hrj4051qe.dll
    • D:\WINDOWS\System32\cousapi.dll
    • D:\WINDOWS\System32\zllictbl.dat
    • D:\WINDOWS\System32\cpzqiu.dll
    • D:\WINDOWS\System32\eaunsp.dll
    • D:\WINDOWS\System32\hqmaxu.exe
    • D:\WINDOWS\System32\pvykgu.dat
    • D:\WINDOWS\System32\wkogqu.exe
    • D:\WINDOWS\System32\installer.exe
    • D:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hnpifg.exe
  10. Click "Replace on Reboot" and check the "Use Dummy" box.
  11. Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  12. Click the "Delete File" button which looks like a stop sign.
  13. Click "Yes" at the Replace on Reboot prompt.
  14. Click "Yes" at the Pending Operations prompt to restart your computer.
  15. You may get this message>>>"Pending File Rename Operations Registry Data has been Removed by External Process!" This is okay, you will just have to manually restart your pc.
  16. Double-click on find.bat and post the new output.txt.
-=jonnyrotten=- :tazz:
  • 0

#3
bcpettit

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: D:\Documents and Settings\Benjamin Pettit\Desktop\Trouble\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive D is Windows
Volume Serial Number is 68BB-B90E

Directory of D:\WINDOWS\System32

12/29/2004 03:23 PM 224,873 LCPCT11N.DLL
12/29/2004 03:20 PM 223,026 dnj0011me.dll
12/29/2004 01:17 PM 224,873 kt48l7hu1.dll
12/24/2004 08:41 PM <DIR> dllcache
10/28/2004 08:44 PM <DIR> Microsoft
3 File(s) 672,772 bytes
2 Dir(s) 2,254,880,768 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D is Windows
Volume Serial Number is 68BB-B90E

Directory of D:\WINDOWS\System32

12/29/2004 03:23 PM 4,212 zllictbl.dat
12/29/2004 03:21 PM 890 vsconfig.xml
12/24/2004 08:41 PM <DIR> dllcache
2 File(s) 5,102 bytes
1 Dir(s) 2,254,880,768 bytes free

---------- Files Named "Guard" -------------

Volume in drive D is Windows
Volume Serial Number is 68BB-B90E

Directory of D:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive D is Windows
Volume Serial Number is 68BB-B90E

Directory of D:\WINDOWS\System32

12/11/2004 01:01 AM 0 ~GLH0014.TMP
09/22/2004 06:46 PM 2,362,104 SET7A.tmp
09/22/2004 06:46 PM 1,027,072 SET77.tmp
09/22/2004 06:46 PM 229,376 SET6A.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH0019.TMP
03/31/2003 07:00 AM 2,577 CONFIG.TMP
03/13/2001 02:50 PM 2,494 ~GLH0009.TMP
7 File(s) 4,860,103 bytes
0 Dir(s) 2,254,876,672 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E9BE5817-6E11-4654-AF4F-6158E5A9E22F}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\kt48l7hu1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

D:\WINDOWS\SYSTEM32\
dnj001~1.dll Wed Dec 29 2004 3:20:20p ..S.R 223,026 217.80 K
kt48l7~1.dll Wed Dec 29 2004 1:17:20p ..S.R 224,873 219.60 K
lcpct11n.dll Wed Dec 29 2004 3:23:12p ..S.R 224,873 219.60 K
vsconfig.xml Wed Dec 29 2004 3:21:38p A..H. 890 0.87 K
zllictbl.dat Wed Dec 29 2004 3:23:54p ...H. 4,212 4.11 K

5 items found: 5 files, 0 directories.
Total of file sizes: 677,874 bytes 661.98 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="\"d:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"d:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="d:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="D:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


Still seems to be infected. :tazz:
  • 0

#4
-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
You're definitely still infected, this was just a scan to help show what needs to be removed. Please follow the following instructions.
  1. Download the Pocket Killbox.
  2. Unzip the contents of KillBox.zip to a convenient location.
  3. Double-click on KillBox.exe.
  4. Click "Replace on Reboot" and check the "Use Dummy" box.
  5. Paste this file into the top "Full Path of File to Delete" box.
    • D:\WINDOWS\System32\LCPCT11N.DLL
  6. Click the "Delete File" button which looks like a stop sign.
  7. Click "Yes" at the Replace on Reboot prompt.
  8. Click "No" at the Pending Operations prompt.
  9. Repeat steps 4-8 above for these files:
    • D:\WINDOWS\System32\dnj0011me.dll
    • D:\WINDOWS\System32\kt48l7hu1.dll
    • D:\WINDOWS\System32\zllictbl.dat
  10. Click "Replace on Reboot" and check the "Use Dummy" box.
  11. Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  12. Click the "Delete File" button which looks like a stop sign.
  13. Click "Yes" at the Replace on Reboot prompt.
  14. Click "Yes" at the Pending Operations prompt to restart your computer.
  15. You may get this message>>>"Pending File Rename Operations Registry Data has been Removed by External Process!" This is okay, you will just have to manually restart your pc.
  16. Double-click on find.bat and post the new output.txt.
-=jonnyrotten=- :tazz:
  • 0

#5
bcpettit

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: D:\Documents and Settings\Benjamin Pettit\Desktop\Trouble\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive D is Windows
Volume Serial Number is 68BB-B90E

Directory of D:\WINDOWS\System32

12/24/2004 08:41 PM <DIR> dllcache
10/28/2004 08:44 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 2,201,772,032 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D is Windows
Volume Serial Number is 68BB-B90E

Directory of D:\WINDOWS\System32

12/29/2004 11:59 PM 890 vsconfig.xml
12/29/2004 11:59 PM 4,212 zllictbl.dat
12/24/2004 08:41 PM <DIR> dllcache
2 File(s) 5,102 bytes
1 Dir(s) 2,201,772,032 bytes free

---------- Files Named "Guard" -------------

Volume in drive D is Windows
Volume Serial Number is 68BB-B90E

Directory of D:\WINDOWS\System32

12/29/2004 11:57 PM 56 Guard.tmp
1 File(s) 56 bytes
0 Dir(s) 2,201,772,032 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive D is Windows
Volume Serial Number is 68BB-B90E

Directory of D:\WINDOWS\System32

12/29/2004 11:57 PM 56 Guard.tmp
12/11/2004 01:01 AM 0 ~GLH0014.TMP
09/22/2004 06:46 PM 2,362,104 SET7A.tmp
09/22/2004 06:46 PM 1,027,072 SET77.tmp
09/22/2004 06:46 PM 229,376 SET6A.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH0019.TMP
03/31/2003 07:00 AM 2,577 CONFIG.TMP
03/13/2001 02:50 PM 2,494 ~GLH0009.TMP
8 File(s) 4,860,159 bytes
0 Dir(s) 2,201,767,936 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E9BE5817-6E11-4654-AF4F-6158E5A9E22F}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\dnj0011me.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

D:\WINDOWS\SYSTEM32\
vsconfig.xml Wed Dec 29 2004 11:59:44p A..H. 890 0.87 K
zllictbl.dat Wed Dec 29 2004 11:59:42p ...H. 4,212 4.11 K

2 items found: 2 files, 0 directories.
Total of file sizes: 5,102 bytes 4.98 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="\"d:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"d:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="d:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="D:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#6
-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Copy and paste the quoted text below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E9BE5817-6E11-4654-AF4F-6158E5A9E22F}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]

  • Download VX2Finder.
  • Double-click on VX2Finder.exe.
  • Click "Restore Policy".
  • In the File menu click "Exit".
  • Double-click on KillBox.exe.
  • In the File menu click "Delete all Dummy files".
  • In the Tools menu click "Delete Temp Files".
  • Choose "Standard File Kill" if not already selected.
  • Paste these files one by one into the top "Full Path of File to Delete" box.
    • C:\RECYCLER\desktop.ini
    • C:\WINDOWS\System32\drivers\etc\HOSTS
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Confirm Delete prompt.
  • It should give you a successful "File was deleted" prompt for each one.
Next post a new Hijack This log (this is the very first one you posted) so we can clean up the rest.

-=jonnyrotten=- :tazz:
  • 0
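Added example (not part of any post in this thread, and not a tool used in it): the three "Keys Under Notify" exports in posts #1, #3 and #5 each contain one entry that differs only in subkey name (Applets, Dynamic Directory, RunOnce) and DLL, so this Python sketch parses a REGEDIT4 export and flags Winlogon\Notify entries by value pattern rather than by key name. The two heuristics, the function names and the trimmed, rebuilt sample input are assumptions of this example; a hit is a candidate for manual review, not a verdict.

```python
import re

NOTIFY = "\\winlogon\\notify\\"
ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def parse_reg(text):
    """Parse REGEDIT4 export text into {key path: {lower-cased value name: value}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)        # join hex continuation lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \\ and \"
        elif data.startswith("hex(2):"):             # REG_EXPAND_SZ, ANSI bytes in REGEDIT4
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
            current[name] = raw.split(b"\0")[0].decode("latin-1")
        elif data.startswith("dword:"):
            current[name] = int(data[6:], 16)
    return keys

def flag_notify(text):
    """Return [(subkey, dll, reasons)] for Notify packages worth a manual look."""
    hits = []
    for path, values in parse_reg(text).items():
        pos = path.lower().find(NOTIFY)
        dll = values.get("dllname")                  # exports use both DllName and DLLName
        if pos == -1 or not isinstance(dll, str):
            continue
        reasons = []
        # Heuristic 1 (assumption): the stock entries in these logs use bare file names.
        if "\\" in dll or "/" in dll:
            reasons.append("DllName is a full path")
        # Heuristic 2 (assumption): handler names shared by the three odd entries.
        handlers = [values.get(k) for k in ("logon", "logoff", "shutdown")]
        if handlers == ["WinLogon", "WinLogoff", "WinShutdown"]:
            reasons.append("handler names match the entries whose DLLs were listed for deletion")
        if reasons:
            hits.append((path[pos + len(NOTIFY):], dll, reasons))
    return hits

# Two stock entries present in all three posted scans (cscdll trimmed).
STOCK = rf'''
[{ROOT}\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[{ROOT}\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Impersonate"=dword:00000000
'''

def scan(subkey, dll):
    """Rebuild a trimmed version of one posted scan: the odd entry plus STOCK."""
    return (f'REGEDIT4\n\n[{ROOT}\\{subkey}]\n"Asynchronous"=dword:00000000\n'
            f'"DllName"="D:\\\\WINDOWS\\\\system32\\\\{dll}"\n'
            '"Impersonate"=dword:00000000\n"Logon"="WinLogon"\n'
            '"Logoff"="WinLogoff"\n"Shutdown"="WinShutdown"\n' + STOCK)

# Subkey names and DLL names as they appear in posts #1, #3 and #5.
SCANS = {
    "post #1": scan("Applets", "ir24l5fq1.dll"),
    "post #3": scan("Dynamic Directory", "kt48l7hu1.dll"),
    "post #5": scan("RunOnce", "dnj0011me.dll"),
}

def timeline(scans):
    """Map scan label -> [(subkey, dll)] so a renamed entry lines up across scans."""
    return {label: [(sub, dll) for sub, dll, _ in flag_notify(text)]
            for label, text in scans.items()}

if __name__ == "__main__":
    for label, hits in timeline(SCANS).items():
        print(label, hits)
```

Run against the full output.txt from each post, the same entry shows up under a new subkey name and DLL after every reboot, which is why matching on the subkey name alone would miss it.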

#7
bcpettit

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Logfile of HijackThis v1.99.0
Scan saved at 11:12:32 PM, on 1/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
C:\Program Files\NCR\TDAT\TGTW\05.00.00.00\bin\GtwRsrvTdmst.exe
D:\Program Files\NCR\BYNET Software\blmsvc.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
D:\Program Files\NCR\Teradata Warehouse Builder\bin\portmap.exe
C:\Program Files\NCR\TDAT\PDE\05.00.00.11\bin\pdeinetd.exe
D:\Program Files\NCR\Teradata Warehouse Builder\bin\pipcd.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
D:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
D:\Program Files\Microsoft IntelliPoint\Point32.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Benjamin Pettit\Desktop\Trouble\hijackthis199.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpySweeper] "c:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O23 - Service: BYNET - NCR - D:\Program Files\NCR\BYNET Software\blmsvc.exe
O23 - Service: Teradata GTW Reserve Port - NCR - C:\Program Files\NCR\TDAT\TGTW\05.00.00.00\bin\GtwRsrvTdmst.exe
O23 - Service: McAfee.com McShield - Unknown - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ONC RPC Portmapper - Unknown - D:\Program Files\NCR\Teradata Warehouse Builder\bin\portmap.exe
O23 - Service: Teradata inetd Service - Unknown - C:\Program Files\NCR\TDAT\PDE\05.00.00.11\bin\pdeinetd.exe
O23 - Service: PIPC Daemon - Unknown - D:\Program Files\NCR\Teradata Warehouse Builder\bin\pipcd.exe
O23 - Service: Teradata Database Initiator (recond) - Unknown - C:\Program Files\NCR\TDAT\PDE\05.00.00.11\bin\recond.exe
O23 - Service: TDQM Server - NCR - D:\Program Files\NCR\Teradata DQM\server\tdqmserv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#8
-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
How are things running now? I can't really find anything wrong in the log. Do you know who this trusted IP address is?

O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

If not, then run Hijack This and put a check in each of the boxes next to the two entries above. Click fix checked at the bottom. Reboot and post a new log. It looks clean. Please give details on how it is running now.

-=jonnyrotten=- :tazz:
  • 0
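The check described in the reply above, as an added example that is not part of the original post: it groups HijackThis entry lines by section code and classifies each O15 "Trusted IP range" value so a public address in the Trusted Zone stands out. The log lines are copied from post #7; the function names are made up for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Lines copied from the HijackThis log in post #7 (excerpt).
LOG_EXCERPT = r'''Logfile of HijackThis v1.99.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O23 - Service: PIPC Daemon - Unknown - D:\Program Files\NCR\Teradata Warehouse Builder\bin\pipcd.exe
'''

# Entry lines look like "<letter><number> - <detail>", e.g. "O15 - Trusted IP range: ..."
ENTRY_RE = re.compile(r'^([A-Z]\d{1,2}) - (.*)$')

def parse_entries(text):
    """Group HijackThis entry lines by their section code (R0, O4, O15, ...)."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return dict(entries)

def review_trusted_ranges(entries):
    """Return (value, kind) for every O15 'Trusted IP range' entry."""
    findings = []
    for detail in entries.get("O15", []):
        label, _, value = detail.partition(":")
        if label.strip() != "Trusted IP range":
            continue                      # other O15 forms (trusted sites) are skipped here
        value = value.strip()
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            # wildcard patterns or markers such as "(HKLM)" are not plain addresses
            findings.append((value, "not-an-address"))
            continue
        kind = "public" if addr.is_global else "private-or-reserved"
        findings.append((value, kind))
    return findings

if __name__ == "__main__":
    for value, kind in review_trusted_ranges(parse_entries(LOG_EXCERPT)):
        print(f"O15 trusted range {value}: {kind}")
```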





