Help with Hijackthis Log!


19 replies to this topic

#1 JJG1015

JJG1015

  • Members
  • 10 posts

Posted 11 April 2005 - 05:42 PM

I'm having problems running IE: everytime I open it, the page is blank and the bottom of the screen reads "Finding site: toolbar2.trafficgeneration.biz." I cannot connect to the internet or AIM at all, but luckily I already had Spybot, Ad-aware, and Hijackthis downloaded. I have run both Spybot and Ad-aware, but the problem is still there. I ran Hijackthis and here is a copy of my log:

Logfile of HijackThis v1.99.0
Scan saved at 5:20:48 PM, on 4/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\lelzejlx.exe
C:\Program Files\pgflsz8z\pgflsz8z.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nppscfg.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\rlazak.exe
C:\WINDOWS\MOGODLL.EXE
C:\WINDOWS\PRABENC.EXE
C:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\tempdl\Terp03292005.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\Honey\Application Data\aaat.exe
C:\WINDOWS\System32\n?tepad.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\pgflsz8z\950816.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\pgflsz8z\pgflsz8z1\pgflsz8z1.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Honey\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com/flash/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Honey\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {8EDF5CC3-E10A-98AB-7153-EC5B245B63B5} - C:\WINDOWS\System32\ozx.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsc498.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {BEF26CC4-CC4C-ADE9-5C63-DE7667194EF0} - C:\WINDOWS\System32\ozx.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FX] C:\Documents and Settings\Honey\Desktop\m00.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [twuzigcalyeclyygeszgssrhxv] C:\WINDOWS\lelzejlx.exe
O4 - HKLM\..\Run: [pgflsz8z] C:\Program Files\pgflsz8z\pgflsz8z.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [0s3X3sV] nppscfg.exe
O4 - HKLM\..\Run: [zwdjvztw] c:\windows\system32\zwdjvztw.exe
O4 - HKLM\..\Run: [u] C:\windows\system32\u.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlazak.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msdioo.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteypa32.exe
O4 - HKLM\..\Run: [MOGODLL] C:\WINDOWS\MOGODLL.EXE
O4 - HKLM\..\Run: [PRABENC] C:\WINDOWS\PRABENC.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [GMedia2] C:\WINDOWS\tempdl\GSM2.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\WINDOWS\tempdl\Terp03292005.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Ersb] C:\Documents and Settings\Honey\Application Data\aaat.exe
O4 - HKCU\..\Run: [Zsu] C:\WINDOWS\System32\n?tepad.exe
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: dcua.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm492YYUS
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0032.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0004.exe
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Any help is greatly appreciated...thank you!


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 12 April 2005 - 02:01 PM

Hi JJG1015 and welcome to the BC forums. You are currently running an older version of HijackThis. This version does not have the functionality we need to do the repairs efficiently. If you cannot download the newer version directly to your machine then download to a different machine and copy it to a disk and install it on your problem machine.

Please click on the link below and download the most current version: HijackThis_sfx.exe
Delete your current HijackThis.exe file and double-click on the file you just downloaded and then click on the Unzip button to install the newer version. It will be installed to the C:\Program Files\HijackThis\ directory by default.

Start HijackThis and perform a new scan. Post your new log file back here as a reply to this topic and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 JJG1015

JJG1015
  • Topic Starter

  • Members
  • 10 posts

Posted 12 April 2005 - 07:11 PM

Here's my new log file. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 7:05:26 PM, on 4/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\lelzejlx.exe
C:\Program Files\pgflsz8z\pgflsz8z.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nppscfg.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\rlazak.exe
C:\WINDOWS\MOGODLL.EXE
C:\WINDOWS\PRABENC.EXE
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\tempdl\Terp03292005.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\Honey\Application Data\aaat.exe
C:\WINDOWS\System32\n?tepad.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\pgflsz8z\950816.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\pgflsz8z\pgflsz8z1\pgflsz8z1.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com/flash/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Honey\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {8EDF5CC3-E10A-98AB-7153-EC5B245B63B5} - C:\WINDOWS\System32\ozx.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsc498.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {BEF26CC4-CC4C-ADE9-5C63-DE7667194EF0} - C:\WINDOWS\System32\ozx.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FX] C:\Documents and Settings\Honey\Desktop\m00.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [twuzigcalyeclyygeszgssrhxv] C:\WINDOWS\lelzejlx.exe
O4 - HKLM\..\Run: [pgflsz8z] C:\Program Files\pgflsz8z\pgflsz8z.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [0s3X3sV] nppscfg.exe
O4 - HKLM\..\Run: [zwdjvztw] c:\windows\system32\zwdjvztw.exe
O4 - HKLM\..\Run: [u] C:\windows\system32\u.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlazak.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteypa32.exe
O4 - HKLM\..\Run: [MOGODLL] C:\WINDOWS\MOGODLL.EXE
O4 - HKLM\..\Run: [PRABENC] C:\WINDOWS\PRABENC.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [GMedia2] C:\WINDOWS\tempdl\GSM2.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\WINDOWS\tempdl\Terp03292005.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Ersb] C:\Documents and Settings\Honey\Application Data\aaat.exe
O4 - HKCU\..\Run: [Zsu] C:\WINDOWS\System32\n?tepad.exe
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: dcua.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm492YYUS
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0032.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0004.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 12 April 2005 - 09:07 PM

Hello again JJG1015. Well, where to begin. We have a number of different infections going on here. I believe you have a relatively new infection called Bube.d. There is currently only 1 fix available so let's run that first.

Go here: How to remove Bube.d aka Win32.Beavis aka isrvs and follow the directions to download, install, update and run the trial version of Kaspersky Anti-Virus.

When you have finished, post a new log back here and I will review it.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 JJG1015

JJG1015
  • Topic Starter

  • Members
  • 10 posts

Posted 12 April 2005 - 11:43 PM

I ran KAV and here is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:37:15 PM, on 4/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\lelzejlx.exe
C:\Program Files\pgflsz8z\pgflsz8z.exe
C:\WINDOWS\System32\nppscfg.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\rlazak.exe
C:\WINDOWS\MOGODLL.EXE
C:\WINDOWS\PRABENC.EXE
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\tempdl\Terp03292005.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\Honey\Application Data\aaat.exe
C:\WINDOWS\System32\n?tepad.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\pgflsz8z\950816.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\pgflsz8z\pgflsz8z1\pgflsz8z1.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com/flash/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Honey\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {8EDF5CC3-E10A-98AB-7153-EC5B245B63B5} - C:\WINDOWS\System32\ozx.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsc498.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {BEF26CC4-CC4C-ADE9-5C63-DE7667194EF0} - C:\WINDOWS\System32\ozx.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FX] C:\Documents and Settings\Honey\Desktop\m00.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [twuzigcalyeclyygeszgssrhxv] C:\WINDOWS\lelzejlx.exe
O4 - HKLM\..\Run: [pgflsz8z] C:\Program Files\pgflsz8z\pgflsz8z.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [0s3X3sV] nppscfg.exe
O4 - HKLM\..\Run: [zwdjvztw] c:\windows\system32\zwdjvztw.exe
O4 - HKLM\..\Run: [u] C:\windows\system32\u.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlazak.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteypa32.exe
O4 - HKLM\..\Run: [MOGODLL] C:\WINDOWS\MOGODLL.EXE
O4 - HKLM\..\Run: [PRABENC] C:\WINDOWS\PRABENC.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [GMedia2] C:\WINDOWS\tempdl\GSM2.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\WINDOWS\tempdl\Terp03292005.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Ersb] C:\Documents and Settings\Honey\Application Data\aaat.exe
O4 - HKCU\..\Run: [Zsu] C:\WINDOWS\System32\n?tepad.exe
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: dcua.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm492YYUS
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0032.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0004.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 13 April 2005 - 12:44 PM

Hello again JJG1015. Well that didn't seem to faze it at all so we're going to have to roll our sleeves up and get into it. Please follow the steps below in order.

Step #1

Now we will remove some programs using Add or Remove Programs in the Control Panel:
  • Click Start.
  • Click Control Panel.
  • Double-click Add or Remove Programs.
  • Look in the Currently installed programs box for each program listed below and if it is there:
  • Click on it to select it.
  • Click Change (or Change/Remove) button.
  • If you are prompted to confirm the removal of the program, click Yes.
Delphi Viewer (or anything with Delphin in the name)
Step #2

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Download About:Buster.zip and unzip it to its own directory. Start AboutBuster and click the Ok button. Now click the Update button and then the Check for Update button. If an update is available click the Download Update button. When the updates have been downloaded close AboutBuster (do not run it yet).

Download CleanUp! and install it. Do not run it yet.

Step #3

Start HijackThis and follow these steps:
  • Click on Config button
  • Click on the Misc Tools button
  • Click on the Open Process Manager button
Find the following items and click on each one to select it and then click on the Kill Process button to stop the process:
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\lelzejlx.exe
C:\Program Files\pgflsz8z\pgflsz8z.exe
C:\WINDOWS\System32\nppscfg.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\rlazak.exe
C:\WINDOWS\MOGODLL.EXE
C:\WINDOWS\PRABENC.EXE
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\tempdl\Terp03292005.exe
C:\Documents and Settings\Honey\Application Data\aaat.exe
C:\WINDOWS\System32\n?tepad.exe
C:\Program Files\pgflsz8z\950816.exe
C:\Program Files\pgflsz8z\pgflsz8z1\pgflsz8z1.exe

Step #4

Now click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Honey\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {8EDF5CC3-E10A-98AB-7153-EC5B245B63B5} - C:\WINDOWS\System32\ozx.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsc498.dll
O2 - BHO: (no name) - {BEF26CC4-CC4C-ADE9-5C63-DE7667194EF0} - C:\WINDOWS\System32\ozx.dll
O4 - HKLM\..\Run: [FX] C:\Documents and Settings\Honey\Desktop\m00.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [twuzigcalyeclyygeszgssrhxv] C:\WINDOWS\lelzejlx.exe
O4 - HKLM\..\Run: [pgflsz8z] C:\Program Files\pgflsz8z\pgflsz8z.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [0s3X3sV] nppscfg.exe
O4 - HKLM\..\Run: [zwdjvztw] c:\windows\system32\zwdjvztw.exe
O4 - HKLM\..\Run: [u] C:\windows\system32\u.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlazak.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteypa32.exe
O4 - HKLM\..\Run: [MOGODLL] C:\WINDOWS\MOGODLL.EXE
O4 - HKLM\..\Run: [PRABENC] C:\WINDOWS\PRABENC.EXE
O4 - HKLM\..\Run: [GMedia2] C:\WINDOWS\tempdl\GSM2.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\WINDOWS\tempdl\Terp03292005.exe
O4 - HKCU\..\Run: [Ersb] C:\Documents and Settings\Honey\Application Data\aaat.exe
O4 - Global Startup: dcua.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm492YYUS
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0004.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\lelzejlx.exe
C:\WINDOWS\MOGODLL.EXE
C:\WINDOWS\PRABENC.EXE
C:\WINDOWS\tempdl\ <--folder
C:\WINDOWS\System32\ozx.dll
C:\WINDOWS\System32\nsc498.dll
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\nppscfg.exe
c:\windows\system32\zwdjvztw.exe
C:\windows\system32\u.exe
C:\WINDOWS\System32\picsvr\ <--folder
C:\WINDOWS\System32\rlazak.exe
C:\WINDOWS\System32\msmc.exe
C:\windows\system32\eliteypa32.exe
C:\WINDOWS\System32\pacis.exe
C:\Documents and Settings\Honey\Desktop\m00.exe
C:\Documents and Settings\Honey\Application Data\aaat.exe
C:\DOCUMENTS AND SETTINGS\Honey\LOCAL SETTINGS\Temp\se.dll
C:\Program Files\pgflsz8z\ <--folder
E6F1873B.DLL (search for this file and delete all instances - see the note below regarding searching in XP)
dcua.exe (search for this file and delete all instances - see the note below regarding searching in XP)

Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Step #6

Run AboutBuster and save the logs:
  • Browse to where you saved AboutBuster and run AboutBuster.exe.
  • Click "OK" at the directions Read: Important! prompt.
  • Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
  • Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
  • Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
  • Click "Exit" and "Exit" again to exit AboutBuster.
Step #7

Run CWShredder
  • Double-click on CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".
Step #8

Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #9

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here along with details of any problems you encountered performing the above steps using the Add Reply button and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

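The triage OldTimer does by hand in the post above (pick out the entries to fix, then compare the fresh log against the previous one) can be partly mechanised. The Python below is an added example written for this page; it is not code from the thread or from the HijackThis project, and its heuristics and function names are the editor's own. It parses lines in the HijackThis v1.99 entry format, diffs two scans to show which entries disappeared and which appeared, and flags the traits a reviewer looked for here: a search page served from a local DLL via res://, a BHO registered with no name, an autorun entry with a bare file name, one launched from a user-writable folder, one whose file name holds a character outside the normal set (the n?tepad.exe line), a Trusted Zone addition, a DPF entry pointing at an .exe, and entries whose target file is missing. The two sample logs are constructed from a handful of lines of the scans posted in this thread and are not complete logs.

```python
"""Parse HijackThis-format log lines, diff two scans, and flag entries worth a closer look.

Added example; the heuristics and names are the editor's, not HijackThis's.
"""
from __future__ import annotations

import re
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    section: str  # "R1", "O2", "O4", ... as printed at the start of the line
    body: str     # everything after "<section> - "


ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# First executable of an O4 command: a quoted path, or the shortest prefix ending in .exe
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.*?\.exe))', re.IGNORECASE)
# Folders an ordinary user can write to; autoruns launched from here deserve a look
USER_WRITABLE = ("\\temp\\", "\\tempdl\\", "\\application data\\", "\\desktop\\")

# Constructed sample logs modelled on a few lines of the scans posted in this thread.
# BEFORE mixes legitimate entries with the ones the reviewer asked to fix.
BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Honey\LOCALS~1\Temp\se.dll/spage.html
O2 - BHO: (no name) - {8EDF5CC3-E10A-98AB-7153-EC5B245B63B5} - C:\WINDOWS\System32\ozx.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [0s3X3sV] nppscfg.exe
O4 - HKLM\..\Run: [FX] C:\Documents and Settings\Honey\Desktop\m00.exe
O4 - HKCU\..\Run: [Zsu] C:\WINDOWS\System32\n?tepad.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0004.exe
"""
# AFTER is what a cleaned scan might look like, plus the antivirus entry added in between.
AFTER = r"""
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
"""


def parse_log(text: str) -> List[Entry]:
    """Keep only the R*/O* entry lines; the process list and header are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries that disappeared between two scans, and entries that are new."""
    old, new = parse_log(before), parse_log(after)
    removed = [e for e in old if e not in new]
    added = [e for e in new if e not in old]
    return removed, added


def o4_target(body: str) -> Optional[str]:
    """Executable launched by an O4 (autorun) entry, or None if it cannot be found."""
    _, _, cmd = body.partition("] ")
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else None


def odd_filename(path: str) -> bool:
    """True when the file name holds a character outside the usual set.

    HijackThis prints '?' for characters it cannot render, so the n?tepad.exe line
    in the thread trips this; a raw non-ASCII look-alike letter would trip it too."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return re.fullmatch(r"[A-Za-z0-9 ._~$-]+", name) is None


def review(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Attach a reason to every entry a log reviewer would want to examine."""
    findings = []
    for e in entries:
        low = e.body.lower()
        if "(file missing)" in low:
            findings.append((e, "orphaned entry: the file it points at is gone"))
        if e.section in ("R0", "R1") and "res://" in low:
            findings.append((e, "browser page served from a local DLL resource"))
        elif e.section == "O2" and "(no name)" in low:
            findings.append((e, "browser helper object registered without a name"))
        elif e.section == "O4":
            target = o4_target(e.body)
            if target is None:
                continue
            if odd_filename(target):
                findings.append((e, "unusual character in file name (system binary look-alike?)"))
            if "\\" not in target:
                findings.append((e, "bare file name, resolved through the search path"))
            if any(d in target.lower() for d in USER_WRITABLE):
                findings.append((e, "autorun from a user-writable folder"))
        elif e.section == "O15":
            findings.append((e, "site added to the Trusted Zone"))
        elif e.section == "O16" and low.endswith(".exe"):
            findings.append((e, "ActiveX download entry pointing at an .exe"))
    return findings


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print(f"{len(removed)} entries gone, {len(added)} new")
    for entry, reason in review(parse_log(BEFORE)):
        print(f"{entry.section}: {reason}\n    {entry.body}")
```

Run it on two saved logs by reading them into BEFORE and AFTER; the flags are hints for a human reviewer, not verdicts, since a legitimate product can also leave an orphaned O9 button or a bare file name in a Run key.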

#7 JJG1015

JJG1015
  • Topic Starter

  • Members
  • 10 posts

Posted 13 April 2005 - 07:00 PM

I went through every step and didn't run into any problems. Here's my new log:

Logfile of HijackThis v1.99.1
Scan saved at 6:56:59 PM, on 4/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\BearShare\BearShare.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\System32\rlazak.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\n?tepad.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ICHlprObj Class - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\PROGRA~1\ALADDI~1\INTERN~1\IC3hlpr.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRA~1\ALADDI~1\INTERN~1\PopFiltr.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [WinFSG] "C:\Program Files\Aladdin Systems\Internet Cleanup\MSFG.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlazak.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteypa32.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Zsu] C:\WINDOWS\System32\n?tepad.exe
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0032.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#8 OldTimer

Posted 13 April 2005 - 09:36 PM

Hey JJG1015. Wow. That went better than I expected. Now I need a little info on a couple of the files we are dealing with so please perform the following steps. Before you do so print these directions off because we'll try to remove the ones that are left also but in Safe Mode this time so you won't have an internet connection while we are attempting it.

Step #1

Open Notepad and copy/paste the text from the quotebox below into the new document:

dir C:\WINDOWS\System32\n?tepad.exe /a h > files.txt
notepad files.txt


Save the document to your desktop as findnp.bat and close Notepad. Locate the findnp.bat file on your desktop and double-click on it to run it. Notepad should open up with some information in it. Include that information in your next post.

Step #2

I believe that one of the files causing you problems is infected with Qoologic. To determine what files are on your system and where they are hiding please do the following:
  • Download Find-Qoologic2.zip save it to your Desktop.
  • Unzip Find-Qoologic2.zip to its own folder and then use Windows Explorer to navigate to that folder.
  • Double-click the Find-Qoologic2.bat file to run it.
  • When Notepad opens with the results in it copy/paste the entire contents of the document back here in your next post.

Step #3

Let's try to get rid of the following entries with HijackThis again.

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlazak.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteypa32.exe
O4 - HKCU\..\Run: [Zsu] C:\WINDOWS\System32\n?tepad.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\System32\rlazak.exe
C:\windows\system32\eliteypa32.exe

Step #4

Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here along with details of any problems you encountered performing the above steps (and the information from Steps 1 & 2) using the Add Reply button and I will review it when it comes in.

OT

Edited by OldTimer, 13 April 2005 - 09:40 PM.

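Added example, not OldTimer's code or any tool from this thread: the `dir ... n?tepad.exe` line in Step #1 works because `?` matches any single character, so the genuine notepad.exe and a file whose 'o' is some non-ASCII character get listed side by side. The Python below generalizes that check over a directory listing (a constructed sample here) and flags names that impersonate a known system binary through a homoglyph or a single odd character; the protected-name list and the confusable table are assumptions.

```python
import unicodedata

# Constructed directory listing standing in for "dir C:\WINDOWS\System32 /a".
# The thread's real file shows as n?tepad.exe because the console cannot
# print the character sitting where the 'o' should be.
SAMPLE_LISTING = [
    "notepad.exe",
    "n\u043etepad.exe",   # Cyrillic small o (U+043E) in place of Latin 'o'
    "svchost.exe",
    "svch\u00f6st.exe",   # Latin o with diaeresis (U+00F6)
    "n\ue000tepad.exe",   # private-use character; renders as a box or '?'
    "rlazak.exe",         # random name, but it impersonates nothing
    "kernel32.dll",
]

# Binaries worth guarding against impersonation (assumed list; extend it).
PROTECTED_NAMES = frozenset({
    "notepad.exe", "svchost.exe", "explorer.exe",
    "winlogon.exe", "lsass.exe", "smss.exe",
})

# Lookalikes that Unicode normalization does not fold to ASCII: a few
# Cyrillic and Greek letters whose glyphs match Latin ones (assumed table).
_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u03bf": "o",
})


def skeleton(name: str) -> str:
    """Reduce a filename to a plain ASCII skeleton so lookalikes collide.

    Lowercases, maps the confusable table to Latin, then applies NFKD and
    drops combining marks (so o-with-diaeresis becomes 'o') and zero-width
    format characters.
    """
    folded = name.lower().translate(_CONFUSABLES)
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(ch for ch in decomposed
                   if unicodedata.category(ch) not in ("Mn", "Cf"))


def differs_by_one_odd_char(name: str, reference: str) -> bool:
    """True when name and reference have the same length and differ in
    exactly one position where name holds a non-ASCII or unprintable
    character. This is the case the thread's 'dir n?tepad.exe' surfaces."""
    if len(name) != len(reference):
        return False
    diffs = [a for a, b in zip(name, reference) if a != b]
    if len(diffs) != 1:
        return False
    odd = diffs[0]
    return (not odd.isascii()) or (not odd.isprintable())


def find_lookalikes(listing, protected=PROTECTED_NAMES):
    """Return (suspect, impersonated) pairs for entries in listing that
    impersonate a protected binary name; genuine files are skipped."""
    hits = []
    for entry in listing:
        lowered = entry.lower()
        if lowered in protected:
            continue
        skel = skeleton(entry)
        if skel in protected:
            hits.append((entry, skel))
            continue
        for ref in protected:
            if differs_by_one_odd_char(lowered, ref):
                hits.append((entry, ref))
                break
    return hits


if __name__ == "__main__":
    for suspect, target in find_lookalikes(SAMPLE_LISTING):
        print("%r impersonates %s" % (suspect, target))
```

To run it against a live machine, feed `find_lookalikes` the names from `os.listdir` of the directory you want to check instead of the sample list.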


#9 JJG1015

Posted 13 April 2005 - 10:33 PM

Everything seemed to run smoothly. Here are my logs.

Step 1:
Volume in drive C has no label.
Volume Serial Number is AC50-C37E

Directory of C:\WINDOWS\System32

09/03/2002 08:00 AM 66,048 notepad.exe
04/06/2005 07:39 AM 425,984 n?tepad.exe
2 File(s) 492,032 bytes

Directory of C:\Documents and Settings\Honey\Desktop


Directory of C:\Documents and Settings\Honey\Desktop


Directory of C:\Documents and Settings\Honey\Desktop

04/13/2005 09:52 PM 0 files.txt
1 File(s) 0 bytes
0 Dir(s) 24,713,003,008 bytes free

Step 2:
"Find activesetup", version1, launched at: 21:55
Operating System: Windows XP


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
"d8edc2c2-b1ac-4d71-8bb9-a407e2e3d1aa\(Default)" = ""
\StubPath = "C:\WINDOWS\System32\cqxaxmo.exe" [null data]
"{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default)" = ""
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:12:23 PM, on 4/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\rlazak.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ICHlprObj Class - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\PROGRA~1\ALADDI~1\INTERN~1\IC3hlpr.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRA~1\ALADDI~1\INTERN~1\PopFiltr.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [WinFSG] "C:\Program Files\Aladdin Systems\Internet Cleanup\MSFG.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlazak.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0032.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#10 OldTimer

Posted 14 April 2005 - 11:36 AM

Hi JJG1015. The log from the Find-Qoologic2.bat is only a part of the file that should have been generated. It appears that you do have a Qoologic infection and there should be more files involved which would show up in that log.

Can you run the Find-Qoologic2.bat file again. It will take some time to run so be patient. When finished, Notepad should open with the final log file. Copy/paste that final log back here so I can review it.

Cheers.

OT


#11 JJG1015

Posted 14 April 2005 - 07:18 PM

I ran it over again and this time it gave me this. Hopefully it's the whole log this time!

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files found


Checking Global Startup

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
.
..
Adobe Reader Speed Launch.lnk
America Online 9.0 Tray Icon.lnk
dcua.exe
desktop.ini
Microsoft Office.lnk
Smart Wizard Wireless Settings.lnk

User Startup:
C:\Documents and Settings\Honey\Start Menu\Programs\Startup
.
..
desktop.ini
Protector.lnk
Scheduler.lnk

Registry Entries Found

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gksysxqy
<NO NAME> REG_SZ {6cc73901-2d5b-490f-85db-463b937958ea}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
<NO NAME> REG_SZ {dd230880-495a-11d1-b064-008048ec2fc5}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Mumtaz
<NO NAME> REG_SZ {51131DA7-1D24-40e5-AE07-5E3750F5DE3C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

Active setup

"Find activesetup", version1, launched at: 19:12
Operating System: Windows XP


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
"d8edc2c2-b1ac-4d71-8bb9-a407e2e3d1aa\(Default)" = ""
\StubPath = "C:\WINDOWS\System32\cqxaxmo.exe" [null data]
"{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default)" = ""
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

#12 OldTimer

Posted 14 April 2005 - 09:29 PM

Hey JJG1015. Yes, that's what I was looking for. Ok, let's get this show on the road.

Step #1

Download Pocket Killbox and unzip it to your desktop.

Step #2

Open Notepad and copy/paste the text in the quotebox below into the new document:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{d8edc2c2-b1ac-4d71-8bb9-a407e2e3d1aa}]
[-HKEY_CLASSES_ROOT\CLSID\{d8edc2c2-b1ac-4d71-8bb9-a407e2e3d1aa}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d8edc2c2-b1ac-4d71-8bb9-a407e2e3d1aa}]
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gksysxqy]
[-HKEY_CLASSES_ROOT\CLSID\{6cc73901-2d5b-490f-85db-463b937958ea}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6cc73901-2d5b-490f-85db-463b937958ea}]
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Mumtaz]
[-HKEY_CLASSES_ROOT\CLSID\{51131DA7-1D24-40e5-AE07-5E3750F5DE3C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51131DA7-1D24-40e5-AE07-5E3750F5DE3C}]


Save the document as regfixqoo.reg to your desktop and then close Notepad.

Step #3

Start Killbox and click on the Delete on reboot option.

Highlight the text below and press the Ctrl key and the C keys at the same time to copy the text to the clipboard:

C:\WINDOWS\System32\rlazak.exe

Now click on the File menu in Killbox and click on the Paste from Clipboard item.

Click the button that looks like a red circle with a white X in it. Killbox will tell you that all listed files will be deleted on next reboot. Click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Your system will reboot now.

Step #4

After you have rebooted, locate the regfixqoo.reg file on your desktop and right-click on it. Select the option to Merge and answer Yes or Ok to any prompts.

Step #5

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlazak.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #6

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Verify that the following files/folders are gone and delete them if they are not:

C:\WINDOWS\System32\rlazak.exe

Step #7

Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here along with details of any problems you encountered performing the above steps using the Add Reply button and I will review it when it comes in.

OT
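Added example, not part of the thread and not Find-Qoologic's own code: it parses the "Active setup" section in the format the logs above use, flags components whose StubPath the tool did not tag [MS] (an assumption about what that tag means, the same reading OldTimer applied to the cqxaxmo.exe entry), and emits REGEDIT4 deletion keys of the same shape as the regfixqoo.reg in Step #2. The excerpt is copied from the posted log.

```python
import re
from dataclasses import dataclass

# Excerpt in the format of the Find-Qoologic2 "Active setup" section, with
# the values copied from the log posted earlier in this thread.
SAMPLE_ACTIVE_SETUP = r'''
HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
"d8edc2c2-b1ac-4d71-8bb9-a407e2e3d1aa\(Default)" = ""
\StubPath = "C:\WINDOWS\System32\cqxaxmo.exe" [null data]
"{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default)" = ""
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
'''


@dataclass(frozen=True)
class ActiveSetupEntry:
    guid: str       # component GUID without braces
    name: str       # the key's (Default) value
    stub_path: str  # command Windows runs once per user at logon
    tag: str        # annotation the tool appends, e.g. "MS" or "null data"


# "{GUID}\(Default)" = "name"    (a leading '>' and the braces are optional)
COMPONENT_RE = re.compile(
    r'^">?\{?([0-9A-Fa-f-]{36})\}?\\\(Default\)" = "(.*)"$')
# \StubPath = "command" [tag]
STUBPATH_RE = re.compile(r'^\\StubPath = "(.*)" \[([^\]]*)\]$')


def parse_active_setup(text):
    """Pair each component line with the StubPath line that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        m = COMPONENT_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = STUBPATH_RE.match(line)
        if m and pending is not None:
            guid, name = pending
            entries.append(ActiveSetupEntry(guid, name, m.group(1), m.group(2)))
            pending = None
    return entries


def needs_review(entries):
    """Components the tool did not tag [MS]; treated here as the ones to
    look at (assumption about the tag's meaning)."""
    return [e for e in entries if e.tag != "MS"]


# Keys the regfixqoo.reg above deletes for one component, as %-templates.
REMOVAL_KEYS = (
    r"[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\%s]",
    r"[-HKEY_CLASSES_ROOT\CLSID\%s]",
    r"[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%s]",
)


def removal_reg(entries):
    """Build REGEDIT4 text that removes the given components."""
    lines = ["REGEDIT4", ""]
    for e in entries:
        braced = "{%s}" % e.guid
        lines.extend(key % braced for key in REMOVAL_KEYS)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = needs_review(parse_active_setup(SAMPLE_ACTIVE_SETUP))
    for e in flagged:
        print("%s runs %s [%s]" % (e.guid, e.stub_path, e.tag))
    print(removal_reg(flagged))
```

The generated .reg only removes the registry keys; the file the StubPath points to still has to be deleted separately, as Step #3 does with Killbox.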


#13 JJG1015

Posted 14 April 2005 - 10:23 PM

OT, I didn't run into any problems with any of the steps. Here's my new log file...thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:18:55 PM, on 4/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\dcua.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.rr.com/flash/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ICHlprObj Class - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - C:\PROGRA~1\ALADDI~1\INTERN~1\IC3hlpr.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRA~1\ALADDI~1\INTERN~1\PopFiltr.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [WinFSG] "C:\Program Files\Aladdin Systems\Internet Cleanup\MSFG.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlazak.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0032.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#14 OldTimer

Posted 14 April 2005 - 11:14 PM

Hey JJG1015. That O4 entry is still there. When you ran HijackThis and verified that the C:\WINDOWS\System32\rlazak.exe file was gone was it really gone? If so, it's back again. Can you please run the Find-Qoologic2.bat file again and post a new log back here so I can take a look at it?

Thanks.

OT


#15 JJG1015

Posted 15 April 2005 - 09:54 PM

OT, after I ran HijackThis and checked to see that the file was gone, it was. Nothing popped up, but when I ran HJT again, that filename showed up. I ran Qoologic again and here is my log file:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files found



(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
.
..
Adobe Reader Speed Launch.lnk
America Online 9.0 Tray Icon.lnk
dcua.exe
desktop.ini
Microsoft Office.lnk
Smart Wizard Wireless Settings.lnk

User Startup:
C:\Documents and Settings\Honey\Start Menu\Programs\Startup
.
..
desktop.ini
Protector.lnk
Scheduler.lnk

Registry Entries Found

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
<NO NAME> REG_SZ {dd230880-495a-11d1-b064-008048ec2fc5}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

Active setup

"Find activesetup", version1, launched at: 13:46
Operating System: Windows XP


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]
"d8edc2c2-b1ac-4d71-8bb9-a407e2e3d1aa\(Default)" = ""
\StubPath = "C:\WINDOWS\System32\cqxaxmo.exe" [null data]
"{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default)" = ""
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]



