Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Umonitor, Virutal Bouncer, AdDestroyer and more


  • Please log in to reply

#1
InoculateMe

InoculateMe

    New Member

  • Member
  • Pip
  • 6 posts
Hello,
First off, I'd like to say for the record that the people creating these ill-ware programs should all be tossed into prison.

I have many types of unwanted "ware" on my computer. So far I have not been successful at removing them and I am reluctant to try the more advanced tools like "KillBox" without proper guidance, so I would very much appreciate any help I can get. :tazz:

Current Symptoms:
(1) Error message during startup "An exception occurred wile trying to run C:\windows\system32\swmstore.dll" (dll name changes each time at startup)
(2) AdDestroyer trying to install
(3) Virtual bouncer trying to install


I have run (in safe mode first, then in normal boot mode):
(1) AdAware SE which cannot seem to kill the "VX2" malware
(C:\windows\system32\hr8s0517e.dll)
(C:\windows\system32\guard.tmp)

(2) SpyBot which could not kill the following:
"CoolWWWSearch.BootConf"
"CoolWWWSearch.Loadbat"
"CoolWWWSearch.MSConfd"
"CoolWWWSearch.Oslogo"
"CoolWWWSearch.Tapicfg"
"CoolWWWSearch.Xmlmimefilter"
"Virtual Bouncer"

(3) CWShredder(version 2.0 since version 2.12 doesn't work for me) which says it
removes "CWS.BootConf" and restores host file redirections, but the cool search
pieces always come back after reboot.

(4) Microsoft AntiVirus which says it kills Virtual Bouncer and AdDestroyer, but they come back.

(5) Norton Antivirus Which found nothing.

(5) HiJackThis -- Items I "Fix" come back (E.g. O1 - Hosts: 69.20.16.183 ieautosearch; 04 - Startup:Thumbs.db)



Here is my HiJackThis Log:
------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 8:48:02 PM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ltmsg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\Joel Smith\My Documents\DownLoads\Malware Fighting\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://search.search...k=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://search.search...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://search.search...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://search.search...k=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://search.search...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://search.search...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://search.search...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://search.search...look=stmpl1&fw=
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec
Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Thumbs.db
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton
AntiVirus\navapw32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat
5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) -
http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) -http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
http://v4.windowsupd...7609.8604513889
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) -
http://64.75.174.5/push.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab


End of HiJackThis Log
--------------------------



Start of FindIT Log
----------------------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Joel Smith\My

Documents\DownLoads\Malware Fighting\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 07D1-0317

Directory of C:\WINDOWS\System32

01/19/2005 08:16 PM 224,988 hrru0599e.dll
01/19/2005 07:12 PM 222,883 ennol1531.dll
01/17/2005 02:20 PM 225,233 f0l0la3m1d.dll
01/17/2005 12:31 PM 223,183 lv2q09f5e.dll
01/17/2005 12:22 PM 223,183 lvj4091qe.dll
01/15/2005 06:43 PM 223,183 lv4409hqe.dll
01/13/2005 10:14 AM 225,685 n24s0ch7ef4.dll
01/09/2005 05:00 PM 225,908 jt0s07d7e.dll
01/09/2005 02:26 PM 223,230 m4460ehseh460.dll
01/08/2005 02:15 PM 223,230 SYNYHCY.DLL
01/06/2005 10:25 AM 223,765 lv0o09d3e.dll
01/04/2005 09:30 PM 224,054 enp6l17s1.dll
01/02/2005 04:45 PM 224,462 sRmlib.dll
12/27/2004 08:10 PM 223,887 lvn2095oe.dll
12/27/2004 06:06 PM 222,602 l4r0le9m1h.dll
12/27/2004 06:02 PM 225,593 kedgkl.dll
12/27/2004 02:42 PM 225,044 wxhisn.dll
12/25/2004 07:31 PM 226,157 l4p20e7oeh.dll
12/25/2004 07:28 PM 226,157 srmapi.dll
12/25/2004 01:37 PM 225,044 hwetmon.dll
12/22/2004 10:38 AM 225,228 fp6m03j1e.dll
12/21/2004 05:02 PM 223,365 fplm0331e.dll
12/15/2004 06:47 PM 512 Xej7.a7q
11/18/2004 08:21 PM 512 Flr0i.a99
11/16/2004 08:20 PM 512 Dqk5Y.8x1
10/25/2004 11:42 AM 512 Xej7.b7q
10/11/2004 07:55 PM 512 BnyLS.46s
09/17/2004 02:45 PM 512 YkvIP.h5p
09/16/2004 02:45 PM 512 Zgl8.du7
09/14/2004 02:45 PM 512 Elq0h.z89
09/13/2004 02:45 PM 512 Dkp0h.y89
09/09/2004 12:46 PM 253,979 BrvxMFLv.exe
09/09/2004 12:46 PM 253,979 Xkxj.exe
09/09/2004 12:46 PM 253,979 OmacI.exe
09/09/2004 12:46 PM 253,979 Cjo9gQ88.exe
09/09/2004 12:46 PM 253,979 AyeYd.exe
09/09/2004 11:33 AM 1,104 Dvy137.6rz
09/02/2004 12:01 PM 1,104 Szep85ln.cvb
08/31/2004 12:01 PM 1,104 Rydo84k.lat
08/26/2004 11:36 AM 1,104 UbgrYPnp.exd
08/24/2004 11:36 AM 1,104 LutB.13c
08/19/2004 07:21 PM 1,104 ZkvIQ.i5q
08/09/2004 01:14 PM 1,104 TagqXPmo.dwc
08/08/2004 01:15 PM 253,973 Nahn.exe
08/08/2004 01:15 PM 253,973 Xhv3bo4A.exe
08/08/2004 01:15 PM 253,973 SczONI3.exe
08/08/2004 01:15 PM 253,973 Qxw3.exe
08/08/2004 01:15 PM 253,973 Vdnykb.exe
08/08/2004 01:15 PM 253,973 Epb3.exe
08/06/2004 10:46 PM 1,104 Arzh0g6.5ow
08/04/2004 09:46 AM 1,104 Diam4yYT.0v1
07/09/2004 12:11 PM 1,104 MliBY92.ze2
06/29/2004 11:59 AM 1,104 Zmg4.86t
06/22/2004 11:23 AM 1,104 VbhrYQop.exd
06/21/2004 11:23 AM 1,104 GnsDk.b90
06/14/2004 11:19 AM 1,104 Cjo9g.x88
06/11/2004 04:09 PM 1,104 Ahm8.ev7
06/08/2004 04:08 PM 1,188 JqvGme.017
04/09/2004 02:30 PM 1,104 Rydo84km.bua
03/13/2004 07:15 PM 1,020 Elq0i.z99
02/18/2004 12:30 PM 458,773 IvgkmB.exe
01/25/2004 04:55 PM 442,389 RypT0v1Z.exe
01/07/2004 04:37 PM 1,104 Vpi2lmBU.akh
01/07/2004 04:37 PM 225,301 Vyw4.exe
01/07/2004 04:37 PM 225,301 CerHP4.exe
01/07/2004 04:37 PM 225,301 Sty5.exe
01/07/2004 04:37 PM 225,301 Udnp3JE1.exe
01/07/2004 04:37 PM 225,301 Qww2.exe
01/07/2004 03:49 PM 1,020 MtyJ62F.g8o
01/07/2004 03:49 PM 1,104 Pwbm74i.k9s
01/04/2004 03:49 PM 1,104 Szep85lm.bua
11/22/2003 04:34 PM 1,020 Bin9.ew7
11/20/2003 03:17 PM 225,301 XlwAC636.exe
11/20/2003 03:17 PM 225,301 Xit05.exe
11/20/2003 03:17 PM 225,301 Iyc1.exe
11/20/2003 03:17 PM 225,301 Wswrb9.exe
11/20/2003 03:17 PM 225,301 AieOnW4m.exe
11/20/2003 03:17 PM 225,301 ZhrH.exe
10/30/2002 05:26 PM 32 {756E2763-05F6-4BB2-BE0B-E8222978819B}.dat
10/24/2002 09:17 PM <DIR> Microsoft
10/24/2002 08:38 PM <DIR> dllcache
04/05/2001 09:43 AM 94,208 msstkprp.dll
80 File(s) 11,233,342 bytes
2 Dir(s) 42,001,760,256 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 07D1-0317

Directory of C:\WINDOWS\System32

01/19/2005 07:40 PM <DIR> vmss
01/19/2005 07:40 PM <DIR> wsxsvc
12/15/2004 06:47 PM 512 Xej7.a7q
11/18/2004 08:21 PM 512 Flr0i.a99
11/16/2004 08:20 PM 512 Dqk5Y.8x1
10/25/2004 11:42 AM 512 Xej7.b7q
10/11/2004 07:55 PM 512 BnyLS.46s
09/17/2004 02:45 PM 512 YkvIP.h5p
09/16/2004 02:45 PM 512 Zgl8.du7
09/14/2004 02:45 PM 512 Elq0h.z89
09/13/2004 02:45 PM 512 Dkp0h.y89
09/09/2004 12:46 PM 253,979 OmacI.exe
09/09/2004 12:46 PM 253,979 BrvxMFLv.exe
09/09/2004 12:46 PM 253,979 Xkxj.exe
09/09/2004 12:46 PM 253,979 Cjo9gQ88.exe
09/09/2004 12:46 PM 253,979 AyeYd.exe
09/09/2004 12:29 PM 488 WindowsLogon.manifest
09/09/2004 12:29 PM 488 logonui.exe.manifest
09/09/2004 12:29 PM 749 sapi.cpl.manifest
09/09/2004 12:29 PM 749 wuaucpl.cpl.manifest
09/09/2004 12:29 PM 749 ncpa.cpl.manifest
09/09/2004 12:29 PM 749 nwc.cpl.manifest
09/09/2004 12:29 PM 749 cdplayer.exe.manifest
09/09/2004 11:33 AM 1,104 Dvy137.6rz
09/02/2004 12:01 PM 1,104 Szep85ln.cvb
08/31/2004 12:01 PM 1,104 Rydo84k.lat
08/26/2004 11:36 AM 1,104 UbgrYPnp.exd
08/24/2004 11:36 AM 1,104 LutB.13c
08/19/2004 07:21 PM 1,104 ZkvIQ.i5q
08/09/2004 01:14 PM 1,104 TagqXPmo.dwc
08/08/2004 01:15 PM 253,973 Xhv3bo4A.exe
08/08/2004 01:15 PM 253,973 Nahn.exe
08/08/2004 01:15 PM 253,973 Qxw3.exe
08/08/2004 01:15 PM 253,973 Vdnykb.exe
08/08/2004 01:15 PM 253,973 SczONI3.exe
08/08/2004 01:15 PM 253,973 Epb3.exe
08/06/2004 10:46 PM 1,104 Arzh0g6.5ow
08/04/2004 09:46 AM 1,104 Diam4yYT.0v1
07/09/2004 12:11 PM 1,104 MliBY92.ze2
06/29/2004 11:59 AM 1,104 Zmg4.86t
06/22/2004 11:23 AM 1,104 VbhrYQop.exd
06/21/2004 11:23 AM 1,104 GnsDk.b90
06/14/2004 11:19 AM 1,104 Cjo9g.x88
06/11/2004 04:09 PM 1,104 Ahm8.ev7
06/08/2004 04:08 PM 1,188 JqvGme.017
04/09/2004 02:30 PM 1,104 Rydo84km.bua
03/13/2004 07:15 PM 1,020 Elq0i.z99
02/18/2004 12:30 PM 458,773 IvgkmB.exe
01/25/2004 04:55 PM 442,389 RypT0v1Z.exe
01/07/2004 04:37 PM 1,104 Vpi2lmBU.akh
01/07/2004 04:37 PM 225,301 Vyw4.exe
01/07/2004 04:37 PM 225,301 CerHP4.exe
01/07/2004 04:37 PM 225,301 Sty5.exe
01/07/2004 04:37 PM 225,301 Udnp3JE1.exe
01/07/2004 04:37 PM 225,301 Qww2.exe
01/07/2004 03:49 PM 1,020 MtyJ62F.g8o
01/07/2004 03:49 PM 1,104 Pwbm74i.k9s
01/04/2004 03:49 PM 1,104 Szep85lm.bua
11/22/2003 04:34 PM 1,020 Bin9.ew7
11/20/2003 03:17 PM 225,301 XlwAC636.exe
11/20/2003 03:17 PM 225,301 Xit05.exe
11/20/2003 03:17 PM 225,301 Iyc1.exe
11/20/2003 03:17 PM 225,301 Wswrb9.exe
11/20/2003 03:17 PM 225,301 AieOnW4m.exe
11/20/2003 03:17 PM 225,301 ZhrH.exe
10/30/2002 05:26 PM 32 {756E2763-05F6-4BB2-BE0B-E8222978819B}.dat
10/24/2002 08:38 PM <DIR> dllcache
64 File(s) 6,207,791 bytes
3 Dir(s) 42,001,743,872 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 07D1-0317

Directory of C:\WINDOWS\System32

01/19/2005 08:19 PM 222,883 guard.tmp
1 File(s) 222,883 bytes
0 Dir(s) 42,001,727,488 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 07D1-0317

Directory of C:\WINDOWS\System32

01/19/2005 08:19 PM 222,883 guard.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH0019.TMP
08/03/2004 11:56 PM 1,236,480 msxml3.dll.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH0014.TMP
05/19/2004 08:21 AM 560 tmpmpt1.tmp
08/23/2001 12:00 PM 2,577 CONFIG.TMP
01/15/2001 03:54 PM 425,760 tbc1.tmp
01/15/2001 08:54 AM 425,760 tbc61.tmp
8 File(s) 4,786,980 bytes
0 Dir(s) 42,001,711,104 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

Settings\User Agent\Post Platform]
"{47F277F1-216F-4D7B-AEA2-53B2BD1A6164}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\Group Policy]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ennol1531.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
srmapi.dll Sat Dec 25 2004 7:28:36p ..S.R 226,157 220.86 K
wxhisn.dll Mon Dec 27 2004 2:42:28p ..S.R 225,044 219.77 K
synyhcy.dll Sat Jan 8 2005 2:15:34p ..S.R 223,230 217.99 K
hwetmon.dll Sat Dec 25 2004 1:37:26p ..S.R 225,044 219.77 K
lv4409~1.dll Sat Jan 15 2005 6:43:24p ..S.R 223,183 217.95 K
flr0i.a99 Thu Nov 18 2004 8:21:36p ..SH. 512 0.50 K
ennol1~1.dll Wed Jan 19 2005 7:12:26p ..S.R 222,883 217.66 K
jt0s07~1.dll Sun Jan 9 2005 5:00:44p ..S.R 225,908 220.61 K
lvj409~1.dll Mon Jan 17 2005 12:22:54p ..S.R 223,183 217.95 K
dqk5y.8x1 Tue Nov 16 2004 8:20:10p ..SH. 512 0.50 K
m4460e~1.dll Sun Jan 9 2005 2:26:10p ..S.R 223,230 217.99 K
lv2q09~1.dll Mon Jan 17 2005 12:31:30p ..S.R 223,183 217.95 K
xej7.b7q Mon Oct 25 2004 11:42:34a ..SH. 512 0.50 K
lv0o09~1.dll Thu Jan 6 2005 10:25:16a ..S.R 223,765 218.52 K
enp6l1~1.dll Tue Jan 4 2005 9:30:32p ..S.R 224,054 218.80 K
n24s0c~1.dll Thu Jan 13 2005 10:14:20a ..S.R 225,685 220.39 K
xej7.a7q Wed Dec 15 2004 6:47:44p ..SH. 512 0.50 K
fplm03~1.dll Tue Dec 21 2004 5:02:08p ..S.R 223,365 218.13 K
f0l0la~1.dll Mon Jan 17 2005 2:20:46p ..S.R 225,233 219.95 K
hrru05~1.dll Wed Jan 19 2005 8:16:28p ..S.R 224,988 219.71 K
fp6m03~1.dll Wed Dec 22 2004 10:38:24a ..S.R 225,228 219.95 K
kedgkl.dll Mon Dec 27 2004 6:02:32p ..S.R 225,593 220.30 K
l4p20e~1.dll Sat Dec 25 2004 7:31:38p ..S.R 226,157 220.86 K
srmlib.dll Sun Jan 2 2005 4:45:16p ..S.R 224,462 219.20 K
l4r0le~1.dll Mon Dec 27 2004 6:06:56p ..S.R 222,602 217.38 K
lvn209~1.dll Mon Dec 27 2004 8:10:38p ..S.R 223,887 218.64 K

26 items found: 26 files, 0 directories.
Total of file sizes: 4,938,112 bytes 4.71 M

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\SYSTEM32\hlhhlm.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\jsdvwsdk.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"

-osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security

Center\\UsrPrmpt.exe"
"LTWinModem1"="ltmsg.exe 9"
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"
"TraySantaCruz"="C:\\WINDOWS\\System32\\tbctray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponen

ts]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponen

ts\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponen

ts\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponen

ts\MSFS]
"Installed"="1"


End of FindIT Log
-----------------------------
  • 0

Advertisements


#2
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Find and delete these 2 folders:

C:\Windows\System32\VMSS
C:\Windows\System32\wsxsvc
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\hrru0599e.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\f0l0la3m1d.dll
    • C:\WINDOWS\System32\lv2q09f5e.dll
    • C:\WINDOWS\System32\lvj4091qe.dll
    • C:\WINDOWS\System32\lv4409hqe.dll
    • C:\WINDOWS\System32\n24s0ch7ef4.dll
    • C:\WINDOWS\System32\jt0s07d7e.dll
    • C:\WINDOWS\System32\m4460ehseh460.dll
    • C:\WINDOWS\System32\SYNYHCY.DLL
    • C:\WINDOWS\System32\lv0o09d3e.dll
    • C:\WINDOWS\System32\enp6l17s1.dll
    • C:\WINDOWS\System32\sRmlib.dll
    • C:\WINDOWS\System32\lvn2095oe.dll
    • C:\WINDOWS\System32\l4r0le9m1h.dll
    • C:\WINDOWS\System32\kedgkl.dll
    • C:\WINDOWS\System32\wxhisn.dll
    • C:\WINDOWS\System32\l4p20e7oeh.dll
    • C:\WINDOWS\System32\srmapi.dll
    • C:\WINDOWS\System32\hwetmon.dll
    • C:\WINDOWS\System32\fp6m03j1e.dll
    • C:\WINDOWS\System32\fplm0331e.dll
    • C:\WINDOWS\System32\ennol1531.dll
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "NO" at the Pending Operations prompt to restart your computer.
    Now paste these files one at a time in the Full Path of File to Delete box.

    C:\WINDOWS\SYSTEM32\hlhhlm.exe
    C:\WINDOWS\SYSTEM32\jsdvwsdk.dll

    Make sure you put a check in the box next to "Delete on Reboot" for these 2 only. Choose "Yes" to reboot now after pasting the 2nd file in and clicking delete.
  • You may get this message>>>"Pending File Rename Operations Registry Data has been Removed by External Process!" This is okay, you will just have to manually restart your pc.
  • Double-click on find.bat and post the new output.txt.
Reboot normally and post a new log.

-=jonnyrotten=- :tazz:
  • 0

#3
InoculateMe

InoculateMe

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
OK JohnnyR, here is the new FindIt Log for your review.

----------------------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Joel Smith\My Documents\DownLoads\Malware Fighting\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 07D1-0317

Directory of C:\WINDOWS\System32

12/15/2004 06:47 PM 512 Xej7.a7q
11/18/2004 08:21 PM 512 Flr0i.a99
11/16/2004 08:20 PM 512 Dqk5Y.8x1
10/25/2004 11:42 AM 512 Xej7.b7q
10/11/2004 07:55 PM 512 BnyLS.46s
09/17/2004 02:45 PM 512 YkvIP.h5p
09/16/2004 02:45 PM 512 Zgl8.du7
09/14/2004 02:45 PM 512 Elq0h.z89
09/13/2004 02:45 PM 512 Dkp0h.y89
09/09/2004 12:46 PM 253,979 OmacI.exe
09/09/2004 12:46 PM 253,979 Xkxj.exe
09/09/2004 12:46 PM 253,979 Cjo9gQ88.exe
09/09/2004 12:46 PM 253,979 BrvxMFLv.exe
09/09/2004 12:46 PM 253,979 AyeYd.exe
09/09/2004 11:33 AM 1,104 Dvy137.6rz
09/02/2004 12:01 PM 1,104 Szep85ln.cvb
08/31/2004 12:01 PM 1,104 Rydo84k.lat
08/26/2004 11:36 AM 1,104 UbgrYPnp.exd
08/24/2004 11:36 AM 1,104 LutB.13c
08/19/2004 07:21 PM 1,104 ZkvIQ.i5q
08/09/2004 01:14 PM 1,104 TagqXPmo.dwc
08/08/2004 01:15 PM 253,973 Xhv3bo4A.exe
08/08/2004 01:15 PM 253,973 Nahn.exe
08/08/2004 01:15 PM 253,973 Vdnykb.exe
08/08/2004 01:15 PM 253,973 Qxw3.exe
08/08/2004 01:15 PM 253,973 SczONI3.exe
08/08/2004 01:15 PM 253,973 Epb3.exe
08/06/2004 10:46 PM 1,104 Arzh0g6.5ow
08/04/2004 09:46 AM 1,104 Diam4yYT.0v1
07/09/2004 12:11 PM 1,104 MliBY92.ze2
06/29/2004 11:59 AM 1,104 Zmg4.86t
06/22/2004 11:23 AM 1,104 VbhrYQop.exd
06/21/2004 11:23 AM 1,104 GnsDk.b90
06/14/2004 11:19 AM 1,104 Cjo9g.x88
06/11/2004 04:09 PM 1,104 Ahm8.ev7
06/08/2004 04:08 PM 1,188 JqvGme.017
04/09/2004 02:30 PM 1,104 Rydo84km.bua
03/13/2004 07:15 PM 1,020 Elq0i.z99
02/18/2004 12:30 PM 458,773 IvgkmB.exe
01/25/2004 04:55 PM 442,389 RypT0v1Z.exe
01/07/2004 04:37 PM 1,104 Vpi2lmBU.akh
01/07/2004 04:37 PM 225,301 Qww2.exe
01/07/2004 04:37 PM 225,301 Udnp3JE1.exe
01/07/2004 04:37 PM 225,301 CerHP4.exe
01/07/2004 04:37 PM 225,301 Vyw4.exe
01/07/2004 04:37 PM 225,301 Sty5.exe
01/07/2004 03:49 PM 1,020 MtyJ62F.g8o
01/07/2004 03:49 PM 1,104 Pwbm74i.k9s
01/04/2004 03:49 PM 1,104 Szep85lm.bua
11/22/2003 04:34 PM 1,020 Bin9.ew7
11/20/2003 03:17 PM 225,301 XlwAC636.exe
11/20/2003 03:17 PM 225,301 Xit05.exe
11/20/2003 03:17 PM 225,301 Iyc1.exe
11/20/2003 03:17 PM 225,301 Wswrb9.exe
11/20/2003 03:17 PM 225,301 AieOnW4m.exe
11/20/2003 03:17 PM 225,301 ZhrH.exe
10/30/2002 05:26 PM 32 {756E2763-05F6-4BB2-BE0B-E8222978819B}.dat
10/24/2002 09:17 PM <DIR> Microsoft
10/24/2002 08:38 PM <DIR> dllcache
04/05/2001 09:43 AM 94,208 msstkprp.dll
58 File(s) 6,297,278 bytes
2 Dir(s) 41,693,315,072 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 07D1-0317

Directory of C:\WINDOWS\System32

12/15/2004 06:47 PM 512 Xej7.a7q
11/18/2004 08:21 PM 512 Flr0i.a99
11/16/2004 08:20 PM 512 Dqk5Y.8x1
10/25/2004 11:42 AM 512 Xej7.b7q
10/11/2004 07:55 PM 512 BnyLS.46s
09/17/2004 02:45 PM 512 YkvIP.h5p
09/16/2004 02:45 PM 512 Zgl8.du7
09/14/2004 02:45 PM 512 Elq0h.z89
09/13/2004 02:45 PM 512 Dkp0h.y89
09/09/2004 12:46 PM 253,979 BrvxMFLv.exe
09/09/2004 12:46 PM 253,979 OmacI.exe
09/09/2004 12:46 PM 253,979 Cjo9gQ88.exe
09/09/2004 12:46 PM 253,979 Xkxj.exe
09/09/2004 12:46 PM 253,979 AyeYd.exe
09/09/2004 12:29 PM 488 logonui.exe.manifest
09/09/2004 12:29 PM 488 WindowsLogon.manifest
09/09/2004 12:29 PM 749 cdplayer.exe.manifest
09/09/2004 12:29 PM 749 wuaucpl.cpl.manifest
09/09/2004 12:29 PM 749 sapi.cpl.manifest
09/09/2004 12:29 PM 749 nwc.cpl.manifest
09/09/2004 12:29 PM 749 ncpa.cpl.manifest
09/09/2004 11:33 AM 1,104 Dvy137.6rz
09/02/2004 12:01 PM 1,104 Szep85ln.cvb
08/31/2004 12:01 PM 1,104 Rydo84k.lat
08/26/2004 11:36 AM 1,104 UbgrYPnp.exd
08/24/2004 11:36 AM 1,104 LutB.13c
08/19/2004 07:21 PM 1,104 ZkvIQ.i5q
08/09/2004 01:14 PM 1,104 TagqXPmo.dwc
08/08/2004 01:15 PM 253,973 Xhv3bo4A.exe
08/08/2004 01:15 PM 253,973 Nahn.exe
08/08/2004 01:15 PM 253,973 Qxw3.exe
08/08/2004 01:15 PM 253,973 Vdnykb.exe
08/08/2004 01:15 PM 253,973 SczONI3.exe
08/08/2004 01:15 PM 253,973 Epb3.exe
08/06/2004 10:46 PM 1,104 Arzh0g6.5ow
08/04/2004 09:46 AM 1,104 Diam4yYT.0v1
07/09/2004 12:11 PM 1,104 MliBY92.ze2
06/29/2004 11:59 AM 1,104 Zmg4.86t
06/22/2004 11:23 AM 1,104 VbhrYQop.exd
06/21/2004 11:23 AM 1,104 GnsDk.b90
06/14/2004 11:19 AM 1,104 Cjo9g.x88
06/11/2004 04:09 PM 1,104 Ahm8.ev7
06/08/2004 04:08 PM 1,188 JqvGme.017
04/09/2004 02:30 PM 1,104 Rydo84km.bua
03/13/2004 07:15 PM 1,020 Elq0i.z99
02/18/2004 12:30 PM 458,773 IvgkmB.exe
01/25/2004 04:55 PM 442,389 RypT0v1Z.exe
01/07/2004 04:37 PM 1,104 Vpi2lmBU.akh
01/07/2004 04:37 PM 225,301 Vyw4.exe
01/07/2004 04:37 PM 225,301 CerHP4.exe
01/07/2004 04:37 PM 225,301 Sty5.exe
01/07/2004 04:37 PM 225,301 Udnp3JE1.exe
01/07/2004 04:37 PM 225,301 Qww2.exe
01/07/2004 03:49 PM 1,020 MtyJ62F.g8o
01/07/2004 03:49 PM 1,104 Pwbm74i.k9s
01/04/2004 03:49 PM 1,104 Szep85lm.bua
11/22/2003 04:34 PM 1,020 Bin9.ew7
11/20/2003 03:17 PM 225,301 XlwAC636.exe
11/20/2003 03:17 PM 225,301 Xit05.exe
11/20/2003 03:17 PM 225,301 Iyc1.exe
11/20/2003 03:17 PM 225,301 Wswrb9.exe
11/20/2003 03:17 PM 225,301 AieOnW4m.exe
11/20/2003 03:17 PM 225,301 ZhrH.exe
10/30/2002 05:26 PM 32 {756E2763-05F6-4BB2-BE0B-E8222978819B}.dat
10/24/2002 08:38 PM <DIR> dllcache
64 File(s) 6,207,791 bytes
1 Dir(s) 41,693,298,688 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 07D1-0317

Directory of C:\WINDOWS\System32

01/20/2005 07:18 PM 56 guard.tmp
1 File(s) 56 bytes
0 Dir(s) 41,693,282,304 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 07D1-0317

Directory of C:\WINDOWS\System32

01/20/2005 07:18 PM 56 guard.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH0019.TMP
08/03/2004 11:56 PM 1,236,480 msxml3.dll.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH0014.TMP
05/19/2004 08:21 AM 560 tmpmpt1.tmp
08/23/2001 12:00 PM 2,577 CONFIG.TMP
01/15/2001 03:54 PM 425,760 tbc1.tmp
01/15/2001 08:54 AM 425,760 tbc61.tmp
8 File(s) 4,564,153 bytes
0 Dir(s) 41,693,265,920 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{26831D12-2013-4472-BA43-DED9878091E2}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n46q0ej5eho.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
flr0i.a99 Thu Nov 18 2004 8:21:36p ..SH. 512 0.50 K
dqk5y.8x1 Tue Nov 16 2004 8:20:10p ..SH. 512 0.50 K
xej7.b7q Mon Oct 25 2004 11:42:34a ..SH. 512 0.50 K
xej7.a7q Wed Dec 15 2004 6:47:44p ..SH. 512 0.50 K

4 items found: 4 files, 0 directories.
Total of file sizes: 2,048 bytes 2.00 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"LTWinModem1"="ltmsg.exe 9"
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"
"TraySantaCruz"="C:\\WINDOWS\\System32\\tbctray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


End of FindIt Log
-----------------------

Let me know how it looks...
  • 0

#4
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Delete this file with the killbox the same as you removed the other ones before.

C:\Windows\System32\n46q0ej5eho.dll

Copy and paste the quoted text below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{26831D12-2013-4472-BA43-DED9878091E2}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP]


Reboot and post a new output.txt

-=jonnyrotten=- :tazz:
  • 0

#5
InoculateMe

InoculateMe

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Dr Rotten,
Here is the new FindIt Log. I'm crossing my fingers... :woot:
-------------------------------


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Joel Smith\My Documents\DownLoads\Malware Fighting\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 07D1-0317

Directory of C:\WINDOWS\System32

12/15/2004 06:47 PM 512 Xej7.a7q
11/18/2004 08:21 PM 512 Flr0i.a99
11/16/2004 08:20 PM 512 Dqk5Y.8x1
10/25/2004 11:42 AM 512 Xej7.b7q
10/11/2004 07:55 PM 512 BnyLS.46s
09/17/2004 02:45 PM 512 YkvIP.h5p
09/16/2004 02:45 PM 512 Zgl8.du7
09/14/2004 02:45 PM 512 Elq0h.z89
09/13/2004 02:45 PM 512 Dkp0h.y89
09/09/2004 12:46 PM 253,979 OmacI.exe
09/09/2004 12:46 PM 253,979 Xkxj.exe
09/09/2004 12:46 PM 253,979 Cjo9gQ88.exe
09/09/2004 12:46 PM 253,979 BrvxMFLv.exe
09/09/2004 12:46 PM 253,979 AyeYd.exe
09/09/2004 11:33 AM 1,104 Dvy137.6rz
09/02/2004 12:01 PM 1,104 Szep85ln.cvb
08/31/2004 12:01 PM 1,104 Rydo84k.lat
08/26/2004 11:36 AM 1,104 UbgrYPnp.exd
08/24/2004 11:36 AM 1,104 LutB.13c
08/19/2004 07:21 PM 1,104 ZkvIQ.i5q
08/09/2004 01:14 PM 1,104 TagqXPmo.dwc
08/08/2004 01:15 PM 253,973 Xhv3bo4A.exe
08/08/2004 01:15 PM 253,973 Nahn.exe
08/08/2004 01:15 PM 253,973 Vdnykb.exe
08/08/2004 01:15 PM 253,973 Qxw3.exe
08/08/2004 01:15 PM 253,973 SczONI3.exe
08/08/2004 01:15 PM 253,973 Epb3.exe
08/06/2004 10:46 PM 1,104 Arzh0g6.5ow
08/04/2004 09:46 AM 1,104 Diam4yYT.0v1
07/09/2004 12:11 PM 1,104 MliBY92.ze2
06/29/2004 11:59 AM 1,104 Zmg4.86t
06/22/2004 11:23 AM 1,104 VbhrYQop.exd
06/21/2004 11:23 AM 1,104 GnsDk.b90
06/14/2004 11:19 AM 1,104 Cjo9g.x88
06/11/2004 04:09 PM 1,104 Ahm8.ev7
06/08/2004 04:08 PM 1,188 JqvGme.017
04/09/2004 02:30 PM 1,104 Rydo84km.bua
03/13/2004 07:15 PM 1,020 Elq0i.z99
02/18/2004 12:30 PM 458,773 IvgkmB.exe
01/25/2004 04:55 PM 442,389 RypT0v1Z.exe
01/07/2004 04:37 PM 1,104 Vpi2lmBU.akh
01/07/2004 04:37 PM 225,301 Qww2.exe
01/07/2004 04:37 PM 225,301 Udnp3JE1.exe
01/07/2004 04:37 PM 225,301 CerHP4.exe
01/07/2004 04:37 PM 225,301 Vyw4.exe
01/07/2004 04:37 PM 225,301 Sty5.exe
01/07/2004 03:49 PM 1,020 MtyJ62F.g8o
01/07/2004 03:49 PM 1,104 Pwbm74i.k9s
01/04/2004 03:49 PM 1,104 Szep85lm.bua
11/22/2003 04:34 PM 1,020 Bin9.ew7
11/20/2003 03:17 PM 225,301 XlwAC636.exe
11/20/2003 03:17 PM 225,301 Xit05.exe
11/20/2003 03:17 PM 225,301 Iyc1.exe
11/20/2003 03:17 PM 225,301 Wswrb9.exe
11/20/2003 03:17 PM 225,301 AieOnW4m.exe
11/20/2003 03:17 PM 225,301 ZhrH.exe
10/30/2002 05:26 PM 32 {756E2763-05F6-4BB2-BE0B-E8222978819B}.dat
10/24/2002 09:17 PM <DIR> Microsoft
10/24/2002 08:38 PM <DIR> dllcache
04/05/2001 09:43 AM 94,208 msstkprp.dll
58 File(s) 6,297,278 bytes
2 Dir(s) 41,690,054,656 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 07D1-0317

Directory of C:\WINDOWS\System32

12/15/2004 06:47 PM 512 Xej7.a7q
11/18/2004 08:21 PM 512 Flr0i.a99
11/16/2004 08:20 PM 512 Dqk5Y.8x1
10/25/2004 11:42 AM 512 Xej7.b7q
10/11/2004 07:55 PM 512 BnyLS.46s
09/17/2004 02:45 PM 512 YkvIP.h5p
09/16/2004 02:45 PM 512 Zgl8.du7
09/14/2004 02:45 PM 512 Elq0h.z89
09/13/2004 02:45 PM 512 Dkp0h.y89
09/09/2004 12:46 PM 253,979 BrvxMFLv.exe
09/09/2004 12:46 PM 253,979 OmacI.exe
09/09/2004 12:46 PM 253,979 Cjo9gQ88.exe
09/09/2004 12:46 PM 253,979 Xkxj.exe
09/09/2004 12:46 PM 253,979 AyeYd.exe
09/09/2004 12:29 PM 488 logonui.exe.manifest
09/09/2004 12:29 PM 488 WindowsLogon.manifest
09/09/2004 12:29 PM 749 cdplayer.exe.manifest
09/09/2004 12:29 PM 749 wuaucpl.cpl.manifest
09/09/2004 12:29 PM 749 sapi.cpl.manifest
09/09/2004 12:29 PM 749 nwc.cpl.manifest
09/09/2004 12:29 PM 749 ncpa.cpl.manifest
09/09/2004 11:33 AM 1,104 Dvy137.6rz
09/02/2004 12:01 PM 1,104 Szep85ln.cvb
08/31/2004 12:01 PM 1,104 Rydo84k.lat
08/26/2004 11:36 AM 1,104 UbgrYPnp.exd
08/24/2004 11:36 AM 1,104 LutB.13c
08/19/2004 07:21 PM 1,104 ZkvIQ.i5q
08/09/2004 01:14 PM 1,104 TagqXPmo.dwc
08/08/2004 01:15 PM 253,973 Xhv3bo4A.exe
08/08/2004 01:15 PM 253,973 Nahn.exe
08/08/2004 01:15 PM 253,973 Qxw3.exe
08/08/2004 01:15 PM 253,973 Vdnykb.exe
08/08/2004 01:15 PM 253,973 SczONI3.exe
08/08/2004 01:15 PM 253,973 Epb3.exe
08/06/2004 10:46 PM 1,104 Arzh0g6.5ow
08/04/2004 09:46 AM 1,104 Diam4yYT.0v1
07/09/2004 12:11 PM 1,104 MliBY92.ze2
06/29/2004 11:59 AM 1,104 Zmg4.86t
06/22/2004 11:23 AM 1,104 VbhrYQop.exd
06/21/2004 11:23 AM 1,104 GnsDk.b90
06/14/2004 11:19 AM 1,104 Cjo9g.x88
06/11/2004 04:09 PM 1,104 Ahm8.ev7
06/08/2004 04:08 PM 1,188 JqvGme.017
04/09/2004 02:30 PM 1,104 Rydo84km.bua
03/13/2004 07:15 PM 1,020 Elq0i.z99
02/18/2004 12:30 PM 458,773 IvgkmB.exe
01/25/2004 04:55 PM 442,389 RypT0v1Z.exe
01/07/2004 04:37 PM 1,104 Vpi2lmBU.akh
01/07/2004 04:37 PM 225,301 Vyw4.exe
01/07/2004 04:37 PM 225,301 CerHP4.exe
01/07/2004 04:37 PM 225,301 Sty5.exe
01/07/2004 04:37 PM 225,301 Udnp3JE1.exe
01/07/2004 04:37 PM 225,301 Qww2.exe
01/07/2004 03:49 PM 1,020 MtyJ62F.g8o
01/07/2004 03:49 PM 1,104 Pwbm74i.k9s
01/04/2004 03:49 PM 1,104 Szep85lm.bua
11/22/2003 04:34 PM 1,020 Bin9.ew7
11/20/2003 03:17 PM 225,301 XlwAC636.exe
11/20/2003 03:17 PM 225,301 Xit05.exe
11/20/2003 03:17 PM 225,301 Iyc1.exe
11/20/2003 03:17 PM 225,301 Wswrb9.exe
11/20/2003 03:17 PM 225,301 AieOnW4m.exe
11/20/2003 03:17 PM 225,301 ZhrH.exe
10/30/2002 05:26 PM 32 {756E2763-05F6-4BB2-BE0B-E8222978819B}.dat
10/24/2002 08:38 PM <DIR> dllcache
64 File(s) 6,207,791 bytes
1 Dir(s) 41,690,038,272 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 07D1-0317

Directory of C:\WINDOWS\System32

01/20/2005 07:18 PM 56 guard.tmp
1 File(s) 56 bytes
0 Dir(s) 41,690,021,888 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 07D1-0317

Directory of C:\WINDOWS\System32

01/20/2005 07:18 PM 56 guard.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH0019.TMP
08/03/2004 11:56 PM 1,236,480 msxml3.dll.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH0014.TMP
05/19/2004 08:21 AM 560 tmpmpt1.tmp
08/23/2001 12:00 PM 2,577 CONFIG.TMP
01/15/2001 03:54 PM 425,760 tbc1.tmp
01/15/2001 08:54 AM 425,760 tbc61.tmp
8 File(s) 4,564,153 bytes
0 Dir(s) 41,690,005,504 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
flr0i.a99 Thu Nov 18 2004 8:21:36p ..SH. 512 0.50 K
dqk5y.8x1 Tue Nov 16 2004 8:20:10p ..SH. 512 0.50 K
xej7.b7q Mon Oct 25 2004 11:42:34a ..SH. 512 0.50 K
xej7.a7q Wed Dec 15 2004 6:47:44p ..SH. 512 0.50 K

4 items found: 4 files, 0 directories.
Total of file sizes: 2,048 bytes 2.00 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"LTWinModem1"="ltmsg.exe 9"
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"
"TraySantaCruz"="C:\\WINDOWS\\System32\\tbctray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


:tazz: ;) :thumbsup: :cheers: :cheers:
  • 0

#6
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Very good. Next step is some cleanup.
  • Download VX2Finder.
  • Double-click on VX2Finder.exe.
  • Click "Restore Policy".
  • In the File menu click "Exit".
  • Double-click on KillBox.exe.
  • In the File menu click "Delete all Dummy files".
  • In the Tools menu click "Delete Temp Files".
  • Choose "Standard File Kill" if not already selected.
  • Paste these files one by one into the top "Full Path of File to Delete" box.
    • C:\RECYCLER\desktop.ini
    • C:\WINDOWS\System32\drivers\etc\HOSTS
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Confirm Delete prompt.
  • It should give you a successful "File was deleted" prompt for each one.
Reboot and post just a Hijack This log now. :tazz:

Click Here download the latest version of Hijack This (1.99.0). It's better able to catch the latest threats.

-=jonnyrotten=- ;)
  • 0

#7
InoculateMe

InoculateMe

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I got a "file not found" message when attempting to remove C:\RECYCLER\desktop.ini with KillBox.
:tazz:

Here is the new HijackThis Log.
------------------
Logfile of HijackThis v1.99.0
Scan saved at 12:00:18 AM, on 1/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ltmsg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Documents and Settings\Joel Smith\My Documents\DownLoads\Malware Fighting\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search...look=stmpl1&fw=
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Thumbs.db
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton AntiVirus\navapw32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://64.75.174.5/push.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: OracleOraHome92ManagementServer - Unknown - C:\oracle\ora92\bin\OMSNTsrv.exe (file missing)
O23 - Service: OracleOraHome92TNSListener - Unknown - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceOEMREP - Unknown - c:\oracle\ora92\bin\ORACLE.EXE (file missing)
O23 - Service: OracleServiceSJORACLE - Unknown - c:\oracle\ora92\bin\ORACLE.EXE (file missing)
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#8
InoculateMe

InoculateMe

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Sorry!! I forgot to reboot before running the HiJackThis Log.
:tazz:

Here is the REAL log
--------------
Logfile of HijackThis v1.99.0
Scan saved at 12:09:46 AM, on 1/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ltmsg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Joel Smith\My Documents\DownLoads\Malware Fighting\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search...look=stmpl1&fw=
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Thumbs.db
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton AntiVirus\navapw32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://64.75.174.5/push.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: OracleOraHome92ManagementServer - Unknown - C:\oracle\ora92\bin\OMSNTsrv.exe (file missing)
O23 - Service: OracleOraHome92TNSListener - Unknown - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceOEMREP - Unknown - c:\oracle\ora92\bin\ORACLE.EXE (file missing)
O23 - Service: OracleServiceSJORACLE - Unknown - c:\oracle\ora92\bin\ORACLE.EXE (file missing)
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#9
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search...look=stmpl1&fw=
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://64.75.174.5/push.cab
O23 - Service: OracleOraHome92ManagementServer - Unknown - C:\oracle\ora92\bin\OMSNTsrv.exe (file missing)
O23 - Service: OracleOraHome92TNSListener - Unknown - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceOEMREP - Unknown - c:\oracle\ora92\bin\ORACLE.EXE (file missing)
O23 - Service: OracleServiceSJORACLE - Unknown - c:\oracle\ora92\bin\ORACLE.EXE (file missing)

Spybot Search & Destroy Download and install. Start Spybot S&D, Click the Search for updates button, if any are found then click the Download Updates button. After all updates are downloaded, click the Check for problems button. When the scan is complete, place a check next to anything marked in red, then click the Fix selected problems button. You may need to run Spybot S&D multiple times to remove all infections.

Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
-> Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
-> Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

-> Reboot your computer.

Let me know how things are running now :tazz:

-=jonnyrotten=- ;)
  • 0

#10
InoculateMe

InoculateMe

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
OK, I ran all spyware scans until they came up clean. Then rebooted and ran them clean again. Everything seams to be perfect with no popups or rundll errors occuring. ;)

Hoorah! :thumbsup:

You are the man! :tazz:
  • 0

#11
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)


*** Clean log install SP2 **
We highly recommend installing SP2. Click here: http://windowsupdate.microsoft.com/.
-or-
It's a very large download, so if you're on dial-up, order a free CD here:
http://www.microsoft...default810.mspx

-=jonnyrotten=- :thumbsup:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP