Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Bloodhound.W32.EP, Request for Removal Tips[RESOLVED]

Started by vex , Jan 16 2005 05:28 PM

  • This topic is locked This topic is locked

#31
vex2
Posted 30 January 2005 - 03:43 PM

vex2

    Member

  • Member
  • PipPip
  • 37 posts
arning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Pratik\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is HDD
Volume Serial Number is 8C73-A9EA

Directory of C:\WINDOWS\System32

29/01/2005 00:19 <DIR> dllcache
20/01/2005 22:05 7,680 Thumbs.db
23/03/2003 13:13 <DIR> Microsoft
1 File(s) 7,680 bytes
2 Dir(s) 45,608,787,968 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HDD
Volume Serial Number is 8C73-A9EA

Directory of C:\WINDOWS\System32

29/01/2005 00:19 <DIR> dllcache
20/01/2005 22:05 7,680 Thumbs.db
27/08/2002 12:01 488 logonui.exe.manifest
27/08/2002 12:01 488 WindowsLogon.manifest
27/08/2002 12:01 749 sapi.cpl.manifest
27/08/2002 12:01 749 nwc.cpl.manifest
27/08/2002 12:01 749 ncpa.cpl.manifest
27/08/2002 12:01 749 cdplayer.exe.manifest
27/08/2002 12:01 749 wuaucpl.cpl.manifest
8 File(s) 12,401 bytes
1 Dir(s) 45,608,787,968 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is HDD
Volume Serial Number is 8C73-A9EA

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C is HDD
Volume Serial Number is 8C73-A9EA

Directory of C:\WINDOWS\System32

26/01/2005 16:06 45 spm1316.tmp
26/01/2005 16:06 27 mjgEGEJ.tmp
18/08/2001 11:00 2,577 CONFIG.TMP
3 File(s) 2,649 bytes
0 Dir(s) 45,608,783,872 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iexplore]
"DllName"=hex(2):78,6f,66,41,6f,2e,64,6c,6c,00
"Startup"="expF4"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
thumbs.db Thu 20 Jan 2005 22:05:46 A.SH. 7,680 7.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 7,680 bytes 7.50 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"iamapp"="C:\\Program Files\\Norton Internet Security\\IAMAPP.EXE"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"VCSPlayer"="\"C:\\Program Files\\Virtual CD v4 SDK\\system\\vcsplay.exe\""
"CleanEasyImg"="c:\\apps\\easydvd\\cleanall.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"TotalRecorderScheduler"="C:\\Program Files\\HighCriteria\\TotalRecorder\\TotRecSched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MMTrayLSI"="MMTrayLSI.exe"
"MMTray2K"="MMTray2k.exe"
"MMTray"="MMTray.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
@=""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

Advertisements

#32
Metallica
Posted 31 January 2005 - 01:00 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Still there and still pointing to the same file:
xofAo.dll

I think I'll really need to have a look at that file to help you solve the problem.

If you wish youu can try the instructions at this site under the Recovery tab:
http://www.sophos.co...jdloaderew.html

Regards,

Pieter
  • 0

#33
vex2
Posted 31 January 2005 - 05:04 PM

vex2

    Member

  • Member
  • PipPip
  • 37 posts
i followed da instructions under recovery but nothing seems to have changed
  • 0

#34
Metallica
Posted 01 February 2005 - 10:42 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you post a new FindIt log, so I can check?
And a HijackThis log please.

Regards,

Pieter
  • 0

#35
vex2
Posted 01 February 2005 - 02:28 PM

vex2

    Member

  • Member
  • PipPip
  • 37 posts
Hey thanx, it has actually helped a bit but i still cant access websites, etc. Heres the two logs...


FindIt log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Pratik\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is HDD
Volume Serial Number is 8C73-A9EA

Directory of C:\WINDOWS\System32

01/02/2005 18:38 <DIR> dllcache
20/01/2005 22:05 7,680 Thumbs.db
23/03/2003 13:13 <DIR> Microsoft
1 File(s) 7,680 bytes
2 Dir(s) 45,250,797,568 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HDD
Volume Serial Number is 8C73-A9EA

Directory of C:\WINDOWS\System32

01/02/2005 18:38 <DIR> dllcache
20/01/2005 22:05 7,680 Thumbs.db
27/08/2002 12:01 488 logonui.exe.manifest
27/08/2002 12:01 488 WindowsLogon.manifest
27/08/2002 12:01 749 sapi.cpl.manifest
27/08/2002 12:01 749 nwc.cpl.manifest
27/08/2002 12:01 749 ncpa.cpl.manifest
27/08/2002 12:01 749 cdplayer.exe.manifest
27/08/2002 12:01 749 wuaucpl.cpl.manifest
8 File(s) 12,401 bytes
1 Dir(s) 45,250,797,568 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is HDD
Volume Serial Number is 8C73-A9EA

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C is HDD
Volume Serial Number is 8C73-A9EA

Directory of C:\WINDOWS\System32

30/01/2005 21:37 45 spm1316.tmp
30/01/2005 21:37 27 mjgEGEJ.tmp
18/08/2001 11:00 2,577 CONFIG.TMP
3 File(s) 2,649 bytes
0 Dir(s) 45,250,793,472 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
thumbs.db Thu 20 Jan 2005 22:05:46 A.SH. 7,680 7.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 7,680 bytes 7.50 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"iamapp"="C:\\Program Files\\Norton Internet Security\\IAMAPP.EXE"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"VCSPlayer"="\"C:\\Program Files\\Virtual CD v4 SDK\\system\\vcsplay.exe\""
"CleanEasyImg"="c:\\apps\\easydvd\\cleanall.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"TotalRecorderScheduler"="C:\\Program Files\\HighCriteria\\TotalRecorder\\TotRecSched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MMTrayLSI"="MMTrayLSI.exe"
"MMTray2K"="MMTray2k.exe"
"MMTray"="MMTray.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
@=""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

--------------------------------------------------------------------------------

Hjack This Log:

Logfile of HijackThis v1.99.0
Scan saved at 20:08:29, on 01/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\MMTrayLSI.exe
C:\WINDOWS\System32\MMTray2k.exe
C:\WINDOWS\System32\MMTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\WINDOWS\notepad.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/003/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/003/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/003/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/003/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/003/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/003/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/003/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/003/index.html
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://nowfind.net/r...allery.php?url=
O13 - WWW Prefix: http://nowfind.net/r...allery.php?url=
O13 - Home Prefix: http://nowfind.net/r...allery.php?url=
O13 - Mosaic Prefix: http://nowfind.net/r...allery.php?url=
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17....es/MsnPUpld.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105984077280
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://www.anonymize...nner/WebAAS.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
  • 0

#36
vex2
Posted 01 February 2005 - 02:31 PM

vex2

    Member

  • Member
  • PipPip
  • 37 posts
sorry the first bit of the tetx did not show up when i pasted it into the reply box....here it is:


Hey thanx, it has actually helped a bit but i still cant access websites, etc. Heres the two logs...


FindIt log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
  • 0

#37
Metallica
Posted 02 February 2005 - 01:12 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/003/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/003/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/003/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/003/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/003/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/003/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/003/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/003/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/003/index.html

O13 - DefaultPrefix: http://nowfind.net/r...allery.php?url=
O13 - WWW Prefix: http://nowfind.net/r...allery.php?url=
O13 - Home Prefix: http://nowfind.net/r...allery.php?url=
O13 - Mosaic Prefix: http://nowfind.net/r...allery.php?url=

Then reboot and find this file:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
and rename it to HOSTS.bak

Then in IE click tools/internet options/programs tab and at the bottom click "reset websettings"

Reboot once more and let us know how it goes.

Regards,

Pieter
  • 0

#38
vex2
Posted 02 February 2005 - 04:55 PM

vex2

    Member

  • Member
  • PipPip
  • 37 posts
hi..i done that but the outcome is still the same!
  • 0

#39
Metallica
Posted 03 February 2005 - 07:10 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Please download and install Agent Ransack from: http://www.mythicsof...ck/default.aspx

Run the program and make sure there are Checkmarks in the Expert User and Containing Text boxes on the Advanced tab.

In the bottom bar type or paste nowfind.net

Then click Start Search.

It will take quite a while before it's done.

When it is click "Save results" (icon #4 from the left)
Choose save to clipboard and paste them into your next post.

Regards,

Pieter
  • 0

#40
vex2
Posted 05 February 2005 - 04:42 PM

vex2

    Member

  • Member
  • PipPip
  • 37 posts
hi the results wouldnt paste without the pc crashin so i had to upload it, can u please download the txt file from here:

http://s21.yousendit...WU04XZI6GJKR0RS

thanks
  • 0

Advertisements

#41
Metallica
Posted 07 February 2005 - 01:19 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Geez. What a bulk to wade through. :tazz:

Not your fault. I asked for it.

Can you find this file:
C:\WINDOWS\system32\mtwcnl32.dll

If present, follow the instructions here:
http://securityrespo...okmarker.c.html

Regards,

Pieter
  • 0

#42
vex2
Posted 08 February 2005 - 04:09 PM

vex2

    Member

  • Member
  • PipPip
  • 37 posts
i dun everything until this stage "Remove the registry value that loads the Trojan"....the value wasnt there and the value in the stage afta wasnt either so nothing has changed
  • 0

#43
Metallica
Posted 09 February 2005 - 06:37 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you reboot and rename C:\WINDOWS\system32\mtwcnl32.dll to mtwcnl32.bak

That will only work if it's inactive.
Let me know if it does.

Regards,

Pieter
  • 0

#44
vex2
Posted 09 February 2005 - 04:13 PM

vex2

    Member

  • Member
  • PipPip
  • 37 posts
sorry but nothing has changed
  • 0

#45
Metallica
Posted 10 February 2005 - 05:29 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I am aware of that, but were you able to rename the file?
I need to know this before we can make a plan for a cure.

Regards,

Pieter
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP