Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

RUNDLL error, UMonitor

Started by smonahan , Dec 29 2004 10:41 PM

  • Please log in to reply

#1
smonahan
Posted 29 December 2004 - 10:41 PM

smonahan

    New Member

  • Member
  • Pip
  • 9 posts
First, let me say how glad I was to find this site. I was much relieved to see I wasn't the only one having this problem.

I'm getting a RUNDLL error message when I boot my laptop, similar to what others on this site have reported:

RUNDLL
An exception ocurred while trying to run ""C:\windows\system32\<filename>", UMonitor

The error message reports a different DLL file each time I boot. When I noticed it wasn't the same one every time, I started recording the file names. Here's what I've seen so far:

wcnbrand.dll
dumsrpcn.dll
aisldp.dll
DVAUTH.DLL
WCNSTRM.DLL

I then noticed I had some programs installed that I didn't install. Among these were things like SurfSideKick 2, CrazyWinnings, Loader2, and BargainBuddy (I'm not sure these are all of them; I hadn't started keeping track of what I was doing yet).

Then I found your site, and the page entitled, "You must do this before posting a HJT log".

I ran Adaware, and it found some spyware. I believe they were all tracking cookies. I will post the log in a separate post.

I ran CWShredder and it found and removed:
- CWS.BootConf
- CWS.Svchost32
- Removing host file redirections
But when I run it again, all three are always back again.

I ran Spybot Search and Destroy. It found and fixed several things, but there are some things it's having a problem with. Here's a log of what it finds:
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1879234141-1687909686-1107288150-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Common hijacker: Redirected host (Redirected host, nothing done)
Common hijacker: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Bootconf: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Loadbat: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Msconfd: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Oslogo: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Tapicfg: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Xmlmimefilter: Redirected host (Redirected host, nothing done)
IGetNet: Redirected host (Redirected host, nothing done)
--- Spybot - Search && Destroy version: 1.3 ---
2004-11-29 Includes\Cookies.sbi
2004-12-15 Includes\Dialer.sbi
2004-12-16 Includes\Hijackers.sbi
2004-12-15 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-12-15 Includes\Malware.sbi
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2004-12-16 Includes\Spybots.sbi
2004-11-29 Includes\Tracks.uti
2004-12-15 Includes\Trojans.sbi

When I choose to Fix Problems, it appears to successfully fix all of them. All of these things immediately reappear when I run Spybot Search and Destory again.

I ran Norton Antivirus, and it didn't find anything.

I ran Trend Housecall and it found about 12 viruses, all of which it was able to remove except for one: C:\WINDOWS\system32\guard.tmp

I ran Panda Activescan and it didn't find anything.

I have all Windows critical updates installed, including SP2. However, I use Norton Personal Firewall, so I don't have the SP2 firewall enabled.

I've rebooted, and RUNDLL error still exists.

I've created a HJT logfile, I'll post it in a separate post.

I have noticed my computer exhibiting some strange symptons. I don't know if these are related to this problem, but they started at the same time.
- When I delete something, it doesn't go to my recycle bin. It's just gone.
- When I try to shutdown the computer (by hitting Start->Turn Off, and pressing Turn Off or Restart), it doesn't do anything. I have to do it a second time before it actually starts to shut down.
- I run a popup blocker called Guardwall. It adds some buttons to my IE toolbar. When I start up IE, Guardwall is disabled, and when I press the toolbar buttons to enable it, they don't work.
  • 0

Advertisements

#2
smonahan
Posted 29 December 2004 - 10:44 PM

smonahan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Here is my Adaware log:




Lavasoft Ad-aware Professional Build 158
Logfile created on :Tuesday, December 28, 2004 9:52:39 PM
Using reference-file :01R04 27.01.2003
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R04 27.01.2003
Internal build : 6
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 153846 Bytes
Signature data size : 150039 Bytes
Reference data size : 3743 Bytes
Signatures total : 3806
Target categories : 6
Target families : 71

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:46 %
Total physical memory:785772 kb
Available physical memory:354548 kb
Total page file size:1134656 kb
Available on page file:752288 kb
Total virtual memory:2097024 kb
Available virtual memory:2050468 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically mark all objects in result list
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block Popups and banned sites
Set : Automatically pop up event log if event occours
Set : Show splash screen
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


Listing running processes
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 12-29-2004 5:40:03 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 12-29-2004 5:40:11 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 12-29-2004 5:40:11 AM
BasePriority : Normal
FileSize : 105 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft Windows Operating System
Created on : 8/29/2002 10:00:00 AM
Last accessed : 12/29/2004 5:05:20 AM
Last modified : 8/4/2004 7:56:55 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 12-29-2004 5:40:11 AM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft Windows Operating System
Created on : 8/29/2002 10:00:00 AM
Last accessed : 12/29/2004 5:05:20 AM
Last modified : 8/4/2004 7:56:50 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 12-29-2004 5:40:12 AM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft Windows Operating System
Created on : 8/29/2002 10:00:00 AM
Last accessed : 12/29/2004 5:05:20 AM
Last modified : 8/4/2004 7:56:57 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 12-29-2004 5:40:13 AM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft Windows Operating System
Created on : 8/29/2002 10:00:00 AM
Last accessed : 12/29/2004 5:05:20 AM
Last modified : 8/4/2004 7:56:57 AM

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 12-29-2004 5:40:15 AM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft Windows Operating System
Created on : 8/29/2002 10:00:00 AM
Last accessed : 12/29/2004 5:05:20 AM
Last modified : 8/4/2004 7:56:57 AM

#:8 [aspnet_admin.exe]
FilePath : C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\
ThreadCreationTime : 12-29-2004 5:40:15 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 2.0.40607.42 (beta1.040607-4200)
ProductVersion : 2.0.40607.42
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Microsoft ASP.NET Admin Service
InternalName : aspnet_admin.exe
OriginalFilename : aspnet_admin.exe
ProductName : Microsoft .NET Framework
Created on : 7/8/2004 6:02:52 AM
Last accessed : 12/29/2004 5:05:20 AM
Last modified : 7/8/2004 6:02:52 AM

#:9 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 12-29-2004 5:40:15 AM
BasePriority : Normal
FileSize : 309 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 11/13/2002 9:44:02 PM
Last accessed : 12/29/2004 5:05:20 AM
Last modified : 11/13/2002 9:44:02 PM

#:10 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ThreadCreationTime : 12-29-2004 5:40:15 AM
BasePriority : Normal
FileSize : 308 KB
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft Visual Studio .NET
Created on : 1/5/2002 4:00:37 PM
Last accessed : 12/29/2004 5:05:20 AM
Last modified : 1/5/2002 4:00:37 PM

#:11 [navapsvc.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton AntiVirus\
ThreadCreationTime : 12-29-2004 5:40:15 AM
BasePriority : Normal
FileSize : 113 KB
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 7/21/2004 2:56:05 AM
Last accessed : 12/29/2004 5:52:40 AM
Last modified : 11/15/2002 12:41:26 AM

#:12 [nisum.exe]
FilePath : C:\Program Files\Norton Personal Firewall\
ThreadCreationTime : 12-29-2004 5:40:15 AM
BasePriority : Normal
FileSize : 137 KB
FileVersion : 6.02.2003
ProductVersion : 6.02.2003
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security NISUM
InternalName : NISUM
OriginalFilename : NISUM.exe
ProductName : Norton Internet Security
Created on : 7/21/2004 2:02:49 AM
Last accessed : 12/29/2004 5:05:21 AM
Last modified : 3/3/2003 6:06:36 PM

#:13 [nprotect.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton Utilities\
ThreadCreationTime : 12-29-2004 5:40:15 AM
BasePriority : Normal
FileSize : 132 KB
FileVersion : 16.00.0.22
ProductVersion : 16.00.0.22
Copyright : Copyright © 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
OriginalFilename : NPROTECT.EXE
ProductName : Norton Utilities
Created on : 7/21/2004 2:44:15 AM
Last accessed : 12/29/2004 5:05:21 AM
Last modified : 8/14/2002 11:03:00 AM

#:14 [nopdb.exe]
FilePath : C:\PROGRA~1\NORTON~2\SPEEDD~1\
ThreadCreationTime : 12-29-2004 5:40:16 AM
BasePriority : Normal
FileSize : 168 KB
FileVersion : 7.00.0.24
ProductVersion : 7.00.0.24
Copyright : Copyright © 2002
CompanyName : Symantec Corporation
FileDescription : NOPDB
InternalName : NOPDB
OriginalFilename : NOPDB.dll
ProductName : Norton Speed Disk
Created on : 7/21/2004 2:45:29 AM
Last accessed : 12/29/2004 5:05:21 AM
Last modified : 8/14/2002 11:00:00 AM

#:15 [wltrysvc.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 12-29-2004 5:40:16 AM
BasePriority : Normal
FileSize : 44 KB
Created on : 7/16/2004 10:07:13 AM
Last accessed : 12/29/2004 5:05:21 AM
Last modified : 2/20/2004 9:14:04 PM

#:16 [bcmwltry.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 12-29-2004 5:40:16 AM
BasePriority : Normal
FileSize : 548 KB
FileVersion : 3.40.67.0
ProductVersion : 3.40.67.0
Copyright : 1998-2003, Dell Computer Corporation All Rights Reserved.
CompanyName : Dell Computer Corporation
FileDescription : Dell Wireless WLAN Card Wireless Network Tray Applet
InternalName : bcmwltry.exe
OriginalFilename : bcmwltry.exe
ProductName : Dell Wireless WLAN Card Wireless Network Tray Applet
Created on : 7/16/2004 10:07:13 AM
Last accessed : 12/29/2004 5:43:14 AM
Last modified : 2/23/2004 4:56:04 PM

#:17 [dxdebugservice.exe]
FilePath : C:\DX90SDK\Utilities\DirectX extensions for Visual Studio .NET\
ThreadCreationTime : 12-29-2004 5:40:16 AM
BasePriority : Normal
FileSize : 70 KB
FileVersion : 4.09.00.1126
ProductVersion : 4.09.00.1126
Copyright : Copyright Microsoft Corp. 1994-2002
CompanyName : Microsoft Corporation
FileDescription : DirectX extensions for Visual Studio
InternalName : DXDebugService.exe
OriginalFilename : DXDebugService.exe
ProductName : Microsoft DirectX for Windows
Created on : 9/10/2003 4:45:52 PM
Last accessed : 12/29/2004 5:05:21 AM
Last modified : 9/10/2003 4:45:52 PM

#:18 [symwsc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\Security Center\
ThreadCreationTime : 12-29-2004 5:40:16 AM
BasePriority : Normal
FileSize : 309 KB
FileVersion : 2005.1.2.20
ProductVersion : 2005.1
Copyright : Copyright © 1997-2004 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton Security Center Service
InternalName : SymWSC.exe
OriginalFilename : SymWSC.exe
ProductName : Norton Security Center
Created on : 11/3/2004 12:59:50 AM
Last accessed : 12/29/2004 5:05:21 AM
Last modified : 11/3/2004 12:59:50 AM

#:19 [ccpxysvc.exe]
FilePath : C:\Program Files\Norton Personal Firewall\
ThreadCreationTime : 12-29-2004 5:40:17 AM
BasePriority : Normal
FileSize : 33 KB
FileVersion : 6.02.2003
ProductVersion : 6.02.2003
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security Proxy Service
InternalName : ccPxySvc
OriginalFilename : ccPxySvc.exe
ProductName : Norton Internet Security
Created on : 7/21/2004 2:02:47 AM
Last accessed : 12/29/2004 5:05:21 AM
Last modified : 3/3/2003 6:05:18 PM

#:20 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 12-29-2004 5:40:21 AM
BasePriority : Normal
FileSize : 1008 KB
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft Windows Operating System
Created on : 8/29/2002 10:00:00 AM
Last accessed : 12/29/2004 5:40:22 AM
Last modified : 8/4/2004 7:56:49 AM

#:21 [trirot.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 12-29-2004 5:40:26 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 6,14,01,2059
ProductVersion : 6,14,01,2059
Copyright : Copyright © 2003-2004 XGI Technology, Inc.
CompanyName : XGI Technology, Inc.
FileDescription : Trirot
InternalName : Trirot
OriginalFilename : Trirot.exe
ProductName : Trirot
Created on : 1/1/1980 5:00:00 AM
Last accessed : 12/29/2004 5:06:30 AM
Last modified : 5/21/2004 2:54:42 AM

#:22 [bcmsmmsg.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 12-29-2004 5:40:26 AM
BasePriority : Normal
FileSize : 120 KB
FileVersion : 3.5.25 08/27/2003 20:04:35
ProductVersion : 3.5.25 08/27/2003 20:04:35
Copyright : Copyright Broadcom Corporation 1998-2000
CompanyName : Broadcom Corporation
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
OriginalFilename : smdmstat.exe
ProductName : BCM Modem Messaging Applet
Created on : 1/1/1980 5:00:00 AM
Last accessed : 12/29/2004 5:07:09 AM
Last modified : 8/29/2003 10:59:24 AM

#:23 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_03\bin\
ThreadCreationTime : 12-29-2004 5:40:26 AM
BasePriority : Normal
FileSize : 32 KB
Created on : 11/19/2003 10:48:18 PM
Last accessed : 12/29/2004 5:06:30 AM
Last modified : 11/19/2003 10:48:14 PM

#:24 [syntplpr.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ThreadCreationTime : 12-29-2004 5:40:26 AM
BasePriority : Normal
FileSize : 108 KB
FileVersion : 7.5.7 02May03
ProductVersion : 7.5.7 02May03
Copyright : Copyright © Synaptics, Inc. 1996-2003
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
OriginalFilename : SynTPLpr.exe
ProductName : Progressive Touch
Created on : 7/16/2004 10:01:24 AM
Last accessed : 12/29/2004 5:06:30 AM
Last modified : 5/2/2003 10:21:48 PM

#:25 [syntpenh.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ThreadCreationTime : 12-29-2004 5:40:26 AM
BasePriority : Normal
FileSize : 596 KB
FileVersion : 7.5.7 02May03
ProductVersion : 7.5.7 02May03
Copyright : Copyright © Synaptics, Inc. 1996-2003
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Scrolleroo
OriginalFilename : SynTPEnh.exe
ProductName : Progressive Touch
Created on : 7/16/2004 10:01:24 AM
Last accessed : 12/29/2004 5:06:30 AM
Last modified : 5/2/2003 10:15:44 PM

#:26 [dvdlauncher.exe]
FilePath : C:\Program Files\CyberLink\PowerDVD\
ThreadCreationTime : 12-29-2004 5:40:27 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 3.00.0000
ProductVersion : 3.00.0000
Copyright : Copyright © 2003 CyberLink Corp.
CompanyName : CyberLink Corp.
FileDescription : CyberLink PowerCinema Resident Program
InternalName : CyberLink PowerCinema Resident Program
OriginalFilename : DVDLauncher.EXE
ProductName : Cyberlink PowerCinema 3.0
Created on : 7/16/2004 10:04:45 AM
Last accessed : 12/29/2004 5:06:30 AM
Last modified : 4/11/2004 4:43:44 PM

#:27 [dadapp.exe]
FilePath : C:\Program Files\Dell\AccessDirect\
ThreadCreationTime : 12-29-2004 5:40:27 AM
BasePriority : Normal
FileSize : 206 KB
Created on : 7/16/2004 10:05:11 AM
Last accessed : 12/29/2004 5:06:30 AM
Last modified : 3/4/2004 4:36:22 PM

#:28 [quickset.exe]
FilePath : C:\Program Files\Dell\QuickSet\
ThreadCreationTime : 12-29-2004 5:40:27 AM
BasePriority : Normal
FileSize : 476 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright © 2001
FileDescription : QuickSet MFC Application
InternalName : direct
OriginalFilename : direct.EXE
ProductName : QuickSet Application
Created on : 7/16/2004 10:06:04 AM
Last accessed : 12/29/2004 5:06:30 AM
Last modified : 3/5/2004 1:59:30 AM

#:29 [support.exe]
FilePath : C:\Program Files\Common Files\Dell\EUSW\
ThreadCreationTime : 12-29-2004 5:40:27 AM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 2, 0, 0, 34
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2002
CompanyName : Dell
FileDescription : Support
InternalName : Support
OriginalFilename : Support.exe
ProductName : Dell Support
Created on : 10/7/2003 9:21:10 PM
Last accessed : 12/29/2004 5:06:30 AM
Last modified : 10/7/2003 9:21:10 PM

#:30 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 12-29-2004 5:40:27 AM
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.0.10.006
ProductVersion : 1.0.10.006
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 7/21/2004 1:58:52 AM
Last accessed : 12/29/2004 5:06:30 AM
Last modified : 12/2/2003 9:11:04 PM

#:31 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ThreadCreationTime : 12-29-2004 5:40:27 AM
BasePriority : Normal
FileSize : 176 KB
FileVersion : 0.1.0.3034
ProductVersion : 0.1.0.3034
Copyright : Copyright RealNetworks, Inc. 1995-2004
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealPlayer (32-bit)
Created on : 7/21/2004 4:27:14 AM
Last accessed : 12/29/2004 5:06:30 AM
Last modified : 7/21/2004 4:27:15 AM

#:32 [fppdis1.exe]
FilePath : C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\
ThreadCreationTime : 12-29-2004 5:40:27 AM
BasePriority : Normal
FileSize : 352 KB
FileVersion : 1.41
ProductVersion : 1.41
Copyright : Copyright © 2001-2002 FinePrint Software, LLC
CompanyName : FinePrint Software, LLC
FileDescription : FinePrint pdfFactory
ProductName : FinePrint pdfFactory
Created on : 7/23/2004 4:24:11 AM
Last accessed : 12/29/2004 5:40:27 AM
Last modified : 3/13/2002 9:03:34 PM

#:33 [ad-watch.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 12-29-2004 5:40:27 AM
BasePriority : Normal
FileSize : 387 KB
FileVersion : 3.1.2.17
ProductVersion : 3.0
Copyright : 2001-2003 Team Lavasoft
CompanyName : Lavasoft Sweden
FileDescription : Ad-watch Monitor
InternalName : Ad-watch.exe
OriginalFilename : Ad-watch.exe
ProductName : Ad-aware 6
Created on : 8/8/2004 6:24:39 AM
Last accessed : 12/29/2004 5:40:31 AM
Last modified : 1/27/2003 12:15:08 PM

#:34 [dadtray.exe]
FilePath : C:\Program Files\Dell\AccessDirect\
ThreadCreationTime : 12-29-2004 5:40:28 AM
BasePriority : Normal
FileSize : 184 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright © 1999-2002
FileDescription : DadTray MFC Application
InternalName : DadTray
OriginalFilename : DadTray.EXE
ProductName : DadTray Application
Created on : 7/16/2004 10:05:11 AM
Last accessed : 12/29/2004 5:06:30 AM
Last modified : 11/18/2002 3:11:10 PM

#:35 [ramboo~1.exe]
FilePath : C:\PROGRA~1\RAMBOO~1\
ThreadCreationTime : 12-29-2004 5:40:28 AM
BasePriority : Normal
FileSize : 458 KB

#:36 [sticker.exe]
FilePath : C:\Program Files\MoRUN.net\Sticker\
ThreadCreationTime : 12-29-2004 5:40:28 AM
BasePriority : Normal
FileSize : 292 KB
FileVersion : 3.5
ProductVersion : 3.5
Copyright : 2002-2004 © MoRUN.net. All rights reserved.
CompanyName : MoRUN.net
InternalName : Sticker.exe
OriginalFilename : Sticker.exe
ProductName : MoRUN.net Sticker
Created on : 8/12/2004 1:09:06 PM
Last accessed : 12/29/2004 5:06:30 AM
Last modified : 8/12/2004 1:09:06 PM

#:37 [notifyalert.exe]
FilePath : c:\Program Files\Dell\Support\Alert\bin\
ThreadCreationTime : 12-29-2004 5:40:28 AM
BasePriority : Normal
FileSize : 344 KB
FileVersion : 2.1.0.72
ProductVersion : 2.1.0.72
Copyright :
CompanyName :
FileDescription :
InternalName : NotifyAlert.exe
OriginalFilename : NotifyAlert.exe
ProductName :
Created on : 10/7/2003 9:20:18 PM
Last accessed : 12/29/2004 5:06:30 AM
Last modified : 10/7/2003 9:20:18 PM

#:38 [mnyexpr.exe]
FilePath : C:\Program Files\Microsoft Money\System\
ThreadCreationTime : 12-29-2004 5:40:29 AM
BasePriority : Normal
FileSize : 196 KB
FileVersion : 12.00.0613
ProductVersion : 12.00.0613
Copyright : Copyright Microsoft Corporation
CompanyName : Microsoft Corp.
FileDescription : Microsoft Money Express
InternalName : mnyexpr
OriginalFilename : mnyexpr.exe
ProductName : Microsoft MSN Money Deluxe
Created on : 6/18/2003 5:00:00 PM
Last accessed : 12/29/2004 5:06:37 AM
Last modified : 6/18/2003 5:00:00 PM

#:39 [sysdoc32.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton Utilities\
ThreadCreationTime : 12-29-2004 5:40:33 AM
BasePriority : Idle
FileSize : 24 KB
FileVersion : 16.00.0.22
ProductVersion : 16.00.0.22
Copyright : Copyright © 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton System Doctor
InternalName : SYSDOC32
OriginalFilename : SYSDOC32.EXE
ProductName : Norton Utilities
Created on : 7/21/2004 2:44:07 AM
Last accessed : 12/29/2004 5:40:33 AM
Last modified : 8/14/2002 11:03:00 AM

#:40 [kazaalite.kpp]
FilePath : C:\Program Files\Kazaa Lite K++\
ThreadCreationTime : 12-29-2004 5:40:35 AM
BasePriority : Normal
FileSize : 2182 KB
Created on : 7/17/2003 1:19:52 AM
Last accessed : 12/29/2004 5:40:35 AM
Last modified : 7/17/2003 1:19:52 AM

#:41 [wmiapsrv.exe]
FilePath : C:\WINDOWS\System32\wbem\
ThreadCreationTime : 12-29-2004 5:40:54 AM
BasePriority : Normal
FileSize : 123 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : WMI Performance Adapter Service
InternalName : WmiApSrv.exe
OriginalFilename : WmiApSrv.exe
ProductName : Microsoft Windows Operating System
Created on : 8/29/2002 10:00:00 AM
Last accessed : 12/29/2004 5:06:37 AM
Last modified : 8/4/2004 7:56:57 AM

#:42 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 12-29-2004 5:43:18 AM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
OriginalFilename : RUNDLL.EXE
ProductName : Microsoft Windows Operating System
Created on : 8/29/2002 10:00:00 AM
Last accessed : 12/29/2004 5:32:11 AM
Last modified : 8/4/2004 7:56:55 AM

#:43 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 12-29-2004 5:43:46 AM
BasePriority : Normal
FileSize : 91 KB
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft Windows Operating System
Created on : 8/29/2002 10:00:00 AM
Last accessed : 12/29/2004 5:43:49 AM
Last modified : 8/4/2004 7:56:50 AM

#:44 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 12-29-2004 5:44:23 AM
BasePriority : Normal
FileSize : 760 KB
FileVersion : 6.0.1.158
ProductVersion : 6.0.0.0
Copyright : Copyright Lavasoft Sweden
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Professional
Created on : 8/8/2004 6:24:40 AM
Last accessed : 12/29/2004 5:44:23 AM
Last modified : 1/27/2003 5:42:22 PM

#:45 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 12-29-2004 5:51:05 AM
BasePriority : Normal
FileSize : 1628 KB
FileVersion : 4.7.3000
ProductVersion : Version 4.7.3000
Copyright : Copyright © Microsoft Corporation 2004
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 8/20/2002 8:08:38 PM
Last accessed : 12/29/2004 5:51:05 AM
Last modified : 8/4/2004 7:56:53 AM

Memory scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started deep registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Deep registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Tracking Cookie Object recognized!
Type : File
Data : sean@advertising[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\

Created on : 12/29/2004 5:10:12 AM
Last accessed : 12/29/2004 5:10:12 AM
Last modified : 12/29/2004 5:10:12 AM



Tracking Cookie Object recognized!
Type : File
Data : sean@atdmt[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\

Created on : 12/29/2004 1:46:10 AM
Last accessed : 12/29/2004 6:05:46 AM
Last modified : 12/29/2004 1:46:10 AM



Tracking Cookie Object recognized!
Type : File
Data : sean@bluestreak[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\

Created on : 12/29/2004 5:43:57 AM
Last accessed : 12/29/2004 5:43:57 AM
Last modified : 12/29/2004 5:43:57 AM



Tracking Cookie Object recognized!
Type : File
Data : sean@doubleclick[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\

Created on : 12/29/2004 1:53:31 AM
Last accessed : 12/29/2004 6:05:46 AM
Last modified : 12/29/2004 1:58:08 AM



Tracking Cookie Object recognized!
Type : File
Data : sean@fastclick[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\

Created on : 12/29/2004 5:43:59 AM
Last accessed : 12/29/2004 5:43:59 AM
Last modified : 12/29/2004 5:43:59 AM



Tracking Cookie Object recognized!
Type : File
Data : sean@mediaplex[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\

Created on : 12/29/2004 1:58:27 AM
Last accessed : 12/29/2004 6:05:46 AM
Last modified : 12/29/2004 1:58:27 AM



Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Sean\Local Settings\Temp\Cookies\

Created on : 12/29/2004 5:10:12 AM
Last accessed : 12/29/2004 5:10:12 AM
Last modified : 12/29/2004 5:10:12 AM



Disk scan result for C:\
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 7

10:48:26 PM Scan complete

Summary of this scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Total scanning time :00:55:47:424
Objects scanned :221500
Objects identified :7
Objects ignored :0
New objects :7
  • 0

#3
smonahan
Posted 29 December 2004 - 10:46 PM

smonahan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Here is my HJT log:



Logfile of HijackThis v1.99.0
Scan saved at 8:34:27 PM, on 12/29/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\DX90SDK\Utilities\DirectX extensions for Visual Studio .NET\DXDebugService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Trirot.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
C:\Program Files\MoRUN.net\Sticker\sticker.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamedev.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ‚ÔÈ
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll (file missing)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: GuardWall - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Program Files\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [Trirot] Trirot.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [XGIWatchDog] C:\Program Files\XGI\twatdog.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
O4 - HKCU\..\Run: [Sticker] C:\Program Files\MoRUN.net\Sticker\sticker.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - Startup: Kazaa Lite K++.lnk = C:\Program Files\Kazaa Lite K++\klrun.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...11a0351cafa03db
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/do...askbar-inst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (file missing)
  • 0

#4
Metallica
Posted 30 December 2004 - 09:37 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Three logs and I need a fourth one. :tazz:
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
Regards,

Pieter
  • 0

#5
smonahan
Posted 30 December 2004 - 08:03 PM

smonahan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks Pieter. Here's my FindIt log. *NOTE* -- As FindIt was running, a windows message came up that said:

16 bit MS-DOS Subsystem
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to teminate the application.

I clicked on Ignore, and this is the resulting log file:




Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B827-B78D

Directory of C:\WINDOWS\System32

12/29/2004 05:43 PM <DIR> DLLCACHE
12/29/2004 05:36 PM 223,232 j42q0ef5eh2.dll
12/28/2004 11:45 PM 224,372 l60ulgd9160.dll
10/25/2004 09:46 PM 6,144 access.ctl
07/20/2004 06:46 PM 32 {8BB491AB-2EC3-4FDF-BBAE-E520B61A2A2F}.dat
07/20/2004 06:45 PM 32 {762E06F8-C254-40CC-8380-029152B8E1AD}.dat
07/20/2004 06:44 PM 32 {9E66EE93-D72D-4A31-886F-8564DA085541}.dat
07/20/2004 06:43 PM 32 {4A37B642-9A4F-44DF-86EF-EF7F6DD6AFEF}.dat
07/20/2004 06:43 PM 32 {BDAF2F7C-FD60-45BC-AA79-2F368493A4D5}.dat
07/20/2004 06:43 PM 32 {EB1A2A81-1E63-4FD9-BD94-3C5618D28D5F}.dat
07/20/2004 06:42 PM 32 {4C5D2D29-AA37-4B48-8859-95DDB9E7ADEA}.dat
07/20/2004 05:48 PM 32 {9ACE0555-717B-4B8F-A1C2-6695B2DCA8B8}.dat
07/16/2004 01:16 AM <DIR> Microsoft
04/05/2001 09:43 AM 94,208 msstkprp.dll
12 File(s) 548,212 bytes
2 Dir(s) 9,642,852,352 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B827-B78D

Directory of C:\WINDOWS\System32

12/29/2004 05:43 PM <DIR> DLLCACHE
10/25/2004 09:46 PM 6,144 access.ctl
07/20/2004 06:46 PM 32 {8BB491AB-2EC3-4FDF-BBAE-E520B61A2A2F}.dat
07/20/2004 06:45 PM 32 {762E06F8-C254-40CC-8380-029152B8E1AD}.dat
07/20/2004 06:44 PM 32 {9E66EE93-D72D-4A31-886F-8564DA085541}.dat
07/20/2004 06:43 PM 32 {4A37B642-9A4F-44DF-86EF-EF7F6DD6AFEF}.dat
07/20/2004 06:43 PM 32 {BDAF2F7C-FD60-45BC-AA79-2F368493A4D5}.dat
07/20/2004 06:43 PM 32 {EB1A2A81-1E63-4FD9-BD94-3C5618D28D5F}.dat
07/20/2004 06:42 PM 32 {4C5D2D29-AA37-4B48-8859-95DDB9E7ADEA}.dat
07/20/2004 05:48 PM 32 {9ACE0555-717B-4B8F-A1C2-6695B2DCA8B8}.dat
09/03/2002 05:57 AM 488 logonui.exe.manifest
09/03/2002 05:57 AM 488 WindowsLogon.manifest
09/03/2002 05:57 AM 749 ncpa.cpl.manifest
09/03/2002 05:57 AM 749 nwc.cpl.manifest
09/03/2002 05:57 AM 749 sapi.cpl.manifest
09/03/2002 05:57 AM 749 cdplayer.exe.manifest
09/03/2002 05:57 AM 749 wuaucpl.cpl.manifest
16 File(s) 11,121 bytes
1 Dir(s) 9,642,848,256 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is B827-B78D

Directory of C:\WINDOWS\System32

12/29/2004 11:14 PM 224,372 guard.tmp
1 File(s) 224,372 bytes
0 Dir(s) 9,642,848,256 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is B827-B78D

Directory of C:\WINDOWS\System32

12/29/2004 11:14 PM 224,372 guard.tmp
10/25/2004 02:15 PM 57,344 nsl25.tmp
08/29/2002 02:00 AM 2,577 CONFIG.TMP
3 File(s) 284,293 bytes
0 Dir(s) 9,642,844,160 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5467FC41-A0BA-45F7-AAED-E51FC4CAB1C8}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l60ulgd9160.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\pav.sig: Qoologic
C:\WINDOWS\SYSTEM32\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\pav.sig: AsPack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegServer"="regserve.exe"
"Trirot"="Trirot.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\Quickset.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DwlClient"="c:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"pdfFactory Pro Dispatcher v1"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\2\\fppdis1.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"Ad-watch"="C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-watch.exe"
"XGIWatchDog"="C:\\Program Files\\XGI\\twatdog.exe"
"SurfSideKick 2"="C:\\Program Files\\SurfSideKick 2\\Ssk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#6
Metallica
Posted 31 December 2004 - 01:47 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Download and unzip:
http://www.downloads...org/KillBox.zip
Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.
C:\WINDOWS\System32\j42q0ef5eh2.dll
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\SYSTEM32\pav.sig
C:\WINDOWS\System32\l60ulgd9160.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5467FC41-A0BA-45F7-AAED-E51FC4CAB1C8}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]


Then uninstall SurfSideKick under Add/Remove Software and post a new HijackThis log.

Regards,

Pieter
  • 0

#7
smonahan
Posted 31 December 2004 - 07:36 PM

smonahan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks, Pieter. I followed your directions above. I didn't know if I was supposed to reboot, so I rebooted after uninstalling SurfSide, then ran HJT.

Also, here are some new dll files that have caused boot errors:
mhcpxl32.dll
tuispdeu.dll
inpeers.dll
rfoc3260.dll

Here is my new HJT log:




Logfile of HijackThis v1.99.0
Scan saved at 5:34:02 PM, on 12/31/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\DX90SDK\Utilities\DirectX extensions for Visual Studio .NET\DXDebugService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Trirot.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
C:\Program Files\MoRUN.net\Sticker\sticker.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\system32\rundll32.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamedev.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ‚ÔÈ
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll (file missing)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Program Files\IEMenuExtension\tbextn.dll
O3 - Toolbar: GuardWall - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\Program Files\Failsafe\GuardWall\PnIE.dll
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [Trirot] Trirot.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [XGIWatchDog] C:\Program Files\XGI\twatdog.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
O4 - HKCU\..\Run: [Sticker] C:\Program Files\MoRUN.net\Sticker\sticker.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - Startup: Kazaa Lite K++.lnk = C:\Program Files\Kazaa Lite K++\klrun.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: @C:\Program Files\Failsafe\GuardWall\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardWall\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardWall\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardWall\PnIE.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...11a0351cafa03db
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/do...askbar-inst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (file missing)
  • 0

#8
Metallica
Posted 01 January 2005 - 05:40 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll (file missing)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll

O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Program Files\IEMenuExtension\tbextn.dll

O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [Trirot] Trirot.exe

O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe

O4 - HKCU\..\Run: [Sticker] C:\Program Files\MoRUN.net\Sticker\sticker.exe

O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - Startup: Kazaa Lite K++.lnk = C:\Program Files\Kazaa Lite K++\klrun.exe

Then reboot and run HijackThis again.
Make sure to allow the changes in AdWatch.

If any of the O1 lines return I will need a new FindIt log.
If they don't just post the HijackThis log please.

Regards,

Pieter
  • 0

#9
smonahan
Posted 01 January 2005 - 08:10 PM

smonahan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks Peiter,

I check and fixed all items with the exception of:
O4 - HKCU\..\Run: [Sticker] C:\Program Files\MoRUN.net\Sticker\sticker.exe
since I recognize that as a legitimate program that I use. Please let me know if you know for sure that there is something malicious about it.

I rebooted and ran HJT again, and some of the O1 lines have returned. Here is a new FindIt log followed by a new HJT log:

FindIt:




Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B827-B78D

Directory of C:\WINDOWS\System32

01/01/2005 05:57 PM <DIR> DLLCACHE
01/01/2005 05:50 PM 224,372 l46o0ej3eho.dll
12/31/2004 01:26 AM 224,803 irlql5351.dll
10/25/2004 09:46 PM 6,144 access.ctl
07/20/2004 06:46 PM 32 {8BB491AB-2EC3-4FDF-BBAE-E520B61A2A2F}.dat
07/20/2004 06:45 PM 32 {762E06F8-C254-40CC-8380-029152B8E1AD}.dat
07/20/2004 06:44 PM 32 {9E66EE93-D72D-4A31-886F-8564DA085541}.dat
07/20/2004 06:43 PM 32 {4A37B642-9A4F-44DF-86EF-EF7F6DD6AFEF}.dat
07/20/2004 06:43 PM 32 {BDAF2F7C-FD60-45BC-AA79-2F368493A4D5}.dat
07/20/2004 06:43 PM 32 {EB1A2A81-1E63-4FD9-BD94-3C5618D28D5F}.dat
07/20/2004 06:42 PM 32 {4C5D2D29-AA37-4B48-8859-95DDB9E7ADEA}.dat
07/20/2004 05:48 PM 32 {9ACE0555-717B-4B8F-A1C2-6695B2DCA8B8}.dat
07/16/2004 01:16 AM <DIR> Microsoft
04/05/2001 09:43 AM 94,208 msstkprp.dll
12 File(s) 549,783 bytes
2 Dir(s) 9,515,810,816 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B827-B78D

Directory of C:\WINDOWS\System32

01/01/2005 05:57 PM <DIR> DLLCACHE
10/25/2004 09:46 PM 6,144 access.ctl
07/20/2004 06:46 PM 32 {8BB491AB-2EC3-4FDF-BBAE-E520B61A2A2F}.dat
07/20/2004 06:45 PM 32 {762E06F8-C254-40CC-8380-029152B8E1AD}.dat
07/20/2004 06:44 PM 32 {9E66EE93-D72D-4A31-886F-8564DA085541}.dat
07/20/2004 06:43 PM 32 {4A37B642-9A4F-44DF-86EF-EF7F6DD6AFEF}.dat
07/20/2004 06:43 PM 32 {BDAF2F7C-FD60-45BC-AA79-2F368493A4D5}.dat
07/20/2004 06:43 PM 32 {EB1A2A81-1E63-4FD9-BD94-3C5618D28D5F}.dat
07/20/2004 06:42 PM 32 {4C5D2D29-AA37-4B48-8859-95DDB9E7ADEA}.dat
07/20/2004 05:48 PM 32 {9ACE0555-717B-4B8F-A1C2-6695B2DCA8B8}.dat
09/03/2002 05:57 AM 488 logonui.exe.manifest
09/03/2002 05:57 AM 488 WindowsLogon.manifest
09/03/2002 05:57 AM 749 ncpa.cpl.manifest
09/03/2002 05:57 AM 749 nwc.cpl.manifest
09/03/2002 05:57 AM 749 sapi.cpl.manifest
09/03/2002 05:57 AM 749 cdplayer.exe.manifest
09/03/2002 05:57 AM 749 wuaucpl.cpl.manifest
16 File(s) 11,121 bytes
1 Dir(s) 9,515,806,720 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is B827-B78D

Directory of C:\WINDOWS\System32

01/01/2005 05:54 PM 224,803 guard.tmp
1 File(s) 224,803 bytes
0 Dir(s) 9,515,806,720 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is B827-B78D

Directory of C:\WINDOWS\System32

01/01/2005 05:54 PM 224,803 guard.tmp
10/25/2004 02:15 PM 57,344 nsl25.tmp
08/29/2002 02:00 AM 2,577 CONFIG.TMP
3 File(s) 284,724 bytes
0 Dir(s) 9,515,802,624 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5467FC41-A0BA-45F7-AAED-E51FC4CAB1C8}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irlql5351.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\Quickset.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DwlClient"="c:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"pdfFactory Pro Dispatcher v1"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\2\\fppdis1.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"Ad-watch"="C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-watch.exe"
"XGIWatchDog"="C:\\Program Files\\XGI\\twatdog.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"







HJT:




Logfile of HijackThis v1.99.0
Scan saved at 5:59:27 PM, on 1/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\DX90SDK\Utilities\DirectX extensions for Visual Studio .NET\DXDebugService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\MoRUN.net\Sticker\sticker.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamedev.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ‚ÔÈ
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: GuardWall - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\Program Files\Failsafe\GuardWall\PnIE.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [XGIWatchDog] C:\Program Files\XGI\twatdog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
O4 - HKCU\..\Run: [Sticker] C:\Program Files\MoRUN.net\Sticker\sticker.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: @C:\Program Files\Failsafe\GuardWall\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardWall\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardWall\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardWall\PnIE.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...11a0351cafa03db
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/do...askbar-inst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (file missing)
  • 0

#10
Metallica
Posted 02 January 2005 - 05:24 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
If you recognize Sticker you can leave it.
I listed it because it looks suspicious and I couldn't imagine it needs to start at boot.

Download and unzip:
http://www.downloads...org/KillBox.zip
Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.

C:\WINDOWS\System32\l46o0ej3eho.dll
C:\WINDOWS\System32\irlql5351.dll <= save till last
C:\WINDOWS\guard.tmp


After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5467FC41-A0BA-45F7-AAED-E51FC4CAB1C8}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]



Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - Global Startup: strings.exe

Reboot once more and post a new HijackThis log.

Regards,

Pieter
  • 0

Advertisements

#11
smonahan
Posted 02 January 2005 - 04:06 PM

smonahan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks, Pieter. Here's my new HJT log:




Logfile of HijackThis v1.99.0
Scan saved at 2:03:46 PM, on 1/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\DX90SDK\Utilities\DirectX extensions for Visual Studio .NET\DXDebugService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\system32\vuoqiw.exe
C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\MoRUN.net\Sticker\sticker.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamedev.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ‚ÔÈ
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: GuardWall - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\Program Files\Failsafe\GuardWall\PnIE.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [XGIWatchDog] C:\Program Files\XGI\twatdog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
O4 - HKCU\..\Run: [Sticker] C:\Program Files\MoRUN.net\Sticker\sticker.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: @C:\Program Files\Failsafe\GuardWall\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardWall\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardWall\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardWall\PnIE.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...11a0351cafa03db
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/do...askbar-inst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (file missing)
  • 0

#12
Metallica
Posted 03 January 2005 - 05:29 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Good. :tazz:

Download LSPfix here: http://www.cexx.org/lspfix.htm
Launch the application, and click the "I know what I'm doing" checkbox.
Check all instances of winlspak.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...11a0351cafa03db
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/do...askbar-inst.cab

Reboot into safe mode and delete:
C:\WINDOWS\system32\vuoqiw.exe

Post a new HijackThis log when you are done.

Regards,

Pieter
  • 0

#13
smonahan
Posted 03 January 2005 - 10:36 PM

smonahan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
>Check all instances of winlspak.dll (and nothing else), and move them to
>the "Remove" pane.
>Then click Finish.

There was only one instance. It gave this result:

0 Namespace provider entries removed
0 Namespace provider entries renumbered
4 Protocol provider entries removed
15 Protocol provider entries renumbered

>Reboot into
>safe mode and delete:
>C:\WINDOWS\system32\vuoqiw.exe

After I did this and rebooted normally, my Ad-watch alarm came up and said:

Warning!
An attempt to alter a protected object has been detected.
(Attempt to add a registry value)
Root: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows\Current\Version\Run
Value: Narrator
Data:
New Data: C:\WINDOWS\system32\vuoqiw.exe
[Allow][Block]

I selected Block. When I checked my Windows\system32 directory, the vuoqiw file was back. I did the entire safe mode process a second time, and after rebooting, the ad-watch alarm popped up again, I selected Block, just as before, and it looks as though the file is gone this time.

>Post a new HijackThis log when you are done.

Here it is:




Logfile of HijackThis v1.99.0
Scan saved at 8:34:14 PM, on 1/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\DX90SDK\Utilities\DirectX extensions for Visual Studio .NET\DXDebugService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
C:\Program Files\MoRUN.net\Sticker\sticker.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kgpfuh.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamedev.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ‚ÔÈ
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: GuardWall - {D2F719F3-106A-402B-9996-3A5B12ACA564} - C:\Program Files\Failsafe\GuardWall\PnIE.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: GuardWall - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\Program Files\Failsafe\GuardWall\PnIE.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [XGIWatchDog] C:\Program Files\XGI\twatdog.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
O4 - HKCU\..\Run: [Sticker] C:\Program Files\MoRUN.net\Sticker\sticker.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: @C:\Program Files\Failsafe\GuardWall\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardWall\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardWall\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardWall\PnIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (file missing)
  • 0

#14
Metallica
Posted 04 January 2005 - 10:08 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Reboot into safe mode and remove:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kgpfuh.exe

That's the last suspicious entry I see in your running processes.

Regards,

Pieter
  • 0

#15
smonahan
Posted 05 January 2005 - 12:57 AM

smonahan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Done. I think that may have done it. I am no longer getting RUNDLL errors while booting, and my GuardWall seems to be working fine now.

Thanks for all your help Pieter. You da man!!!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP