
VX2,Umonitor,dll...problem [resolved]



#1
4fun

4fun

    Member

  • Member
  • PipPip
  • 35 posts
Excuse me, Pieter! I mistyped the "AWW", it should be "AAW". I'm terribly sorry ...
As you suggested, here's my logfile:


Logfile of HijackThis v1.99.0
Scan saved at 15:03:19, on 02/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\FREEME~1\fmempro.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Symmetricom\SymmTime\SymmTime.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\MTDFVP\TDFVP.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\mtd2002\mtd2002EVA.exe
C:\Program Files\mtd2002\MTDSERVER.EXE
C:\Program Files\mtd2002\MTDSHELF.EXE
C:\Program Files\eMule\emule.exe
C:\Documents and Settings\Bui DK\Mes documents\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~1\fmempro.exe" autostart
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: LimeWire 4.2.6 Pro.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Sam.lnk = ?
O4 - Global Startup: SymmTime.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Service COM de gravage de CD IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Service Norton AntiVirus Auto-Protect - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall - Unknown - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe (file missing)
O23 - Service: Plug-and-Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Carte à puce - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\FICHIE~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Journaux et alertes de performance - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet - Unknown - C:\WINDOWS\System32\tlntsvr.exe
O23 - Service: Trend NT Realtime Service - Unknown - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Proxy Service - Unknown - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe (file missing)
O23 - Service: Cliché instantané de volume - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
  • 0



#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I need some extra information.

1. Do you know what this does?
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f

2. I noticed some leftovers from Trend Micro. Did you uninstall that?

3.
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
Regards,

Pieter
  • 0

#3
4fun

4fun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Yes,
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f is just a kind of dictionary.


I did install Trend Micro before, but already uninstalled it; I don't know why it left those files. I will delete them manually.





:tazz: That find.bat does not seem to work for me!! I tried double-clicking it several times, but the command prompt always opened and shut down immediately (I couldn't read the phrase written in that command prompt). I didn't get any pop-up windows. However, I got a file named "Find-It" on drive C. It contains 9 text documents named: guard, header.txtheader, locate, system, useragent, header, hidden, notify, temp. And here are their contents:
+guard :
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est DC74-3CFB

Répertoire de C:\WINDOWS\System32

02/01/2005 18:52 223 783 guard.tmp
1 fichier(s) 223 783 octets
0 Rép(s) 127 115 427 840 octets libres

--------- Temp Files in System32 Directory --------


+header.txtheader : ( empty )
+locate :
------------ Strings.exe Qoologic Results ------------


+system :
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est DC74-3CFB

Répertoire de C:\WINDOWS\System32

02/01/2005 16:57 223 783 n6r20g9oe6.dll
02/01/2005 16:47 224 303 e2jm0c11ef.dll
02/01/2005 16:29 223 783 t88ulil918q.dll
02/01/2005 14:03 224 303 sqellstyle.dll
01/01/2005 17:22 223 377 ovhlp30e.dll
29/12/2004 17:26 <REP> dllcache
07/11/2004 03:32 <REP> Microsoft
5 fichier(s) 1 119 549 octets
2 Rép(s) 127 115 431 936 octets libres

------- Hidden Files in System32 Directory -------


+useragent :
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{95C4C51E-2B06-48A8-9309-678466914AB5}"=""


------------ Keys Under Notify ------------


+header :

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Bui DK\Mes documents

------- System Files in System32 Directory -------



+hidden :

Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est DC74-3CFB

Répertoire de C:\WINDOWS\System32

29/12/2004 17:26 <REP> dllcache
29/12/2004 16:37 0 RBKCDD7.tmp.LOG
29/12/2004 16:37 0 RBKCDD4.tmp.LOG
29/12/2004 16:37 0 RBKCDCF.tmp.LOG
29/12/2004 16:37 0 RBKCDCC.tmp.LOG
29/12/2004 16:37 0 RBKCDC7.tmp.LOG
29/12/2004 16:37 0 RBKCDC4.tmp.LOG
29/12/2004 16:37 0 RBKCDBF.tmp.LOG
29/12/2004 16:37 0 RBKCDBC.tmp.LOG
29/12/2004 16:37 0 RBKCDB7.tmp.LOG
29/12/2004 16:37 0 RBKCDB4.tmp.LOG
29/12/2004 16:37 0 RBKCDAF.tmp.LOG
29/12/2004 16:37 0 RBKCDAC.tmp.LOG
29/12/2004 14:11 0 RBK1778.tmp.LOG
29/12/2004 14:11 0 RBK1773.tmp.LOG
29/12/2004 14:11 0 RBK1770.tmp.LOG
29/12/2004 14:11 0 RBK176B.tmp.LOG
29/12/2004 14:11 0 RBK1768.tmp.LOG
29/12/2004 14:11 0 RBK1763.tmp.LOG
29/12/2004 14:11 0 RBK1760.tmp.LOG
29/12/2004 14:11 0 RBK175B.tmp.LOG
29/12/2004 14:11 0 RBK1758.tmp.LOG
29/12/2004 14:11 0 RBK1753.tmp.LOG
29/12/2004 14:11 0 RBK1750.tmp.LOG
29/12/2004 14:11 0 RBK174B.tmp.LOG
29/12/2004 12:34 0 RO1F70.tmp.LOG
29/12/2004 12:34 0 RO1F6B.tmp.LOG
29/12/2004 12:34 0 RO1F68.tmp.LOG
29/12/2004 12:34 0 RO1F63.tmp.LOG
29/12/2004 12:34 0 RO1F60.tmp.LOG
29/12/2004 12:34 0 RO1F5B.tmp.LOG
29/12/2004 12:34 0 RO1F58.tmp.LOG
29/12/2004 12:34 0 RO1F53.tmp.LOG
29/12/2004 12:34 0 RO1F50.tmp.LOG
29/12/2004 12:34 0 RO1F4B.tmp.LOG
29/12/2004 12:34 0 RO1F48.tmp.LOG
29/12/2004 12:34 0 RO1F43.tmp.LOG
29/12/2004 11:52 0 RBK2D5B.tmp.LOG
29/12/2004 11:52 0 RBK2D58.tmp.LOG
29/12/2004 11:52 0 RBK2D53.tmp.LOG
29/12/2004 11:52 0 RBK2D50.tmp.LOG
29/12/2004 11:52 0 RBK2D4B.tmp.LOG
29/12/2004 11:52 0 RBK2D48.tmp.LOG
29/12/2004 11:52 0 RBK2D43.tmp.LOG
29/12/2004 11:52 0 RBK2D40.tmp.LOG
29/12/2004 11:52 0 RBK2D3B.tmp.LOG
29/12/2004 11:52 0 RBK2D38.tmp.LOG
29/12/2004 11:52 0 RBK2D33.tmp.LOG
29/12/2004 11:52 0 RBK2D30.tmp.LOG
29/12/2004 11:01 237 568 RBK2D50.bak
29/12/2004 11:01 3 670 016 RBK2D58.bak
29/12/2004 11:01 237 568 RBK2D48.bak
28/12/2004 18:56 262 144 RBK2D5B.bak
10/11/2004 15:34 262 144 RBK2D53.bak
10/11/2004 15:34 262 144 RBK2D4B.bak
07/11/2004 01:59 488 logonui.exe.manifest
07/11/2004 01:59 488 WindowsLogon.manifest
07/11/2004 01:59 749 cdplayer.exe.manifest
07/11/2004 01:59 749 sapi.cpl.manifest
07/11/2004 01:59 749 nwc.cpl.manifest
07/11/2004 01:59 749 ncpa.cpl.manifest
07/11/2004 01:59 749 wuaucpl.cpl.manifest
61 fichier(s) 4 936 305 octets
1 Rép(s) 127 115 427 840 octets libres

---------- Files Named "Guard" -------------



+notify :

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\t88ulil918q.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------



+temp :

Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est DC74-3CFB

Répertoire de C:\WINDOWS\System32

02/01/2005 18:52 223 783 guard.tmp
29/12/2004 16:37 57 344 RBKCDAC.tmp
29/12/2004 14:11 57 344 RBK174B.tmp
29/12/2004 11:52 57 344 RBK2D30.tmp
28/08/2001 13:00 3 072 CONFIG.TMP
5 fichier(s) 398 887 octets
0 Rép(s) 127 115 423 744 octets libres

---------------- User Agent ------------


I think the names of these text documents are misplaced :thumbsup: ..... Anyway, I couldn't find the Notepad output.txt as you recommended. ;)
I know my work was not as good as you expected ..... sorry guy.
Thanks for your care!
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
It must be a language problem, but I think I have everything I need.

Download and unzip:
http://www.downloads...org/KillBox.zip
Run Killbox and paste each of these lines into the box, select delete on reboot, then press the red X button. When it says reboot now, say no, and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.

C:\WINDOWS\system32\n6r20g9oe6.dll
C:\WINDOWS\system32\e2jm0c11ef.dll
C:\WINDOWS\system32\sqellstyle.dll
C:\WINDOWS\system32\ovhlp30e.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\t88ulil918q.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{95C4C51E-2B06-48A8-9309-678466914AB5}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]


Download and run: http://www.downloads...g/VX2Finder.exe

Use the User Agent$ and Restore Policy Buttons.
Reboot when prompted to.

Now we need to find the name of your Recycle Bin. This depends on your file system.
First set hidden files/folders to show as follows:
Double Click on My Computer.
Click on Tools > Folder Options... in the menus.
Click on the View tab.
Select Show hidden files and folders under Hidden files and folders.
Click Apply to all folders.
Click the OK button.

Now in the C:\ directory you should see a (transparent) folder that is either called Recycler or Recycled. Adapt the part below to match yours.

Check the name of your folder first (it depends on your filesystem) and then go to Start > Run, type "Cmd" without quotes, and hit OK.

At the prompt, type the following and hit Enter after each line:
Type: cd\ [enter]
Type: attrib -s -h recycled [enter] or attrib -s -h recycler [enter]
Type: del recycled [enter] or del recycler [enter]

Reboot and let us know if it's fixed.

Regards,

Pieter
  • 0
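The check behind the fix in post #4, as an added example that is not part of the thread: it parses a REGEDIT4 export of the Winlogon\Notify key, decodes the `hex(2)` `DllName` values, and flags subkeys whose DLL appears in the System32 listing from post #3. The function names and the "full path" heuristic (every other entry in this dump uses a bare file name) are assumptions made for the example.

```python
import ntpath
import re

# Excerpt of the REGEDIT4 export posted in #3 (three subkeys, values trimmed).
NOTIFY_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\t88ulil918q.dll"
"Logon"="WinLogon"
'''

# DLL names from the "system" listing in post #3 (lower-cased for comparison).
LISTED_DLLS = {"n6r20g9oe6.dll", "e2jm0c11ef.dll", "t88ulil918q.dll",
               "sqellstyle.dll", "ovhlp30e.dll"}

NOTIFY_ROOT = (r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT'
               r'\CurrentVersion\Winlogon\Notify')

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def decode_value(data):
    """Decode the value types that occur in the export (str or int)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        # REG_SZ: backslashes and quotes are backslash-escaped in .reg files.
        return re.sub(r'\\(.)', r'\1', data[1:-1])
    if data.startswith('dword:'):
        return int(data[6:], 16)
    m = re.match(r'hex\(2\):(.*)$', data)
    if m:
        # REG_EXPAND_SZ: REGEDIT4 exports store ANSI bytes, NUL-terminated.
        raw = bytes(int(b, 16) for b in m.group(1).split(',') if b.strip())
        return raw.split(b'\x00', 1)[0].decode('cp1252', errors='replace')
    return data  # other types are left undecoded


def parse_reg(text):
    """Return {key_path: {lower-cased value name: decoded value}}."""
    # Long hex values are wrapped with a trailing backslash; join them first.
    text = re.sub(r'\\\r?\n[ \t]*', '', text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group('key'), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Value names are case-insensitive ("DllName" vs "DLLName").
            current[m.group('name').lower()] = decode_value(m.group('data'))
    return keys


def review_notify(text, listed_dlls):
    """Return [(subkey, dll, reasons)] for Notify entries worth a closer look."""
    findings = []
    prefix = NOTIFY_ROOT.lower() + '\\'
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(prefix):
            continue
        dll = values.get('dllname')
        if not isinstance(dll, str):
            continue
        reasons = []
        if ntpath.basename(dll).lower() in listed_dlls:
            reasons.append('DLL is in the System32 listing')
        if ntpath.dirname(dll):
            # Heuristic assumed for this example, based on this dump only.
            reasons.append('DllName is a full path')
        if reasons:
            findings.append((key[len(prefix):], dll, reasons))
    return findings


if __name__ == '__main__':
    for subkey, dll, reasons in review_notify(NOTIFY_EXPORT, LISTED_DLLS):
        print(f'{subkey}: {dll} ({"; ".join(reasons)})')
```

A flagged entry is a lead to verify, not a verdict; the listing tool itself warns that it finds legitimate files as well.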

#5
4fun

4fun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Arggg... It couldn't be fixed! After downloading the VX2finder, I could only press the Restore Policy button, because the User Agent$ is transparent! And as you said, it demanded a reboot, but after that, I couldn't find the transparent folder named recycled or recycler in the C:\ directory... (I'm sure that all the hidden files or folders were shown). So I had to stop here at this step..... :tazz:
Thanks a lot for your help!
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
The fact that the User Agent$ was greyed out is actually a good sign.

Could you copy and paste the text in bold into your IE addressbar and post the results that get displayed:
java script:navigator.userAgent

Post that along with a new HijackThis log.

Regards,

Pieter
  • 0

#7
4fun

4fun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Ok, here is what i got :
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
  • 0

#8
4fun

4fun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Ok, here is what i got with the IE :

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Here is my HijackThis log :

Logfile of HijackThis v1.99.0
Scan saved at 23:05:23, on 02/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\FREEME~1\fmempro.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Symmetricom\SymmTime\SymmTime.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\mtd2002\MTDSERVER.EXE
C:\Program Files\mtd2002\MTDSHELF.EXE
C:\Program Files\eMule\emule.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bui DK\Mes documents\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~1\fmempro.exe" autostart
O4 - HKCU\..\Run: [mtd2002Svr] "C:\Program Files\mtd2002"\mtdserver.exe -f
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: LimeWire 4.2.6 Pro.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Sam.lnk = ?
O4 - Global Startup: SymmTime.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Service COM de gravage de CD IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Service Norton AntiVirus Auto-Protect - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall - Unknown - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe (file missing)
O23 - Service: Plug-and-Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Carte à puce - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\FICHIE~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Journaux et alertes de performance - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet - Unknown - C:\WINDOWS\System32\tlntsvr.exe
O23 - Service: Trend NT Realtime Service - Unknown - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Proxy Service - Unknown - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe (file missing)
O23 - Service: Cliché instantané de volume - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe

Thanks !
  • 0

#9
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Excellent. Looks like we wormed our way through removing it there. :tazz:

A few more things to do.

Click Start > Run > type or copy & paste regsvr32 "C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll"

Repeat the procedure for:
regsvr32 "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll"

I do not see any signs of any other BHOs you were using. Just to explain: sometimes this infection wipes out the entire BHO key in the registry. Seeing that the two above should have been there and are gone, I think this is what happened to you.
If you think of any more you should have, let me know.

Regards,

Pieter
  • 0
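An added check, not part of the original thread: after the two regsvr32 steps above, this lists the Browser Helper Objects registered under HKLM, resolves each CLSID to its DLL, and reports whether the two DLLs named in the post are registered again. It assumes Windows PowerShell is available on the machine; the variable names are illustrative.

```powershell
# Added example. DLL names below are the two from the regsvr32 commands in the post.
$expected = @('NISShExt.dll', 'NavShExt.dll')

# Native registry view, plus the 32-bit view that exists only on 64-bit Windows.
$views  = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')
$bhoSub = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

$found = foreach ($view in $views) {
    $bhoKey = Join-Path $view $bhoSub
    if (-not (Test-Path -LiteralPath $bhoKey)) {
        # A missing native key matches the "whole BHO key wiped" case described above.
        if ($view -eq $views[0]) { Write-Warning "BHO key is missing: $bhoKey" }
        continue
    }
    foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid  = $sub.PSChildName
        $srvKey = Join-Path $view "Classes\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $srvKey) {
            # The default value of InprocServer32 is the path of the COM DLL.
            $dll = (Get-Item -LiteralPath $srvKey).GetValue('')
        }
        [pscustomobject]@{
            Clsid  = $clsid
            Dll    = $dll
            OnDisk = [bool]($dll -and (Test-Path -LiteralPath $dll))
        }
    }
}

# Every BHO Internet Explorer will try to load, and whether its file exists.
$found | Format-Table -AutoSize

# Compare by file name, since the registry may hold an 8.3 short path.
$registered = @($found | Where-Object { $_.Dll } |
    ForEach-Object { Split-Path -Leaf $_.Dll })
foreach ($name in $expected) {
    if ($registered -contains $name) {
        Write-Output "$name is registered as a BHO"
    } else {
        Write-Output "$name is NOT registered as a BHO"
    }
}
```

An entry with an empty Dll column, or with OnDisk set to False, is a leftover registration whose file is gone and is worth a closer look.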

#10
4fun

4fun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Wow, it's marvellous of you! All of the VX2, pop up windows, alerts.... are driven out by your action from distance!!! I don't know how to say it, you're perfect :tazz: and thank you so much!
But, frankly speaking, I don't really understand this .... and I'm not good enough to think of anything else your explanation. :thumbsup:
Hmm.... I've got another trouble, it looks like that my Recycle Bin didn't work, every time I delete a folder or a file, it isn't sent to the Recycle Bin, but directly removed forever from my CPU, and I'm sure that this is not the consequence of our work. I had thought the malware made this and hoped after deleting it, this would be fixed, but now, it remains....
Anyway, you made to me a picture of Saint! Wonderful, you!

;) Thank you all the way I could!
  • 0

#11
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts

Now we need to find the name of your Recycle Bin. This depends on your file system.
First set hidden files/folders to show as follows:
Double Click on My Computer.
Click on Tools > Folder Options... in the menus.
Click on the View tab.
Select Show hidden files and folders under Hidden files and folders.
Click Apply to all folders.
Click the OK button.

Now in the C:\ directory you should see a (transparent) folder that is either called Recycler or Recycled. Adapt the part below to match yours.

Check the name of your folder first (it depends on your filesystem) and then go to Start > Run and type "Cmd" without quotes and hit OK

At the prompt, type the following and hit Enter after each line:
Type: cd\ [enter]
Type: attrib -s -h recycled [enter] or attrib -s -h recycler [enter]
Type: del recycled [enter] or del recycler [enter]

Reboot and let us know if it's fixed.



That should have taken care of your Recycle Bin problems.

Do you know if your computer is using FAT or NTFS ?
You can check this by double-clicking "My Computer"
Right-click C: and choose Properties
On the General tab the Filesystem will be listed.
Let me know.

Regards,

Pieter
  • 0

#12
4fun

4fun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
I didn't find the transparent folder named Recycled or Recycler as you talked in the C:\ !! So I can't tell you if this works. My computer is using NTFS. That's all I can do now.

(I don't understand why I couldn't access the forum by using Mozilla Firefox yesterday, and today, either! But now I can by using IE (yesterday IE didn't work, either). The problem was that the page of forum didn't appear, it was another page named "cPanel"; and sometimes there were some phrases saying that this page got some errors, ..... :tazz: )

Thank you for your help !
  • 0

#13
admin

admin

    Founder Geek

  • Community Leader
  • 24,639 posts

I didn't find the transparent folder named Recycled or Recycler as you talked in the C:\ !! So I can't tell you if this works.

Be sure you're able to view hidden and system files: http://www.xtra.co.n...1916458,00.html

I don't understand why I couldn't access the forum by using Mozilla Firefox yesterday, and today, either! But now I can by using IE (yesterday IE didn't work, either). The problem was that the page of forum didn't appear, it was another page named "cPanel"; and sometimes there were some phrases saying that this page got some errors, .....

The problem was on our end. We had some server troubles.
  • 0

#14
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
This should work for everyone.

Copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and double-click recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.

Regards,

Pieter
  • 0

#15
4fun

4fun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Ah, I'm sorry, it did work, it's my fault, I didn't uncheck "Hide protected operating system files (recommended)". And I followed the solution of using the prompt, now it was fixed! How can you guys do that, it's incredible :thumbsup: !!! Cool!!!! Thank you all so much! I began to be attracted by you :tazz:! As you know, the CPU usually gets in trouble, but now I am ensured to fix them all! ;)

For some times before, when I ran so many programs, my CPU shut down suddenly and rebooted. Then, when the Window started up, my webroot spysweeper sometimes popped up an alert: KernelFaultCheck (processing startup alerts), I was informed this is a system function? But after that, I got some others reports of Microsoft:

Le système a récupéré d'une erreur sérieuse. (cursory translation: The system retrieved a serious error)

Signature de l'erreur
BCCode : 1000000a BCP1 : 9CE82240 BCP2 : 00000002 BCP3 : 00000000
BCP4 : 8051EC1C OSVer : 5_1_2600 SP : 2_0 Product : 256_1

Les fichiers suivants seront inclus dans ce rapport : (These following files will be included in this report)

C:\DOCUME~1\BUIDK~1\LOCALS~1\Temp\WER868f.dir00\Mini010305-01.dmp

C:\DOCUME~1\BUIDK~1\LOCALS~1\Temp\WER868f.dir00\sysdata.xml

This doesn't appear all the time, maybe just anytime I run too much the programs, so I don't know if this can be an error .... Could you help me out?

Thank you all !!!
  • 0





