output.txt of Finditnt2000xp



#1
fifthlui

  • Member
  • 11 posts
Hi Stuff,

Metallica had just wanted me to download the Finditnt2000xp and then send the log file in here.

Would you please check and help me? I don't know what to do ;) and I am really getting bored of this s***.

Thanks Metallica and thank you all in advance :tazz:

--------------------------------------------------------------------------------------------

Find.bat is running from: C:\Documents and Settings\sales team\My Documents\Programs\Virus\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5089-55FE

Directory of C:\WINDOWS\System32

14.01.05 09:33 225.615 abtxprxy.dll
13.01.05 11:45 226.247 hrj8051ue.dll
12.01.05 17:03 225.615 g4220efoeh2c0.dll
03.01.05 16:36 <DIR> dllcache
30.12.04 09:20 225.197 ogbctrac.dll
29.12.04 14:12 135 fhrpath.txt
28.12.04 11:02 224.031 hr4405hqe.dll
28.12.04 09:59 225.197 wjps.dll
28.12.04 09:38 224.031 HQIMON.DLL
25.12.04 14:15 10.022 KGyGaAvL.sys
22.12.04 16:15 225.447 lv2u09f9e.dll
21.12.04 09:09 224.235 mukbcoin.dll
17.12.04 13:03 224.954 t8r8li9u18.dll
17.12.04 09:43 224.994 o8luli3918.dll
13.12.04 09:19 225.150 gp2ml3f11.dll
10.12.04 09:44 225.150 pfrfctrs.dll
06.12.04 13:16 9.386 sysfhr.dat
27.11.04 16:00 226.004 en86l1ls1.dll
14.10.04 13:46 <DIR> Microsoft
27.02.04 15:25 61.440 fhrrc.dll
14.04.03 03:00 71.588 sysfhr.sys
19 File(s) 3.304.438 bytes
2 Dir(s) 60.126.834.688 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5089-55FE

Directory of C:\WINDOWS\System32

03.01.05 16:36 <DIR> dllcache
29.12.04 14:12 135 fhrpath.txt
25.12.04 14:15 10.022 KGyGaAvL.sys
13.12.04 11:55 488 logonui.exe.manifest
13.12.04 11:55 488 WindowsLogon.manifest
13.12.04 11:55 749 cdplayer.exe.manifest
13.12.04 11:55 749 sapi.cpl.manifest
13.12.04 11:55 749 nwc.cpl.manifest
13.12.04 11:55 749 ncpa.cpl.manifest
13.12.04 11:55 749 wuaucpl.cpl.manifest
06.12.04 13:16 9.386 sysfhr.dat
14.04.03 03:00 71.588 sysfhr.sys
11 File(s) 95.852 bytes
1 Dir(s) 60.126.830.592 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 5089-55FE

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 5089-55FE

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{183BC4E8-8242-43B4-B0CD-FD0DD22BE27B}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g4220efoeh2c0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
abtxprxy.dll Fri 14 Jan 2005 9:33:58 ..S.R 225.615 220,32 K
cdplay~1.man Mon 13 Dec 2004 11:55:08 A..HR 749 0,73 K
en86l1~1.dll Sat 27 Nov 2004 16:00:28 ..S.R 226.004 220,71 K
fhrpath.txt Wed 29 Dec 2004 14:12:46 A.SH. 135 0,13 K
g4220e~1.dll Wed 12 Jan 2005 17:03:08 ..S.R 225.615 220,32 K
gp2ml3~1.dll Mon 13 Dec 2004 9:19:06 ..S.R 225.150 219,87 K
hqimon.dll Tue 28 Dec 2004 9:38:10 ..S.R 224.031 218,78 K
hr4405~1.dll Tue 28 Dec 2004 11:02:48 ..S.R 224.031 218,78 K
hrj805~1.dll Thu 13 Jan 2005 11:45:14 ..S.R 226.247 220,94 K
kgygaavl.sys Sat 25 Dec 2004 14:15:16 A.SH. 10.022 9,79 K
logonu~1.man Mon 13 Dec 2004 11:55:14 A..HR 488 0,48 K
lv2u09~1.dll Wed 22 Dec 2004 16:15:02 ..S.R 225.447 220,16 K
mukbcoin.dll Tue 21 Dec 2004 9:09:34 ..S.R 224.235 218,98 K
ncpacp~1.man Mon 13 Dec 2004 11:55:08 A..HR 749 0,73 K
nwccpl~1.man Mon 13 Dec 2004 11:55:08 A..HR 749 0,73 K
o8luli~1.dll Fri 17 Dec 2004 9:43:42 ..S.R 224.994 219,72 K
ogbctrac.dll Thu 30 Dec 2004 9:20:30 ..S.R 225.197 219,92 K
pfrfctrs.dll Fri 10 Dec 2004 9:44:06 ..S.R 225.150 219,87 K
sapicp~1.man Mon 13 Dec 2004 11:55:08 A..HR 749 0,73 K
sysfhr.dat Mon 6 Dec 2004 13:16:06 ..SHR 9.386 9,16 K
t8r8li~1.dll Fri 17 Dec 2004 13:03:36 ..S.R 224.954 219,68 K
window~1.man Mon 13 Dec 2004 11:55:14 A..HR 488 0,48 K
wjps.dll Tue 28 Dec 2004 9:59:38 ..S.R 225.197 219,92 K
wuaucp~1.man Mon 13 Dec 2004 11:55:08 A..HR 749 0,73 K

24 items found: 24 files, 0 directories.
Total of file sizes: 3.176.131 bytes 3,03 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"NWTRAY"="NWTRAY.EXE"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"MyWebSearch Email Plugin"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"






#2
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
Download and unzip:
http://www.downloads...org/KillBox.zip
Run Killbox and paste each of these lines into the box, select "Delete on reboot", then press the red X button. When it says reboot now, say no and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.

C:\WINDOWS\System32\abtxprxy.dll
C:\WINDOWS\System32\hrj8051ue.dll
C:\WINDOWS\System32\ogbctrac.dll
C:\WINDOWS\System32\hr4405hqe.dll
C:\WINDOWS\System32\wjps.dll
C:\WINDOWS\System32\lv2u09f9e.dll
C:\WINDOWS\System32\mukbcoin.dll
C:\WINDOWS\System32\t8r8li9u18.dll
C:\WINDOWS\System32\o8luli3918.dll
C:\WINDOWS\System32\gp2ml3f11.dll
C:\WINDOWS\System32\pfrfctrs.dll
C:\WINDOWS\System32\en86l1ls1.dll
C:\WINDOWS\System32\g4220efoeh2c0.dll <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{183BC4E8-8242-43B4-B0CD-FD0DD22BE27B}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]


Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button.

Then copy & paste the text in bold below into Notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and double-click recyclerem.bat.

Your computer will reboot and you will have a shiny new (empty) recycle bin.

Post back with a HijackThis log.

Regards,

Pieter
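
As an added example (not part of the original thread and not code from Metallica or from the Find It tool), this Python script parses excerpts of the log in post #1 to show which System32 file the Winlogon\Notify\Installer key loads and whether the directory listing contains it. The function names and the same-size comparison are assumptions made for this illustration.

```python
import re
# Excerpts copied from the Find.bat output in post #1 (not the full log).
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"DllName"="C:\\WINDOWS\\system32\\g4220efoeh2c0.dll"
'''
DIR_LISTING = '''
14.01.05 09:33 225.615 abtxprxy.dll
12.01.05 17:03 225.615 g4220efoeh2c0.dll
03.01.05 16:36 <DIR> dllcache
27.02.04 15:25 61.440 fhrrc.dll
'''
NOTIFY = "\\winlogon\\notify\\"   # only subkeys of Notify register a DLL
ROW = re.compile(r"^\d\d\.\d\d\.\d\d \d\d:\d\d\s+([\d.]+)\s+(\S.*)$")

def notify_dlls(reg_text):
    """Return {subkey: DllName} for every subkey of the Winlogon Notify key."""
    found, key = {}, ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.lower().startswith('"dllname"="') and NOTIFY in key.lower():
            # REGEDIT4 exports double every backslash inside a string value.
            value = line.split("=", 1)[1].strip('"').replace("\\\\", "\\")
            if value:
                found[key[key.lower().index(NOTIFY) + len(NOTIFY):]] = value
    return found

def listed_files(dir_text):
    """Return {lowercase name: bytes}; this log uses a dot as thousands separator."""
    rows = (ROW.match(line.strip()) for line in dir_text.splitlines())
    return {m.group(2).lower(): int(m.group(1).replace(".", "")) for m in rows if m}

def triage(reg_text, dir_text):
    """Per Notify subkey: DLL path, whether the listing shows it, same-size files."""
    files, report = listed_files(dir_text), []
    for subkey, path in notify_dlls(reg_text).items():
        name = path.rsplit("\\", 1)[-1].lower()
        size = files.get(name)
        # Assumption of this example: equal byte size marks files worth comparing.
        twins = sorted(n for n, s in files.items() if s == size and n != name)
        report.append({"subkey": subkey, "dll": path,
                       "listed": size is not None, "same_size": twins})
    return report

if __name__ == "__main__":
    print(triage(REG_EXPORT, DIR_LISTING))
```
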

#3
fifthlui

  • Topic Starter
  • Member
  • 11 posts
Metallica.. you are a great man..! Thanks a lot.. :tazz:
Now my recycle bin is really empty and it stores the files I deleted before I want to remove them, like before.. this is great.. :thumbsup:

I have been working for nearly one hour and there are no pop-ups or adware till now, and I hope there will not be any again..

But to be sure I am sending the hijack.log again.. Would you please check it..

You are a great man.. thanks.. ;)

(In addition.. what should I do with the files on my desktop, "FixVX2.reg" & "recyclerem.bat"? Can I delete them?)

-------------------

Logfile of HijackThis v1.99.0
Scan saved at 10:00:29, on 15.01.05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\sales team\My Documents\Programs\Virus Programları\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} (SubClassEditCtrlContainer Class) - https://sube.garanti...EditControl.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


#4
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
Glad we could help. :tazz:

Safe surfing

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

If those stay away after a reboot and your Recycle Bin keeps behaving, you can delete the files we made.

Regards,

Pieter