
HijackThis Log: Please help Diagnose

31 replies to this topic

#1 Lyna

Lyna

  • Members
  • 22 posts

Posted 06 February 2005 - 02:56 AM

Please help me. I'm new with HijackThis and I'd really like to fix my homepage; no matter how many times I change it, it automatically changes back to this 216 blabla web page. Please help me get rid of the spyware on my PC.
Here's the log file:

Logfile of HijackThis v1.99.0
Scan saved at 9:01:50 PM, on 2/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\PROGRAM FILES\WINDOWS ADTOOLS\WINRATCHET.EXE
C:\PROGRAM FILES\ETRODRG\JBDP.EXE
C:\WINDOWS\MSMSGR2.EXE
C:\RALXH.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\ACTALERT.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\ACTALERT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=153510
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...count_id=153510
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cg...k=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=153510
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?101 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://xtramsn.co.nz/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ZFREE
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL,-100 - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL (file missing)
O3 - Toolbar: procforrect - {0FD67BCE-3D36-47DF-D9B2-AE92092E5496} - C:\PROGRAM FILES\GPL INFO LONG\PHONESAVE.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1601.0\EN-US\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\PROGRAM FILES\IEMENUEXTENSION\TBEXTN.DLL
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [MSOffice] C:\WINDOWS\SYSTEM\MSOFFICE\SERVICES.EXE
O4 - HKLM\..\Run: [Windows AdTools] C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Vhhhpa] C:\PROGRAM FILES\QQHYK\KUSFWX.EXE
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [Emanp] C:\PROGRAM FILES\ETRODRG\JBDP.EXE
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~2\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [myqF] C:\RALXH.EXE
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\RALXH.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunServices: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\RunServices: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~2\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~2\DAP\dapextie2.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O9 - Extra 'Tools' menuitem: @C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~2\DAP\DAP.EXE (file missing)
O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm (file missing)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm (file missing)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet4_80.dll' missing
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {81361155-FAF9-11D3-B0D3-00C04F612FF1} (MSN Chat Control 3.0) - http://fdl.msn.com/public/chat/msnchat3.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://content.communities.msn.com/cs/MsnPUpld.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co...X.cab?9,0,712,0
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://209.8.20.130/dl/adv237/x.chm::/load.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...d7510b28ebf1261
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_lyrics.cab
O18 - Protocol: ayb - (no CLSID) - (no file)
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
O19 - User stylesheet: C:\WINDOWS\default.css (HKLM)
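The log above shows the classic hijack pattern a helper looks for first: browser start/search pages pointing at a bare IP address, hosts-file entries redirecting well-known search hosts, a long list of Trusted Zone additions, autostart entries running executables straight from the drive root, an O16 ActiveX download fetched through an `ms-its:`/`mhtml:` (CHM) URL, and a broken LSP chain. The following script is an added example by the editor, not code from HijackThis or from this thread; it applies those same rules to a subset of the posted log (the sample lines are copied from the log above, nothing else is assumed) and returns the entries that deserve a second look.

```python
"""Triage a HijackThis log for the hijack indicators visible in the posted log.

Added example, not HijackThis code. SAMPLE_LOG is a constructed subset of the
log posted in this thread; the rules are the ones a helper applies by eye.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://xtramsn.co.nz/home
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [myqF] C:\RALXH.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet4_80.dll' missing
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
"""

# "R0 - <body>", "O16 - <body>", ... ; F and N sections exist in older logs too.
ENTRY_RE = re.compile(r"^(R\d|O\d+|F\d|N\d) - (.*)$")
URL_RE = re.compile(r"(?:https?|ms-its|mhtml):\S+", re.IGNORECASE)
# Path that follows the "[name]" in an O4 autostart entry, quoted or not.
O4_PATH_RE = re.compile(r'\]\s*"?([A-Za-z]:\\[^"]+?\.(?:exe|dll))', re.IGNORECASE)


def entry_url(body):
    m = URL_RE.search(body)
    return m.group(0) if m else None


def is_bare_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def assess(section, body):
    """Return a reason string if the entry deserves a second look, else None."""
    if section in ("R0", "R1"):
        url = entry_url(body)
        host = urlparse(url).hostname if url else None
        if host and is_bare_ip(host):
            return "browser start/search setting points at a bare IP address"
        return None
    if section == "O1":
        # "Hosts: <ip> <hostname>" - anything not loopback is a redirection
        parts = body.split(None, 2)
        if len(parts) == 3 and not parts[1].startswith("127."):
            return f"hosts file redirects {parts[2]} to {parts[1]}"
        return None
    if section == "O4":
        m = O4_PATH_RE.search(body)
        # A single backslash means the file sits directly in the drive root.
        if m and m.group(1).count("\\") == 1:
            return "autostart runs an executable from the drive root"
        return None
    if section == "O10":
        return "LSP chain references a missing provider (broken networking)"
    if section == "O15":
        return "Trusted Zone / Trusted IP range addition"
    if section == "O16":
        url = (entry_url(body) or "").lower()
        if url.startswith(("ms-its:", "mhtml:")):
            return "ActiveX download delivered through an ms-its:/mhtml: (CHM) URL"
        if url.endswith(".exe"):
            return "ActiveX entry downloads a raw executable"
        return None
    return None


def triage(log_text):
    """Return [(section, reason, body)] for every flagged entry, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        reason = assess(section, body)
        if reason:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:<4} {reason}\n     {body}")
```

The rules are deliberately coarse: a Trusted Zone entry or an O4 entry in the drive root is not proof of infection, but in a log like this one each is worth reading, and the script surfaces them without anyone scanning 120 lines by eye.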


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 06 February 2005 - 07:27 PM

Hello Lyna,

Let's start by running some scans and seeing what they come up with. They should take out some of the malware. :thumbsup:

***************************************************

Please download, update and run (one at a time of course!)
Spybot 1.3 and Adaware SE

Fix whatever they suggest.

***************************************************

If you need help running these tools, here are some helpful tutorials.
Spybot 1.3 Tutorial
Adaware SE Tutorial


***************************************************

Be sure to run Adaware SE with a Full Scan in the Safe Mode.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.



The following explains how to set Ad-aware's settings to perform a "Full Scan."

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level.

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.



***************************************************


Please download, update and run the free A2 (A squared) anti-trojan

Let it fix whatever it wants to.

***************************************************


I know you may have anti-virus software, but sometimes its definitions are corrupted due to malware. Online scans are the best resort in this case.
Run this PC through the Panda Scan Online virus scanner
or Trend Micro Housecall Online virus scanner


***************************************************

Next, reboot and post a fresh HijackThis log to this thread.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Lyna

Lyna
  • Topic Starter

  • Members
  • 22 posts

Posted 06 February 2005 - 10:59 PM

OK, thanks, I'll get to it :thumbsup:

#4 Lyna

Lyna
  • Topic Starter

  • Members
  • 22 posts

Posted 08 February 2005 - 11:31 PM

Sorry for double posting.

OK, I've followed the instructions. I've downloaded Spybot, updated that and scanned; downloaded Ad-Aware, updated and scanned, and when done scanning I had problems deleting some files: I couldn't delete these 2 files with the name "coolwebsearch" on them; whenever I tried, the deleting sign freezes (by the way, this was in safe mode). I downloaded A2 and updated it and used it; this fixed the problem with the web page, it's not the http://213... site anymore, A2 changed it to MSN. And lastly I took the online virus scan, Trend Micro HouseCall. Problems: I still get unexpected popups, and about every 10 - 20 sec the "work offline or try again" window appears when I'm not on the net. It's so annoying, please help me clean my log file.

Logfile of HijackThis v1.99.0
Scan saved at 5:25:39 PM, on 2/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\RALXH.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://xtramsn.co.nz/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ZFREE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = httpproxy.clear.net.nz:8080
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL,-100 - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL (file missing)
O3 - Toolbar: procforrect - {0FD67BCE-3D36-47DF-D9B2-AE92092E5496} - C:\PROGRAM FILES\GPL INFO LONG\PHONESAVE.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1601.0\EN-US\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Vhhhpa] C:\PROGRAM FILES\QQHYK\KUSFWX.EXE
O4 - HKLM\..\Run: [Emanp] C:\PROGRAM FILES\ETRODRG\JBDP.EXE
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [myqF] C:\RALXH.EXE
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\RALXH.EXE
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~2\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~2\DAP\dapextie2.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O9 - Extra 'Tools' menuitem: @C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~2\DAP\DAP.EXE (file missing)
O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm (file missing)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet4_80.dll' missing
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {81361155-FAF9-11D3-B0D3-00C04F612FF1} (MSN Chat Control 3.0) - http://fdl.msn.com/public/chat/msnchat3.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://content.communities.msn.com/cs/MsnPUpld.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co...X.cab?9,0,712,0
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Edited by Lyna, 08 February 2005 - 11:33 PM.


#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 February 2005 - 01:59 PM

Hello Lyna,

Your computer is quite a mess. You have several pieces of malware on your computer, the most serious being a nasty VX2 infection. This is going to be a multi-step process, and we should be able to remove it. :thumbsup:

Download the following file here:
http://castlecops.com/zx/Zupe/FindIt9xME.zip
and unzip the contents to a folder.
When it has unzipped, open that folder and double click on Find.bat.
It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

#6 Lyna

Lyna
  • Topic Starter

  • Members
  • 22 posts

Posted 10 February 2005 - 12:32 AM

OK, here it is. Someone please hurry and give a detailed fix.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 2970-11E5
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 10,022 02-10-05 1:39p KGyGaAvL.sys
3DE67A~1 SYS 56 02-10-05 1:39p 3DE67AF46F.sys
PMWRPROF DLL 222,568 02-04-05 4:13p PMWRPROF.DLL
PLDLIB DLL 222,568 02-04-05 4:13p PLDLIB.DLL
SPLWID DLL 222,568 02-04-05 4:13p SPLWID.DLL
PFMAS DLL 222,568 02-04-05 4:13p pfmas.dll
IQCFGDLL DLL 222,568 02-04-05 4:13p IQCFGDLL.DLL
RU3228_8 DLL 222,568 02-04-05 4:13p RU3228_8.DLL
MIPI32 DLL 222,568 02-04-05 4:13p MIPI32.DLL
DYNHUPNP DLL 222,568 02-04-05 4:13p DYNHUPNP.DLL
OVTWA400 DLL 222,568 02-04-05 4:13p OVTWA400.DLL
MWCO30 DLL 222,568 02-04-05 4:13p MWCO30.DLL
FHPWPP DLL 222,568 02-04-05 4:13p FHPWPP.DLL
OMBC32 DLL 222,568 02-04-05 4:13p OMBC32.DLL
PEFWIN32 DLL 222,568 02-04-05 4:13p PEFWIN32.DLL
RJVPSP DLL 222,568 02-04-05 4:13p RJVPSP.DLL
LJIMG11N DLL 222,568 02-04-05 4:13p LjImg11n.dll
SGBAPI DLL 222,568 02-04-05 4:13p sgbapi.dll
PYSPL DLL 222,568 02-04-05 4:13p PYSPL.DLL
QWUT DLL 222,568 02-04-05 4:13p QWUT.DLL
JZVART DLL 222,568 02-04-05 4:13p JZVART.DLL
FWSRCH DLL 222,568 02-04-05 4:13p FWSRCH.DLL
RQCLTCCM DLL 222,568 02-04-05 4:13p RQCLTCCM.DLL
MWPISTUB DLL 222,568 02-04-05 4:13p mWpistub.dll
VS5DB DLL 222,568 02-04-05 4:13p VS5DB.DLL
JWVACYPT DLL 222,568 02-04-05 4:13p JWVACYPT.DLL
WYLP32T DLL 222,568 02-04-05 4:13p WYLP32T.DLL
VBPUBAPI DLL 222,568 02-04-05 4:13p VBPUBAPI.DLL
SRFTPUB DLL 222,568 02-04-05 4:13p SRFTPUB.DLL
GKDEF DLL 222,568 02-04-05 4:13p GKDEF.DLL
EDDAZ32 DLL 222,568 02-04-05 4:13p EDDAZ32.DLL
DZNHUPNP DLL 222,568 02-04-05 4:13p DZNHUPNP.DLL
IFSTSCH DLL 222,568 02-04-05 4:13p IFSTSCH.DLL
LDPCX80N DLL 222,568 02-04-05 4:13p LDPCX80N.DLL
CWETCFG DLL 222,568 02-04-05 4:13p CWETCFG.DLL
DYGHELP DLL 222,568 02-04-05 4:13p DygHelp.dll
36 file(s) 7,577,390 bytes
0 dir(s) 1,869.70 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 2970-11E5
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 10,022 02-10-05 1:39p KGyGaAvL.sys
3DE67A~1 SYS 56 02-10-05 1:39p 3DE67AF46F.sys
RATINGS POL 8,192 01-04-03 2:08p RATINGS.POL
FOLDER HTT 13,122 08-22-01 7:06p FOLDER.HTT
DESKTOP INI 266 08-22-01 7:06p DESKTOP.INI
5 file(s) 31,658 bytes
0 dir(s) 1,869.70 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{209C9A40-7932-11D9-8FBC-444553540000}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
pmwrprof.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
pldlib.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
splwid.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
pfmas.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
iqcfgdll.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
ru3228_8.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
mipi32.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
dynhupnp.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
ovtwa400.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
mwco30.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
fhpwpp.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
ombc32.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
pefwin32.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
rjvpsp.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
ljimg11n.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
sgbapi.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
pyspl.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
qwut.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
jzvart.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
fwsrch.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
rqcltccm.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
mwpistub.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
vs5db.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
jwvacypt.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
wylp32t.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
vbpubapi.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
srftpub.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
gkdef.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
eddaz32.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
kgygaavl.sys Thu Feb 10 2005 1:39:52p A.SH. 10,022 9.79 K
dznhupnp.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
ifstsch.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
ldpcx80n.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
cwetcfg.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
dyghelp.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
3de67a~1.sys Thu Feb 10 2005 1:39:52p ..SHR 56 0.05 K

36 items found: 36 files, 0 directories.
Total of file sizes: 7,577,390 bytes 7.22 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.398: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.398: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.398: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.398: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.398: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.398: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\xwebpic10.ocx: .aspack
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\PMWRPROF.DLL: UMonitor
C:\WINDOWS\SYSTEM\PLDLIB.DLL: UMonitor
C:\WINDOWS\SYSTEM\SPLWID.DLL: UMonitor
C:\WINDOWS\SYSTEM\pfmas.dll: UMonitor
C:\WINDOWS\SYSTEM\IQCFGDLL.DLL: UMonitor
C:\WINDOWS\SYSTEM\RU3228_8.DLL: UMonitor
C:\WINDOWS\SYSTEM\MIPI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\DYNHUPNP.DLL: UMonitor
C:\WINDOWS\SYSTEM\OVTWA400.DLL: UMonitor
C:\WINDOWS\SYSTEM\MWCO30.DLL: UMonitor
C:\WINDOWS\SYSTEM\FHPWPP.DLL: UMonitor
C:\WINDOWS\SYSTEM\OMBC32.DLL: UMonitor
C:\WINDOWS\SYSTEM\PEFWIN32.DLL: UMonitor
C:\WINDOWS\SYSTEM\RJVPSP.DLL: UMonitor
C:\WINDOWS\SYSTEM\LjImg11n.dll: UMonitor
C:\WINDOWS\SYSTEM\sgbapi.dll: UMonitor
C:\WINDOWS\SYSTEM\PYSPL.DLL: UMonitor
C:\WINDOWS\SYSTEM\QWUT.DLL: UMonitor
C:\WINDOWS\SYSTEM\JZVART.DLL: UMonitor
C:\WINDOWS\SYSTEM\FWSRCH.DLL: UMonitor
C:\WINDOWS\SYSTEM\RQCLTCCM.DLL: UMonitor
C:\WINDOWS\SYSTEM\mWpistub.dll: UMonitor
C:\WINDOWS\SYSTEM\VS5DB.DLL: UMonitor
C:\WINDOWS\SYSTEM\JWVACYPT.DLL: UMonitor
C:\WINDOWS\SYSTEM\WYLP32T.DLL: UMonitor
C:\WINDOWS\SYSTEM\SCEM0409.DLL: UMonitor
C:\WINDOWS\SYSTEM\VBPUBAPI.DLL: UMonitor
C:\WINDOWS\SYSTEM\SRFTPUB.DLL: UMonitor
C:\WINDOWS\SYSTEM\GKDEF.DLL: UMonitor
C:\WINDOWS\SYSTEM\EDDAZ32.DLL: UMonitor
C:\WINDOWS\SYSTEM\DZNHUPNP.DLL: UMonitor
C:\WINDOWS\SYSTEM\IFSTSCH.DLL: UMonitor
C:\WINDOWS\SYSTEM\LDPCX80N.DLL: UMonitor
C:\WINDOWS\SYSTEM\CWETCFG.DLL: UMonitor
C:\WINDOWS\SYSTEM\DygHelp.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_CC"="C:\\PROGRAM FILES\\GRISOFT\\AVG6\\avgcc32.exe /startup"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"Vhhhpa"="C:\\PROGRAM FILES\\QQHYK\\KUSFWX.EXE"
"Emanp"="C:\\PROGRAM FILES\\ETRODRG\\JBDP.EXE"
"_Cat4"="C:\\WINDOWS\\msmsgr2.exe"
"myqF"="C:\\RALXH.EXE"
"0 44}5]C:\\Program Files\\ISTsvc\\istsvc.exe"="C:\\RALXH.EXE"
"ntechin"="C:\\N20050308.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"



#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 February 2005 - 02:44 AM

Hello Lyna,

Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the Killbox. http://www.bleepingcomputer.com/files/killbox.php

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

1. Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

2. Paste this file into the top Full Path of File to Delete field.

C:\WINDOWS\SYSTEM\PMWRPROF.DLL

3. Click the Delete File button which looks like a stop sign.

4. Click Yes at the Replace on Reboot prompt.

5. Click No at the Pending Operations prompt.

Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.

C:\WINDOWS\SYSTEM\PLDLIB.DLL
C:\WINDOWS\SYSTEM\SPLWID.DLL
C:\WINDOWS\SYSTEM\pfmas.dll
C:\WINDOWS\SYSTEM\IQCFGDLL.DLL
C:\WINDOWS\SYSTEM\RU3228_8.DLL
C:\WINDOWS\SYSTEM\MIPI32.DLL
C:\WINDOWS\SYSTEM\DYNHUPNP.DLL
C:\WINDOWS\SYSTEM\OVTWA400.DLL
C:\WINDOWS\SYSTEM\MWCO30.DLL
C:\WINDOWS\SYSTEM\FHPWPP.DLL
C:\WINDOWS\SYSTEM\OMBC32.DLL
C:\WINDOWS\SYSTEM\PEFWIN32.DLL
C:\WINDOWS\SYSTEM\RJVPSP.DLL
C:\WINDOWS\SYSTEM\LjImg11n.dll
C:\WINDOWS\SYSTEM\sgbapi.dll
C:\WINDOWS\SYSTEM\PYSPL.DLL
C:\WINDOWS\SYSTEM\QWUT.DLL
C:\WINDOWS\SYSTEM\JZVART.DLL
C:\WINDOWS\SYSTEM\FWSRCH.DLL
C:\WINDOWS\SYSTEM\RQCLTCCM.DLL
C:\WINDOWS\SYSTEM\mWpistub.dll
C:\WINDOWS\SYSTEM\VS5DB.DLL
C:\WINDOWS\SYSTEM\JWVACYPT.DLL
C:\WINDOWS\SYSTEM\WYLP32T.DLL
C:\WINDOWS\SYSTEM\VBPUBAPI.DLL
C:\WINDOWS\SYSTEM\SRFTPUB.DLL
C:\WINDOWS\SYSTEM\GKDEF.DLL
C:\WINDOWS\SYSTEM\EDDAZ32.DLL
C:\WINDOWS\SYSTEM\DZNHUPNP.DLL
C:\WINDOWS\SYSTEM\IFSTSCH.DLL
C:\WINDOWS\SYSTEM\LDPCX80N.DLL
C:\WINDOWS\SYSTEM\CWETCFG.DLL
C:\WINDOWS\SYSTEM\DygHelp.dll
C:\WINDOWS\System32\Guard.tmp

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.

Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.

Step 2:

Please run Findit again and post the resulting log. Remember it may take quite a bit of time before the log appears. So be patient.

Edited by SifuMike, 10 February 2005 - 10:08 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 Lyna

Lyna
  • Topic Starter

  • Members
  • 22 posts

Posted 11 February 2005 - 02:15 AM

OK, I think I did it right. The Work Offline window doesn't pop up any more, and neither do the pop-ups when I'm on the net.

Here's the new log from Findit:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 2970-11E5
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 10,022 02-10-05 1:39p KGyGaAvL.sys
3DE67A~1 SYS 56 02-10-05 1:39p 3DE67AF46F.sys
WYLP32T DLL 222,568 02-04-05 4:13p WYLP32T.DLL
PMWRPROF DLL 222,568 02-04-05 4:13p PMWRPROF.DLL
4 file(s) 455,214 bytes
0 dir(s) 1,878.64 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 2970-11E5
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 10,022 02-10-05 1:39p KGyGaAvL.sys
3DE67A~1 SYS 56 02-10-05 1:39p 3DE67AF46F.sys
RATINGS POL 8,192 01-04-03 2:08p RATINGS.POL
FOLDER HTT 13,122 08-22-01 7:06p FOLDER.HTT
DESKTOP INI 266 08-22-01 7:06p DESKTOP.INI
5 file(s) 31,658 bytes
0 dir(s) 1,878.64 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{209C9A40-7932-11D9-8FBC-444553540000}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wylp32t.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
kgygaavl.sys Thu Feb 10 2005 1:39:52p A.SH. 10,022 9.79 K
pmwrprof.dll Fri Feb 4 2005 4:13:08p ..S.R 222,568 217.35 K
3de67a~1.sys Thu Feb 10 2005 1:39:52p ..SHR 56 0.05 K

4 items found: 4 files, 0 directories.
Total of file sizes: 455,214 bytes 444.54 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.398: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.398: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.398: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.398: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.398: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.398: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\xwebpic10.ocx: .aspack
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\WYLP32T.DLL: UMonitor
C:\WINDOWS\SYSTEM\SCEM0409.DLL: UMonitor
C:\WINDOWS\SYSTEM\PMWRPROF.DLL: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_CC"="C:\\PROGRAM FILES\\GRISOFT\\AVG6\\avgcc32.exe /startup"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"Vhhhpa"="C:\\PROGRAM FILES\\QQHYK\\KUSFWX.EXE"
"Emanp"="C:\\PROGRAM FILES\\ETRODRG\\JBDP.EXE"
"_Cat4"="C:\\WINDOWS\\msmsgr2.exe"
"myqF"="C:\\RALXH.EXE"
"0 44}5]C:\\Program Files\\ISTsvc\\istsvc.exe"="C:\\RALXH.EXE"
"ntechin"="C:\\N20050308.EXE"
"IST Service"="C:\\Program Files\\ISTsvc\\istsvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




Edited by Lyna, 11 February 2005 - 02:17 AM.


#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 11 February 2005 - 02:44 AM

Hello Lyna,

Do not be discouraged, as it normally takes at least two of these Killbox sessions. :thumbsup: Usually one or two of the DLLs are missed the first time around. :flowers:


Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Double-click on KillBox.exe to launch the program.

1. Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

2. Paste this file into the top Full Path of File to Delete field.

C:\WINDOWS\SYSTEM\PMWRPROF.DLL

3. Click the Delete File button which looks like a stop sign.

4. Click Yes at the Replace on Reboot prompt.

5. Click No at the Pending Operations prompt.

Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.

C:\WINDOWS\SYSTEM\WYLP32T.DLL
C:\WINDOWS\SYSTEM\SCEM0409.DLL

C:\WINDOWS\System32\Guard.tmp

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.

Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.

Step 2:

Please run Findit again and post the resulting log. Remember it may take quite a bit of time before the log appears. So be patient.

Edited by SifuMike, 11 February 2005 - 02:47 AM.


#10 Lyna

Lyna
  • Topic Starter

  • Members
  • 22 posts

Posted 20 February 2005 - 11:13 PM

Special thanks to Diasuke for finding my old topic. Usually I just click on the My Topics link and it shows me my first topic, but I had to create another one since it gave some error or something. Anyway, here's the Findit log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 2970-11E5
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 10,022 02-15-05 4:51p KGyGaAvL.sys
3DE67A~1 SYS 56 02-15-05 4:51p 3DE67AF46F.sys
2 file(s) 10,078 bytes
0 dir(s) 1,876.13 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 2970-11E5
Directory of C:\WINDOWS\SYSTEM

KGYGAAVL SYS 10,022 02-15-05 4:51p KGyGaAvL.sys
3DE67A~1 SYS 56 02-15-05 4:51p 3DE67AF46F.sys
RATINGS POL 8,192 01-04-03 2:08p RATINGS.POL
FOLDER HTT 13,122 08-22-01 7:06p FOLDER.HTT
DESKTOP INI 266 08-22-01 7:06p DESKTOP.INI
5 file(s) 31,658 bytes
0 dir(s) 1,876.12 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{209C9A40-7932-11D9-8FBC-444553540000}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
kgygaavl.sys Tue Feb 15 2005 4:51:18p A.SH. 10,022 9.79 K
3de67a~1.sys Tue Feb 15 2005 4:51:18p ..SHR 56 0.05 K

2 items found: 2 files, 0 directories.
Total of file sizes: 10,078 bytes 9.84 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.398: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.398: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.398: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.398: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.398: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.398: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\xwebpic10.ocx: .aspack
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\PMWRPROF.DLL: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_CC"="C:\\PROGRAM FILES\\GRISOFT\\AVG6\\avgcc32.exe /startup"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"Vhhhpa"="C:\\PROGRAM FILES\\QQHYK\\KUSFWX.EXE"
"Emanp"="C:\\PROGRAM FILES\\ETRODRG\\JBDP.EXE"
"_Cat4"="C:\\WINDOWS\\msmsgr2.exe"
"myqF"="C:\\RALXH.EXE"
"0 44}5]C:\\Program Files\\ISTsvc\\istsvc.exe"="C:\\RALXH.EXE"
"ntechin"="C:\\N20050308.EXE"
"IST Service"="C:\\Program Files\\ISTsvc\\istsvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"



#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 21 February 2005 - 12:23 AM

Hello Lyna,

It has been so long since you posted, I thought we had lost you. :thumbsup: Welcome back.

Step 1:

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{209C9A40-7932-11D9-8FBC-444553540000}"=-

Double-click on the fix.reg file you saved on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.


Step 2:


Repair the Recycle bin:
Click Start, Run and type cmd. Press OK.

A DOS window will open.

Type the following and then press Enter after typing each one:

attrib -h -s c:\recycler

del c:\recycler

Close the window and REBOOT.

Check if the Recycle Bin is OK. Please report back.


Step 3:


Download VX2Finder from this link: http://www.downloads.subratam.org/VX2Finder.exe

Run Vx2Finder and click on the Restore Policy button.


Step 4:

Download the Hoster from here

http://members.aol.com/toadbee/hoster.zip

Press "Restore Original Hosts" and press "OK".
Exit Program.
This will restore the original deleted Hosts file.


Step 5:

Post another find.bat log along with a new hijackthis log.

#12 Lyna

Lyna
  • Topic Starter

  • Members
  • 22 posts

Posted 21 February 2005 - 07:40 PM

Um, I'm just wondering: can I still follow your instructions even though I have already shut down since my last post? Will anything bad happen or not?

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 21 February 2005 - 11:10 PM

I'm just wondering: can I still follow your instructions even though I have already shut down since my last post? Will anything bad happen or not?


Hello lyna,

You lost me. :thumbsup:
Do you mean you turned your computer off?

If so, that is OK, as I think we have killed the malware.

Let's continue with the instructions in my previous post.

#14 Lyna

Lyna
  • Topic Starter

  • Members
  • 22 posts

Posted 22 February 2005 - 12:15 AM

Another problem. I did the fix.reg part and that went fine, but what do I do with it on the desktop? Can I delete it, or does it have to stay there?
My main problem is the DOS part. When I click Start, Run, then type cmd, a message pops up saying it can't find it:

"cannot find "cmd" (or one of its components). Make sure the path and filename are correct and that all required libraries are available."
:thumbsup:

Edited by Lyna, 22 February 2005 - 12:18 AM.


#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 February 2005 - 02:14 PM

Hello Lyna,

Another problem. I did the fix.reg part and that went fine, but what do I do with it on the desktop? Can I delete it, or does it have to stay there?


If it worked OK, then you can delete it.


My main problem is the DOS part. When I click Start, Run, then type cmd, a message pops up saying it can't find it:

"cannot find "cmd" (or one of its components). Make sure the path and filename are correct and that all required libraries are available."


Try this: Start>Run>command instead of CMD.

On Win98 you should use 'command' instead of 'cmd'!