Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

CoolWWWSearch, Guard.tmp, Umonitor

Started by dasace , Jan 08 2005 03:00 AM

  • This topic is locked This topic is locked

#1
dasace
Posted 08 January 2005 - 03:00 AM

dasace

    New Member

  • Member
  • Pip
  • 9 posts
Hi,

I recently downloaded Azarus Bit Torrent client. and after the first 24 hours using it. I managed to get the CoolWWWSearch virus, and a number of spyware issues. When I turn adaware, it will find a number of ciritical objects such as VX2, ieautosearch, CoolWWWSearch, but during the process Explorer usually crashes, and the screen will flash all my desktop icons and toolar. I've tried antivirus programs (free ones like trend micro, and E-Trust EZ Armor), the detect trojans, remove them, but the keep comming back. I've seen posts like mine posted, but I don't know if its diff. for each system, since everyone is posting logs. If anyone can give me instructions on how to get rid of this, I'd really apprecaite it.

Thanks in advance!

AL
  • 0

Advertisements

#2
-=jonnyrotten=-
Posted 08 January 2005 - 04:08 AM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
-=jonnyrotten=- :tazz:
  • 0

#3
dasace
Posted 08 January 2005 - 11:13 AM

dasace

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Albert\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B43C-70C1

Directory of C:\WINDOWS\System32

01/08/2005 04:00 AM 222,890 p28q0cl5efq.dll
01/07/2005 10:32 PM 222,890 fpp4037qe.dll
12/15/2004 08:02 PM <DIR> dllcache
10/19/2004 01:08 PM <DIR> Microsoft
2 File(s) 445,780 bytes
2 Dir(s) 166,666,489,856 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B43C-70C1

Directory of C:\WINDOWS\System32

12/15/2004 08:02 PM <DIR> dllcache
10/15/2004 08:13 AM 488 logonui.exe.manifest
10/15/2004 08:13 AM 488 WindowsLogon.manifest
10/15/2004 08:13 AM 749 nwc.cpl.manifest
10/15/2004 08:13 AM 749 sapi.cpl.manifest
10/15/2004 08:13 AM 749 ncpa.cpl.manifest
10/15/2004 08:13 AM 749 wuaucpl.cpl.manifest
10/15/2004 08:13 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 166,666,489,856 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is B43C-70C1

Directory of C:\WINDOWS\System32

01/08/2005 11:57 AM 222,890 guard.tmp
03/31/2003 08:50 PM 258 RECGUARD.INI
2 File(s) 223,148 bytes
0 Dir(s) 166,666,485,760 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is B43C-70C1

Directory of C:\WINDOWS\System32

01/08/2005 11:57 AM 222,890 guard.tmp
08/28/2002 08:00 PM 2,577 CONFIG.TMP
2 File(s) 225,467 bytes
0 Dir(s) 166,666,485,760 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BFE94F7C-8BD7-46CF-9906-4F43ACEF94F4}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fpp4037qe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K
fpp403~1.dll Fri Jan 7 2005 10:32:08p ..S.R 222,890 217.66 K
logonu~1.man Fri Oct 15 2004 8:13:22a A..HR 488 0.48 K
ncpacp~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K
nwccpl~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K
p28q0c~1.dll Sat Jan 8 2005 4:00:52a ..S.R 222,890 217.66 K
sapicp~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K
window~1.man Fri Oct 15 2004 8:13:22a A..HR 488 0.48 K
wuaucp~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K

9 items found: 9 files, 0 directories.
Total of file sizes: 450,501 bytes 439.94 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\ipziub.dll: updates.qoologic.com
C:\WINDOWS\system32\luglzo.dll: updates.qoologic.com
C:\WINDOWS\system32\luplmw.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\vuyvor.exe: .aspack
C:\WINDOWS\system32\wuqwyb.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kgykpt.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Protect"="SHVRTF.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ntsmod"="C:\\WINDOWS\\system32\\ntsmod.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"VetTray"="C:\\PROGRA~1\\CA\\ETRUST~1\\ETRUST~1\\VetTray.exe"
"Narrator"="C:\\WINDOWS\\system32\\vuyvor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"







Thats the FindIt! logfile. Hope this helps. Thanks again. 8)
  • 0

#4
-=jonnyrotten=-
Posted 08 January 2005 - 01:53 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\p28q0cl5efq.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\fpp4037qe.dll
    • C:\WINDOWS\System32\ipziub.dll
    • C:\WINDOWS\System32\luglzo.dll
    • C:\WINDOWS\System32\luplmw.exe
    • C:\WINDOWS\System32\vuyvor.exe
    • C:\WINDOWS\System32\wuqwyb.dat
    • C:\\WINDOWS\\system32\\fpp4037qe.dll
    • C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kgykpt.exe
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer.
  • Double-click on find.bat and post the new output.txt.
Reboot normally and post new log.

-=jonnyrotten=- :tazz:
  • 0

#5
dasace
Posted 08 January 2005 - 02:47 PM

dasace

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I did all the killbox commands, however after every line I tried to delete, and select No, when it asks to reboot, I got another box that said The file could not be deleted. However, I don't know if it worked or not. Here is the new log.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Albert\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B43C-70C1

Directory of C:\WINDOWS\System32

01/08/2005 03:42 PM 222,890 macshext.dll
01/08/2005 12:20 PM 222,890 fpru0399e.dll
01/08/2005 12:18 PM 222,890 o8840ilqe8qe0.dll
12/15/2004 08:02 PM <DIR> dllcache
10/19/2004 01:08 PM <DIR> Microsoft
3 File(s) 668,670 bytes
2 Dir(s) 166,636,515,328 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B43C-70C1

Directory of C:\WINDOWS\System32

12/15/2004 08:02 PM <DIR> dllcache
10/15/2004 08:13 AM 488 logonui.exe.manifest
10/15/2004 08:13 AM 488 WindowsLogon.manifest
10/15/2004 08:13 AM 749 nwc.cpl.manifest
10/15/2004 08:13 AM 749 sapi.cpl.manifest
10/15/2004 08:13 AM 749 ncpa.cpl.manifest
10/15/2004 08:13 AM 749 wuaucpl.cpl.manifest
10/15/2004 08:13 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 166,636,515,328 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is B43C-70C1

Directory of C:\WINDOWS\System32

03/31/2003 08:50 PM 258 RECGUARD.INI
1 File(s) 258 bytes
0 Dir(s) 166,636,511,232 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is B43C-70C1

Directory of C:\WINDOWS\System32

08/28/2002 08:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 166,636,511,232 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BFE94F7C-8BD7-46CF-9906-4F43ACEF94F4}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o8840ilqe8qe0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K
fpru03~1.dll Sat Jan 8 2005 12:20:50p ..S.R 222,890 217.66 K
logonu~1.man Fri Oct 15 2004 8:13:22a A..HR 488 0.48 K
macshext.dll Sat Jan 8 2005 3:42:12p ..S.R 222,890 217.66 K
ncpacp~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K
nwccpl~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K
o8840i~1.dll Sat Jan 8 2005 12:18:06p ..S.R 222,890 217.66 K
sapicp~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K
window~1.man Fri Oct 15 2004 8:13:22a A..HR 488 0.48 K
wuaucp~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K

10 items found: 10 files, 0 directories.
Total of file sizes: 673,391 bytes 657.61 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\ipziub.dll: updates.qoologic.com
C:\WINDOWS\system32\luglzo.dll: updates.qoologic.com
C:\WINDOWS\system32\luplmw.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\vuyvor.exe: .aspack
C:\WINDOWS\system32\wuqwyb.dat: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Protect"="SHVRTF.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ntsmod"="C:\\WINDOWS\\system32\\ntsmod.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"VetTray"="C:\\PROGRA~1\\CA\\ETRUST~1\\ETRUST~1\\VetTray.exe"
"Narrator"="C:\\WINDOWS\\system32\\vuyvor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#6
Metallica
Posted 08 January 2005 - 03:07 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.

C:\WINDOWS\system32\ipziub.dll
C:\WINDOWS\system32\luglzo.dll
C:\WINDOWS\system32\luplmw.exe
C:\WINDOWS\system32\vuyvor.exe
C:\WINDOWS\system32\macshext.dll
C:\WINDOWS\system32\fpru0399e.dll
C:\WINDOWS\system32\wuqwyb.dat
C:\WINDOWS\system32\o8840ilqe8qe0.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BFE94F7C-8BD7-46CF-9906-4F43ACEF94F4}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-


Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button

Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and doubleclick recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.

Regards,

Pieter
  • 0

#7
dasace
Posted 08 January 2005 - 03:29 PM

dasace

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks!

I did everything you said to do. After I ran the VX2Finder, and hit Restore Policies, it requested a restart, which I did. Then I created the reclymer.bat and installed it. Here is a new FindIt log.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Albert\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B43C-70C1

Directory of C:\WINDOWS\System32

12/15/2004 08:02 PM <DIR> dllcache
10/19/2004 01:08 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 166,644,785,152 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B43C-70C1

Directory of C:\WINDOWS\System32

12/15/2004 08:02 PM <DIR> dllcache
10/15/2004 08:13 AM 488 logonui.exe.manifest
10/15/2004 08:13 AM 488 WindowsLogon.manifest
10/15/2004 08:13 AM 749 nwc.cpl.manifest
10/15/2004 08:13 AM 749 sapi.cpl.manifest
10/15/2004 08:13 AM 749 ncpa.cpl.manifest
10/15/2004 08:13 AM 749 wuaucpl.cpl.manifest
10/15/2004 08:13 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 166,644,785,152 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is B43C-70C1

Directory of C:\WINDOWS\System32

01/08/2005 04:17 PM 222,890 guard.tmp
03/31/2003 08:50 PM 258 RECGUARD.INI
2 File(s) 223,148 bytes
0 Dir(s) 166,644,781,056 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is B43C-70C1

Directory of C:\WINDOWS\System32

01/08/2005 04:17 PM 222,890 guard.tmp
08/28/2002 08:00 PM 2,577 CONFIG.TMP
2 File(s) 225,467 bytes
0 Dir(s) 166,644,781,056 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fpru0399e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K
logonu~1.man Fri Oct 15 2004 8:13:22a A..HR 488 0.48 K
ncpacp~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K
nwccpl~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K
sapicp~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K
window~1.man Fri Oct 15 2004 8:13:22a A..HR 488 0.48 K
wuaucp~1.man Fri Oct 15 2004 8:13:18a A..HR 749 0.73 K

7 items found: 7 files, 0 directories.
Total of file sizes: 4,721 bytes 4.61 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Protect"="SHVRTF.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ntsmod"="C:\\WINDOWS\\system32\\ntsmod.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"VetTray"="C:\\PROGRA~1\\CA\\ETRUST~1\\ETRUST~1\\VetTray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

#8
Metallica
Posted 08 January 2005 - 03:36 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Almost there.

Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.

C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\system32\fpru0399e.dll

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]

Then post a HijackThis log.

Regards,

Pieter
  • 0

#9
dasace
Posted 08 January 2005 - 03:41 PM

dasace

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok, I'm in process of doing those steps. Is a HijackThis log the same as the ones I've been posting?
  • 0

#10
dasace
Posted 08 January 2005 - 03:48 PM

dasace

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Done with that step. Heres the HijackThis log.

Logfile of HijackThis v1.99.0
Scan saved at 4:47:49 PM, on 1/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\SHVRTF.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ntsmod.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ntsmod] C:\WINDOWS\system32\ntsmod.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: raid_tool.exe.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098105293812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
  • 0

Advertisements

#11
Metallica
Posted 08 January 2005 - 03:51 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
:tazz:

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [ntsmod] C:\WINDOWS\system32\ntsmod.exe

Reboot and surf to:
http://www.kaspersky.com/scanforvirus
Upload C:\WINDOWS\system32\ntsmod.exe and let me know the results.

Regards,

Pieter
  • 0

#12
dasace
Posted 08 January 2005 - 04:10 PM

dasace

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok, done the HijackThis file removal.
Unfortunately I think the KaperskyLab servers are down or slow. Its not loading the entire page for me. I can only get the page title on the bar.

Should I run AdAware and see what it picks up?
  • 0

#13
Metallica
Posted 08 January 2005 - 04:13 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you mail the file to me?
I'll have a look.

Send it (preferably zipped) to pieterATwilderssecurity.org (replace AT with @)

Regards,

Pieter
  • 0

#14
dasace
Posted 08 January 2005 - 05:03 PM

dasace

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Done. Thanks!
  • 0

#15
Metallica
Posted 08 January 2005 - 05:20 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts

Done. Thanks!

View Post


Nothing yet.
I'll check again tomorrow.

Good night,

Pieter
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP