frank (Posted February 9, 2006)

I turn on the computer and like 4 command prompts appear, an error message about the 16-bit MS-DOS subsystem, and a rundll error saying error loading 0oqw0ct0.dll. Anything in here malware I can get rid of, or fix what is happening? (Or things I don't need.)

Logfile of HijackThis v1.99.1
Scan saved at 7:39:27 PM, on 2/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\inet20010\winlogon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1139095246\ee\AOLSoftware.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ntvdm.exe
c:\program files\common files\aol\1139095246\ee\aim6.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\Sean\My Documents\malware removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\winlogon.exe
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139095246\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [i downloaded pirated Software from P2P] C:\WINDOWS\system32\Battlefield2 .exe
O4 - HKLM\..\Run: [system service79] C:\WINDOWS\\\etb\\pokapoka79.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd5.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20010\winlogon.exe
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban5.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKCU\..\Run: [klop] C:\WINDOWS\25.tmp
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - HKCU\..\Run: [rkfu] C:\PROGRA~1\COMMON~1\rkfu\rkfum.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20010\winlogon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\opmnjckd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
Matt (Posted February 9, 2006)

You have the latest version of VX2. Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to:
"C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose Close to terminate the application."
...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
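Added example, not part of the thread and not code from HijackThis or L2mfix: a small Python triage script that applies the checks a log helper applies when reading the log above (a start page pointing at a local file, a win.ini run= entry, a core system process name running outside system32, rundll32 loading a randomly named DLL, a populated AppInit_DLLs value, and Winlogon Notify DLLs that are missing or randomly named). The sample lines are copied from frank's log; the random-name heuristic and the reason strings are my own assumptions, not HijackThis rules.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\winlogon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20010\winlogon.exe
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd5.exe
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
"""

# Core Windows process names that only ever run from %SystemRoot%\system32.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, without surrounding quotes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(filename: str) -> bool:
    """Assumed heuristic for generated names such as 0oqw0ct0.dll or r0r60a9sed.dll:
    three or more switches between letter runs and digit runs, or a run of five
    or more digits. Names like atiptaxx.exe or winsysupd5.exe do not trip it."""
    stem = basename(filename).rsplit(".", 1)[0]
    runs = re.findall(r"[a-z]+|[0-9]+", stem)
    return len(runs) - 1 >= 3 or re.search(r"[0-9]{5,}", stem) is not None


def triage(log_text: str):
    """Return a list of (reason, line) for every HijackThis line that matches one
    of the checks below. Everything else is left for a human to review."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # R0/R1: browser start/default/local page redirected to a local file.
        m = re.match(r"^R[013] - .*,(?:Start Page|Default_Page_URL|Local Page) = (.+)$", line)
        if m and re.match(r"^(?:file:|[a-z]:\\)", m.group(1).lower()):
            findings.append(("browser start page points to a local file", line))
            continue
        # F3: the win.ini run= line is a legacy autostart no current software uses.
        if re.match(r"^F3 - REG:win\.ini: run=\S", line):
            findings.append(("win.ini run= autostart", line))
            continue
        # O4: Run-key entries; parse the command after the [label].
        m = re.match(r"^O4 - .*\\Run: \[[^\]]*\] (.+)$", line)
        if m:
            command = m.group(1)
            if command.lower().startswith("rundll32"):
                parts = command.split()
                dll = parts[1].split(",")[0] if len(parts) > 1 else ""
                if looks_random(dll):
                    findings.append(("rundll32 loads a randomly named DLL", line))
                continue
            exe = re.match(r'"?(.+?\.exe)', command, re.IGNORECASE)
            if exe:
                path = exe.group(1).lower()
                name = basename(path)
                if name in SYSTEM_PROCESS_NAMES and not path.endswith("\\windows\\system32\\" + name):
                    findings.append(("system process name running outside system32", line))
            continue
        # O20 AppInit_DLLs: injected into every GUI process, so any value deserves a look.
        if re.match(r"^O20 - AppInit_DLLs: \S", line):
            findings.append(("AppInit_DLLs set", line))
            continue
        # O20 Winlogon Notify: loaded by winlogon.exe before the shell starts, which is
        # where the CSCSettings entry in this thread lives.
        m = re.match(r"^O20 - Winlogon Notify: \S+ - (.+)$", line)
        if m:
            target = m.group(1)
            if "(file missing)" in target:
                findings.append(("Winlogon Notify DLL missing on disk", line))
            elif looks_random(target):
                findings.append(("Winlogon Notify DLL has a random name", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the sample it reports seven lines and leaves the ATI and Kerio entries alone; the heuristic is a first pass, and anything it flags still needs a human to confirm against the full log.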
frank (thread author, Posted February 9, 2006)

> You have the latest version of VX2. Download L2mfix from one of these two locations:
> http://www.atribune.org/downloads/l2mfix.exe
> http://www.downloads.subratam.org/l2mfix.exe
>
> Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
>
> IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
>
> If you receive, while running option #1, an error similar to:
> "C:\windows\system32\cmd.exe
> C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose Close to terminate the application."
> ...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
Matt (Posted February 9, 2006)

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double click the second.bat file to continue with the fix.
frank (thread author, Posted February 9, 2006)

> Close any programs you have open since this step requires a reboot.
>
> From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
>
> IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
>
> If after the reboot the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double click the second.bat file to continue with the fix.

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes): 1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 928 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1024 'winlogon.exe'
Killing PID 1024 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1372 'explorer.exe'
Killing PID 1372 'explorer.exe'
Killing PID 1372 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!
First Pass Completed

Second Pass Scanning
Second pass Completed!

Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]
"DllName"=hex(2):68,00,70,00,70,00,72,00,69,00,6e,00,74,00,78,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Startup"="hpprintx"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001
"nk453id"="[20882906427633-NG-Sean]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}\InprocServer32]
@="C:\\WINDOWS\\system32\\ivssuba.dll"
"ThreadingModel"="Apartment"

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AC3CA426-F420-45AE-89D9-0C2858D56B51}"=-
[-HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}]

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************

Desktop.ini Contents:
****************************************************************************
****************************************************************************

Checking for L2MFix account(0=no 1=yes): 0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*
zip error: Nothing to do! (backup.zip)
  adding: backregs/AC3CA426-F420-45AE-89D9-0C2858D56B51.reg (212 bytes security) (deflated 70%)
  adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
  adding: backregs/shell.reg (164 bytes security) (deflated 74%)
Matt (Posted February 9, 2006)

Hi frank. Please post a new HJT log.
frank (thread author, Posted February 9, 2006)

> Hi frank. Please post a new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 10:31:56 PM, on 2/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wpabaln.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Documents and Settings\Sean\My Documents\malware removal\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\opmnjckd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
Matt (Posted February 9, 2006)

Hi frank. Looks like it didn't get it. Try running step 2 again from the l2mfix directions. If it doesn't catch it this second time, we can use a different tool. I'm signing off now for the night. Catch ya tomorrow.

Good luck
frank (thread author, Posted February 10, 2006)

> Hi frank. Looks like it didn't get it. Try running step 2 again from the l2mfix directions. If it doesn't catch it this second time, we can use a different tool. I'm signing off now for the night. Catch ya tomorrow.
>
> Good luck

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes): 1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 928 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1024 'winlogon.exe'
Killing PID 1024 'winlogon.exe'
Killing PID 1024 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 320 'explorer.exe'
Killing PID 320 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!
First Pass Completed

Second Pass Scanning
Second pass Completed!

Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]
"DllName"=hex(2):68,00,70,00,70,00,72,00,69,00,6e,00,74,00,78,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Startup"="hpprintx"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001
"nk453id"="[20882906427633-NG-Sean]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************

Desktop.ini Contents:
****************************************************************************
****************************************************************************

Checking for L2MFix account(0=no 1=yes): 0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*
zip error: Nothing to do! (backup.zip)
  adding: backregs/AC3CA426-F420-45AE-89D9-0C2858D56B51.reg (164 bytes security) (deflated 70%)
  adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
  adding: backregs/shell.reg (164 bytes security) (deflated 74%)

HERE IS THE HJT LOG (NEW)
-------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:32:18 PM, on 2/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Sean\My Documents\malware removal\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\opmnjckd.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
Matt Posted February 10, 2006

Please download WebRoot SpySweeper from HERE (it's a 2 week trial):

1. Click Download Now to download the program.
2. Install it. Once the program is installed, it will open.
3. It will prompt you to update to the latest definitions; click Yes.
4. Once the definitions are installed, click Options on the left side.
5. Click the Sweep Options tab.
6. Under What to Sweep, put a check next to the following:
   - Sweep Memory
   - Sweep Registry
   - Sweep Cookies
   - Sweep All User Accounts
   - Enable Direct Disk Sweeping
   - Sweep Contents of Compressed Files
   - Sweep for Rootkits
   Please UNCHECK Do not Sweep System Restore Folder.
7. Click Sweep Now on the left side.
8. Click the Start button.
9. When it's done scanning, click the Next button.
10. Make sure everything has a check next to it, then click the Next button.
11. It will remove all of the items found.
12. Click Session Log in the upper right corner and copy everything in that window.
13. Click the Summary tab and click Finish.
14. Paste the contents of the session log you copied into your next reply, along with a new HJT log.
frank Posted February 10, 2006

********
9:41 PM: | Start of Session, Thursday, February 09, 2006 |
9:41 PM: Spy Sweeper started
9:41 PM: Sweep initiated using definitions version 612
9:42 PM: Starting Memory Sweep
9:44 PM: Memory Sweep Complete, Elapsed Time: 00:01:58
9:44 PM: Starting Registry Sweep
9:44 PM: Found Adware: surfsidekick
9:44 PM: HKLM\software\microsoft\windows nt\currentversion\windows\ || appinit_dlls (ID = 819064)
9:44 PM: Found Trojan Horse: spamrelayer_alpiok
9:44 PM: HKCR\clsid\{636821fc-6f5c-2f1b-b164-e67214f678e2}\ (3 subtraces) (ID = 942353)
9:44 PM: HKLM\software\classes\clsid\{636821fc-6f5c-2f1b-b164-e67214f678e2}\ (3 subtraces) (ID = 942360)
9:44 PM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || systray.exgl (ID = 942368)
9:44 PM: Found Adware: cws_secure32.html hijack
9:44 PM: HKLM\software\microsoft\internet explorer\main\ || start page (ID = 946025)
9:44 PM: Found Adware: command
9:44 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
9:44 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
9:44 PM: Found Adware: quicklink search toolbar
9:44 PM: HKCR\permeation.permeater\ (3 subtraces) (ID = 1133968)
9:44 PM: HKCR\permeation.permeater.1\ (3 subtraces) (ID = 1133972)
9:44 PM: HKCR\permeation.trecker\ (3 subtraces) (ID = 1133976)
9:44 PM: HKCR\permeation.trecker.1\ (3 subtraces) (ID = 1133980)
9:44 PM: HKCR\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1133998)
9:44 PM: HKCR\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134093)
9:44 PM: HKLM\software\classes\permeation.permeater\ (3 subtraces) (ID = 1134157)
9:44 PM: HKLM\software\classes\permeation.permeater.1\ (3 subtraces) (ID = 1134161)
9:44 PM: HKLM\software\classes\permeation.trecker\ (3 subtraces) (ID = 1134165)
9:44 PM: HKLM\software\classes\permeation.trecker.1\ (3 subtraces) (ID = 1134169)
9:44 PM: HKLM\software\classes\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1134187)
9:44 PM: HKLM\software\classes\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134251)
9:44 PM: Found Adware: spysheriff
9:44 PM: HKLM\software\microsoft\internet explorer\main\ || start page (ID = 1140862)
9:44 PM: Found Trojan Horse: infected mushrooms
9:44 PM: HKU\S-1-5-21-220523388-1220945662-725345543-1003\software\microsoft\windows\currentversion\run\ || windowsupdatent (ID = 1124765)
9:44 PM: Registry Sweep Complete, Elapsed Time:00:00:08
9:44 PM: Starting Cookie Sweep
9:44 PM: Found Spy Cookie: atwola cookie
9:44 PM: sean@atwola[1].txt (ID = 2255)
9:44 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:44 PM: Starting File Sweep
9:44 PM: Found Trojan Horse: komforochka smtp relay
9:44 PM: c:\windows\inet20010 (1 subtraces) (ID = -2147459835)
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005901.exe". Access is denied
9:44 PM: c:\program files\jalmp (3 subtraces) (ID = -2147459072)
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005995.exe". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0009013.exe". Access is denied
9:44 PM: a0009113.exe (ID = 202812)
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005836.exe". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005997.exe". Access is denied
9:44 PM: a0005860.exe (ID = 238236)
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005876.exe". Access is denied
9:44 PM: Found Trojan Horse: trojan-downloader-dh
9:44 PM: a0005884.exe (ID = 208497)
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005896.exe". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0004786.exe". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp41\a0004390.exe". Access is denied
9:44 PM: a0005953.exe (ID = 212830)
9:44 PM: a0005952.exe (ID = 212831)
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005986.exe". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0004787.exe". Access is denied
9:44 PM: Found Adware: targetsaver
9:44 PM: class-barrel (ID = 78229)
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005984.dll". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006097.exe". Access is denied
9:44 PM: a0009221.dll (ID = 239855)
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005811.exe". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005813.exe". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005815.exe". Access is denied
9:44 PM: a0006053.exe (ID = 212830)
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0008053.exe". Access is denied
9:44 PM: a0006052.exe (ID = 212831)
9:44 PM: a0009115.exe (ID = 240726)
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0008054.exe". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005959.exe". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0008055.exe". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005885.exe". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006086.exe". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006084.dll". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006032.exe". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0008012.dll". Access is denied
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0004789.exe". Access is denied
9:44 PM: a0009106.dll (ID = 220754)
9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp36\a0003998.exe". Access is denied
9:45 PM: a0005955.exe (ID = 212828)
9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005883.dll". Access is denied
9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005934.exe". Access is denied
9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005998.exe". Access is denied
9:45 PM: Found Adware: spysheriff fakealert
9:45 PM: secure32.html (ID = 184319)
9:45 PM: Found Adware: coolwebsearch (cws)
9:45 PM: a0009107.exe (ID = 239915)
9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005903.exe". Access is denied
9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005902.exe". Access is denied
9:45 PM: a0005947.exe (ID = 237448)
9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005900.exe". Access is denied
9:45 PM: Found Trojan Horse: trojan-backdoor-haxdoor
9:45 PM: a0005895.sys (ID = 238244)
9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005931.exe". Access is denied
9:46 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006059.exe". Access is denied
9:46 PM: vocabulary (ID = 78283)
9:46 PM: a0006055.exe (ID = 212828)
9:46 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005891.exe". Access is denied
9:46 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005899.exe". Access is denied
9:47 PM: a0005847.exe (ID = 237448)
9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005834.exe". Access is denied
9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005969.exe". Access is denied
9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006098.exe". Access is denied
9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006029.exe". Access is denied
9:47 PM: a0006047.exe (ID = 237448)
9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005869.exe". Access is denied
9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005991.exe". Access is denied
9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006091.exe". Access is denied
9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005881.exe". Access is denied
9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0006000.exe". Access is denied
9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005897.dll". Access is denied
9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005996.dll". Access is denied
9:48 PM: Found Adware: wfgtech
9:48 PM: a0009111.exe (ID = 203674)
9:48 PM: Found Adware: ezula ilookup
9:48 PM: a0004016.src (ID = 111060)
9:48 PM: a0005985.exe (ID = 208497)
9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006100.exe". Access is denied
9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006095.exe". Access is denied
9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006069.exe". Access is denied
9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006096.dll". Access is denied
9:48 PM: a0006085.exe (ID = 208497)
9:49 PM: dh9013.exe (ID = 208497)
9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005898.exe". Access is denied
9:49 PM: a0005855.exe (ID = 212828)
9:49 PM: a0005872.vbs (ID = 231442)
9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005814.exe". Access is denied
9:49 PM: a0006042.dll (ID = 189)
9:49 PM: a0005973.exe (ID = 231443)
9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005933.exe". Access is denied
9:49 PM: secure32.html (ID = 184319)
9:49 PM: a0005951.config (ID = 212361)
9:49 PM: a0005944.exe (ID = 242377)
9:49 PM: a0005948.dll (ID = 238167)
9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006031.exe". Access is denied
9:49 PM: a0005943.dll (ID = 189)
9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0004799.exe". Access is denied
9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0006002.exe". Access is denied
9:50 PM: Found Adware: clkoptimizer
9:50 PM: a0009110.exe (ID = 208542)
9:50 PM: a0005848.dll (ID = 238167)
9:50 PM: a0005949.cfg (ID = 208796)
9:50 PM: a0006049.cfg (ID = 208796)
9:50 PM: Found Adware: look2me
9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0006001.exe". Access is denied
9:50 PM: a0006017.dll (ID = 159)
9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005999.exe". Access is denied
9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005982.exe". Access is denied
9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005859.exe". Access is denied
9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006077.exe". Access is denied
9:50 PM: a0009118.sys (ID = 238244)
9:50 PM: a0005972.vbs (ID = 231442)
9:50 PM: a0005851.config (ID = 212361)
9:50 PM: a0005853.exe (ID = 212830)
9:50 PM: a0005852.exe (ID = 212831)
9:50 PM: a0005843.exe (ID = 242377)
9:50 PM: a0005960.exe (ID = 238236)
9:50 PM: a0006072.vbs (ID = 231442)
9:50 PM: a0006073.exe (ID = 231443)
9:50 PM: a0005849.cfg (ID = 208796)
9:50 PM: a0006048.dll (ID = 238167)
9:50 PM: a0006043.exe (ID = 242377)
9:50 PM: Found Adware: elitebar
9:50 PM: a0008076.dll (ID = 198437)
9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp36\a0003995.exe". Access is denied
9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005837.exe". Access is denied
9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005812.exe". Access is denied
9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006102.exe". Access is denied
9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006101.exe". Access is denied
9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005977.exe". Access is denied
9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006099.exe". Access is denied
9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006082.exe". Access is denied
9:51 PM: a0006060.exe (ID = 238236)
9:51 PM: a0006051.config (ID = 212361)
9:52 PM: Found Adware: findthewebsiteyouneed hijacker
9:52 PM: a0009125.exe (ID = 242088)
9:52 PM: a0009230.exe (ID = 239916)
9:52 PM: Found Adware: dollarrevenue
9:52 PM: a0009109.exe (ID = 241756)
9:52 PM: Found Trojan Horse: trojan-backdoor-us15info
9:52 PM: a0009116.exe (ID = 239949)
9:52 PM: a0009124.exe (ID = 241762)
9:52 PM: a0004803.lnk (ID = 60599)
9:52 PM: a0004804.lnk (ID = 60601)
9:52 PM: a0004012.lnk (ID = 60599)
9:52 PM: a0004013.lnk (ID = 60601)
9:52 PM: a0005974.vbs (ID = 185675)
9:52 PM: a0005873.vbs (ID = 185675)
9:52 PM: a0005857.bat (ID = 212353)
9:52 PM: a0005854.config (ID = 212358)
9:52 PM: a0005957.bat (ID = 212353)
9:52 PM: a0005954.config (ID = 212358)
9:52 PM: a0006074.vbs (ID = 185675)
9:52 PM: a0006057.bat (ID = 212353)
9:52 PM: a0006054.config (ID = 212358)
9:58 PM: Found System Monitor: potentially rootkit-masked files
9:58 PM: sysbus32.sys (ID = 0)
10:03 PM: Sweep Canceled
10:04 PM: File Sweep Complete, Elapsed Time: 00:19:57
10:04 PM: Traces Found: 183
10:05 PM: Removal process initiated
10:05 PM: Quarantining All Traces: clkoptimizer
10:05 PM: Quarantining All Traces: elitebar
10:05 PM: Quarantining All Traces: infected mushrooms
10:05 PM: Quarantining All Traces: komforochka smtp relay
10:05 PM: Quarantining All Traces: look2me
10:05 PM: Quarantining All Traces: potentially rootkit-masked files
10:05 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
10:05 PM: sysbus32.sys is in use. It will be removed on reboot.
10:05 PM: Quarantining All Traces: spamrelayer_alpiok
10:05 PM: Quarantining All Traces: spysheriff fakealert
10:05 PM: Quarantining All Traces: trojan-backdoor-haxdoor
10:05 PM: Quarantining All Traces: trojan-backdoor-us15info
10:05 PM: Quarantining All Traces: coolwebsearch (cws)
10:05 PM: Quarantining All Traces: dollarrevenue
10:05 PM: Quarantining All Traces: quicklink search toolbar
10:05 PM: Quarantining All Traces: spysheriff
10:05 PM: Quarantining All Traces: surfsidekick
10:05 PM: Quarantining All Traces: trojan-downloader-dh
10:05 PM: Quarantining All Traces: command
10:05 PM: Quarantining All Traces: cws_secure32.html hijack
10:05 PM: Quarantining All Traces: ezula ilookup
10:05 PM: Quarantining All Traces: findthewebsiteyouneed hijacker
10:05 PM: Quarantining All Traces: targetsaver
10:05 PM: Quarantining All Traces: wfgtech
10:05 PM: Quarantining All Traces: atwola cookie
10:06 PM: Removal process completed. Elapsed time 00:01:05
********
9:40 PM: | Start of Session, Thursday, February 09, 2006 |
9:40 PM: Spy Sweeper started
9:41 PM: Your spyware definitions have been updated.
9:41 PM: | End of Session, Thursday, February 09, 2006 |

HJT LOG
________________________________
Logfile of HijackThis v1.99.1
Scan saved at 10:07:39 PM, on 2/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Common Files\AOL\1139095246\ee\aolsoftware.exe
c:\program files\common files\aol\1139095246\ee\aim6.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Documents and Settings\Sean\My Documents\malware removal\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [6104308] tskmgr.exe /ibpm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
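The two HijackThis logs in the post above, taken before and after the Spy Sweeper run, are most useful read as a diff: the O4 `tskmgr.exe /ibpm` and `0oqw0ct0.dll` loaders and the `CSCSettings`/`hpprintx` Winlogon Notify packages come back unchanged, while `repairs302972994.dll`, `svwhost.exe` and the `SysTray.Exgl` SSODL entry are gone. The script below is an added example, not code from the thread or from HijackThis: it parses two HJT excerpts (constructed here from the entries quoted in this post, trimmed to the autostart sections) and reports which entries survived, which were removed and which are new, then filters the survivors against a small allowlist. The section list and the allowlist are assumptions for this machine, not HJT documentation.

```python
import re

# HijackThis section prefixes that describe code started automatically.
# Assumption (ours, not HJT documentation): these are the ones worth diffing.
AUTOSTART_SECTIONS = ("F2", "F3", "O4", "O20", "O21", "O23")

LINE_RE = re.compile(r"^(?P<section>[FO]\d{1,2}) - (?P<body>.+?)\s*$")

# Constructed excerpts of the 9:32 PM and 10:07 PM logs quoted in the post,
# trimmed to the autostart sections.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\opmnjckd.dll (file missing)
"""

HJT_AFTER = r"""
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Assumption: legitimate entries in this machine's logs (not an HJT list).
KNOWN_GOOD = ("SOUNDMAN.EXE", "AsusProb.exe", "nTune.exe", "atiptaxx.exe",
              "avgcc.exe", "Mozilla.exe", "ctfmon.exe", "SpySweeper.exe",
              "WRLogonNTF.dll")


def autostart_entries(log_text):
    """Map each autostart section to the set of entry bodies it contains."""
    entries = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("section") in AUTOSTART_SECTIONS:
            entries.setdefault(m.group("section"), set()).add(m.group("body"))
    return entries


def compare_logs(before, after):
    """Classify autostart entries as survived, removed or new between two logs.

    Survivors are the interesting set: a loader that is still registered
    after a removal pass is what keeps re-dropping everything else."""
    b, a = autostart_entries(before), autostart_entries(after)
    report = {"survived": [], "removed": [], "new": []}
    for section in sorted(set(b) | set(a)):
        old, new = b.get(section, set()), a.get(section, set())
        report["survived"] += [f"{section} - {e}" for e in sorted(old & new)]
        report["removed"] += [f"{section} - {e}" for e in sorted(old - new)]
        report["new"] += [f"{section} - {e}" for e in sorted(new - old)]
    return report


def survivors_outside_allowlist(report, allowlist):
    """Keep only survivors that mention none of the allowlisted file names."""
    return [e for e in report["survived"]
            if not any(tok.lower() in e.lower() for tok in allowlist)]


if __name__ == "__main__":
    rep = compare_logs(HJT_BEFORE, HJT_AFTER)
    for kind in ("survived", "removed", "new"):
        print(f"== {kind} ==")
        for e in rep[kind]:
            print("  " + e)
    print("== survivors not on allowlist ==")
    for e in survivors_outside_allowlist(rep, KNOWN_GOOD):
        print("  " + e)
```

Run against the two excerpts, the allowlist filter leaves exactly the four entries a helper would ask about next: the two `6104308` Run values, the `0oqw0ct0.dll` rundll32 loader and the `CSCSettings` Notify package, plus the orphaned `hpprintx` key.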
Dan Posted February 11, 2006

Hi,

Matt is away, so I'll take over for him.

Let's try the manual fix.

1. Download finditnt2000xp.zip.
2. Unzip the contents of finditnt2000xp.zip to a convenient location.
3. Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
4. A command prompt will open and it will search your computer for malicious files.
5. Once it has finished, a Notepad window will pop up with output.txt.
6. Copy the entire contents of output.txt into your next post.

Danny
frank Posted February 12, 2006

Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Sean\My Documents\My Downloads\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
 Volume in drive C has no label.
 Volume Serial Number is 88DA-5EDA

 Directory of C:\WINDOWS\System32

02/07/2006  10:51 PM           234,272 ivssuba.dll
02/07/2006  10:51 PM           234,962 r0r60a9sed.dll
02/07/2006  10:33 PM           234,272 kgdsf.dll
02/07/2006  10:33 PM           234,272 ibdetect.dll
02/05/2006  10:56 AM    <DIR>          dllcache
02/04/2006  03:56 AM    <DIR>          Microsoft
               4 File(s)        937,778 bytes
               2 Dir(s)  45,149,118,464 bytes free

------- Hidden Files in System32 Directory -------
 Volume in drive C has no label.
 Volume Serial Number is 88DA-5EDA

 Directory of C:\WINDOWS\System32

02/05/2006  10:56 AM    <DIR>          dllcache
02/04/2006  03:51 AM               488 logonui.exe.manifest
02/04/2006  03:51 AM               488 WindowsLogon.manifest
02/04/2006  03:51 AM               749 nwc.cpl.manifest
02/04/2006  03:51 AM               749 sapi.cpl.manifest
02/04/2006  03:51 AM               749 ncpa.cpl.manifest
02/04/2006  03:51 AM               749 wuaucpl.cpl.manifest
02/04/2006  03:51 AM               749 cdplayer.exe.manifest
               7 File(s)          4,721 bytes
               1 Dir(s)  45,149,118,464 bytes free

------------ Files Named "Guard" ---------------
 Volume in drive C has no label.
 Volume Serial Number is 88DA-5EDA

 Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------
 Volume in drive C has no label.
 Volume Serial Number is 88DA-5EDA

 Directory of C:\WINDOWS\System32

08/10/2004  06:00 AM             2,577 CONFIG.TMP
               1 File(s)          2,577 bytes
               0 Dir(s)  45,149,114,368 bytes free

------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

------------- Keys Under Notify -------------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]
"DllName"=hex(2):68,70,70,72,69,6e,74,78,2e,64,6c,6c,00
"Startup"="hpprintx"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001
"nk453id"="[20882906427633-NG-Sean]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

------------- Locate.com Results -------------
C:\WINDOWS\SYSTEM32\
cdplay~1.man   Sat Feb  4 2006  3:51:04a  A..HR        749   0.73 K
ibdetect.dll   Tue Feb  7 2006 10:33:12p  ..S.R    234,272 228.78 K
ivssuba.dll    Tue Feb  7 2006 10:51:40p  ..S.R    234,272 228.78 K
kgdsf.dll      Tue Feb  7 2006 10:33:20p  ..S.R    234,272 228.78 K
logonu~1.man   Sat Feb  4 2006  3:51:08a  A..HR        488   0.48 K
ncpacp~1.man   Sat Feb  4 2006  3:51:04a  A..HR        749   0.73 K
nwccpl~1.man   Sat Feb  4 2006  3:51:04a  A..HR        749   0.73 K
r0r60a~1.dll   Tue Feb  7 2006 10:51:40p  ..S.R    234,962 229.45 K
sapicp~1.man   Sat Feb  4 2006  3:51:04a  A..HR        749   0.73 K
window~1.man   Sat Feb  4 2006  3:51:08a  A..HR        488   0.48 K
wuaucp~1.man   Sat Feb  4 2006  3:51:04a  A..HR        749   0.73 K

11 items found:  11 files, 0 directories.
Total of file sizes: 942,499 bytes 920.41 K -------- Strings.exe Qoologic Results -------- --------- Strings.exe Aspack Results ---------C:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPackC:\WINDOWS\system32\MRT.exe: (ASPack)C:\WINDOWS\system32\MRT.exe: (AsPack2k)C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)C:\WINDOWS\system32\MRT.exe: ASPack2000C:\WINDOWS\system32\MRT.exe: ASPack 1.61C:\WINDOWS\system32\MRT.exe: ASPack 1.084C:\WINDOWS\system32\MRT.exe: ASPack 1.083C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02bC:\WINDOWS\system32\MRT.exe: ASPack 1.07bC:\WINDOWS\system32\MRT.exe: ASPack 1.05bC:\WINDOWS\system32\MRT.exe: ASPack 1.02C:\WINDOWS\system32\MRT.exe: ASPACKC:\WINDOWS\system32\MRT.exe: aspACKC:\WINDOWS\system32\MRT.exe: aspACKC:\WINDOWS\system32\MRT.exe: aspACKC:\WINDOWS\system32\MRT.exe: aspACKC:\WINDOWS\system32\MRT.exe: aspACKC:\WINDOWS\system32\MRT.exe: aspACKC:\WINDOWS\system32\MRT.exe: aspACKC:\WINDOWS\system32\ntdll.dll: .aspack -------------- HKLM Run Key ----------------REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SoundMan"="SOUNDMAN.EXE""ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe""6104308"="tskmgr.exe /ibpm""AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP""SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray""ASUS Probe"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe""KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\ 
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]"Installed"="1"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]"Installed"="1""NoChange"="1"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]"Installed"="1" Link to post Share on other sites
Dan Posted February 13, 2006 (edited)

Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Click on the "All Files" button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\WINDOWS\System32\ivssuba.dll
C:\WINDOWS\System32\r0r60a9sed.dll
C:\WINDOWS\System32\kgdsf.dll
C:\WINDOWS\System32\ibdetect.dll
C:\WINDOWS\SYSTEM32\ibdetect.dll
C:\WINDOWS\SYSTEM32\ivssuba.dll
C:\WINDOWS\SYSTEM32\kgdsf.dll
C:\WINDOWS\SYSTEM32\logonu~1.man
C:\WINDOWS\SYSTEM32\ncpacp~1.man
C:\WINDOWS\SYSTEM32\nwccpl~1.man
C:\WINDOWS\SYSTEM32\r0r60a~1.dll
C:\WINDOWS\SYSTEM32\sapicp~1.man
C:\WINDOWS\SYSTEM32\window~1.man
C:\WINDOWS\SYSTEM32\wuaucp~1.man

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "OK" at any PendingRenameOperations prompt.
Double-click on find.bat and post the new output.txt.
Danny

Edited February 13, 2006 by Danny
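The r0r60a9sed.dll that Danny lists for Killbox is the same file the CSCSettings package under Winlogon\Notify loads in the Find It output above, which is how that persistence shows up in the log. The script below is an added example (not from the thread, Find It or Killbox) of triaging the "Keys Under Notify" section automatically: it parses the REGEDIT4 dump, decodes hex(2) values, and flags packages outside a Windows-shipped allowlist, with the allowlist and the random-name heuristic being my assumptions; the sample input is constructed from the thread's own output.

```python
import re
# Notify packages that ship with Windows XP and the DLL each should load (my allowlist,
# an assumption not taken from the thread); anything outside it is third-party or unknown.
WINDOWS_NOTIFY = {"crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
                  "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
                  "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll"}
NOTIFY_PREFIX = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"

def decode_reg_value(raw):
    """Right-hand side of a REGEDIT4 "name"=value line -> str."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escaping
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw)  # REG_EXPAND_SZ: NUL-terminated ANSI bytes
    if not m:
        return raw  # dword: and friends are kept as written
    return bytes(int(b, 16) for b in m.group(1).split(",") if b).split(b"\x00", 1)[0].decode("latin-1")

def parse_notify_export(text):
    """Parse the "Keys Under Notify" REGEDIT4 dump into {package: {valuename: data}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # re-join hex values wrapped with a trailing backslash
    packages, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = None
            if line[1:-1].lower().startswith(NOTIFY_PREFIX):
                current = line[1:-1][len(NOTIFY_PREFIX):]
                packages[current] = {}
        elif current and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            packages[current][name.lower()] = decode_reg_value(raw)
    return packages

def looks_random(filename):
    stem = filename.rsplit(".", 1)[0].lower()
    digits, vowels = sum(c.isdigit() for c in stem), sum(c in "aeiou" for c in stem)
    return len(stem) >= 6 and digits >= 2 and vowels <= len(stem) // 4  # e.g. r0r60a9sed

def triage_notify(packages):
    """Return (severity, package, dll, reason) tuples for entries a responder should look at."""
    findings = []
    for pkg, values in packages.items():
        dll = values.get("dllname", "")
        base = dll.rsplit("\\", 1)[-1]
        expected = WINDOWS_NOTIFY.get(pkg.lower())
        if expected is None:
            # an absolute path under system32 plus a random name is the pattern in this thread
            suspect = looks_random(base) or "\\" in dll
            findings.append(("suspect" if suspect else "review", pkg, dll, "not a Windows-shipped package"))
        elif base.lower() != expected:
            findings.append(("suspect", pkg, dll, f"expected {expected}"))
    return findings

# Constructed sample trimmed from the thread's Notify output; termsrv's hex value is wrapped as regedit does.
SAMPLE_NOTIFY_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,\
  2e,64,6c,6c,00
'''
```

Running triage_notify(parse_notify_export(SAMPLE_NOTIFY_EXPORT)) marks AtiExtEvent "review" (third-party but a plain vendor DLL name) and CSCSettings "suspect", while the two Windows packages produce no finding.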
frank (Author) Posted February 14, 2006

NEW OUTPUT LOG>>>>>>>>>>>>>.

Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Sean\My Documents\My Downloads\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 88DA-5EDA

 Directory of C:\WINDOWS\System32

02/05/2006 10:56 AM <DIR> dllcache
02/04/2006 03:56 AM <DIR> Microsoft
 0 File(s) 0 bytes
 2 Dir(s) 44,617,871,360 bytes free

------- Hidden Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 88DA-5EDA

 Directory of C:\WINDOWS\System32

02/05/2006 10:56 AM <DIR> dllcache
02/04/2006 03:51 AM 749 cdplayer.exe.manifest
 1 File(s) 749 bytes
 1 Dir(s) 44,617,871,360 bytes free

------------ Files Named "Guard" ---------------

 Volume in drive C has no label.
 Volume Serial Number is 88DA-5EDA

 Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

 Volume in drive C has no label.
 Volume Serial Number is 88DA-5EDA

 Directory of C:\WINDOWS\System32

08/10/2004 06:00 AM 2,577 CONFIG.TMP
 1 File(s) 2,577 bytes
 0 Dir(s) 44,617,871,360 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]
"DllName"=hex(2):68,70,70,72,69,6e,74,78,2e,64,6c,6c,00
"Startup"="hpprintx"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001
"nk453id"="[20882906427633-NG-Sean]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Sat Feb 4 2006 3:51:04a A..HR 749 0.73 K

1 item found: 1 file, 0 directories.
Total of file sizes: 749 bytes 0.73 K

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: (AsPack2k)
C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)
C:\WINDOWS\system32\MRT.exe: ASPack2000
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Dan Posted February 15, 2006

Hi,
Can you please try this:
Please download Look2Me-Destroyer.exe to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
therock247uk Posted April 5, 2006

Inactive topic...
If you still need help on this problem, contact me or one of the Moderators to re-open this up.
Topic closed.